by superseeplus 2001 days ago
Are there any indications that the email is even a phishing email? The email is from an internal address. Do they mean to say that their internal email system can’t detect fake emails purporting to be from an internal address? This is cruel in multiple ways. Promising a non-existent bonus and then blaming employees for failing a phishing test (which is not even a real phishing email, or exposes deep-seated IT inadequacies). Presumably this goes on their performance report too.
5 comments

I was thinking the same thing. You shouldn’t fail by clicking a link sent by an internal email address. If the link took you to an external site and you entered your GoDaddy credentials or provided personal information, that might be a different story.
> You shouldn’t fail by clicking a link sent by an internal email address.

I disagree with making this broad a claim -- insider threats are certainly an issue. And as a sibling commenter points out, email headers are easily spoofed.

I'm not condoning GoDaddy's pentest (agreed with everyone else who sees this as a cruel prank), but also, um, why would you click a link if your company is telling you they're going to pay you a bonus? Wouldn't that just go through payroll as with everything else?

edit: it looks like the phishing email provided the bonus as an opt-in? yeah, that ought to raise red flags that it's not just being applied across the board, but still, it's been a tough year, so people might not think as hard about it.

> email headers are easily spoofed.

Not if they've properly deployed DKIM and SPF - which, if they have a phishing problem, should have been among their top priorities.

should have been != was

I don't know what the security situation is like at Godaddy, but I'm sure there's some amount of investment needed to roll that out broadly without accidentally breaking existing employee workflows.

And my point still stands re: insider attack. At least at Google, anyone could ostensibly register HappyHolidays@google.com (or some variation if it's already taken) as an alias or a mailing list, which removes the need for spoofing.

Entering personal info might also be understandable. My employer gives a Christmas gift. This year they asked us to update a form with our temporary address if we were in a different location.
Absolutely, in the context of a physical item being shipped to you (especially if they can't just distribute it at the office), if it's not through payroll. (e.g. we had site-specific fun events in lieu of the annual holiday party)

But a cash bonus? That's the epitome of something that 1) should go through payroll and 2) should just get direct-deposited into your bank account as is the case with your regular paycheck. There's no reason why you'd need to provide any additional info.

It was sent from “@gocladdy.com” and tried to trick users with the kerning between “d” and “cl”, where are you seeing it was an internal address?
Unless the pictured email client has an absolutely horrible kerning implementation, it is sent from @Godaddy.com. Where did you get the "@gocladdy.com" information from?
The photo from the original article is different:

https://imgur.com/a/anfsAsa

I can't access wfaa.com ("Access denied" errors even on /), perhaps they are blocking European traffic?

That's Tegna for you.
The second line of the article says it is from happyholidays@godaddy.com. So that’s where.
Does it matter if it's an internal address? Any address can be spoofed and some internal addresses could have leaked.

I wouldn't attach any value to the address even with SPF and DKIM, which are often misconfigured.

If GoDaddy are misconfiguring their DKIM records they’ve got bigger problems.
The apex phishing e-mail is indistinguishable from a legitimate e-mail, except by SPF/DKIM. After all, the apex phishing e-mail is based on a byte-for-byte copy of a legitimate e-mail.
For phishing test links that contain identifiable query parameters, it's easy enough to write a quick script which finds those emails and moves them into the "phishing tests" folder. For those operating in a system which proxies email links, just not checking email is a valid alternative. Just treat the whole well as poisoned.
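The two checks the thread keeps circling back to (does the From: domain actually line up with the DKIM/SPF result, and do the links carry the tracking query parameters a simulated phish needs) can be automated in a few dozen lines. The following Python triage script is an added example, not code from any commenter or from GoDaddy; the corporate domain `example.com`, the tracking parameter names in `TRACKING_PARAMS`, and both sample messages are constructed for the demonstration, and the alignment check is a simplified approximation of DMARC relaxed alignment rather than a full organisational-domain lookup.

```python
"""Triage an inbound mail: is the claimed From: domain backed by an aligned
DKIM/SPF result, and do its links carry phishing-simulator tracking params?"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qs, urlparse

# Assumptions for the example: the company's mail domain and the query
# parameter names a phishing simulator uses to identify the recipient.
CORP_DOMAIN = "example.com"
TRACKING_PARAMS = {"rid", "campaign_id", "recipient"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain_of(addr: str) -> str:
    """Return the domain part of 'Display <user@domain>' or 'user@domain'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _aligned(claimed: str, authenticated: str) -> bool:
    """Approximate DMARC relaxed alignment: same domain or a subdomain of it."""
    if not claimed or not authenticated:
        return False
    return (claimed == authenticated
            or claimed.endswith("." + authenticated)
            or authenticated.endswith("." + claimed))


def parse_auth_results(msg) -> dict:
    """Pull dkim/spf verdicts and the domains they cover out of the receiving
    server's Authentication-Results header (RFC 8601 layout)."""
    hdr = str(msg.get("Authentication-Results", ""))
    out = {"dkim": None, "dkim_domain": "", "spf": None, "spf_domain": ""}
    if m := re.search(r"dkim=(\w+)", hdr):
        out["dkim"] = m.group(1).lower()
    if m := re.search(r"header\.d=([\w.-]+)", hdr):
        out["dkim_domain"] = m.group(1).lower()
    if m := re.search(r"spf=(\w+)", hdr):
        out["spf"] = m.group(1).lower()
    if m := re.search(r"smtp\.mailfrom=([^\s;]+)", hdr):
        # smtp.mailfrom may be a bare domain or a full envelope address.
        out["spf_domain"] = _domain_of(m.group(1)) or m.group(1).lower()
    return out


def extract_links(msg) -> list:
    """Collect every http(s) URL from the preferred (html, then plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def tracked_links(links) -> list:
    """Keep only links whose query string names a known tracking parameter."""
    return [u for u in links if TRACKING_PARAMS & set(parse_qs(urlparse(u).query))]


def triage(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message as 'ok' or 'suspect' with reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claimed = _domain_of(str(msg.get("From", "")))
    auth = parse_auth_results(msg)
    dkim_ok = auth["dkim"] == "pass" and _aligned(claimed, auth["dkim_domain"])
    spf_ok = auth["spf"] == "pass" and _aligned(claimed, auth["spf_domain"])
    tracked = tracked_links(extract_links(msg))
    reasons = []
    if claimed == CORP_DOMAIN and not (dkim_ok or spf_ok):
        reasons.append("From: claims the corporate domain but neither DKIM nor SPF is aligned")
    if tracked:
        reasons.append("links carry tracking query parameters")
    return {"from_domain": claimed, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "tracked_links": tracked, "verdict": "suspect" if reasons else "ok",
            "reasons": reasons}


# Constructed sample 1: From: shows the corporate domain, but the signature
# and envelope belong to an unrelated bulk sender, and the link is tracked.
LOOKALIKE = b"""From: HR <happyholidays@example.com>
To: employee@example.com
Subject: Holiday bonus - opt in
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.bulksender.example.net; dkim=pass header.d=bulksender.example.net
Content-Type: text/html; charset="utf-8"

<p>Claim your bonus <a href="https://portal.example-bonus.net/claim?rid=7f3a&campaign_id=42">here</a></p>
"""

# Constructed sample 2: genuinely aligned corporate mail with an untracked link.
LEGIT = b"""From: Payroll <payroll@example.com>
To: employee@example.com
Subject: December pay statement
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset="utf-8"

Your December pay statement is available at https://hr.example.com/statements
"""

if __name__ == "__main__":
    for sample in (LOOKALIKE, LEGIT):
        print(triage(sample))
```

The script reads the receiving server's Authentication-Results header rather than re-verifying DKIM itself, so it only tells you what your own MX already concluded; the useful part is the alignment test, which is what separates "signed by somebody" from "signed by the domain shown in From:". Real tracking parameter names vary by simulator, so the set is meant to be filled from the links you actually observe.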
Usually there's a corporate email address for internal email. Does all godaddy internal email come from godaddy.com? That would be strange.
The email in my company all comes from @<company-name>.com. Why would a company keep a separate domain for internal vs external email? Is that common practice?
It's rare but not unknown - for example Facebook employees' e-mails are whatever@fb.com rather than whatever@facebook.com, and sometimes Facebook sends e-mails from whatever@facebookmail.com ¯\_(ツ)_/¯
Facebook's case is likely because they launched a public email service back in 2010.
It's not internal vs external, it's employee vs users (e.g., @google.com vs @gmail.com)
That’s an excellent point. Yahoo uses yahoo.com for their public email service. Google uses google.com for their internal (employee) email addresses.
Yahoo consequently does not use yahoo.com for internal email addresses. Even before all the merger activity