28 thoughts on “BULLETIN: Godaddy.com Phishing Scam. Don’t Click Email!!”

  1. Observer

    Domain registrars should stop asking domain holders to click on the links in their emails. That’s a stupid practice.

  2. petrogold

    It is known that warning “Not to Click” will rather produce more clicks. Rick, may we know more about the Scam. Gratefully,

  3. Pitbull

    Thanks Rick… Very timely post, as I just got your email at the same time as the Godaddy email…

  4. Jay

    Shoot, good heads up – I never even thought about avoiding links from emails from my registrars. Thanks Rick! I put up my 2nd blog post yesterday talking about how to avoid domain name scams, I’ll have to add this one and I’ll make sure to give credit.

  5. CN

    Well there is this Phishing email but now there is also a 2 Step Verification Email being sent out by Godaddy. Once you register a new domain, you have to verify the whois by clicking on the link sent out in the email by Godaddy. So one needs to carefully check whether it’s a general phishing email or a legitimate email when you register a new domain. Now registering a new domain will show as Pending Whois Verification till a point you verify either via email or I guess the other option is via telephone.

  6. Ben

    “Well there is this Phishing email but now there is also a 2 Step Verification Email being sent out by Godaddy. Once you register a new domain, you have to verify the whois by clicking on the link sent out in the email by Godaddy.”

    Could GoDaddy confirm this? Is that right or is that phishing scam as well?

  7. Acro

    GoDaddy started sending out legitimate verification emails, as required by new mandates by ICANN.

    The process involves clicking on a link emailed *once* to the email address that has yet to be verified. NO LOGIN IS REQUIRED in this case, as the click confirms the email using a hashed string.

    So the good news: the legitimate email from GoDaddy requires no login.
    The bad news: the legitimate email from GoDaddy requires no login.

    This paradox signifies that when user interaction is mandatory, the phishing attacks have an advantage.

  8. Acro

    If you clicked and no login was presented but ended up on the GoDaddy page confirming your confirmation, it was a legitimate email.

    If you clicked and you were asked to log in, you are going to have to change your login info immediately, and/or contact support.

  9. Louise

    @ Acro, you don’t need to log in with the verification, because you are ALREADY logged in, having just registered a domain name. Can you confirm this? Register a domain; log out, THEN try clicking the link on the confirmation email.

    My experience shows, since you are logged in to begin with, you don’t need to enter your username and psswd.

  10. Acro

    Louise, that’s not correct, so please take my statement above as fully accurate: The legitimate email does not require one to be logged in.

  11. Rick Schwartz

    I am not smart enough to figure out the genuine from the fake. So I think GoDaddy and whoever gets hit next, needs to add some clarity. I deleted the TWO I have gotten so far. I don’t intend on answering/clicking any of them. I think they need to figure out another way. Not going to happen.

  12. BullS

    First they hit you on top, then below, then at your back and now they want to steal your soul.

    gosh…more BS on the internet

  13. Robbie

    Rick, godaddy forces you to click the link pretty much, otherwise the domain is unable to have its nameservers changed, nor can you move it or sell it etc…

    I got this email on Friday, it looked legit, I called in, the guy in the tech call center, said they’d been dealing with calls all day. It looked like a phoney email, but everything checked back legit. It took the scammers 2 days to get a game plan, and try to trick most likely large domain holders. It is a new icann mandated procedure, really there has to be a better way. No just wait for the new gtld scams, with their .anything emails…

    If anyone has any doubts of what they clicked, a simple fix, CHANGE YOUR PASSWORD!

  14. Jagan

    Hello Sridhar,
    If you clicked & it took you to a page that looked like godaddy login page, you need to immediately change your godaddy.com password & turn on 2 step verification so that if someone tries to log into your account you will receive a phone call. You might also want to call godaddy & tell them to put a hold on your account for the next 30-60 days so that you can plan your next move. Best regards.

  15. Louise

    Okay, but I wanted to posit it. We’re having a discussion. When my bank emails me a link to my account, I have to log in. When I sign up for gmail and receive a confirmation email, either I’m logged in, and the confirmation goes through, or I have to log in.

    It doesn’t sound secure if you can just click a link without logging in.

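Added example, not part of any comment and not GoDaddy's code: a generic sketch of a confirmation link that "confirms the email using a hashed string" without a login, as discussed in comments 7 and 15. The key, lifetime, and function names are assumptions; the point is that such a token can only confirm one address, once, and never involves a password.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the registrar
TOKEN_TTL = 15 * 24 * 3600            # assumption: link lifetime, in seconds
_pending = {}                         # token id -> (email, expiry); stands in for a database


def _mac(token_id, email):
    # The purpose string binds the MAC to this one action (email confirmation).
    msg = f"verify-email|{token_id}|{email}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Build the opaque string placed in the emailed link."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)
    _pending[token_id] = (email, now + TOKEN_TTL)
    return f"{token_id}.{_mac(token_id, email)}"


def confirm_email(token, now=None):
    """Return the confirmed address or None; never asks for or accepts a password."""
    now = time.time() if now is None else now
    token_id, _, mac = token.partition(".")
    record = _pending.get(token_id)
    if record is None:
        return None                      # unknown token, or already used
    email, expiry = record
    if not hmac.compare_digest(mac.encode(), _mac(token_id, email).encode()):
        return None                      # altered link: the real token stays usable
    del _pending[token_id]               # single use, even when expired
    return email if now <= expiry else None
```

Because the handler has no password field at all, a page reached from a "verification" email that asks for credentials is not this flow.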
  16. NEIL@LegalWeed.TV

    Rick,
    Mr. Observer is perfectly right. God-Bless.org!
    This is a malicious practice of ugly dictators registrars, you know better than us.
    They are harassing us like we are soliciting the domain names, not paying for them a lot of money…
    If you do not click, the nasty registrar is BLOCKING YOUR ACCOUNT.
    That’s why Colorado legalized marijuana, for d-o-l-l-a-r.com, not for induced dizziness…The registrars did not get it…
    Rick, if you allow me, Happy New Year 2014 to all Domainers!
    Huge TargetedTraffic.com on your domains!
    DiamondsHub.com and eGoldGold.com to be in your houses! Kind regards, Neil

  17. Ramahn

    Acro beat me to it and is 100% correct. For new regs, Godaddy will send an email requiring you to click a link to verify your email. No login is required tho. It’s legit.

    The rule of thumb is to NEVER give out your password.

  18. Cyborg

    A heads up to those who register with Godaddy…

    The landing page of ‘godaddy.com’ does not redirect to https so you’ll risk exposing your credentials without encryption when you submit them.

    Be sure that you are on SSL when you login by specifically going to https://www.godaddy.com

    This is important for this type of phishing scam because they most likely do not have SSL encryption on the fake login…though they might. Pay attention.

  19. MAGOOgle

    If anyone is stupid enough to click on a link from “any email” without at least looking at the “link code”, and/or the “header of the email”, you deserve what you get. Your malware scanner and antivirus will never save you from yourself.

    That being said, some of these companies need to keep emails coming from company looking addresses. YouTube is very bad with that (example: youtu.be is legit but does not look it and they have used it in emails).

    Folks, this crap is “not new”. If you want to survive, you better act in your own best interest. Nobody will do it for you.

  20. Ramahn

    Correct Mag, and the email godaddy used in the verification link they sent me was ‘sales@godaddy.com’. The same email used for normal domain registration receipts.

