
GoDaddy Phishing Email

July 20th, 2009 Posted in Blogging, Domain Name, Security, Web hosting

I received an email from Go Daddy with the subject “GoDaddy.com Account Security Alert”. It informed me that 3 different IP addresses had logged into my GoDaddy account in the past 24 hours. I should do as the email instructed, otherwise my account would be locked.

Here is the email:

******************************************************************
Account Security Alert
******************************************************************
Dear xxxxxxx,
It seems that our systems have detected \’3\’ different IP addresses logging into your GoDaddy Account Center, in the past 24 hours. Therefore, our security team have deemed it necessary, that we lock the account, until further action has been taken.
You have 24 hours to do the following, or your GoDaddy account will be locked, until we can verify the real owner. Please, follow the following information carefully, and make sure you do not enter any incorrect details.
Please point your browser to
http://secure.godaddy.com/default.aspx? isc=multipleipa&ci=8987
Then follow the on-screen guide. You have 24 hours todo this, or all accounts, domains, hosting, and any other product of GoDaddy linked with your account, will be terminated.
Please do not reply to this email. Emails sent to this address will not be answered.
Thanks again for being a GoDaddy.com, Inc. customer.
Sincerely,
GoDaddy.com, Inc.
—————————————————————–
Copyright 2009 GoDaddy.com, Inc.. All rights reserved.

When I hover my mouse pointer over the link, I see that the URL is not the GoDaddy site but points to http://godaddysecure.com. It made me curious. It might be a phishing mail. Then I checked the email header and compared it with the header of email I usually receive from Godaddy.

This is the header of that suspicious email:

Received: from qmail-cgi-norm-0.netfirms.com (38-mail-static.netfirms.com [70.35.18.38])
by mx.google.com with SMTP id 6si7270441qwk.14.2009.07.13.16.33.20;
Mon, 13 Jul 2009 16:33:20 -0700 (PDT)
Received-SPF: neutral (google.com: 70.35.18.38 is neither permitted nor denied by best guess record for domain of /[email protected]) client-ip=70.35.18.38;
Authentication-Results: mx.google.com; spf=neutral (google.com: 70.35.18.38 is neither permitted nor denied by best guess record for domain of /[email protected]) smtp.mail=/[email protected]
Received: (qmail 6240 invoked from network); 13 Jul 2009 23:33:20 -0000
Received: from unknown (10.8.8.14)
by q0-cgi-norm.netfirms.com with QMQP; 13 Jul 2009 23:33:20 -0000
Date: 13 Jul 2009 23:33:20 -0000
Message-ID: <20090713233320.76459.qmail@cgi14>
X-IP: 92.12.173.48
X-URI: /sendmail.php
X-ID: 3155370

And this is the header of regular Godaddy email:

Received: from smtpout24-02.prod.mesa1.secureserver.net (smtpout24-02.prod.mesa1.secureserver.net [68.178.232.28])
by mx.google.com with SMTP id 3si11736138pzk.133.2009.07.15.10.31.27;
Wed, 15 Jul 2009 10:31:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 68.178.232.28 as permitted sender) client-ip=68.178.232.28;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 68.178.232.28 as permitted sender) [email protected]
Received: (qmail 4686 invoked from network); 15 Jul 2009 17:31:27 -0000
Received: from unknown (HELO gdmailer04.dc1.corp.gd) (208.109.14.189)
by smtpout24-02.prod.mesa1.secureserver.net with SMTP; 15 Jul 2009 17:31:27 -0000
Received: from mail pickup service by gdmailer04.dc1.corp.gd with Microsoft SMTPSVC;
Wed, 15 Jul 2009 10:31:27 -0700
X-MID: 1785c520-e8b6-4e7a-8f8d-c58e8a03e9cd
X-10pl8ID: 1298

From the email headers, I notice that Godaddy email always comes from a legitimate mail server marked as a permitted sender that passes the SPF check, while the suspicious email came from another mail server that does not pass the SPF check.
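The same header comparison can be scripted. The following is an added example, not code from the original post: it reads the SPF verdict stamped by the receiving server and the reverse-DNS name in the topmost Received line. `TRUSTED_AUTHSERV`, `EXPECTED_RELAY`, the `sample` helper and the placeholder envelope address are assumptions made for the illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.google.com"    # the receiving MX named in the headers above
EXPECTED_RELAY = ".secureserver.net"  # relay domain seen in the regular Go Daddy mail

# Constructed samples modelled on the two headers quoted above; the date and
# envelope address are placeholders, not values taken from the real messages.
def sample(helo, rdns, ip, spf):
    return (f"Received: from {helo} ({rdns} [{ip}])\n"
            f" by mx.google.com with SMTP id constructed;\n"
            f" Mon, 13 Jul 2009 16:33:20 -0700 (PDT)\n"
            f"Authentication-Results: mx.google.com; spf={spf}"
            f" smtp.mail=sender@example.invalid\n"
            f"Subject: GoDaddy.com Account Security Alert\n\nbody\n")

SUSPICIOUS = sample("qmail-cgi-norm-0.netfirms.com",
                    "38-mail-static.netfirms.com", "70.35.18.38", "neutral")
REGULAR = sample("smtpout24-02.prod.mesa1.secureserver.net",
                 "smtpout24-02.prod.mesa1.secureserver.net", "68.178.232.28", "pass")

def assess(raw, expected_relay=EXPECTED_RELAY):
    """Return (spf_result, relay_host, findings) for one raw message."""
    msg = message_from_string(raw)
    # Only trust an SPF verdict stamped by our own receiving server; a sender
    # can forge Authentication-Results lines lower down in the header.
    spf = "none"
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        m = re.search(r"\bspf=(\w+)", rest)
        if authserv.strip().lower() == TRUSTED_AUTHSERV and m:
            spf = m.group(1).lower()
            break
    # The topmost Received line was written by our MX; the name in parentheses
    # is its reverse-DNS lookup of the connecting IP, not the sender's claim.
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"from\s+\S+\s+\(([^\s\[\]]+)\s+\[[\d.]+\]\)", top)
    relay = m.group(1).lower() if m else "unknown"
    findings = []
    if spf != "pass":
        findings.append(f"SPF result is '{spf}', not 'pass'")
    if not relay.endswith(expected_relay):
        findings.append(f"relay {relay} is outside {expected_relay}")
    return spf, relay, findings

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("regular", REGULAR)):
        print(name, assess(raw))
```

An empty findings list means the message matches the pattern of the regular mail; it is a triage signal, since a message can pass SPF for a lookalike domain.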

The conclusion is clear. That suspicious email is absolutely a phishing email. I don’t have to follow the instructions. In fact, later on I logged on to Godaddy by typing www.godaddy.com in my browser and changed my password.

If you receive a similar email, just delete it immediately. Do not click the link. It might direct you to a fake Godaddy page where they can grab your password if you try to log on there, or it might direct you to install a cookie on your computer that the phisher might use later on to gather information about you.

Be careful with your Godaddy account. Use a complex password and change it periodically.
