
{Updated} GoDaddy scamming its employees out of a bonus

TetraSky

It's a great idea. This is exactly the sort of phishing email that attackers would use on their employees.

 

It's absolutely not "scamming them out of a bonus". What an absurd take. It's a training exercise.


7 hours ago, LAwLz said:

Spoofing an internal email address is easy. If you give me your email address I'll send you an email from lawlz@LinusTechTips.com if you want. Checking the sender provides essentially 0 additional security since spoofing a sender is usually very easy. The "from" field in an email provides as much authentication as the "from" field on a postcard.

 

LinusTechTips.com has a pretty tight SPF record... so if you send it from anything other than 192.99.56.40 it would likely fail (well, be detected as spam). I can also speak in terms of the organization I worked with before... we set up the Exchange server to reject any internal emails that originated from an outside source. Not saying that it invalidates as much (given it could potentially be a compromised account)... but if your organization's email domain is set up correctly, you should not be able to send a spoofed internal email.

 

Realistically though, I think at this time there isn't enough information to go on to say whether it was the employees' fault or GoDaddy's. Although, if it was sent with a godaddy.com email address then yeah... it is a lot more of a jerk move (because regardless of whether or not the employees figured out something was off, it set up false hopes). The part that puts this on the fence for me is I don't know whether they were flagging people for just clicking the link, or actually putting in information. If they got people for putting in their information, then yeah, 100% it's on the employees.

 

e.g. Does HR send out links commonly? (I know I've been at companies that have sent out links and expected employees to follow them and do training courses... it was to really weird URLs and I actually asked my superiors when I first came across it.) If GoDaddy does similar things, or has in the past, then having a user click a link from an internal email isn't the employee's fault. If however GoDaddy never has done so... it's still a bit hit and miss in my opinion. I do get that there could be a virus or something... but that becomes a lot harder (given that means the phisher would have to have compromised someone already, registered a similar domain, and exploited an unpatched RCE). [i.e. if they had just opened a webpage I would be more forgiving]

  

8 hours ago, Lh2p said:

100% came from an internal email. Gocladdy.com was the link when you hovered over those links, which is still a signal that should stop people. I'm all for these kinds of tests, but it could have used any other incentive and actually emulated a real phishing.


Actually, this would be similar to a real world scenario (if someone had been compromised and the phishers sent out an email to the list).

 

Curiosity's sake though, not doubting what you have said... just would like clarification on a few things:

1) Did they flag people who clicked on the link, or just people who proceeded to put in information

2) Does HR or such send out things like links and such typically in emails? (I know my old work place did)


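The two controls wanderingfool2 describes above, an SPF record that only authorises one sending IP and an Exchange rule that rejects mail claiming the internal domain when it arrives from outside, are shown below as an added example; this is not code from the thread or from GoDaddy/LinusTechTips. The SPF record text, the attacker domain example-phisher.test and the IPs other than 192.99.56.40 are constructed for the example, not real published records. The evaluator handles only ip4/ip6 and all mechanisms; include, a, mx and redirect are left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed SPF records for the example. The 192.99.56.40 address is the one
# mentioned in the thread; the record text itself is an assumption, not
# LinusTechTips.com's real published TXT record, and example-phisher.test is a
# made-up attacker domain on the reserved .test TLD.
SPF_RECORDS = {
    "linustechtips.com": "v=spf1 ip4:192.99.56.40 -all",
    "example-phisher.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate an SPF record the way a receiving MTA does: walk the mechanisms
    left to right and return the qualifier of the first one that matches the
    connecting IP. Handles ip4/ip6 (with optional CIDR) and all; include, a,
    mx, exists and redirect are deliberately out of scope in this example."""
    record = records.get(domain.lower())
    if record is None:
        return "none"          # no SPF record published for the envelope domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"        # a mechanism without an explicit qualifier means "+"
        if term[0] in _QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return _QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP becomes /32 or /128
            if net.version == ip.version and ip in net:
                return _QUALIFIER[qualifier]
            continue
        raise ValueError(f"unsupported SPF mechanism in this example: {name}")
    return "neutral"           # RFC 7208: nothing matched and no 'all' present


@dataclass
class InboundMessage:
    client_ip: str                  # IP of the MTA that connected to us
    mail_from_domain: str           # envelope sender domain (RFC5321.MailFrom); this is what SPF checks
    header_from_domain: str         # domain in the From: header the recipient actually sees
    authenticated_submission: bool  # True if it came in over our authenticated submission path


def gateway_decision(msg, our_domain, records=SPF_RECORDS):
    """Inbound policy modelled on the post: mail claiming our own domain must
    arrive via authenticated submission rather than an outside connection, and
    envelope senders that fail SPF are rejected. Returns (action, reason)."""
    our_domain = our_domain.lower()
    if msg.authenticated_submission:
        return ("accept", "authenticated internal submission")
    if msg.header_from_domain.lower() == our_domain:
        # The "reject internal addresses from outside" rule. This is what stops
        # a From:-header spoof; SPF alone would not, because SPF only looks at
        # the envelope domain, which the attacker controls.
        return ("reject", "our own domain in From: header on an external connection")
    spf = evaluate_spf(msg.mail_from_domain, msg.client_ip, records)
    if spf == "fail":
        return ("reject", "SPF fail for envelope domain " + msg.mail_from_domain)
    if spf == "softfail":
        return ("quarantine", "SPF softfail for envelope domain " + msg.mail_from_domain)
    if msg.header_from_domain.lower() != msg.mail_from_domain.lower():
        # SPF passed, but for a different domain than the one displayed. That is
        # the alignment gap DMARC closes; flag it instead of trusting the pass.
        return ("accept-flag", f"SPF {spf} but From: domain not aligned with envelope")
    return ("accept", "SPF " + spf)


if __name__ == "__main__":
    us = "linustechtips.com"
    samples = [
        InboundMessage("192.99.56.40", us, us, True),                         # real internal mail
        InboundMessage("198.51.100.7", us, us, False),                        # outsider spoofing our domain
        InboundMessage("203.0.113.9", "example-phisher.test", us, False),     # valid SPF, spoofed From:
        InboundMessage("203.0.113.9", "example-phisher.test",
                       "example-phisher.test", False),                        # lookalike domain, passes
    ]
    for m in samples:
        print(m.client_ip, m.mail_from_domain, m.header_from_domain, "->", gateway_decision(m, us))
```

The last sample is the case the thread's Gocladdy.com link illustrates: a phisher sending from a domain they own, with their own correct SPF record, passes every check above. SPF and the internal-domain rule stop spoofing of the real domain; they do nothing against a lookalike, which is why hovering over the link still matters.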

@wanderingfool2 Thanks for addressing that. The thing with anything like this is that people see what they expect to see. If you present someone with a fakeout that doesn't obviously have any warning signs, odds are they will never spot it, and a good security system takes this into account and is set up such that it either minimises the consequences or, better yet, prevents the employee from having the opportunity to make the

 

@Lawlz: The point isn't that people aren't responsible for their actions, but there's a difference between at fault and responsible. I'll pick some safety culture examples because details on that sort of thing are a lot easier to find (generally when your security goes wrong you don't make public all the measures they bypassed, for future security purposes, so it's harder to find the kind of detail I'm talking about), which demonstrate the difference between making an error and being responsible.

 

A few decades back when Boeing introduced the 737-400 series one of the first aircraft crash landed on the M1 here in the UK. The ultimate sequence of events was determined to be an engine failure that was misdiagnosed by the pilots, resulting in them shutting down the wrong engine, and when the damaged engine failed on approach to an emergency landing the aircraft crashed. But whilst they were considered at fault, they were not ultimately held to be responsible, as they'd made the mistakes due to a combination of aircraft design feature changes of which they were unaware and a significantly altered instrument panel that made the information they needed to diagnose the issue correctly difficult to comprehend (several changes were implemented in safety regulations after this to prevent just such a thing from occurring again). They were ultimately considered to have made a reasonable error under the circumstances.

 

I can't speak for the PayPal e-mail you brought up as I haven't used them in donkey's years. But here are the obvious questions.

 

1. Did it use a proper PayPal e-mail address, or one that takes more than a casual glance to spot as wrong?

 

2. Was it laid out and formatted like a normal PayPal e-mail?

 

3. Does PayPal legitimately send you hyperlinks in your e-mails to follow?

 

4. Did whatever website the link sent you to look indistinguishable from the real PayPal website?

 

If yes to all 4, had you done so you would be at fault, but not ultimately responsible, as you would have made a reasonable error. That may not help you get your money back unfortunately, but when you're assigning blame it actually matters.

 

You'll note that at no point have I addressed any serious questions about their internal security setup. I've assumed all along that it's competent and thus it should be relatively hard to mass spam the entire company with a bad e-mail, have the most common and realistic ones make it through a spam filter, and (to name one of several more possibilities) get the required information to make reasonable sounding propositions, etc.

 

If I wanted to get critical I'd

 

A) start by asking if there are any significant number of people in the company that don't receive a great deal of stuff by internal e-mail. If so they don't need an internal e-mail account and can receive anything that they would have got before via their managers. Someone without an internal e-mail account can't fall for this.

 

B) Of those that do need an internal e-mail account, how many actually need to be able to receive external e-mails to do their job? Again, if they can't receive it they can't make a mistake (and any vector that relies on an internal breach to disseminate is probably going to fall under reasonable error).

 

C) Of those that need to receive external e-mails, how many need to be able to access the internet to do their jobs? If they can't follow the bad links they can't do any harm (this doesn't stop virus attachments, but it's a big step against phishing scams and I'm focusing my questions on the e-mail phishing rather than e-mail attachment side).

 

D) Of those that need to receive external e-mails and need internet access at the same time, how many need to be able to see hyperlinks and raw web addresses in their e-mails? If they never get the link or address they can't follow it to screw up. (Hint: if you're remotely serious about security the list of accounts that can do this should be hyper restricted.)

 

E) For those that need web access and to be able to receive external e-mails with visible web addresses and hyperlinks, is there a robust system in place for them to report bad e-mails to someone who can then take remedial action (warning employees, getting the spam filter updated, etc.), and is there a system in place to deal with any employees who may have been fooled in the meantime?

 

I'll stop there but I imagine you can think of some more. A good security system tries to make it so that even if the human gets it wrong it has no negative consequences, because humans get things wrong all the time. Good security, as much as possible (emphasis on the possible part, it isn't always, I acknowledge), does not rely on humans getting things right to function.


And I should see GoDaddy in a bad light because...

Really don't see the issue here, dumb people acted dumbly. The blame is solely on them. Imagine if it was a real phishing attack and resulted in a data breach, you'd all be screaming from the top of your lungs that GoDaddy is responsible for the breach.

Frankly if I was in a leadership position in GD I'd fire all those who failed the test, too much of a risk to keep around.

 


8 hours ago, wanderingfool2 said:

Curiosity's sake though, not doubting what you have said... just would like clarification on a few things:

1) Did they flag people who clicked on the link, or just people who proceeded to put in information

2) Does HR or such send out things like links and such typically in emails? (I know my old work place did)

Well, they flagged everyone on mistake... Hahah, and yeah, everything they send out is full of links.

