GoDaddy Employees Were Told They Were Getting a Holiday Bonus. It Was Actually a Phishing Test.
An anonymous reader shares a report (alternative source): "2020 has been a record year for GoDaddy, thanks to you!" the email read. Sent by Happyholiday@Godaddy.com, tucked underneath a glittering banner of a snowflake and stamped with the words "GoDaddy Holiday Party," the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year. "Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!" the email read.
"To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th." But, two days later, the company sent another email. "You're getting this email because you failed our recent phishing test," the company's chief security officer Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training." The follow-up email from Comes said that roughly 500 GoDaddy employees clicked on the holiday bonus email and failed the test. Scottsdale-based GoDaddy, the world's largest domain registrar and web-hosting company, did not respond to repeated requests for comment about the emails. The emails were forwarded to The Copper Courier by three GoDaddy employees.
Sadistic (Score:5, Insightful)
Re:Sadistic (Score:5, Insightful)
True, but as others have pointed out, it was an effective test. And likely a lesson that won't be forgotten.
But they shouldn't be surprised if henceforth every email from corporate is reported to security as a phishing attempt. (Something I like to occasionally do when I'm in a bad mood.)
Re:Sadistic (Score:5, Insightful)
Re: Sadistic (Score:2)
So, are you claiming that phishing tests shouldn't be realistic? Given the current economic conditions due to COVID-19, it seems to me that actual real phishing attempts are likely to involve financial incentives. And since it's near the end of the year, a bonus certainly sounds realistic.
Yes, having a windfall yanked away feels bad. And it doesn't matter if it was due to a security test masquerading as a phishing attempt, or if it was a real phishing attempt.
Re: (Score:2)
Re: (Score:3)
I'm claiming that when you get set up by your own company, or even when you didn't, but you saw other friends get set up, it sticks with you. You've learned that you can't trust your own internal email & bosses. This was a stupid move.
Re: Sadistic (Score:2)
Presumably the people who failed this test were employed by Go Daddy at the time, and thus were likely not struggling due to their own unemployment.
Re: (Score:2)
Dear Head in Clouds,
Having a GoDaddy salary, large or not, does not mean the five other unemployed adults under your roof are not feeding off that solitary stream of income, generating the stress and hardship that urged them to click on an email from management discussing extra money.
--
With my feet on the ground,
Non-lonely, Non-jerk
Re: (Score:2)
Re:Sadistic (Score:5, Insightful)
We had to do some stupid anti-phishing course at work, and all of a week later HR sent out an email that checked pretty much all of the boxes for a phishing attempt. It was just remarkable. I have no idea if the person didn't take the training, or what. I just can't imagine doing that training and then laying out a dozen red flags in an email. (Urgent request to access a company resource to verify tax info, threats that our paychecks might get delayed if we didn't, link to an unfamiliar subdomain, etc.)
So anyway, even though it was legit we all reported it as a phishing attempt. A day later they sent out a follow-up apologizing for the "tone" in the previous email, but restating what they needed us to do. So we reported that one as well, until they frog-marched the HR rep down to give us the request in person.
Re: (Score:2)
My sympathies. We get phishing tests regularly, along with threats of unspecified disciplinary actions if you fail them. This is harsh, but may be understandable. What's wrong is that our company uses umpteen outsourced services that send us emails that we are supposed to accept as legit. I once asked our security department if there was a list of these we could refer to, and their response was pretty much "duh, shrug, no".
Re: (Score:2)
Re: (Score:2)
I had a similar experience, except the I-can't-believe-it's-not-phishing email was from the non-IT side of Security. And they did the exact same thing again several months later.
We also had a big hoopla made about training people to report phishing incidents, except the required mail client plug-in couldn't be installed since it wasn't in the software catalog and regular users can't install arbitrary programs themselves. Technically everyone failed the phishing tests during that period since no one reported.
Re:Sadistic (Score:5, Funny)
Re: (Score:3)
Was it? Or did people examine the headers, and determine it originated from within GoDaddy before responding? And, if the email was received on GoDaddy email accounts, but didn't originate from GoDaddy, then "the company's chief security officer Demetrius Comes" is the one who failed.
Re: (Score:2)
No need, all they had to do was check the "from:" address and see that it was from gocladdy.com, not godaddy.com. The notice at the top of the message that Outlook prevented display of some of the pictures in the email should have been another red flag.
Also, it appears that the employees photoshopped the screenshots to obscure this information before sending it to the news organizations. So they screwed up
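The check described in this comment (and in the "Summary is wrong" comment further down: gocladdy.com vs godaddy.com) is mechanical enough to script. The block below is an added example, not code from the thread or from GoDaddy, and uses only the Python standard library. It takes the domain from the actual address in the From: header, ignoring whatever the display name claims, then collapses glyph sequences that render alike ("cl" for "d", "rn" for "m", "0" for "o", accented IDN letters) into a skeleton string and compares it against an allowlist. TRUSTED_DOMAINS, the confusable tables, the two-label registrable-domain shortcut and the sample message are all assumptions made for the demo; gocladdy.com is the lookalike the thread names.

```python
"""Classify the sender domain of an email as trusted, lookalike, typosquat or external.

Added example (not code from the thread or from GoDaddy); standard library only.
TRUSTED_DOMAINS, the confusable tables and the sample message are assumptions
made for the demo; gocladdy.com is the lookalike named in the thread.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

TRUSTED_DOMAINS = {"godaddy.com"}  # assumed allowlist of the organisation's own domains

# Letter pairs that render like a single letter in many fonts, and single
# characters that pass for letters. Both collapse to one "skeleton" string,
# so gocladdy.com and g0daddy.com both become godaddy.com.
CONFUSABLE_PAIRS = [("cl", "d"), ("rn", "m"), ("vv", "w")]
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold accents (IDN homoglyphs such as gödaddy.com) and confusable glyphs."""
    decomposed = unicodedata.normalize("NFKD", domain)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = folded.lower().translate(CONFUSABLE_CHARS)
    for pair, canonical in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, canonical)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; a real deployment would use the public suffix list (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring whatever the display name claims."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str) -> tuple:
    """Return (domain, verdict, reason) for one From: header value."""
    domain = sender_domain(from_header)
    if not domain:
        return ("", "malformed", "no address in From header")
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return (domain, "trusted", "exact or subdomain match")
    for trusted in TRUSTED_DOMAINS:
        if skeleton(reg) == skeleton(trusted):
            return (domain, "lookalike", f"renders like {trusted}")
        if levenshtein(reg, trusted) <= 2:
            return (domain, "typosquat", f"within 2 edits of {trusted}")
    return (domain, "external", "not a trusted domain")


def classify_message(raw: str) -> tuple:
    """Parse a raw RFC 5322 message and classify its From: header."""
    return classify_sender(message_from_string(raw).get("From", ""))


# Constructed sample: the display name repeats the address the summary quotes,
# while the real address sits on the lookalike domain.
SAMPLE_MESSAGE = """\
From: "Happyholiday@Godaddy.com" <Happyholiday@gocladdy.com>
To: employee@godaddy.com
Subject: GoDaddy Holiday Party

2020 has been a record year for GoDaddy, thanks to you!
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE_MESSAGE))
```

The display-name trick in the sample is the one to watch for: a mail client that shows only the display name will render "Happyholiday@Godaddy.com" while the message actually comes from gocladdy.com, which is why the check must run on the parsed address rather than on the text the user sees.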
Re: (Score:2)
I have done phishing tests for hire. I find that the old click this to validate your webmail account to be sufficiently effective.
Re: (Score:2)
They should have paid out the bonuses... to everyone that DIDN'T fall for it and put their information in the form.
It's not sadistic, it's a very effective exercise (Score:5, Insightful)
Most people I've worked with don't really scan emails before acting on links. What this exercise did was just prove to 500+ employees that the offer of a $650 bonus is all it takes to make them jump right in and click some link without even asking why Payroll is making them click on a link rather than just saying it will be added automatically to their next direct deposit.
Companies are having to get more aggressive because criminals are getting savvier and employees often still live in la la land.
Re: (Score:2)
My employer passes email through some third-party service that rewrites the URLs in emails, so I can't tell where the links go.
Re: (Score:2)
> The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically say it was "Sent by Happyholiday@Godaddy.com."
It's responding now and the screenshot does not show "cl", it shows "d".
Other people are saying the video says 'cl' but I don't see it. Maybe /.'ers are running a test...
I want to know why From: .*GoDaddy.com emails would be allowed into the corporate email system from outside. Don't they know about SP
Re:It's not sadistic, it's a very effective exerci (Score:4, Insightful)
Mine too. It's infuriating. It's part of their APT scanning, but it's just so irritating. Having to click the link to see where it goes is just asinine, and the opposite of the stupid anti-phishing training they inflict on us.
It's just an extra headache when I want to forward a known safe link to someone outside my organization. I have to click the link in the email I got, pass the APT validation, open the website, copy the URL, head back to email, and finally paste it in.
So they slow our job down, prevent one of the important tools in spotting phishing from working, provide "training" that tells us to look at URLs carefully, and assume that their APT scanning has a list of all of the known bad URLs in it which is why it's safe to click links that we can't see where they go. Then they send phishing emails to try to catch us.
Even more hilariously, they occasionally include links in the email which haven't been mangled by the APT scan, which makes them instantly obvious as fake emails. They want us to be using our detective skills and checking URLs, which only works during the tests and no other time, so nobody even thinks of doing it. It's fucking GENIUS!
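Rewritten links of the kind these two comments describe can be decoded without clicking them, because the common rewriters put the original target in a query parameter of a fixed host. The block below is an added example, not code from the thread or from any gateway vendor. It assumes the Microsoft Safe Links pattern (host under safelinks.protection.outlook.com, original URL in the "url" parameter); other products use different encodings, so the REWRITERS table is an assumption you would have to extend. It peels nested wrappers, reports whether a link was wrapped at all (the unwrapped links the second comment says give the tests away), and flags anchor text that names a different host than the real destination. All links are constructed.

```python
"""Recover the real destination of a gateway-rewritten link.

Added example, not from the thread. Assumes the rewriting service follows the
common pattern of a fixed host with the original target in a query parameter
(here the Microsoft Safe Links host and its "url" parameter; other products
encode differently, so REWRITERS is an assumption to edit). Links are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, quote

# rewriter host suffix -> query parameter carrying the original URL (assumed)
REWRITERS = {"safelinks.protection.outlook.com": "url"}
MAX_DEPTH = 5  # stop runaway chains of wrapper-inside-wrapper

# Anchor text that names a host, e.g. "godaddy.com/bonus" or "https://godaddy.com"
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def rewriter_param(host: str):
    """Query parameter used by the rewriter that owns this host, or None."""
    for suffix, param in REWRITERS.items():
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def unwrap(href: str) -> str:
    """Peel rewriting layers until a non-rewriter URL is reached."""
    for _ in range(MAX_DEPTH):
        parts = urlsplit(href)
        param = rewriter_param((parts.hostname or "").lower())
        if param is None:
            return href
        values = parse_qs(parts.query).get(param)
        if not values:
            return href  # wrapper without a target: leave as-is rather than guess
        href = values[0]
    return href


def is_wrapped(href: str) -> bool:
    """True when the link still points at a rewriter host."""
    return rewriter_param((urlsplit(href).hostname or "").lower()) is not None


def destination_host(href: str) -> str:
    return (urlsplit(unwrap(href)).hostname or "").lower()


def link_mismatch(anchor_text: str, href: str) -> bool:
    """True when the text shown to the user names a host other than the real target."""
    match = HOST_RE.fullmatch(anchor_text.strip())
    if not match:
        return False  # text like "click here" names no host; nothing to compare
    return match.group(1).lower() != destination_host(href)


# Constructed samples: a Safe Links-style wrapper around a lookalike domain,
# and the same link wrapped a second time by another region's rewriter.
WRAPPED = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fgocladdy.com%2Fbonus%3Fid%3D42&data=04%7C01%7C&sdata=abc&reserved=0"
)
DOUBLE_WRAPPED = (
    "https://eur01.safelinks.protection.outlook.com/?url=" + quote(WRAPPED, safe="") + "&reserved=0"
)

if __name__ == "__main__":
    print(unwrap(WRAPPED))
    print(link_mismatch("godaddy.com/bonus", WRAPPED))
```

Running unwrap over every href in a message before showing it to the user (or before forwarding it outside the organisation) restores the hover-the-link check that the rewriting otherwise defeats.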
Re:Sadistic (Score:5, Funny)
From RobMalda@slashclot.org
To: BytePusher@placeholder.value
Hello good sir or madam,
We at slash media would like to show our appreciation of your outstanding comment moderation history, by sending you a one-time 2000LB bag of hot grits as a holiday bonus!
However we are trapped in the datacenter and would very much like to return home for the holidays to send your bonus.
We would be very grateful if you could provide a loan of only 100LB of hot grits. We promise to refund it in full as soon we return to the NOC.
Thank you for your financial assistance in this matter.
Re: Sadistic (Score:2)
Re: (Score:2)
Do you really think real scammers don't do exactly that? In order for a test to be effective you have to emulate real phishing emails. What is better, get your feelings hurt but learn a lesson you won't soon forget, or at a later time fall for a real phishing scam, cause a major breach and get fired?
Security Compromised, Domain Transfer Successful (Score:5, Insightful)
Why does the employer need that, they already know where I live and work.
THAT should have been the first reaction. Those that responded shouldn't be working for godaddy. As a godaddy customer, the security of the products I use are subject to minimum wage idiot greed/avarice and this puts my business in an untenable security position.
Re: (Score:2, Insightful)
Re:Security Compromised, Domain Transfer Successfu (Score:5, Interesting)
You're right, we should hire better people. Your prices will double starting 1/1/21. Thank you for your input, as always your suggestions are deeply appreciated. Sincerely, -The GoDaddy Team.
That is actually what I did. I am with SafeNames, and while slightly more expensive, they are totally worth it.
Re: Security Compromised, Domain Transfer Successf (Score:5, Insightful)
Re: (Score:2)
The article does not state if employees typically receive a bonus and if they had any furloughs during work-from-home orders.
If it happened to me, I might be initially pissed off but I'd soon understand the logic. There are plenty of fraudsters out there that use the holidays as an "in" to fool people.
Re: (Score:2)
This is just stupid. How are employers supposed to send benefits cards and information to employees? Trust me, I know.
Geez. Come on. Think.
Re: Security Compromised, Domain Transfer Successf (Score:5, Insightful)
Guess you don't work at a large company. At mine various teams ask for physical addresses all the time. IT just had to get mine this past weekend so they could ship me a new laptop.
1. Only payroll dept has the addresses, no-one else has them in bulk.
2. With offices closed many people are living with family or elsewhere, not their home address on file.
Re: Security Compromised, Domain Transfer Success (Score:3)
How did your company manage to get "large" without implementing a system to track their employees' shipping address? All of the places I've worked at, from fortune 50 enterprises down to the startups have had a solution for people's locations.
The email should look like "here's where we're going to ship your laptop; please confirm that it's correct," not "please give me your address." That's indicative of a complete Mickey Mouse operation.
Suggest paying for Namely. You'll probably get promoted to director of
Re: Security Compromised, Domain Transfer Success (Score:5, Informative)
How did your company manage to get "large" without implementing a system to track their employees' shipping address? All of the places I've worked at, from fortune 50 enterprises down to the startups have had a solution for people's locations.
Many did it by not giving every idiot access to the full employee database. Security means least privilege.
Re: (Score:2)
GoDaddy already knew the name/address of their staff... so responding to this phishing test indicated they didn't think to call HR.
Re: Security Compromised, Domain Transfer Succes (Score:4, Insightful)
Because the local field tech in charge of provisioning my laptop doesn't have access to the system of record payroll uses for my checks and tax forms.
Did you even read my post?
Re: (Score:2)
Re: (Score:2)
"Why does the employer need that, they already know where I live and work."
A) The information is in system A.
B) The information needs to be in system B.
C) The entry only needs to happen once.
For example, my division was acquired by another company in November, 2019. They needed to move the office out of the old parent company's building within one year. They need to enter photos for the card access system at the new building. There's no good way to dump the old photos out of the old system, and the old paren
Re: (Score:2)
Re:Sadistic (Score:4, Insightful)
They generally don't have families as we know them. A CXO's wife is more like a chamberlain-with-benefits and his children are raised more by professional nannies than said wife.
But moreso, most of them have no idea of the money troubles working stiffs face. They think about money the way a middle class person might think about tap water, sure they know it costs something, but for all but the most extraordinary uses they don't really need to think about it, they just turn on the tap and it's there. $650 to them is less than couch cushion change.
Re: Sadistic (Score:5, Interesting)
Considering 500 employees out of the 7,000 fell for it, it seems like most of them saw it for the hoax that it really was, so I doubt it's going to have a major impact on morale. Basically they demonstrated a practical tactic that a real phishing campaign might actually use.
Those who didn't fall for it did a good job, and those who did represent an unacceptable risk to the company that must be addressed. The training requirement is fully appropriate, as was the content of the phish. Really, nothing at all can be considered unacceptable in a test phishing campaign; if you can dream up a really dirty tactic, so can a scammer. I've seen plenty of case studies where everything from confidential patient data to financial records leaked because some idiot was being careless. If anything, these guys should be happy they're merely getting off with a warning and a requirement to train, rather than having their whole careers tossed (nevermind their jobs) because they fell for a scam.
Re: (Score:2)
Even for the 6500 who didn't fall for it, it just serves to underscore that they didn't get a Christmas bonus.
Re: (Score:2)
The difference between good guys and bad guys (Score:2)
Background - I'm a career security professional. I'm devising a phishing reminder (a fake phish) like this for my company as one of my current Todo list projects.
> Those who didn't fall for it did a good job, and those who did represent an unacceptable risk to the company that must be addressed
This is true. In fact a fake phish from the security department is a very effective reminder.
> Really, nothing at all can be considered unacceptable in a test phishing campaign; if you can dream up a really dirty
Re: (Score:2)
Re: (Score:2)
Now what I need to do is find an actual invitation from a real vendor to model my fishing phish after. I checked his email - he hasn't received any in the last 60 days.
Any vendor sales and marketing people here who can advise on what that email should look like?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: Sadistic (Score:3)
Re: (Score:2)
Glad I don't work for godaddy, anyway.
YOUR FIRED! (Score:2, Funny)
YOUR FIRED!
Dick move (Score:4, Insightful)
It seems incredibly ill-advised:
- Bad for morale, telling your people they get a bonus and then screwing them over like this.
- Bad advertisement, as apparently email security at godaddy is so bad that mails that come from outside their own network, but with a godaddy domain, are forwarded without so much as a warning (our corporate email system does that).
I'm even wondering if it's legal. If your employer tells you to click on something, not clicking on that something could be seen as "refusal to work", which at least in my country is a firing offense. And of course, this also means that all subsequent emails from management can safely be ignored. "Oh, I thought it was the phishing thing again and deleted it. Better safe than sorry, right!"
Re:Dick move (Score:5, Informative)
One little problem, if you look at the actual story the email did not come in from godaddy.com - it came from Gocladdy.com. It was a well-crafted phishing email - the type that companies fall for all the time.
They had already had official statements sent around the company that the company was not getting bonuses.
The email did not come in from the godaddy domain - so your email security statement is off base (in fact outlook also gave a message that it was not loading part of the message because it came from outside the organization as well)
This is why companies have official channels for things to be sent to employees - so they have some way to know if they should read it or not.
Re: (Score:3)
if you look at the actual story
Never! This... is... SLASHDOT!!!
Also, the fine summary does in fact state it came from godaddy.com. And where I work, every email from outside our own domain, gets a huge red banner at the top, so if godaddy doesn't have that they're asking for trouble.
Re: (Score:2)
Mine too. Except for the phishing tests, the IT department has specifically excluded them from getting the big red "THIS CAME FROM OUTSIDE" banner. Not sure why, since the test mails always purport to be from well-known companies that aren't ours. (Citibank, Amazon, etc.)
On the other hand, the phishing tests all have an X-PHISHTEST: header. Anyone with e
Guess what - the summary is WRONG (Score:3)
If you go to the story, there is a video that includes the actual email in question - and it comes from Gocladdy.com - and if your company puts big banners on top of any mail coming from outside your domain then you must not deal with people outside your domain much.
In companies that deal with a lot of messages from outside domains (like godaddy) putting a warning like that on every outside domain would be detrimental - because people would just get used to ignoring that banner (if you are seeing that alarm
Re: (Score:2)
The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically says it was "Sent by Happyholiday@Godaddy.com."
Re: (Score:2)
If text is in the body of an email, you can trust it 100%.
Signed, President Abraham Lincoln
Re: (Score:2)
And Stupid (Score:2)
I'm surprised that it isn't obvious by now that training and depending on people not to click on links in emails is REALLY BAD SECURITY.
If you want good security, then do not have a system that is easily compromised by employees clicking on links in emails.
What system is good? I'm not sure. But I am certain that one is stupid.
Not mad (Score:4, Insightful)
That's actually a clever test.
Re: (Score:2, Interesting)
In the current social climate the test email should have said "This is a phishing test, click here to get mandatory refresh on social engineering security and a ding on your performance evaluation", including a large red flashing banner with skulls and crossbones warning signs. Then the company should have lobbied the government to make a law requiring all phishing emails must have such a banner - you'd probably find a politician (start with California) to introduce this "Mandatory phishing warnings to prot
Same where I work (Score:3)
Same thing where I work, but the email text was something like:
Happy Holidays, please go here for your $25 Bonus Christmas Gift Card
We never get holiday bonuses where I worked, so most people knew it was a phishing test (which it was)
Re: (Score:3)
Something similar was sent out at my company, but then it turned out to be legit. A manager had to send a follow up message because too many people reported it
Smart! (Score:4, Insightful)
Damn, that was smart. Liking it. I wonder how many snowflakes are going to complain about it, but this was a cool test. GoDaddy is handing out coal for Christmas like true Santa.
I am of course assuming the employees don't suffer negative repercussions from this and it is only meant to raise awareness. Anything else would suck.
Re:Smart! (Score:4, Insightful)
Yes, handing out coal to people who are likely struggling in a pandemic while the company is likely making higher profits than usual. Real cool.
Re: (Score:2)
Would a phisher come up with this scheme, then discard the idea as being too low? Nope. Therefore the test was justified. I tip my cap to GoDaddy for this (and only this).
If an email promise of a Christmas bonus doesn't get your spider-senses tingling enough to carefully check the From: header for a suspicious address, then you absolutely need to retake the security course. Read the message, it is crazily suspicious.
Re: (Score:2)
I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.
Re: (Score:2)
I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.
*lol* Talk about bad ...
Guys, this was a test and GoDaddy is an Internet provider. Of course every customer of theirs expects them to be at the top of their game. And phishing is nasty, it's a real problem. Was this an evil test? Absolutely. Did anybody get hurt? No. Perhaps some got upset, but they'll live. The point is to raise awareness and the result was shockingly bad, because of how many of GoDaddy's employees actually failed. So if you want to talk about the bad stuff here, then you need to talk abo
Re: (Score:2)
This has however got nothing to do with whether GoDaddy actually decided to pay out a bonus or not. There never was a bonus. Only really dumb suckers would still go on about it after the test how they didn't get a bonus. That's so dumb that it could be used in a Dumb & Dumber or Borat movie actually. Like when everybody gets that this was just a test, and then there is this one guy who doesn't get it and goes on about the money and what he could have done with it, and so on. There is no money!
I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.
Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reason
Re: (Score:2)
I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.
Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reasonable Christmas bonus!" until they ran across the first red flag.
You cannot think like this. You really need to match the real world conditions if you truly want to train your people to recognise phishing. There is no second place. A million dollar prize as Christmas bonus would be so obviously ridiculous that nobody would believe it even if the boss came into their office and told them the news to their face: "Hey, guess what? Everyone gets a million dollars!" ... Don't tell me you would actually believe a word and would not assume it's a silly joke, but you would want
Re: (Score:2)
You still don't get how this would be hurtful to people, I'm guessing because you're too wealthy, from the way you talk about money, as if freeing up money is a simple lifestyle choice.
Re: Smart! (Score:2)
And you definitely don't get it.
A good test IS REALISTIC. $650 Christmas bonus is reasonable enough to be believable, while a million dollars is not.
Re: (Score:2)
You still don't get how this would be hurtful to people
Of course I get it. I already said it was evil, but I also said that this is how phishing works. Bad people do not play nice. It is why they are bad.
Now do you understand how one employee, who falls for an actual phishing attempt could damage the entire company and can affect the jobs of all the employees? This is the actual and very real threat, which GoDaddy is trying to prevent. This can cost several employees their job, possibly even damage GoDaddy for a long time and mean the loss of many customers, not
Not The First (Score:2)
Re: Not The First (Score:5, Funny)
Was pizza served during the security training?
Re: (Score:2)
Re: Not The First (Score:2)
Summary is wrong. (Score:5, Informative)
If you go look at the video, the emails did not come in from Godaddy.com - they came from Gocladdy.com.
In other words, the employees should have caught it as a phishing email.
I'd leave (Score:2, Redundant)
If you think about it, that's fraud (Score:3)
This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued. But it's probably not worth it to any of the employees.
This shouldn't tie a company's hands too much. They can still do a phishing test like this. They just have to actually pay the bonus to everyone. And make employees who respond re-take training.
Re: (Score:2)
This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued.
Found the professional victim. Fuck off with your crying you little bitch
Sue Them (Score:2)
The email was sent by the company stating they would get a bonus with no caveats or disclosures. That's a financial commitment. It does not matter one iota that it was sent from a different domain. Emails for company-related business, such as third-party benefits providers, come from alternate domains all the time.
Re: (Score:3)
I think that the employees took the correct approach, and forwarded the e-mail of this to the local news station. With the amount of negative PR they're getting from this (I sure as hell wouldn't want to work for GoDaddy after reading this story!), I'd imagine that they'll probably rethink pulling a stunt like this again.
Play stupid games with your employees, and prepare to win stupid prizes.
Re: (Score:2)
And when they stop testing because of complainers like you and some actual scammer uses the exact same method to compromise their systems I'm sure people like you will be sitting there complaining that they didn't train their employees well enough.
This was a test using the EXACT methods that scammers use to penetrate systems every day and are exactly the type of things that IT security needs to make sure that employees are on their guard against.
Re: (Score:2)
This is quite a common procedure (Score:2)
Even when the mail came from gocladdy.com... (Score:2)
... and those who were caught also deserved to be caught, this was still a bad thing, before the Holidays, after a year like this. The problem is that in this world the ones responsible don't need to behave towards their underlings. And that they don't need to fear a thing, like those 500 underlings coming up to their office to give them a thorough beating. Which they should.
That I'm in the process of moving most of the domains I'm responsible for away from HostEurope, which has been part of GoDaddy since 2
phishing tests (Score:2)
I conduct these kinds of phishing tests with my staff. But this is going too far, there must be more to the story.
Report EVERYTHING as SPAM (Score:2)
Report most everything as SPAM unless you recognize the sender, subject and content as appropriate. Maybe even then. Especially corporate bulk email--how would you know otherwise?
HTML email is an abomination. Treat it as such.
Taking advantage of desperation and the holidays? (Score:2)
Probable followup (Score:2)
Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training."
HR to Demetrius: "You will need to take Emotional and Social Awareness Training."
Sent by Happyholiday@Godaddy.com,
COO to Demetrius: "Stop undermining our DMARC, SPF and DKIM secure email messaging infrastructure".
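The DMARC/SPF/DKIM point in this comment, and the earlier argument over whether the mail "came from inside" or from a lookalike domain, comes down to what the inbound gateway does with the verdict it already computed. The block below is an added example, not GoDaddy's or the thread's code. It assumes the gateway (authserv-id mx.godaddy.com, an assumption) has evaluated SPF, DKIM and DMARC and stamped an RFC 8601 Authentication-Results header, and applies a three-way policy: mail claiming one of our own domains is delivered only on a DMARC pass and quarantined otherwise; mail from any other domain is delivered with an external-sender banner; an Authentication-Results header we did not write is ignored, because a sender can forge one. All four messages are constructed. Note the third case: a lookalike domain the attacker controls passes SPF, DKIM and DMARC cleanly, so authentication alone never catches gocladdy.com; that needs the banner plus a lookalike check on the From: domain.

```python
"""Gateway triage from the Authentication-Results header.

Added example, not GoDaddy's or the thread's code. Assumes the inbound gateway
(authserv-id mx.godaddy.com, an assumption) has already evaluated SPF, DKIM and
DMARC and stamped an RFC 8601 Authentication-Results header; all messages
below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"godaddy.com"}  # assumed: domains whose mail must pass DMARC
GATEWAY_ID = "mx.godaddy.com"  # assumed: authserv-id our gateway writes


def parse_auth_results(value: str) -> tuple:
    """Return (authserv_id, {method: (result, properties)}) for one header value."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop comments such as "(p=reject)"
    head, _, rest = value.partition(";")
    authserv_id = head.split()[0].lower() if head.split() else ""
    results = {}
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def header_from_domain(msg) -> str:
    """Domain of the RFC 5322 From: address, which is what DMARC aligns on."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def registrable(domain: str) -> str:
    return ".".join(domain.rstrip(".").split(".")[-2:])  # assumption: no public suffix list


def triage(raw: str) -> tuple:
    """Return (action, reason) for one raw message."""
    msg = message_from_string(raw)
    domain = header_from_domain(msg)
    if not domain:
        return ("quarantine", "no From: domain")
    authserv_id, results = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv_id != GATEWAY_ID:
        results = {}  # a header we did not write is attacker-controlled: trust nothing in it
    dmarc = results.get("dmarc", ("none", {}))[0]
    if registrable(domain) in OUR_DOMAINS:
        if dmarc == "pass":
            return ("deliver", f"{domain} authenticated by DMARC")
        return ("quarantine", f"claims {domain} but dmarc={dmarc}")
    return ("deliver-with-external-banner", f"external sender {domain}")


# Constructed messages, one Authentication-Results header per line for clarity.
SPOOFED_OWN_DOMAIN = """\
Authentication-Results: mx.godaddy.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail (p=reject) header.from=godaddy.com
From: Happyholiday@Godaddy.com
Subject: GoDaddy Holiday Party

2020 has been a record year for GoDaddy, thanks to you!
"""

GENUINE_INTERNAL = """\
Authentication-Results: mx.godaddy.com; spf=pass smtp.mailfrom=godaddy.com; dkim=pass header.d=godaddy.com; dmarc=pass header.from=godaddy.com
From: security@godaddy.com
Subject: Phishing test results

You will need to retake the Security Awareness Social Engineering training.
"""

LOOKALIKE_AUTHENTICATED = """\
Authentication-Results: mx.godaddy.com; spf=pass smtp.mailfrom=gocladdy.com; dkim=pass header.d=gocladdy.com; dmarc=pass header.from=gocladdy.com
From: Happyholiday@gocladdy.com
Subject: GoDaddy Holiday Party

2020 has been a record year for GoDaddy, thanks to you!
"""

FORGED_RESULTS = """\
Authentication-Results: evil.example; dmarc=pass header.from=godaddy.com
From: Happyholiday@Godaddy.com
Subject: GoDaddy Holiday Party

2020 has been a record year for GoDaddy, thanks to you!
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_OWN_DOMAIN), ("internal", GENUINE_INTERNAL),
                      ("lookalike", LOOKALIKE_AUTHENTICATED), ("forged", FORGED_RESULTS)]:
        print(name, triage(raw))
```

One operational consequence follows from this policy: a phishing simulation that spoofs the company's own domain only reaches inboxes if the simulator is allowlisted past the DMARC check, so the test then measures the employees, not the mail defences that a real attacker would also have to get through.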
GoDaddy=SLIMY... (Score:2)
Just another datapoint on the sliminess of GoDaddy...
This has become quite common for IT to do... (Score:3)
Usually right after a mandatory training on security... Fail and you get to take it over again.
They compare the fail rate against the training pass rate to determine how effective the "training partner" is.
Gawd, how I HATE those "partners"!
They should get a bonus, but this is a good test (Score:2)
Dodging the real question (Score:2)
Money is the only reason anyone works (Score:2)
Re: (Score:3)
Except that with companies using cloud services, you can often have links in an email that go to different domains than the email domain.
(also in this case, both the email domain and the embedded links could have both gone to Gocladdy.com, and it would not have triggered a problem according to your rules)
Re: (Score:2)
All of the above is true... Except in enterprise email (O365/Outlook and Gmail for businesses).
Not to mention most people don't even know what to look for in the headers
sigh