CAUTION! GoDaddy phishing happening right now - DNForum - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars

**Acro** · 04-10-2009, 12:46 PM

The following email appears to come from support@godaddy.com but it points to:
http://205.234.236.23/~ytrindic/

It's a server in Pakistan mzwebhost.com. Contacting their upstream provider.

+++++++++++

Dear Customer,

This notification is generated automatically as a service to you.

Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account. So we have decided to put an extra verification process to ensure your identity and your account security.
Please click on sign in to domain servers to continue to the verification process and ensure your account security. It is all about your security. Thank you. and visit the customer service section.
please contact us within 1 days.

If you need to address this matter, or in any way need further assistance or technical support, call us any time at (480) 505-8877 or email us at support@godaddy.com. We appreciate your business!

Sincerely,
GoDaddy.com DomainAlert team

**biggedon** · 04-10-2009, 01:00 PM

yeah

i got two of these emails yesterday

knew it was fake when i did a "hover over" the link

also who would attempt to steal my crap names at godaddy?

**Acro** · 04-10-2009, 01:03 PM

I got 5 so far. Complaint sent via http://www.servercentral.net/supportrequest

**jdk** · 04-10-2009, 01:07 PM

I received 7 over the past two days. I forwarded them to Godaddy, but likely won't do any good.

**PRED** · 04-10-2009, 01:09 PM

thanks very much Acro, as ever you are always on top of things
cheers. I actually just got 5!
If it had been one i would maybe have clicked but seen the redirect.
I havd already junked them as phishing and redirected one to godaddy support.
Spread the word on the forums guys!

**Acro** · 04-10-2009, 01:12 PM

NP Pred. The email is very well constructed, also the form page itself that takes the username/password is exceptionally done. I submitted a few pairs such as "fbi_is_coming/sore_loser" - hopefully they will be shut down soon. Just complain using the form above.

**Seraphim** · 04-10-2009, 01:14 PM

Whoa, got several of these. Thanks for the heads up Theo.

**Acro** · 04-10-2009, 01:15 PM

The form and images are hosted at

Code:

 http://elpos.ba/galerija/albums/userpics2/msg/

.ba = Bosnia

Some photos of the sore losers implicated in this scam:

Code:

http://elpos.ba/galerija/albums/userpics2/ado.jpg
http://elpos.ba/galerija/albums/userpics2/enes.JPG
http://elpos.ba/galerija/albums/userpics2/square00.JPG
http://elpos.ba/galerija/albums/userpics2/square05.JPG
http://elpos.ba/galerija/albums/userpics2/normal_square06.JPG
http://elpos.ba/galerija/albums/userpics2/nijaz.JPG
http://elpos.ba/galerija/albums/userpics2/kancelarija1.JPG

**DomainMagnate** · 04-10-2009, 01:20 PM

I only got 4 so far, feeling a little left out :o

**Seraphim** · 04-10-2009, 01:24 PM

Quote:

Originally Posted by Acro

The form and images are hosted at

Code:

 http://elpos.ba/galerija/albums/userpics2/msg/

.ba = Bosnia

Some photos of the sore losers implicated in this scam:

Code:

http://elpos.ba/galerija/albums/userpics2/ado.jpg
http://elpos.ba/galerija/albums/userpics2/enes.JPG
http://elpos.ba/galerija/albums/userpics2/square00.JPG
http://elpos.ba/galerija/albums/userpics2/square05.JPG
http://elpos.ba/galerija/albums/userpics2/normal_square06.JPG
http://elpos.ba/galerija/albums/userpics2/nijaz.JPG
http://elpos.ba/galerija/albums/userpics2/kancelarija1.JPG

That is bizarre. A hijacked domain perhaps? They aren't actually using their own domain are they? Would be pretty funny if so.

**Acro** · 04-10-2009, 01:25 PM

Probably so.

Code:

link to a toolkit http://elpos.ba/galerija/albums/userpics2/boom.php

**Seraphim** · 04-10-2009, 01:29 PM

Quote:

Originally Posted by Acro

Probably so.

Code:

link to a toolkit http://elpos.ba/galerija/albums/userpics2/boom.php

Wow, what the hell is that? What's a toolkit?

**Acro** · 04-10-2009, 01:31 PM

Looks like a root toolkit that can perform other penetration tasks remotely. Also it links to http://milw0rm.com which is a known repository of exploits. These ****ers need to be shut down.

**DomainMagnate** · 04-10-2009, 01:35 PM

Good research there Acro, just blogged about it

**Acro** · 04-10-2009, 01:38 PM

Nice pic, Michael

**Doc Com** · 04-10-2009, 02:01 PM

Yea, DNFers, Mobility, NPers post on your twitter accounts also.

Many noobs (and veterans) may fall for this.

Phew, what a relief.

And to think I had to acually renew domain names.

=)

**Poker** · 04-10-2009, 02:43 PM

Quote:

Originally Posted by biggedon

also who would attempt to steal my crap names at godaddy?

people with crap mentalities (or crack problems)...

**Acro** · 04-10-2009, 08:02 PM

Looks like the hacking tools have been removed. The IP that was sending the emails has also been turned off.

**Domainator** · 04-10-2009, 08:06 PM

We reported these to GD yesterday and they confirmed was a scam..

**Seraphim** · 04-10-2009, 08:29 PM

Quote:

Originally Posted by Acro

Looks like the hacking tools have been removed. The IP that was sending the emails has also been turned off.

You and LegendaryJP need to start your own DN-PI service, you both have solid research skills. I know it's inevitable I'd send some cash your way.

04-10-2009, 12:46 PM	#1 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	CAUTION! GoDaddy phishing happening right now The following email appears to come from support@godaddy.com but it points to: http://205.234.236.23/~ytrindic/ It's a server in Pakistan mzwebhost.com. Contacting their upstream provider. +++++++++++ Dear Customer, This notification is generated automatically as a service to you. Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account. So we have decided to put an extra verification process to ensure your identity and your account security. Please click on sign in to domain servers to continue to the verification process and ensure your account security. It is all about your security. Thank you. and visit the customer service section. please contact us within 1 days. If you need to address this matter, or in any way need further assistance or technical support, call us any time at (480) 505-8877 or email us at support@godaddy.com. We appreciate your business! Sincerely, GoDaddy.com DomainAlert team __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 01:00 PM	#2 (permalink)
biggedon iSpoof.com Last Online: Today 05:32 PM iTrader: (112) Join Date: Sep 2002 Posts: 10,997 DNF$: 51,465 Location: 96.net	yeah i got two of these emails yesterday knew it was fake when i did a "hover over" the link also who would attempt to steal my crap names at godaddy? __________________ worldiptv.com * svc.net * belisted.com * mobi.us.com * sop.net * qfm.net * upyo.com * vioz.com * Need A SedoPro Account PM Me

04-10-2009, 01:03 PM	#3 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	I got 5 so far. Complaint sent via http://www.servercentral.net/supportrequest __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 01:07 PM	#4 (permalink)
jdk DNF Addict Name: Doug Last Online: Yesterday 06:09 PM iTrader: (175) Join Date: Jul 2004 Posts: 6,886 DNF$: 68,548 Location: Florida Country:	I received 7 over the past two days. I forwarded them to Godaddy, but likely won't do any good. __________________ Domain Research Tool - Save $125!! Discounted DNF$ For Sale - Pimp RPG Game Alphabetize.org

04-10-2009, 01:09 PM	#5 (permalink)
PRED Last Online: Today 12:58 PM iTrader: (118) Join Date: May 2006 Posts: 7,960 DNF$: 1,065 Country:	thanks very much Acro, as ever you are always on top of things cheers. I actually just got 5! If it had been one i would maybe have clicked but seen the redirect. I havd already junked them as phishing and redirected one to godaddy support. Spread the word on the forums guys! __________________ dental recruitment \| dental practices \| Coniston

04-10-2009, 01:12 PM	#6 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	NP Pred. The email is very well constructed, also the form page itself that takes the username/password is exceptionally done. I submitted a few pairs such as "fbi_is_coming/sore_loser" - hopefully they will be shut down soon. Just complain using the form above. __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 01:14 PM	#7 (permalink)
Seraphim Platinum Lifetime Member Last Online: Today 05:10 PM iTrader: (21) Join Date: Jan 2006 Posts: 3,073 DNF$: 1,397 Location: Hillsboro, OR Country:	Whoa, got several of these. Thanks for the heads up Theo. __________________ ...

04-10-2009, 01:15 PM	#8 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	The form and images are hosted at Code: http://elpos.ba/galerija/albums/userpics2/msg/ .ba = Bosnia Some photos of the sore losers implicated in this scam: Code: http://elpos.ba/galerija/albums/userpics2/ado.jpg http://elpos.ba/galerija/albums/userpics2/enes.JPG http://elpos.ba/galerija/albums/userpics2/square00.JPG http://elpos.ba/galerija/albums/userpics2/square05.JPG http://elpos.ba/galerija/albums/userpics2/normal_square06.JPG http://elpos.ba/galerija/albums/userpics2/nijaz.JPG http://elpos.ba/galerija/albums/userpics2/kancelarija1.JPG __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes Last edited by Acro; 04-10-2009 at 01:20 PM.. Reason: Automerged Doublepost

04-10-2009, 01:20 PM	#9 (permalink)
DomainMagnate Domain Magnate™ Name: Michael Last Online: Today 06:16 AM iTrader: (68) Join Date: Nov 2005 Posts: 3,637 DNF$: 6,457 Location: DnMagnate.com	I only got 4 so far, feeling a little left out :o __________________ Domain Magnate Mind Reading

04-10-2009, 01:25 PM	#11 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	Probably so. Code: link to a toolkit http://elpos.ba/galerija/albums/userpics2/boom.php __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 01:31 PM	#13 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	Looks like a root toolkit that can perform other penetration tasks remotely. Also it links to http://milw0rm.com which is a known repository of exploits. These **ers need to be shut down. __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to:** Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 01:35 PM	#14 (permalink)
DomainMagnate Domain Magnate™ Name: Michael Last Online: Today 06:16 AM iTrader: (68) Join Date: Nov 2005 Posts: 3,637 DNF$: 6,457 Location: DnMagnate.com	Good research there Acro, just blogged about it __________________ Domain Magnate Mind Reading

04-10-2009, 01:38 PM	#15 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	Nice pic, Michael __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

04-10-2009, 02:01 PM	#16 (permalink)
Doc Com Dances With Dogs Name: Dances With Dogs Last Online: Today 05:13 PM iTrader: (73) Join Date: Dec 2006 Posts: 10,268 DNF$: 25,357 Country:	Yea, DNFers, Mobility, NPers post on your twitter accounts also. Many noobs (and veterans) may fall for this. Phew, what a relief. And to think I had to acually renew domain names. =) __________________ Conservative With A Conscience Last edited by Doc Com; 04-10-2009 at 02:03 PM.. Reason: Automerged Doublepost

04-10-2009, 08:02 PM	#18 (permalink)
Acro Bloody lovely Last Online: Today 06:23 PM iTrader: (394) Join Date: Feb 2004 Posts: 23,886 DNF$: 4,003 Location: USA Country:	Looks like the hacking tools have been removed. The IP that was sending the emails has also been turned off. __________________ DomainGang.com - Domainers' Most Awesome News Source Acroplex - Web & Graphics Acro.net - My Blog My Countdown Counting down to: Snapnames rebate hitting my mailbox 82 days 3 hours 47 minutes

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

04-10-2009, 08:06 PM	#19 (permalink)
Domainator DotAgent Last Online: 11-16-2009 11:57 PM iTrader: (27) Join Date: Sep 2004 Posts: 991 DNF$: 6,554 Country:	We reported these to GD yesterday and they confirmed was a scam.. __________________ DOMAINator

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode