Yesterday I received this email supposedly from Godaddy, a domain registrar I occasionally use. It says ‘Your account contains more than 3259 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation’.
It is followed by a convenient link to where I should login and fix the issue.
Now the first red flag this raises is the fact that I use Godaddy as a registrar and not as a hosting provider. Hence there is no possibility that my account can create a directory let alone 3259 directories. Creating directories is an activity only available if you are hosting a website there.
This alone gave me a clue as to it being a phish. Another red flag is that the email itself supposedly comes from a hosting provider which guarantees you will pay attention immediately. Any alert email from Godaddy would be important to me as I have a few domains registered there.
Here is the website it goes to when that link is clicked:
Other than a slight typo at the footer and the fact it doesn’t have as many (annoying) advertisements as usual, it looks about as much a typical Godaddy login page as it can be.
It’s easy to miss any red flags, especially if you have an account there and you want to fix any issues, but if you take a closer look at the URL:
The domain is SWTEST.RU. This is the final red flag that tells you this site is bogus.
So here’s the complete list of observations I had to help anyone else who might fall for phishing emails such as this:
1.) The ‘from’ email address can be aliased, which means it can be made to appear as coming from godaddy.com when it actually is not. This is an old trick.
2.) The link the email supplies can also be faked. It is easy to write a link whose visible text looks legit while the actual destination URL is different. In Gmail, click MORE > Show Original to view the source email. I did not check this myself. This is to show how easily it can be done.
3.) The links on the fake website are all the same, leading to itself.
4.) I do not use Godaddy’s hosting service, only their registrar services. This is specific to myself, but it might also apply to others who may receive a similar notice from a company they use. It is important to qualify which of the services or products you actually use and which you do not.
5.) The email is an alert from an important service. Godaddy is a domain registrar and is therefore where important details of domains I own are kept. Any email from them is a priority, which is why malicious email authors would want to use that to trick people into going to their site, where their passwords are stolen.
6.) And finally, LOOK AT THE URL. By far this is the best and most efficient way of determining a phishing attempt. If the notice is from Godaddy, the link should go to godaddy.com and nowhere else.
What to do?
Before deleting the email, attempt to notify your email provider or at least mark it as spam. On Gmail it’s as easy as clicking MORE > Report phishing.