{Updated} GoDaddy scamming its employees out of a bonus

[Bombastinator]

9 minutes ago, CarlBar said:

 

The last thing you want as a company is for your floor level workers to stop trusting management. It's a recipe for company ending disaster.

 

Also to all those saying this is exactly what a phishing scam would actually do. No it's not. Doing this requires specific knowledge of how a company formats it's internal e-mails, what is a non-suspicious sounding bonus amount, and the necessary e-mail addresses actually are. It also requires that they use an actual attack that could get past a spam filter, and the one used should never have gotten past.

 

The only way this could be anything remotely realistic is if management themselves are utterly incompetent in every possibble way about basic internal e-mail security.

All that is a acquirable though.  It wouldn’t be possible for someone on another continent with a rudimentary knowledge of the language and no knowledge of the company, but none of the things you point to is proprietary.   Could a “Nigerian prince” do it? No.  A disgruntled former employee could though.

[poochyena]

19 minutes ago, CarlBar said:

Also to all those saying this is exactly what a phishing scam would actually do. No it's not. Doing this requires specific knowledge of how a company formats it's internal e-mails, what is a non-suspicious sounding bonus amount, and the necessary e-mail addresses actually are. It also requires that they use an actual attack that could get past a spam filter, and the one used should never have gotten past.

 

The only way this could be anything remotely realistic is if management themselves are utterly incompetent in every possibble way about basic internal e-mail security.

Which is all very possible, especially against a high profile company.

[CarlBar]

24 minutes ago, Bombastinator said:

All that is a acquirable though.  It wouldn’t be possible for someone on another continent with a rudimentary knowledge of the language and no knowledge of the company, but none of the things you point to is proprietary.   Could a “Nigerian prince” do it? No.  A disgruntled former employee could though.

 

19 minutes ago, poochyena said:

Which is all very possible, especially against a high profile company.

 

Um no it really isn't, disgruntled former employee aside, (and even then they'd have to have gone up through several layers of the company and had some very specific access at the point they where fired which would have had to have been very recent). This wasn't from what i understand sent to a handful of well used externally facing e-mail addresses. it went out across a good chunk of the entire company. Many of those e-mail addresses have no external method of being known to a potential phisher. Likewise whilst a company may make public some or even in some cases all of the info on it's bonus structure for the year your rarely going to see a complete breakdown by employee of the pay structure. meaning even if you've got a full list of e-mail addresses, (itself a massive security breech which kind of defeats the point of carrying such a scam out), you've no idea what is a realistic offer to send to each e-mail, send a too high or too low value or send different values to different people doing the same job in the same room and your likely to get spotted super fast, which again defeats the entire point of such an attack vector.

 

Finally whilst compromising the formatting is more reasonable, it still requires that internal and external e-mails use the same formatting. Which isn't guaranteed.

 

Also none of that address the spam filter point. Even if you have all of the above information a spam filter on the works e-mails should be filtering out bonus announcement that don't come from a specific internal e-mail address anyway., the only way this e-mail even makes it out of a spam folder, (at worst, a best it would be automatically deleted), is if the e-mail security setup is badly flawed.

[poochyena]

10 minutes ago, CarlBar said:

 a spam filter on the works e-mails should be filtering out bonus announcement that don't come from a specific internal e-mail address anyway

how, exactly?

[Bombastinator]

23 minutes ago, CarlBar said:

 

 

Um no it really isn't, disgruntled former employee aside, (and even then they'd have to have gone up through several layers of the company and had some very specific access at the point they where fired which would have had to have been very recent). This wasn't from what i understand sent to a handful of well used externally facing e-mail addresses. it went out across a good chunk of the entire company. Many of those e-mail addresses have no external method of being known to a potential phisher. Likewise whilst a company may make public some or even in some cases all of the info on it's bonus structure for the year your rarely going to see a complete breakdown by employee of the pay structure. meaning even if you've got a full list of e-mail addresses, (itself a massive security breech which kind of defeats the point of carrying such a scam out), you've no idea what is a realistic offer to send to each e-mail, send a too high or too low value or send different values to different people doing the same job in the same room and your likely to get spotted super fast, which again defeats the entire point of such an attack vector.

 

Finally whilst compromising the formatting is more reasonable, it still requires that internal and external e-mails use the same formatting. Which isn't guaranteed.

 

Also none of that address the spam filter point. Even if you have all of the above information a spam filter on the works e-mails should be filtering out bonus announcement that don't come from a specific internal e-mail address anyway., the only way this e-mail even makes it out of a spam folder, (at worst, a best it would be automatically deleted), is if the e-mail security setup is badly flawed.

So the argument is that a spammer would have to have specific addresses, email formatting changes too quickly for someone fired more than a few months ago to be able to replicate it, and spam filters are 100% efficient.

 

There isnt one thing there that sounds reasonable to me. 

[CarlBar]

23 minutes ago, poochyena said:

how, exactly?

 

The same way spam filters have been filtering out suspect e-mails for years? I may get the odd phishing scam in my inbox, but on the rare occasions i have to check my spam folder for missing e-mails there's a hell of a lot more in there that i never saw. And a company e-mail dealing with bonuses has it way easier as a bonus announcement that closely fakes the companies own formatting has a lot less room for the usual variation used to get past regular spam filters by regular phishing scams. An e-mail that is phishing a bonus announcement has to have a formatting that matches or is close to normal company internal e-mails, but has to come from an external address. That combination should be automatically suspect. Likewise e-mails dress that are using misspelling to deliberately appear to come from internal address should also be automatic red flags to any spam filter, (as they are on personal accounts)

 

In that sense it's a lot easier to filter this stuff for internal e-mail addresses than it is a regular personal account as said addresses should rarely be getting e-mails from non-company addresses, that makes it dead simple to filter as you can just dump everything not from a company address either into the spam folder or outright delete depending on the content and e-mail address used.

 

12 minutes ago, Bombastinator said:

So the argument is that a spammer would have to have specific addresses, email formatting changes too quickly for someone fired more than a few months ago to be able to replicate it, and spam filters are 100% efficient.

 

There isnt one thing there that sounds reasonable to me. 

 

No.

 

The spammer would have to have a lot of specific addresses, not just some, they would have to have access to the internal e-mail formatting, (only a former employee should have that realistically), and spam filters should catch phishing attempts that are obvious scams. You know just like the spam filters on my yahoo and outlook accounts do. Any phishing attempt that makes it past outlook and Yahoos filters for me either dosen't try to claim to be anyone i know or uses an e-mail address radically different from the real thing. Ones with mildly misspelled addresses go straight into my spam folder, (on the rare occasion i have to dig through it thats what i mostly find in there, though a lot of the non-similar e-mail addresses also end up in there too).

 

The example e-mail dress used in this instance would never have made it past outlooks or yahoos spam filters, (assuming the legitimate address was adequately known to them), and it should never make it past the companies filter either.

 

 

[wanderingfool2]

 Honestly, I think this is a perfect kind of email to entrap employees and make them think.  I've seen way too many employees that don't even give a second thought to who the email is originally coming from.  While it might be "cruel", it's exactly the kind of email that entices people to click.

 

1 hour ago, CarlBar said:

 

The last thing you want as a company is for your floor level workers to stop trusting management. It's a recipe for company ending disaster.

 

Also to all those saying this is exactly what a phishing scam would actually do. No it's not. Doing this requires specific knowledge of how a company formats it's internal e-mails, what is a non-suspicious sounding bonus amount, and the necessary e-mail addresses actually are. It also requires that they use an actual attack that could get past a spam filter, and the one used should never have gotten past.

 

The only way this could be anything remotely realistic is if management themselves are utterly incompetent in every possibble way about basic internal e-mail security.

You are aware that they didn't send out the email from an internal email address right?  Yes, you can do things like flag all external emails and label them as coming from an outside source...but that also has a downsides...that also doesn't stop a lot of employees from believing trick emails (trust me I tried as an internal test before)

 

Spam filter's can't catch everything, especially if it's a properly crafted spam email.  You can take a more aggressive approach to spam filtering, but then you hit the problem that I've run into (in that it starts filtering too many real emails and you start getting into trouble because employees aren't replying to emails because it's caught up in spam).

 

Did you even read that email as well.  It wasn't specially crafted for each employee or anything special to make it look like an internal email.  It is something anyone who writes corporate emails could easily write.  An actual attack only has to register a similar domain, link it to a service like gsuite and you're set.

 

Spam filters are fallible, even labeling emails from external emails as "external" in their title, people will still fall for it (and it does create other issues in day to day stuff).  Employees are the last line of defense, but you have to test them somehow.

 

32 minutes ago, CarlBar said:

This wasn't from what i understand sent to a handful of well used externally facing e-mail addresses. it went out across a good chunk of the entire company. Many of those e-mail addresses have no external method of being known to a potential phisher

You are missing the point I think.  It's a form of penetration testing (testing your employees)...e.g. You send it to all the front line employees and see who bites...it doesn't matter if a potential phisher knows your entire email list...you still send it to everyone that you want to test because then you learn who needs to be trained more (or let go).

 

It's easy to get different email addresses from companies...and yes you might not get tons of them, but one is all you need (I've personally had a sales rep leak my name/contact to a former customer because they were blacklisted in the system, and my name came up as being the one who blacklisted them)

 

  

9 minutes ago, CarlBar said:

In that sense it's a lot easier to filter this stuff for internal e-mail addresses than it is a regular personal account as said addresses should rarely be getting e-mails from non-company addresses, that makes it dead simple to filter as you can just dump everything not from a company address either into the spam folder or outright delete depending on the content and e-mail address used.

Actually...seriously read the article and get a better clue of what is going on.  Most staff get external emails, and interact with external members.  Spam filter's don't always work, and you seriously have no clue how spam filters work.  They are fallible, and it really is a fine balance of filtering too much vs not filtering enough.

 

Specifically as well notice the words "line level employees" in the article.  Those people deal with a bunch of external people, and there has likely been emails that have slipped through before.

[Bombastinator]

44 minutes ago, wanderingfool2 said:

 Honestly, I think this is a perfect kind of email to entrap employees and make them think.  I've seen way too many employees that don't even give a second thought to who the email is originally coming from.  While it might be "cruel", it's exactly the kind of email that entices people to click.

 

You are aware that they didn't send out the email from an internal email address right?  Yes, you can do things like flag all external emails and label them as coming from an outside source...but that also has a downsides...that also doesn't stop a lot of employees from believing trick emails (trust me I tried as an internal test before)

 

Spam filter's can't catch everything, especially if it's a properly crafted spam email.  You can take a more aggressive approach to spam filtering, but then you hit the problem that I've run into (in that it starts filtering too many real emails and you start getting into trouble because employees aren't replying to emails because it's caught up in spam).

 

Did you even read that email as well.  It wasn't specially crafted for each employee or anything special to make it look like an internal email.  It is something anyone who writes corporate emails could easily write.  An actual attack only has to register a similar domain, link it to a service like gsuite and you're set.

 

Spam filters are fallible, even labeling emails from external emails as "external" in their title, people will still fall for it (and it does create other issues in day to day stuff).  Employees are the last line of defense, but you have to test them somehow.

 

You are missing the point I think.  It's a form of penetration testing (testing your employees)...e.g. You send it to all the front line employees and see who bites...it doesn't matter if a potential phisher knows your entire email list...you still send it to everyone that you want to test because then you learn who needs to be trained more (or let go).

 

It's easy to get different email addresses from companies...and yes you might not get tons of them, but one is all you need (I've personally had a sales rep leak my name/contact to a former customer because they were blacklisted in the system, and my name came up as being the one who blacklisted them)

 

  

Actually...seriously read the article and get a better clue of what is going on.  Most staff get external emails, and interact with external members.  Spam filter's don't always work, and you seriously have no clue how spam filters work.  They are fallible, and it really is a fine balance of filtering too much vs not filtering enough.

 

Specifically as well notice the words "line level employees" in the article.  Those people deal with a bunch of external people, and there has likely been emails that have slipped through before.

So by that logic there should never be any spam ever and the entire concept of social engineering is pointless.  As for the the need for specific addresses thing, you know how spam works right?

 

NOTE:  somehow the wrong reply got quoted here.  Was supposed to be a rebuttal to @CarlBar’s reply to my reply.

[WereCatf]

23 minutes ago, CarlBar said:

I may get the odd phishing scam in my inbox

So, you admit that occasionally spam gets through? Welp, good job on shooting your own argument down!

 

24 minutes ago, CarlBar said:

And a company e-mail dealing with bonuses has it way easier as a bonus announcement that closely fakes the companies own formatting has a lot less room for the usual variation used to get past regular spam filters by regular phishing scams

See above: sometimes these things get through! Besides which, it doesn't have to be pixel-perfect and it doesn't even have to look the same as an official one would. All it needs to do is to look official enough to fool a human!

 

27 minutes ago, CarlBar said:

that makes it dead simple to filter as you can just dump everything not from a company address either into the spam folder or outright delete depending on the content and e-mail address used

If it was so dead-simple, false positives wouldn't be a thing. Alas, they are a thing!

 

28 minutes ago, CarlBar said:

You know just like the spam filters on my yahoo and outlook accounts do

The same filters that just literally let emails from "Chase" and "iCloud" through last night on my account? Hmmmmmmmmmmmm.

[wanderingfool2]

13 minutes ago, Bombastinator said:

So by that logic there should never be any spam ever and the entire concept of social engineering is pointless.  As for the the need for specific addresses thing, you know how spam works right?

I'm really tired at the moment, so maybe not wording things correctly.  Which part of my post makes you think that?  From what I've read of your posts, I think we are agreement (and our posts line up).

 

Given that I said the following "Spam filter's don't always work, and you seriously have no clue how spam filters work.  They are fallible, and it really is a fine balance of filtering too much vs not filtering enough."  (I'm beginning to think it was a misquote and you meant to quote Carl's reply?)

 

I'll say it again.  Spam filters are fallible.  These kinds of emails are a way to do penetration testing (at an employee level).   It's perfectly reasonable to test multiple employees at once, even if the scenario would be that a phisher would only have initial access to a few emails...because you are only as strong as your weakest link (in terms of employees)

[Bombastinator]

13 minutes ago, wanderingfool2 said:

I'm really tired at the moment, so maybe not wording things correctly.  Which part of my post makes you think that?  From what I've read of your posts, I think we are agreement (and our posts line up).

 

Given that I said the following "Spam filter's don't always work, and you seriously have no clue how spam filters work.  They are fallible, and it really is a fine balance of filtering too much vs not filtering enough."  (I'm beginning to think it was a misquote and you meant to quote Carl's reply?)

 

I'll say it again.  Spam filters are fallible.  These kinds of emails are a way to do penetration testing (at an employee level).   It's perfectly reasonable to test multiple employees at once, even if the scenario would be that a phisher would only have initial access to a few emails...because you are only as strong as your weakest link (in terms of employees)

I wasn’t replying to your post I was replying to @carlbar.  Or at least I intended to.  I don’t know how you got quoted.  Apologies.

[wanderingfool2]

7 minutes ago, Bombastinator said:

I wasn’t replying to your post I was replying to @carlbar.  Or at least I intended to.  I don’t know how you got quoted.  Apologies.

lol, it's okay...more I reread your post the more I figured it was likely meant for him.  (I'm guessing I posted at the time you were hitting the quote button, which is how it happened)

[CarlBar]

@Bombastinator & @wanderingfool2 & @WereCatf

 

I think somethings gotten lost along the way in what i was trying to say. The point is a real phishing scam has things in it's way that force it to do stuff to get around those things that make it much easier to detect for the human at the other end. Thats why i pointed out that some things do get through my spam filter. The things that get through have a lot more wrong with them than just 2 wrong letters in the e-mail address.

 

Add-on things like private internal e-mail addresses and external entity couldn't know and issues of matching addresses to pay levels and you've added yet more layers that make it harder for a phishing scam to produce an e-mail with so little suspicious about it.

 

The human bullshit filter by it's nature, (and much like computer spam filters), has to make certain assumptions, and the human mind is not perfect in it's ability to spot warning signs. The whole point of so many measures, (intentional or otherwise), in the path of pulling somthing like this off is to make it so any attempt that makes it to an employee is harder to miss, and knowing this people are much less likely to pick up on super low suspicion things.

 

The problem here is that whilst the attack worked, it did so by exploiting assumptions, (conscious or subconscious), amongst the employees about what was possibble, and it did so by bypassing other measures that justified those assumptions. A real phishing attack could not do this so it's neither a useful test of your security nor a useful teaching tool for your employees.

 

It's simply setting up the employees to fail for no purpose.

[Tristerin]

I mean...it was socially engineered beautifully to elicit an emotion, then reaction, which could lead to someone making it into the godaddy environment. 

 

Can fault them for being effective.  While distasteful, I wouldnt call this a scam at all.  Just well engineered to get the response they wanted to make people aware of, while at work, in an company ecosystem, that they need to be leery of phishing attempts.

[CarlBar]

7 minutes ago, Tristerin said:

I mean...it was socially engineered beautifully to elicit an emotion, then reaction, which could lead to someone making it into the godaddy environment. 

 

Can fault them for being effective.  While distasteful, I wouldnt call this a scam at all.  Just well engineered to get the response they wanted to make people aware of, while at work, in an company ecosystem, that they need to be leery of phishing attempts.

 

The problem is the way it was done is going to result in endless false positives as it teaches people the wrong lesson, they're going to be looking for things that should never reach them and not looking as hard for the kind of things that could reach them that are a phishing scam. It's amongst the worst possibble ways of raising awareness because it puts people on guard against the wrong thing whilst making them less likely to pay attention to what they should be looking out for.

[StDragon]

I'm an IT administrator and coordinator for an MSP (Managed Service Provider), so I have some first-hand perspective of what goes on in the industry. That said, all too often people fall prey to phishing e-mails regardless of how credentialed they are. I've seen it with engineers, executives, people holding PhDs, etc. It's not so much an exploit of intelligence as it is human behavior. People are a creature of habits and emotions. When you strip away the technological aspect of the topic, Phishing is just a form of social engineering to play on people's emotional reaction. A good hacker understands this and will exploit their victim like some magnificent Stradivarius. For a good read on this very topic, I highly recommend a book titled 'The Art of Deception' by Kevin Mitnick.

 

The fact is, criminal activity is mainstream on the web, and companies like Godaddy owe it to their customer to ensure the products and services they offer are safe and secure. But they can't do that if their own employees aren't tasked to do the job. As much of a dick move that this was, these employees need to buck up and accept this as part of the job. They're not paid minimum wage nor working on something as mindless as flipping burgers. If you work for Godaddy, chances are you've got both customer and technical skillsets. As an employee, if you fell for this phishing attempt, you only have yourself to blame.

 

For the rest of you, let this be a lesson! Real threats can arrive internally and not just from the outside. In many ways, we have Godaddy to thank for falling on the sword for their reputation. As a customer, this makes me more likely to recommend Godaddy, not less. Unlike Solarwinds that failed so bad, their stock took a dump as well as their reputation. I don't think their employees are too happy now.

 

In closing, it's really holds true that the best lessons learned in life are formulated from the mistakes you've made in the past. I hope these employees and everyone else paying attention learned something valuable from all this.  

 

 

[TorC]

GoDaddy's timing (given the pandemic and holidays) was terrible.  The lesson -- unfeeling but necessary.

[poochyena]

10 hours ago, CarlBar said:

The same way spam filters have been filtering out suspect e-mails for years?

SPAM filter, not phishing filter. They detect SPAM, which is email sent in large volume. They don't detect single individually crafted emails.

ugh.

[CarlBar]

1 hour ago, poochyena said:

SPAM filter, not phishing filter. They detect SPAM, which is email sent in large volume. They don't detect single individually crafted emails.

ugh.

 

Um actually they do, all the damm time. A modern spam filter, filters out all known bad e-mail addresses, message contents and intelligently filters e-mail addresses and contents resembling commonly used formatting for legitimate companies that are sent from addresses not associated with said official entity. Not that an e-mail sent out to this many individuals doesn't count as spam as well.

[Bombastinator]

28 minutes ago, DutchGuyTom said:

My 2 cents:

 

I think that the topic and timing was insensitive and they could have written a fake phishing email that didn't involve offering a bonus.

 

That said, this shouldn't be the scandal that it has become online. I certainly don't think this justifies Verge awarding them the Most Evil Company of the Year award (I am sure there are more evil companies out there).

 

While insensitive, phishing scams are a serious liability and companies have to defend against them. It could cost them millions otherwise.

This whole thing has mostly merely lowered my opinion of reporting by Verge, which was already in some jeopardy.

[Lh2p]

I'll tell you first hand they sent it from an internal email. They did not send it from an external email as it's claimed... 

[TetraSky]

9 minutes ago, Lh2p said:

I'll tell you first hand they sent it from an internal email. They did not send it from an external email as it's claimed... 

 

Hmm, Interesting.

On that screenshot, the c and l are not separated at all and appears as a proper d.

I wonder if that's just the way the formatting is handling on mobile devices.

[Lh2p]

Nope not fake or edited. They legit sent it from an internal email. Then a few days later sent the email out to everyone about how they failed the test. Then sent a 3rd email to clarify that they accidently sent the you failed email to everyone. Absolute madness and unprofessionallism. Blurred my own email for my own reasons. 

[GoodBytes]

If the employers doesn't trust its employees, then you have a problem. As now the employees will not trust its employers anymore, kill moral, and things will fall apart beyond repair. That said, GoDaddy is already a shit service, so this is most likely an issue already.

 

That said, their aggressive marketing campaign, and shitty business model seems to be working well for them (offer a super low price service, and then jack up the price beyond the competition, once your site is all setup with them (basically 1 year later) locking you in). This is a similar tactic that Oracle does. Offers very low and compelling pricing... once you ties your project with their solutions, BANG now you have these massive license pricing, making companies forced to pay up these ridicules fees, as you can't quickly change to another solution. Sadly, this tactic also works for Oracle.

 

[TetraSky]

17 minutes ago, Lh2p said:

Nope not fake or edited. They legit sent it from an internal email. Then a few days later sent the email out to everyone about how they failed the test. Then sent a 3rd email to clarify that they accidently sent the you failed email to everyone. Absolute madness and unprofessionallism. Blurred my own email for my own reasons. 

So, considering you have access to this email, is it safe to assume you are an employee of GoDaddy ?
Would it be possible to check that email on a desktop PC and see if the email's domain really is as shown on mobile? Since the news shows it as "GoCLaddy.com", but you're showing "GoDaddy.com".

This would at least help rule out whether or not it truly was sent from internal or external email, as we're getting conflicted information here.

 

Also another question.

Is this your personal email, like Gmail/Hotmail/Outlook, or an internal email that was handed out to you as an employee and is only used for work, within the same domain as GoDaddy and is obviously not public knowledge to anyone outside of the company? If it's an internal email, how easy is it to obtain the emails of all the employees?