Digital Evidence Articles


Attack on GoDaddy Highlights Importance of Employee Security Training


An employee of GoDaddy, the website hosting company and Internet domain registrar, was tricked into giving a black-hat hacker information that could allow the hacker to take over a customer’s domain names. This incident further illustrates that employees can be the weakest link in an organization’s security.


The hacker successfully extorted a prized Twitter name, “@N”, from the GoDaddy customer, Naoki Hiroshima, after Hiroshima’s domain names were hijacked. The hijacked domains included his primary email address, which allowed the hacker to access Hiroshima’s Facebook account. Hiroshima claims that the @N Twitter name is worth as much as $50,000.

GoDaddy said the hacker knew lots of personal information about Hiroshima when he contacted the company employee.

"The hacker then socially engineered an employee to provide the remaining information needed to access the customer account," Todd Redfoot, chief information security officer for GoDaddy, said in a statement emailed to CruxialCIO.

GoDaddy helped Hiroshima regain control of his GoDaddy accounts and the company says it is helping him get back other services that were lost in the attack.

"We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques," Redfoot said.

The incident demonstrates the importance of ongoing employee training in the area of social engineering. Employees need to understand that hackers will use questions in person, on the phone, and in email to gain information that can be used against an individual as well as the organization.

Security training is key to keeping organizational information and facilities safe. Hackers will often send employees phishing emails designed to trick recipients into opening malicious attachments or clicking on links that take the user to websites that install malware onto the user’s computer. In one such case, a law firm’s trust account was drained of six figures.

Prevention: Train employees often about security, social engineering and other risks that they face. Organizations should also conduct regular risk assessments and penetration tests to determine how well employees will react to different types of situations.


Experts on this topic...

Digital Evidence

Digital Evidence Scott Greene
