Likely attempt to steal GoDaddy passwords: read

[Archangel]

I received this email today. I believe it was spoofed, as the sender's address is suppor (missing the T) @ godaddy.com & the sender is "godaddy" (they're more professional to merely type in their name, all lowercase):

Dear Godaddy User:



Note: Godaddy website upgrade,

please log in and re-activate your account

To view or manage changes:

Go to the GoDaddy.com home page and log in at the top of the screen with your username or customer number and password. Click on the "My Account" tab to launch the product dashboard.
From the dashboard, you can manage, renew, and upgrade your products and services.

To retrieve your customer number or password hint or to reset your password, click the "Forgot Your Password?" hyperlink in the login area on the home page.

NOTE: For certain ccTLDs? you must renew no later than the 20th of the month prior to the expiration date. If you fail to do so, your domain name will be placed on non-renewal status and you will only be able to renew the name by calling Go Daddy.

Thanks for choosing Go Daddy for your domain name registration needs.

Sincerely,

Bob Parsons
CEO and Founder
GoDaddy.com

P.S. .CO is the first truly global, recognizable domain to come along in years. Get a new .CO domain name now – JUST $29.99 $17.99/yr***.

I advise that if you get this email, you NOT click on any links in it, just to be safe.

 

[Kate]

Can you paste the headers?
I guess there was a link that takes you to a phishing page.

 

[Archangel]

How do I display headers in Hotmail?

The subject alone is a red-flag: "Note: Godaddy website upgrade; Please log in and activate your account!;‏" I never once paid for their hosting. Why would I upgrade? lol It's a phishing scam. I just hope ppl read this thread before they click on any links in the email, assuming they receive it.

 

[bmugford]

I received several of these today. They are phishing emails.

I think it is a good rule to never click on links in email, ever.

Brad

 

[silentg]

In the message > On the right side (below the date) you'll see Reply link with a down arrow icon. Click the down arrow and click on View message source.

How do I display headers in Hotmail?

The subject alone is a red-flag: "Note: Godaddy website upgrade; Please log in and activate your account!;‏" I never once paid for their hosting. Why would I upgrade? lol It's a phishing scam. I just hope ppl read this thread before they click on any links in the email, assuming they receive it.

 

[Archangel]

Ah, thanks. With my screen resolution, didn't see the option. Anyway:

x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/
Authentication-Results: hotmail.com; sender-id=fail (sender IP is 64.71.138.44) [email protected]; dkim=none header.d=godaddy.com; x-hmca=fail
X-SID-PRA: [email protected]
X-SID-Result: Fail
X-DKIM-Result: None
X-Message-Status: n:0:n
X-AUTH-Result: FAIL
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vSKhFmi4WwI4OAjiaalZuZIpBZFj+AuZ7DE1tpk71eMxG7FceQcme5UoQYABfPXe/mQrquSbIsHanjH01t8eSH8OTJ/ATsqrXPjV44Zem4GowiODc1NBFNU561Z9mLKp6sw20NUTpugfQ==
Received: from smtpbg55.qq.com ([64.71.138.44]) by BAY0-MC4-F30.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 1 Apr 2012 04:40:26 -0700
X-QQ-mid: esmtp16t1333280419t798t22536
Received: from rhhe (unknown [1.56.186.112])
by esmtp5.qq.com (ESMTP) with SMTP id 0
for <[email protected]>; Sun, 01 Apr 2012 19:40:18 +0800 (CST)
X-QQ-SSF: 00000000000000002F2200000020000
X-QQ-CSender: [email protected]
Message-ID: <001142448254$88244333$36636731@rhhe>
From: "godaddy" <[email protected]>
To: <[email protected]>
Subject: Note: Godaddy website upgrade; Please log in and activate your account!;
Date: Sun, 1 Apr 2012 19:40:12 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0026_015B4E3A.104E32D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: [email protected]
X-OriginalArrivalTime: 01 Apr 2012 11:40:26.0524 (UTC) FILETIME=[3B5565C0:01CD0FFC]

This is a multi-part message in MIME format.

------=_NextPart_000_0026_015B4E3A.104E32D0
Content-Type: text/plain;
charset="gb2312"
Content-Transfer-Encoding: base64

In the message > On the right side (below the date) you'll see Reply link with a down arrow icon. Click the down arrow and click on View message source.

 

[Eric Lyon]

Definitely a phishing scam for account info... Godaddy wouldn't be sending from a Chinese qq.com email account lol

Eric Lyon

 

[RazorNF]

The actual email address of the sender appears to be from a Chinese site, qq.com

Definitely looks like a phishing expedition.

Go and take a look at the source beyond the headers - the urls in the message itself are likely not pointing to godaddy.com

 

[DN BROKER]

Thanks for the update. I'll post it on my blog.

---------- Post added at 01:31 AM ---------- Previous post was at 01:07 AM ----------

Warning Issued

http://torontodomainer.com/alert-godaddy-phishing-scam-email-asking-users-to-re-activate-accounts/

 

[-EM-]

Remeber godaddy will mention your name at first like "Dear Name Surname" and never "Dear godaddy user"

 

[dnb8]

Recently I got the same email but from alibaba.com.

 

[keepsmile]

From: godaddy <[email protected]>
Subject: Note: Godaddy website upgrade, Please log in and activate your account!
Date: May 6, 2012 11:11:06 PM GMT+03:00
To: [email protected]
X-Apparently-To: [email protected] via 98.138.87.116; Sun, 06 May 2012 13:11:42 -0700
Return-Path: <[email protected]>
Received-Spf: pass (domain of qq.com designates 64.71.138.45 as permitted sender)
X-Ymailisg: GxmN0hkWLDvwSdHyNK_rG1GxgVohbT1ngfZ5AjFqCwBpJ8PA xi4G8tgtNOi_K1BYz1xeH2lUN.2z4PkDfgWE9fUcIjN2bFjK7Atfabuy3.ZK iD5zlgnRRN_sm.rq4_YolsURU4EWGuVROe3U0G.Z_irQe4F0ls.TIN_p_bKd bjgUQTDFeGQ7uLd6MKBRgUCO0bnYycYg24GyuxX10rP5uvJCPG5Z6fPnshc0 yi4tLSiUu7sbITluvE8100C4tYpfBWccLagLeObo.FMsws4ROHRqdj7.0uss .94l6QYvS4R9mek9uaBvKOiRddiiUKLJ08GF6X.uju9gif.pKFsj0NO8cNaG Lb0fZE6d_rB54loLDJYOdwW3C1ELVdmam21U1hekVvmiBcv5eyRGuHvbsYtG VqRal7.7e3_yyzqHL6WppsQS.av8pwF2LMegaGyDTONPwXTGItuF8KRTJzkI zyrvPIbvuMD9UBXaOaAUtgh0vcNYnMRB7AJKy1sF9XoFsJhO8dWtqGt2HQ7T fvE4krPB5_mUfx.ZT1NWytZ.q4qymyaTgwsoLq4Pn6kMuIUe8NdTmqTwC4tT Z.WrIhtH3cdSDANgKLGim77d3uB2CefoaltSrpI2yNpJQkPjvg4UzZlPHKbX cbs_3iWqpOsvMl.fv246dfpLXR7ik.olysGHf2txQqOhFOS31caOOJnCzTa9 GHFZ2eyF8qUWlar1m7DYoGUVCVxhwi.5018l2dwW2loLwmJe_HtPVRuSlM8E LVFbmYJr0VR2q_kQEQv80w4CbtAgwKVtr_h_xZcPzkRT5qbPYq_9ydQiqQCj ynv8irpN6qOiwTywq7mUP6AuWYaHdt5E4VuMsTEfSsybglEmxr1uLHn4KtXS jO.18yGLOy1EtvUYbeNcQKfNTheBFiYW_WROCCJtiz5Ylb26uyFP1MKS65Ag QfXaHludVSxDl_f_O.zQKkyh4Yj1PtHz4lGwO5cEYLNn8uDIQTqmvfJzeUpa HhxcC2Kr7Eio5mIT6oSwOMnc4xupFVAoprm8QoabfTV3OiLh7ufQ1BqcPS8s XmLOckNSRp91h0W7AgQB8tyiXrKglPAtFdZntQ1Lo_9roLuL6vCglcvXXowy kR9forwZuffe3p2glMFP0Ibg2CX6EqvLIlct_bYCJl3EXmHgei124fnaZrpE lAvRGIi8s_.SHNbADU8lqDrgMlTx13gpAv6NG5srien.ptMbsSFMpZSeFwJe HrtImNxFZW49uf.7uwOKx1Z2fmTye.qBeqGh1BdJLoTMOKJQRDqcu9gopJtW kK3loOpUb51S._AotoYPneu159xrevu633uzOahQhfZQbPs8MG5hqkzrLEg6 YmTKgpRZqO2eeRzj9fpL8.sw3inqAY7OOC_s2OCLZ1OEW7.hRI5K5cWuisAH At7mDwrJeQE3LsmI5T1k.4Z86Idns.ThOFPuZOGGeYovflRHwgcpU3fguWI4 w48mJ.kKiVe_JUfvoQ46fsiJhoRdlSjKxQDXuSuh.tNdtP8SrPRk.Peq.ItA 0CQxTKAfC_tq4iuraB7i5VZ_PyELKmnlRhh.RQAqr13r5w--
X-Originating-Ip: [64.71.138.45]
Authentication-Results: mta1023.mail.sk1.yahoo.com from=godaddy.com; domainkeys=neutral (no sig); from=godaddy.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO smtpbg56.qq.com) (64.71.138.45) by mta1023.mail.sk1.yahoo.com with SMTP; Sun, 06 May 2012 13:11:42 -0700
Received: from ly (unknown [210.109.97.23]) by esmtp5.qq.com (ESMTP) with SMTP id 0 for <[email protected]>; Mon, 07 May 2012 04:11:34 +0800 (CST)
X-Qq-Mid: esmtp16t1336335097t212t29555
X-Qq-Ssf: 00000000000000003H2200000020000
X-Qq-Csender: [email protected]
Message-Id: <006405012821$42717001$87513070@ly>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_084B_01A73792.18F1BE40"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.5512
Content-Length: 56066