[HN Gopher] Social engineering GoDaddy (2007)
___________________________________________________________________
Social engineering GoDaddy (2007)
Author : pbear2k21
Score : 57 points
Date : 2022-06-13 14:36 UTC (8 hours ago)
(HTM) web link (g.livejournal.com)
(TXT) w3m dump (g.livejournal.com)
| trafnar wrote:
| Reminds me of this story "How I lost my $50,000 Twitter username"
| from 2014.
|
| https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...
| hombre_fatal wrote:
| Also, "Amazon's customer support backdoor" (2016).
|
| https://medium.com/@espringe/amazon-s-customer-service-backd...
|
| The screenshots of the attack/transcript make my stomach hurt.
| pbear2k21 wrote:
| Oops - The title was meant to say 2007. However GoDaddy still
| suffers from social engineering attacks, e.g.
| https://www.zdnet.com/article/godaddy-staff-fall-prey-to-soc...
| iamricks wrote:
| I've mentioned this before[1], we once had a domain stolen
| because somebody called GoDaddy and was able to get the 2FA code
| removed with a phone call and they had some leaked email
| credentials for the account.
|
| We had to call GoDaddy and cancel the domain transfer, they would
| give us no information on how it happened.
|
| [1]: https://news.ycombinator.com/item?id=29308613
| EGreg wrote:
| This is why we need Web2 + Web3 = Web5. Dorsey was right to work
| with the ION guys from Microsoft. It's not new, though, I know
| all the main people in the space and back in 2014 it was Tim
| Berners-Lee and Solid talking about the same thing. At Qbix and
| Intercoin we have been working on identity and social apps for
| years, interviewing people in the space too:
|
| https://qbix.com/blog - see the last two articles
|
| Domain names are the original NFTs. But unlike most NFTs, the
| owner can MODIFY them and what they point to. So they are more
| useful.
|
| The problem with everything before Web3 is the feudalism and
| relying on third parties who run the infrastructure to also
| manage your identity.
| duskwuff wrote:
| No. Stop that, you're embarrassing yourself.
|
| The problem at hand here is social engineering. Your
| cryptocurrency scheme (and, to be clear, this is your own
| scheme you're promoting here) is not a solution to social
| engineering.
| personjerry wrote:
| Isn't this fraud?
| hyperhopper wrote:
| Who was defrauded? Not the old domain owner, he just got a
| legit email and decided to sell.
|
| Maybe they committed some other crime against GoDaddy, but I'm
| not a lawyer and I'm not sure what. They impersonated a call
| center manager, but I'm not sure if that's against the law.
| After that the employee willingly told them things.
| dylan604 wrote:
| >Maybe they committed some other crime against GoDaddy
|
| As a non sequitur, I'd say GoDaddy is a crime against
| humanity
| sethammons wrote:
| Wow, I wonder if that is what happened to my company's domain a
| decade ago. We lost control of our domain due to social
| engineering at GoDaddy. It was really, really tense as we worked
| to get control back. We got lucky and were able to retrieve the
| domain later that day.
| biermic wrote:
| I also have heard of such a story. A friend of mine did something
| similar a long time ago.
|
| Someone posted malicious stuff on his website, which showed up
| when googling my friend's name. This cost him quite some
| business.
|
| He knew the email address of the website owner, and the provider
| where the website was hosted. So he registered the same email
| address under a different free email hosting provider. Then he
| sent the website hoster an e-mail where he told them about a new
| email address and if they could change it. With that he could
| reset the password and delete the website.
| jherico wrote:
| My take is "don't use the same channel for internal comms as for
| customer comms". That way training could make it clear:
|
| * Supervisor communication will always come through Slack, or
| email or some other mechanism.
| * Never trust that the identity of anyone on the phone is someone
| internal unless you initiated the call.
| malfist wrote:
| That works until someone gets their slack compromised
| confident_inept wrote:
| This stuff is still incredibly easy to do to this day. I was the
| general manager of a retail office store chain and we would
| frequently have calls come in forging fake complaints but asking
| for the district or regional manager's first and/or last name.
| The attacker would then call another store in the region claiming
| to be "Mr. Head Manager".
|
| Most associates knew or had seen the names (they were required to
| be posted in the break room) but oftentimes never met the people
| in question. The attacker got associates and other
| shift/associate managers to do everything from giving up secure
| information on the registers to ring up gift cards.
|
| It was happening two to three times a week in our district at
| times despite weekly training and conference calls on the
| subject. Some people are just born to be duped.
| swatcoder wrote:
| > Some people are just born to be duped
|
| Nah, _all_ people are born to be duped. Nobody can be vigilant
| all the time. There's a point where you have to let down your
| guard and trust that there's no monster ready to pounce on you
| from the shadows. Vigilance has its own costs that often work
| against the tasks at hand, and can really fry your body if held
| high for too long.
|
| As GM you may have been especially vigilant about this issue
| because you saw yourself as the steward of your store(s), but
| those associates weren't in the same position and were bound to
| be more lax on net.
|
| It doesn't sound like these social engineering attacks tanked
| the company, so whatever dynamic existed between everyone
| seemed to work adequately.
| formerkrogemp wrote:
| It doesn't hurt that retail stores in the US pay dirt and
| shit for wages.
___________________________________________________________________
(page generated 2022-06-13 23:01 UTC)