Warning: The web site godaddy-support.com is being used by cybercriminals in Hong Kong, China, to steal GoDaddy account passwords.
Registered with Namesilo on 10/16/2015, godaddy-support.com is currently hosted on the IP address 103.226.125.17.
According to IPNIC, the hosting server belongs to Hong Kong Runidc Technology Co Limited, a provider in China.
This is the most convincing GoDaddy-spoofing portal we’ve seen so far.
Here’s how it works.
Cybercriminals from China are sending out bogus email notifications, asking unsuspecting domain registrants to confirm their email address:
“*ICANN, the Internet Corporation for Assigned Names and Numbers, requires that all domain registrars maintain correct and current WHOIS contact data for domain owners.
You have registered one or more domains from Godaddy Inc. and verification of the Registrant email address is required for these domain name(s) to remain active. Please click the link below to verify the email address. If you don’t verify your email address, we’re required to temporarily put your website on hold until verification is complete.*
Please cut-and-paste the following URL into an open web browser to complete the verification process:”
Once someone clicks on the link, they are taken to godaddy-support.com where they are presented with the following page:
Naturally, once there, a visitor who is acting upon the email notification that supposedly came from GoDaddy, will most likely click on the “Sign In” link.
When that happens, a drop down overlay appears, asking for the username and password to be entered:
Once the victim enters their user name and password at this fake GoDaddy portal, the information is stored by the cybercriminals and the following fake confirmation page appears:
At that point, the victim’s account credentials are in the hands of the Chinese cybercriminals!
Taking a look at the page’s source shows that the data is indeed submitted via the form, and processed by the script at “order.asp“:
Always visit GoDaddy.com directly instead of clicking on email links.
You can see whether any of your domains need to have their contact info verified, by visiting your access panel at GoDaddy. More information here.
By all means, enable two-factor authentication at GoDaddy, which requires the use of a cellphone that receives a confirmation code via SMS, every time you need to log in.
Original phishing email reported at NamePros.
Looks like NameSilo already deactivated the domain (it is set to clientHold). Yet another reason they are the best registrar.
Ron – Yes it is down now (the IP isn’t) after I reported it to Namesilo. Whether that makes them the best registrar is questionable, but it’s a plus that they responded quickly.
Now is the time the registrars should declare that their emails will NEVER EVER ask the registrants to click on any links in their emails.
Good work and what a great suggestion!
“Always visit GoDaddy.com directly instead of clicking on email links”
Ben – Thanks, and for raising awareness 😉
Thanks for posting this. I appreciate the publicity around it and agree two factor is very important. I also highly suggest you go to any site directly rather than clicking a link to be safe. I was alerted to this on namepros as well and went to our security team with the info so they could contact the hosting company. I am grateful for people sharing these types of things publicly so we can all be a little safer.