Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

GoDaddy accounts vulnerable to social engineering and Photoshop

Steve Ragan | March 20, 2015
GoDaddy's layered verification protections defeated by a phone call and four hours in Photoshop

When it came to government-issued identification, he turned to friends in Indiana.

"I knew a few people in Indiana and they both sent me quality pictures of their license. In the end, I found it easier to modify their existing license than to make a new one from scratch. I spent about four hours with the details of the license and getting the shading of the text right.

"This was probably overkill, but I'm a perfectionist when it comes to these things. The subtitles in the driver's license seal were no match for Photoshop's 'content aware and replace' feature. It wasn't perfect, so the majority of my time was spent pushing pixels until it looked right. A little blur and grain go a long way to making something look authentic," Mr. Troia said.

The form was submitted on Friday, March 13, but it wouldn't be reviewed until the following Monday, as those responsible for change requests do not work during the weekends.

On Tuesday afternoon, Mr. Troia received an email asking for additional information. Most of the domains under my account are registered to a business name, which would require additional information.

"I sent an email stating that there was no actual business which they could verify, and that I just put something there because I thought I had to. I sent the email and immediately called right after. The woman I spoke with was super nice. She looked at the email while we were on the phone and said that people use non-existent business names all the time. They just needed the written copy for an audit trail. She authorized the email switch while we were on the phone. Instructions to reset my account password were in my email by the time we hung up," Mr. Troia said.

What happened to my account is something that could happen to any account.

There was no document verification performed and the ID submitted by Mr. Troia used an image that looks nothing like me. From social engineering, to the crafted social media profile, fake ID and email account, this was a classic example of a targeted attack from start to finish.

An account takeover such as this allows an attacker to use the hijacked domain to create code-signing certificates. It could be used to impersonate someone's personal brand, and leverage said brand to target customers, fans, or business partners.

An attacker could develop any number of domains and use them for a watering hole attack, or alter DNS and direct visitors to a server under their control.

In fact, such tactics are a favorite of groups such as Lizard Squad and the Syrian Electronic Army, who target hosting accounts for exactly those reasons.


Previous Page  1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.