csoonline.com just published a troubling post on how easy it was to gain control of a domain name, and of a GoDaddy account, that the attacker did not own. The author of the story, Steve Ragan, tells how he asked Vinny Troia, CEO of Night Lion Security, to try to take control of the author’s domain name and GoDaddy account.
The story is entitled “GoDaddy accounts vulnerable to social engineering and Photoshop” and subtitled “GoDaddy’s layered verification protections defeated by a phone call and four hours in Photoshop”.
Here are the highlights:
“On Tuesday, my personal account at GoDaddy was compromised. I knew it was coming, but considering the layered account protections used by the world’s largest domain registrar, I didn’t think my attacker would be successful.
I was wrong. He was able to gain control over my account within days, and all he needed to do was speak to customer support and submit a Photoshopped ID.
Sometimes, customers forget their account number or password; perhaps they forget what email they’ve used to register a domain. In either case, GoDaddy’s support staff are there to assist.
According to GoDaddy support, account resets are a simple process. If you’ve forgotten your username or customer number, you simply select the correct link at the login screen or account assistance page. However, you can also call customer support and complete the process over the phone.
Depending on the circumstances, a phone call will resolve most account related problems, provided you know your domain, the email address on file, customer number (or username), street address on file, or the last four digits of the credit card used on the account.
“Initiating the takeover was a relatively simple process,” said Mr. Troia. “I called GoDaddy and explained that I no longer had access to my domain. We reviewed and verified the WHOIS information – which really consisted of me reciting the WHOIS information back to the representative.”
“She asked if I had access to the email address on file, which I obviously did not. I explained that there were a lot of office politics at the moment that I didn’t feel like getting into. Long story short, it was my domain and I wanted access to it.”
“Resetting a username and password seems reasonable, provided the customer isn’t being pushy and can justify a lack of information. That’s what Mr. Troia did. He justified a lack of information by playing the frustrated executive.”
“She asked me to verify the PIN, which I didn’t have.
She then asked me to verify the last four digits of the credit card used to purchase the domain, which I also didn’t have.
I explained to her that I’d asked my assistant to set up the domain for me,” Mr. Troia said, continuing his explanation.
Mr. Troia told GoDaddy’s support representative that his “assistant” had said he’d used a card ending in four random numbers.
The numbers he gave the representative were made-up on the spot. Naturally, those numbers were incorrect and that verification step failed.
Adding to this, the support representative was told that the assistant didn’t remember setting up a PIN.
“I was directed to a website where I could fill out a form and request access,” Mr. Troia said.
If none of the account information is available during a reset request, GoDaddy will allow customers to use a change of account (or email) form.
This form requires that you provide a copy of a government-issued ID, such as a passport, military ID, or driver’s license, in order to prove you’re who you say you are. If the domain in question isn’t a personal domain, then business information is required as well. The entire process is completed online.
In order for the attack to work, Mr. Troia created a fake Gmail account, as well as a Google+ profile to match his version of Steve Ragan, the owner of the domain. The email account would be used for password resets. The social media account was simply there to give Troia’s Steve Ragan a presence on the Web.
I knew a few people in Indiana and they both sent me quality pictures of their license. In the end, I found it easier to modify their existing license than to make a new one from scratch. I spent about four hours with the details of the license and getting the shading of the text right.
The form was submitted on Friday, March 13.
On Tuesday afternoon, Mr. Troia received an email asking for additional information. Most of the domains under my account are registered to a business name, which would require additional information.
“I sent an email stating that there was no actual business which they could verify, and that I just put something there because I thought I had to. I sent the email and immediately called right after. The woman I spoke with was super nice. She looked at the email while we were on the phone and said that people use non-existent business names all the time. They just needed the written copy for an audit trail. She authorized the email switch while we were on the phone. Instructions to reset my account password were in my email by the time we hung up,” Mr. Troia said.
There was no document verification performed, and the ID submitted by Mr. Troia used an image that looks nothing like me. From social engineering to the crafted social media profile, fake ID and email account, this was a classic example of a targeted attack from start to finish.
An account takeover such as this allows an attacker to use the hijacked domain to create code-signing certificates. It could be used to impersonate someone’s personal brand, and leverage said brand to target customers, fans, or business partners.
An attacker could develop any number of domains and use them for a watering hole attack, or alter DNS and direct visitors to a server under their control.
In fact, such tactics are a favorite of groups such as Lizard Squad and the Syrian Electronic Army, who target hosting accounts for exactly those reasons.
“If [the attackers] wanted to be slick about it, they could gain access, insert their code, create backdoor admin accounts, and return access back to the original owner before they even knew what had happened. The owner would receive the confirmation email, see that their website is still online, and consider it a phishing attack and just delete it,” Mr. Troia said.
GoDaddy isn’t the only major domain registrar to use photo ID as a last resort. Network Solutions also has an ID-based verification, but unlike GoDaddy, the ID and required documents must be faxed over, instead of uploaded. Interestingly enough, one domain registrar, Hover.com, doesn’t allow photo ID as a form of verification, because “anyone could just whip something up in Photoshop.”
Using GoDaddy’s DomainControl and privacy features, which are offered as a value-added service for an additional cost, would only slow a determined attacker. While the public can’t see the registration details, the support staff can. So an attacker armed with public information could abuse the change of account form.
Two-factor authentication isn’t viable either, he said, because if someone hijacks the domain and enables that protection after the fact, then the customer would be left with few options for reacquiring access to the domain.”
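The recovery flow the article describes, modelled as an added example. This is not GoDaddy’s code and not code from the article; the factor names, their classification into public/secret/possession/document, and the five-day hold are assumptions, and the three requests at the bottom are constructed scenarios. The same request is run through a policy in which the change-of-account form is a stand-alone fallback, and through one in which a wrong guess at a secret ends the request and a self-supplied document can only open a delayed, notified hold.

```python
"""Account-recovery policy check (added example, not GoDaddy's code).

Models the checks the article lists: WHOIS details, account PIN, last four
card digits, email on file, and an uploaded photo ID via the
change-of-account form. Factor classes and HOLD_DAYS are assumptions.
"""
from dataclasses import dataclass, field

# How hard each factor is for a stranger to supply (assumed classification).
#   public     : readable from WHOIS or a web search, proves nothing
#   secret     : only the holder should know it; a wrong guess is a signal
#   possession : needs control of a channel already on the account
#   document   : self-supplied image; unverified, it is only as strong as
#                the reviewer's eye, which the article shows is not much
FACTOR_CLASS = {
    "whois_details": "public",
    "account_pin": "secret",
    "card_last4": "secret",
    "email_on_file": "possession",
    "callback_phone_on_file": "possession",
    "photo_id_upload": "document",
}

HOLD_DAYS = 5  # assumed delay before a document-only request can complete


@dataclass
class RecoveryRequest:
    passed: set = field(default_factory=set)  # factors verified correctly
    failed: set = field(default_factory=set)  # factors attempted and wrong


def classes(factors):
    """Map a set of factor names to the set of their classes."""
    return {FACTOR_CLASS[f] for f in factors}


def weak_policy(req):
    """The flow as the article describes it: secrets first, then fall back
    to the change-of-account form, where an ID image plus a plausible
    story is enough. Returns (decision, reason)."""
    if classes(req.passed) & {"secret", "possession"}:
        return "approve", "account factor verified"
    if "document" in classes(req.passed):
        return "approve", "change-of-account form accepted"
    return "deny", "nothing verified"


def hardened_policy(req):
    """Same inputs, three changes: a wrong secret ends the request and
    alerts the contacts already on file; a document never unlocks on its
    own, it only opens a delayed and notified hold; public details count
    for nothing. Returns (decision, reason)."""
    if "secret" in classes(req.failed):
        return "deny", "wrong secret supplied; notify contacts on file"
    if "possession" in classes(req.passed):
        return "approve", "possession of an existing channel shown"
    if "secret" in classes(req.passed):
        return "approve", "secret verified"
    if "document" in classes(req.passed):
        return "hold", f"notify contacts on file; complete after {HOLD_DAYS} days"
    return "deny", "nothing verified"


def evaluate(req):
    """Run both policies so the difference is visible in one call."""
    return {"weak": weak_policy(req), "hardened": hardened_policy(req)}


# Constructed scenarios (illustrative, not data from the article's ticket).
TROIA_STYLE = RecoveryRequest(
    passed={"whois_details", "photo_id_upload"},
    failed={"account_pin", "card_last4"},  # no PIN, four made-up card digits
)
LEGIT_LOST_EMAIL = RecoveryRequest(
    passed={"whois_details", "callback_phone_on_file"},
)
DOCUMENT_ONLY = RecoveryRequest(passed={"photo_id_upload"})

if __name__ == "__main__":
    for name, req in [("attacker", TROIA_STYLE),
                      ("legit caller", LEGIT_LOST_EMAIL),
                      ("document only", DOCUMENT_ONLY)]:
        print(name, evaluate(req))
```

Running it shows the Troia-style request approved by the first policy and denied by the second, because two wrong guesses at secrets are treated as a signal rather than as a reason to offer the form. The caller who can take a callback on the phone number already on file passes both, which is the possession-based check the DTVS comment below describes.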
Davinderpal S Bhatia says
Transferring a domain out of an account is a huge challenge for someone else if the account holder has DTVS (Domain Transfer Validation Service) at GoDaddy. Before any transfer out of the account, a GoDaddy executive has to call a specified number (usually the cellphone of the account holder) and ask for a PIN. Unless someone else has the domain owner’s cellphone and knows the PIN, the domain stays in the account. I am a satisfied customer and find DTVS very reliable.
The problem occurs when you change phone numbers or have other issues. At some point systems break and you have to have some other method of resolution – whatever it is, that’s your vulnerability. This is why corporations use third party services. Of course they’re not foolproof either but there is liability, insurance and other protections in place plus the knowledge these companies should know what they are doing.
Davinderpal S Bhatia says
I was told that a client can change his/her phone number as long as he/she calls from the original phone beforehand. To be on the safe side, the phone number listed in WHOIS should not be the one to be called for the PIN.
I know I may have said this before, but the best security I have found has been with Fabulous.com as they have what I think is a unique method. Never had any trouble with security there, that I know of.
I agree. It’s secure, although it doesn’t scale up, e.g. the executive lock is reserved for a small number of domains in one’s portfolio.
OK, GoDaddy, eNom: time for an employee meeting, and maybe giving the WHOIS number and email a call first, a one-week wait period, and a 60-day transfer-out lockdown.
Every idiot will be trying this now.
Domain Observer says
Using the telephone is a door to a problem in many areas of business, including banking. It is not good at all to give sensitive information over a phone, particularly when the receiver cannot be verified as a legitimate receiver on the phone. How can you verify that the receiver of your info is a legitimate member of a legitimate company? There is no evidence left unless you record the telephone conversation. It should be banned for registrars to get verification data by telephone from a caller who describes himself/herself as the account owner. Whatever a caller says as the reason for not being able to access his/her registered email, that is fishy and should be classified as suspicious and handled with utmost care and caution on the part of the registrar.
Joseph Peterson says
That’s a coincidence. Someone just attempted to hack my account yesterday. Got off the phone with GoDaddy an hour or two ago.
Told you so, Joseph. It’s going to be a matter of time.