Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

GoDaddy Employees Were Told They Were Getting a Holiday Bonus. It Was Actually a Phishing Test. 236

An anonymous reader shares a report (alternative source): "2020 has been a record year for GoDaddy, thanks to you!" the email read. Sent by Happyholiday@Godaddy.com, tucked underneath a glittering banner of a snowflake and stamped with the words "GoDaddy Holiday Party," the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year. "Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!" the email read.

"To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th." But, two days later, the company sent another email. "You're getting this email because you failed our recent phishing test," the company's chief security officer Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training." The follow-up email from Comes said that roughly 500 GoDaddy employees clicked on the holiday bonus email and failed the test. Scottsdale-based GoDaddy, the world's largest domain registrar and web-hosting company, did not respond to repeated requests for comment about the emails. The emails were forwarded to The Copper Courier by three GoDaddy employees.
This discussion has been archived. No new comments can be posted.

GoDaddy Employees Were Told They Were Getting a Holiday Bonus. It Was Actually a Phishing Test.

Comments Filter:
  • Sadistic (Score:5, Insightful)

    by BytePusher ( 209961 ) on Thursday December 24, 2020 @03:28PM (#60863474) Homepage
    Pretending to give your employees a bonus so you can show them they're stupid? And they wonder why anti-tech anti-corporate sentiment is growing...
    • Re:Sadistic (Score:5, Insightful)

      by Anachronous Coward ( 6177134 ) on Thursday December 24, 2020 @03:45PM (#60863524)

      True, but as others have pointed out, it was an effective test. And likely a lesson that won't be forgotten.

      But they shouldn't be surprised if henceforth every email from corporate is reported to security as a phishing attempt. (Something I like to occasionally do when I'm in a bad mood.)

      • Re:Sadistic (Score:5, Insightful)

        by algaeman ( 600564 ) on Thursday December 24, 2020 @04:04PM (#60863588)
        A lesson learned by people who will be looking to leave the organization at the earliest opportunity. This sort of tone deaf stunt while many people are under serious financial stress sounds a lot like a hostile workplace,
        • So, are you claiming that phishing tests shouldn't be realistic? Given the current economic conditions due to COVID-19, it seems to me that actual real phishing attempts are likely to involve financial incentives. And since it's near the end of the year, a bonus certainly sounds realistic.

          Yes, having a windfall yanked away feels bad. And it doesn't matter if it was due to a security test masquerading as a phishing attempt, or if it was a real phishing attempt.

          • If you fail to consider how people will feel about it, do not be surprised when they leave.
          • by dcw3 ( 649211 )

            I'm claiming that when you get set up by your own company, or even when you didn't, but you saw other friends get set up, it sticks with you. You've learned that you can't trust you own internal email & bosses. This was a stupid move.

        • Presumably the people who failed this test were employed by Go Daddy at the time, and thus were likely not struggling due to their own unemployment.

          • by Pitawg ( 85077 )

            Dear Head in Clouds,

            Having a GoDaddy salary, large or not, does not mean the five other unemployed adults under your roof are not feeding off that solitary stream of income, generating the stress and hardship that urged them to click on an email from management discussing extra money.

            --
            With my feet on the ground,
            Non-lonely, Non-jerk

        • If they are incapable of handling a phishing campaign dispassionately, how are they going to catch the real thing?
      • Re:Sadistic (Score:5, Insightful)

        by apoc.famine ( 621563 ) <apoc...famine@@@gmail...com> on Thursday December 24, 2020 @04:14PM (#60863626) Journal

        We had to do some stupid anti-phishing course at work, and all of a week later HR sent out an email that checked pretty much all of the boxes for a phishing attempt. It was just remarkable. I have no idea if the person didn't take the training, or what. I just can't imagine doing that training and then laying out a dozen red flags in an email. (Urgent request to access a company resource to verify tax info, threats that our paychecks might get delayed if we didn't, link to an unfamiliar subdomain, etc.)

        So anyway, even though it was legit we all reported it as a phishing attempt. A day later they sent out a follow-up apologizing for the "tone" in the previous email, but restating what they needed us to do. So we reported that one as well, until they frog-marched the HR rep down to give us the request in person.

        • My sympathies. We get phishing tests regularly, along with threats of unspecified disciplinary actions if you fail them. This is harsh, but may be understandable. What's wrong is that our company uses umpteen outsourced services that send us emails that we are supposed accept as legit. I once asked our security department if there was a list of these we could refer to, and their response was pretty much "duh, shrug, no".

          • Your sec department is failing at their job of proper vendor vetting. I have a list of all IS vendors we've dealt with in the past two years, and another linked list of specific employees at said vendors. One of my vendor vetting questions is "Do you have any challange/accept, PIN, password, or such to verify when doing technical support?"
        • I had a similar experience, except the I-can't-belive-it's-not-phishing email was from the non-IT side of Security. And they did the exact same thing again several months later.

          We also had a big hoopla made about training people to report phishing incidents, except the required mail client plug-in couldn't be installed since it wasn't in the software catalog and regular users can't install arbitrary programs themselves. Technically everyone failed the phishing tests during that people since no one reported.

        • Re:Sadistic (Score:5, Funny)

          by StickyKeys ( 2825659 ) on Thursday December 24, 2020 @07:00PM (#60864048)
          Hold up, you fell for the old "HR rep came in person" scam?
      • by msauve ( 701917 )
        >True, but as others have pointed out, it was an effective test.

        Was it? Or did people examine the headers, and determine it originated from within GoDaddy before responding? And, if the email was received on GoDaddy email accounts, but didn't originate from GoDaddy, then "the company's chief security officer Demetrius Comes" is the one who failed.
        • by Ichijo ( 607641 )

          Or did people examine the headers, and determine it originated from within GoDaddy before responding?

          No need, all they had to do was check the "from:" address and see that it was from gocladdy.com, not godaddy.com. The notice at the top of the message that Outlook prevented display of some of the pictures in the email should have been another red flag.

          Also, it appears that the employees photoshopped the screenshots to obscure this information before sending it to the news organizations. So they screwed up

      • by sjames ( 1099 )

        I have done phishing tests for hire. I find that the old click this to validate your webmail account to be sufficiently effective.

      • They should have paid out the bonuses... to everyone that DIDN'T fall for it and put their information in the form.

    • by DeplorableCodeMonkey ( 4828467 ) on Thursday December 24, 2020 @04:03PM (#60863586)

      Most people I've worked with don't really scan emails before acting on links. What this exercise did was just prove to 500+ employees that the offer of a $650 bonus is all it takes to make them jump right in and click some link without even asking why Payroll is making them click on a link rather than just saying it will be added automatically to their next direct deposit.

      Companies are having to get more aggressive because criminals are getting savvier and employees often still live in la la land.

      • My employer passes email through some third-party service that rewrites the URLs in emails, so I can't tell where the link go.

        • > The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically say it was "Sent by Happyholiday@Godaddy.com."

          It's responding now and the screenshot does not show cl it shows d.

          Other people are saying the video says 'cl' but I don't see it. Maybe /.'ers are running a test...

          I want to know why From: .*GoDaddy.com emails would be allowed into the corporate email system from outside. Don't they know about SP

        • Mine too. It's infuriating. It's part of their APT scanning, but it's just so irritating. Having to click the link to see where it goes is just asinine, and the opposite of the stupid anti-phishing training they inflict on us.

          It's just an extra headache when I want to forward a known safe link to someone outside my organization. I have to click the link in the email I got, pass the APT validation, open the website, copy the URL, head back to email, and finally paste it in.

          So they slow our job down, prevent one of the important tools in spotting phishing from working, provide "training" that tells us to look at URLs carefully, and assume that their APT scanning has a list of all of the known bad URLs in it which is why it's safe to click links that we can't see where they go. Then they send phishing emails to try to catch us.

          Even more hilariously, they occasionally include links in the email which haven't been mangled by the APT scan, which makes them instantly obvious as fake emails. They want us to be using our detective skills and checking URLs, which only works during the tests and no other time, so nobody even thinks of doing it. It's fucking GENIUS!

    • Re:Sadistic (Score:5, Funny)

      by dissy ( 172727 ) on Thursday December 24, 2020 @04:39PM (#60863716)

      From RobMalda@slashclot.org
      To: BytePusher@placeholder.value

      Hello good sir or madam,

      We at slash media would like to show our appreciation of your outstanding comment moderation history, by sending you a one-time 2000LB bag of hot grits as a holiday bonus!

      However we are trapped in the datacenter and would very much like to return home for the holidays to send your bonus.
      We would be very grateful if you could provide a loan of only 100LB of hot grits. We promise to refund it in full as soon we return to the NOC.

      Thank you for your financial assistance in this matter.

    • Do you really think real scammers don't do exactly that? In order for a test to be effective you have to emulate real phishing emails. What is better, get your feelings hurt but learn a lesson you won't soon forget, or at a later time fall for a real phishing scam, cause a major breach and get fired?

       

  • YOUR FIRED! (Score:2, Funny)

    by Que_Ball ( 44131 )
    In a follow up fax you get:

    YOUR FIRED!
  • Dick move (Score:4, Insightful)

    by johannesg ( 664142 ) on Thursday December 24, 2020 @03:30PM (#60863482)

    It seems incredibly ill-advised:

    - Bad for morale, telling your people they get a bonus and then screwing them over like this.

    - Bad advertisement, as apparently email security at godaddy is so bad that mails that come from outside their own network, but with a godaddy domain, are forwarded without so much as a warning (our corporate email system does that).

    I'm even wondering if it's legal. If your employer tells you to click on something, not clicking on that something could be seen as "refusal to work", which at least in my country is a firing offense. And of course, this also means that all subsequent emails from management can safely be ignored. "Oh, I thought it was the phishing thing again and deleted it. Better safe than sorry, right!"

    • Re:Dick move (Score:5, Informative)

      by Nicholas Schumacher ( 21495 ) on Thursday December 24, 2020 @03:42PM (#60863508) Homepage

      One little problem, if you look at the actual story the email did not come in from godaddy.com - is came from Gocladdy.com. If was a well crafted fishing email - the type that companies fall for all the time.

      They had already had official statements sent around the company that the company was not getting bonuses.

      The email did not come in from the godaddy domain - so your email security statement is off base (in fact outlook also gave a message that it was not loading part of the message because it came from outside the organization as well)

      This is why companies have official channels for things to be sent to employees - so they have some way to know if they should read it or not.

      • if you look at the actual story

        Never! This... is... SLASHDOT!!!

        Also, the fine summary does in fact state it came from godaddy.com. And where I work, every email from outside our own domain, gets a huge red banner at the top, so if godaddy doesn't have that they're asking for trouble.

        • And where I work, every email from outside our own domain, gets a huge red banner at the top, so if godaddy doesn't have that they're asking for trouble.

          Mine too. Except for the phishing tests, the IT department has specifically excluded them from getting the big red "THIS CAME FROM OUTSIDE" banner. Not sure why, since the test mails always purport to be from well-known companies that aren't ours. (Citibank, Amazon, etc.)

          On the other hand, the phishing tests all have an X-PHISHTEST: header. Anyone with e

        • If you go to the story, there is a video that includes the actual email in question - and it comes from Gocladdy.com - and if your company puts big banners on top of any mail coming from outside your domain then you must not deal with people outside your domain much.

          In companies that deal with a lot of messages from outside domains (like godaddy) putting a warning like that on every outside domain would be detrimental - because people would just get used to ignoring that banner (if you are seeing that alarm

      • by msauve ( 701917 )
        >came from Gocladdy.com

        The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically say it was "Sent by Happyholiday@Godaddy.com."
        • by Entrope ( 68843 )

          If text is in the body of an email, you can trust it 100%.

          Signed, President Abraham Lincoln

    • I'm surprised that it isn't obvious by now that training and depending on people not to click on links in emails is REALLY BAD SECURITY.
      If you want good security, then do not have a system that is easily compromised by employees clicking on links in emails.
      What system is good? I'm not sure. But I am certain that one is stupid.

  • Not mad (Score:4, Insightful)

    by colonslash ( 544210 ) on Thursday December 24, 2020 @03:34PM (#60863490)

    That's actually a clever test.

    • Re: (Score:2, Interesting)

      by misnohmer ( 1636461 )

      In the current social climate the test email should have said "This is a phishing test, click here to get mandatory refresh on social engineering security and a ding on your performance evaluation", including a large red flashing banner with skulls and crossbones warning signs. Then the company should have lobbied the government to make a law requiring all phishing emails must have such a banner - you'd probably find a politician (start with California) to introduce this "Mandatory phishing warnings to prot

  • by jmccue ( 834797 ) on Thursday December 24, 2020 @03:35PM (#60863494) Homepage

    Same thing were I work, but the email text was something like:

    Happy Holidays, please go here for you $25 Bonus Christmas Gift Card

    We never get holiday bonuses where I worked, so most people knew it was a phishing test (which it was)

    • by Ksevio ( 865461 )

      Something similar was sent out at my company, but then it turned out to be legit. A manager had to send a follow up message because too many people reported it

  • Smart! (Score:4, Insightful)

    by Joe2020 ( 6760092 ) on Thursday December 24, 2020 @03:36PM (#60863502)

    Damn, that was smart. Liking it. I wonder how many snowflakes are going to complain about it, but this was a cool test. GoDaddy is handing out coal for Christmas like true Santa.

    I am of course assuming the employees don't suffer negative repercussions from this and it is only meant to raise awareness. Anything else would suck.

    • Re:Smart! (Score:4, Insightful)

      by GameboyRMH ( 1153867 ) <gameboyrmh.gmail@com> on Thursday December 24, 2020 @04:18PM (#60863636) Journal

      Yes, handing out coal to people who are likely struggling in a pandemic while the company is likely making higher profits than usual. Real cool.

      • Would a phisher come up with this scheme, then discard the idea as being too low? Nope. Therefore the test was justified. I tip my cap to GoDaddy for this (and only this).

        If an email promise of a Christmas bonus doesn't get your spider-senses tingling enough to carefully check the From: header for a suspicious address. Then you absolutely need to retake the security course. Read the message, it is crazily suspicious.

        • I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.

          • I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.

            *lol* Talk about bad ...

            Guys, this was a test and GoDaddy is an Internet provider. Of course every customers of theirs expects them to be at the top of their game. And phishing is nasty, it's a real problem. Was this an evil test? Absolutely. Did anybody get hurt? No. Perhaps some got upset, but they'll live. The point is to raise awareness and the result was shockingly bad, because of how many of GoDaddy's employees actually failed. So if you want to talk about the bad stuff here, then you need to talk abo

            • This has however got nothing to do if GoDaddy actually decided to payout a bonus or not. There never was a bonus. Only really dumb suckers would still go on about it after the test how they didn't get a bonus. That's so dumb that it could be used in a Dumb & Dumber or Borat movie actually. Like when everbody gets that this was just a test, and then there is this one guy who doesn't get it and goes on about the money and what he could have done with it, and so on. There is no money!

              I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.

              Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reason

              • I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.

                Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reasonable Christmas bonus!" until they ran across the first red flag.

                You cannot think like this. You really need to match the real world conditions if you truly want to train your people and to recognise phishing. There is no second place. A million dollar prize as Christmas bonus would be obviously ridiculous that nobody would believe it even if the boss came into their office and told them the news to their face: "Hey, guess what? Everyone gets a million dollar!" ... Don't tell me you would actually believe a word and would not assume it's a silly joke, but you would want

                • You still don't get how this would be hurtful to people, I'm guessing because you're too wealthy, from the way you talk about money, as if freeing up money is a simple lifestyle choice.

                  • And you definitely don't get it.

                    A good test IS REALISTIC. $650 Christmas bonus is reasonable enough to be believable, while a million dollars is not.

                  • You still don't get how this would be hurtful to people

                    Of course I get it. I already said it was evil, but I also said that this is how phising works. Bad people do not play nice. It is why they are bad.

                    Now do you understand how one employee, who falls for an actual phising attempt could damage the entire company and can affect the jobs of all the employees? This is the actual and very real threat, which GoDaddy is trying to prevent. This can cost several employees their job, possibly even damage GoDaddy for a long time and mean the loss of many customers, not

  • My company sent out an email about a pizza party. Those that clicked the link and filled out the form had to take security training.
  • Summary is wrong. (Score:5, Informative)

    by Nicholas Schumacher ( 21495 ) on Thursday December 24, 2020 @03:43PM (#60863518) Homepage

    If you go look at the video, the emails did not come in from Godaddy.com - they came from Gocladdy.com.

    In other words, the employees should have caught it as a phishing email.

  • I'd leave (Score:2, Redundant)

    by cygnusvis ( 6168614 )
    I would start looking for other employment in the new year.
  • by Ken_g6 ( 775014 ) on Thursday December 24, 2020 @03:53PM (#60863542)

    This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued. But it's probably not worth it to any of the employees.

    This shouldn't tie a company's hands too much. They can still do a phishing test like this. They just have to actually pay the bonus to everyone. And make employees who respond re-take training.

    • by geek ( 5680 )

      This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued.

      Found the professional victim. Fuck off with your crying you little bitch

  • If I didn't care about getting fired, I'd sue them in small claims court.
    The email was sent by the company stating they would get a bonus with no caveats or disclosures. That's a financial commitment. It does not matter one iota that it was sent from a different domain. Emails for company-related business, such as third-party benefits providers, come from alternate domains all the time.
    • I think that the employees took the correct approach, and forwarded the e-mail of this to the local news station. With the amount of negative PR they're getting from this (I sure as hell wouldn't want to work for GoDaddy after reading this story!), I'd imagine that they'll probably rethink pulling a stunt like this again.

      Play stupid games with your employees, and prepare to win stupid prizes.

      • And when they stop testing because of complainers like you and some actual scammer uses the exact same method to compromise their systems I'm sure people like you will be sitting there complaining that they didn't train their employees well enough.

        This was a test using the EXACT methods that scammers use to penetrate systems everyday and are exactly the type of things that IT security needs to make sure that employees are on their guard against.

    • I think you need to sue whoever you got your law degree from, I think that might have just been a homeless guy in a suit.
  • I work for a Fortune-500 company, and this kind of test is routinely performed at least twice a year. Never failed it, quite easy to smell the trap (amazon gift card, a iPhone offered by the HR dept., etc.), but since they repeat the test since a few years, I guess that many coworkers do not pass it.
  • ... and those who were cought also deserved to be cought, this was still a bad thing, before the Holidays, after a year like this. The problem is that in this world the ones responsible don't need to behave towards their underlings. And that they don't need to fear a thing, like those 500 underlings coming up to their office to give them a thorough beating. Which they should.

    That I'm in the process of moving most of the domains I'm responsible for away from HostEurope, which has been part of GoDaddy since 2

  • I conduct these kinds of phishing tests with my staff. But this is going too far, there must be more to the story.

  • Report most everything as SPAM unless you recognize the sender, subject and content as appropriate. Maybe even then. Especially corporate bulk email--how would you know otherwise?

    HTML email is an abomination. Treat it as such.

  • Does the test reflect the sickness of modern world? Absolutely. Does that make it effective? Probably. Is GoDaddy managed by psychopaths? Apparently. I imagine their version of a hearing test would be sneaking into your bedroom at night and playing a recording of your children screaming "Fire! It burns! Mommy, Daddy, help me, I'm dying!"
  • Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training."

    HR to Demetrius: "You will need to take Emotional and Social Awareness Training."

    Sent by Happyholiday@Godaddy.com,

    COO to Demetrius: "Stop undermining our DMARC, SPF and DKIM secure email messaging infrastructure".

  • Just another datapoint on the slimyness of GoDaddy...

  • by bferrell ( 253291 ) on Thursday December 24, 2020 @05:42PM (#60863848) Homepage Journal

    Usually right after a mandatory training on security... Fail and you get to take it over again.

    They compare the fail rate against the training pass rate to determine how effective the "training partner" is.

    Gawd, how I HATE those "partners"!

  • I get emails to my work account that pretend to be benefits and bonus payment all the time. Every single one I forward to IT and ask if it is legit.
  • The name of the company makes me vomit. Why would anyone buy anything from them, and why would anyone choose to work there?
  • This phishing test was a dirty trick that proves the boss class view all off the working class added up as having a value of zero. None of us go to work each day for our health or because we like it, but to acquire the one thing that makes it possible to survive in this society. Promising more of it, then saying "gotcha sucker" is an obscenity. They easily could have posed as UPS or Fedex saying you need to digitally sign for a package.

"The pathology is to want control, not that you ever get it, because of course you never do." -- Gregory Bateson

Working...