CAUTION! GoDaddy phishing happening right now

[Acro]

The following email appears to come from support@godaddy.com but it points to:
http://205.234.236.23/~ytrindic/

It's a server in Pakistan mzwebhost.com. Contacting their upstream provider.

+++++++++++


Dear Customer,

This notification is generated automatically as a service to you.

Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account. So we have decided to put an extra verification process to ensure your identity and your account security.
Please click on sign in to domain servers to continue to the verification process and ensure your account security. It is all about your security. Thank you. and visit the customer service section.
please contact us within 1 days.

If you need to address this matter, or in any way need further assistance or technical support, call us any time at (480) 505-8877 or email us at support@godaddy.com. We appreciate your business!

Sincerely,
GoDaddy.com DomainAlert team

[biggedon]

yeah

i got two of these emails yesterday

knew it was fake when i did a "hover over" the link

also who would attempt to steal my crap names at godaddy?

[Acro]

I got 5 so far. Complaint sent via http://www.servercentral.net/supportrequest

[jdk]

I received 7 over the past two days. I forwarded them to Godaddy, but likely won't do any good.

[PRED]

thanks very much Acro, as ever you are always on top of things
cheers. I actually just got 5!
If it had been one i would maybe have clicked but seen the redirect.
I havd already junked them as phishing and redirected one to godaddy support.
Spread the word on the forums guys!

[Acro]

NP Pred. The email is very well constructed, also the form page itself that takes the username/password is exceptionally done. I submitted a few pairs such as "fbi_is_coming/sore_loser" - hopefully they will be shut down soon. Just complain using the form above.

[Seraphim]

Whoa, got several of these. Thanks for the heads up Theo.

[Acro]

The form and images are hosted at

Code:

 http://elpos.ba/galerija/albums/userpics2/msg/

.ba = Bosnia

Some photos of the sore losers implicated in this scam:

Code:

http://elpos.ba/galerija/albums/userpics2/ado.jpg
http://elpos.ba/galerija/albums/userpics2/enes.JPG
http://elpos.ba/galerija/albums/userpics2/square00.JPG
http://elpos.ba/galerija/albums/userpics2/square05.JPG
http://elpos.ba/galerija/albums/userpics2/normal_square06.JPG
http://elpos.ba/galerija/albums/userpics2/nijaz.JPG
http://elpos.ba/galerija/albums/userpics2/kancelarija1.JPG

[DomainMagnate]

I only got 4 so far, feeling a little left out :o

[Seraphim]

The form and images are hosted at

Code:

 http://elpos.ba/galerija/albums/userpics2/msg/

.ba = Bosnia

Some photos of the sore losers implicated in this scam:

Code:

http://elpos.ba/galerija/albums/userpics2/ado.jpg
http://elpos.ba/galerija/albums/userpics2/enes.JPG
http://elpos.ba/galerija/albums/userpics2/square00.JPG
http://elpos.ba/galerija/albums/userpics2/square05.JPG
http://elpos.ba/galerija/albums/userpics2/normal_square06.JPG
http://elpos.ba/galerija/albums/userpics2/nijaz.JPG
http://elpos.ba/galerija/albums/userpics2/kancelarija1.JPG

That is bizarre. A hijacked domain perhaps? They aren't actually using their own domain are they? Would be pretty funny if so.

[Acro]

Probably so.

Code:

link to a toolkit http://elpos.ba/galerija/albums/userpics2/boom.php

[Seraphim]

Probably so.

Code:

link to a toolkit http://elpos.ba/galerija/albums/userpics2/boom.php

Wow, what the hell is that? What's a toolkit?

[Acro]

Looks like a root toolkit that can perform other penetration tasks remotely. Also it links to http://milw0rm.com which is a known repository of exploits. These ****ers need to be shut down.

[DomainMagnate]

Good research there Acro, just blogged about it

[Acro]

Nice pic, Michael

[Doc Com]

Yea, DNFers, Mobility, NPers post on your twitter accounts also.

Many noobs (and veterans) may fall for this.

Phew, what a relief.

And to think I had to acually renew domain names.






















=)

[Poker]

also who would attempt to steal my crap names at godaddy?

people with crap mentalities (or crack problems)...

[Acro]

Looks like the hacking tools have been removed. The IP that was sending the emails has also been turned off.

[Domainator]

We reported these to GD yesterday and they confirmed was a scam..

[Seraphim]

Looks like the hacking tools have been removed. The IP that was sending the emails has also been turned off.

You and LegendaryJP need to start your own DN-PI service, you both have solid research skills. I know it's inevitable I'd send some cash your way.