GoDaddy: Hackers stole source code, installed malware in multi-year breach(bleepingcomputer.com) |
I don't understand how that could possibly be profitable. Imagine how many searches there must be for new domains every day. There is no way they could afford to buy all of the domains that people searched for.
And if they had any means of measuring how "good" a domain name is, in order to filter the searches that people make, and front run only the ones looking for good domain names – I don't think that would make sense either. If you were able to reliably measure how good a domain name was you could just buy the domain name right away without waiting for any customers to search for the domain.
Anyway, for anyone that is looking for a registrar to use I recommend that you stay away from GoDaddy. Register your domains with Gandi.net, they are nice and good. https://www.gandi.net/en-GB
Because registrars have the power to "reserve" domains they like for some time, either for free or for only pennies.
I can confirm this experience, on 2 occasions when I looked up a very specific (and definitely not common) domain, they were suddenly reserved by GoDaddy and sold for a premium price. Not hundreds, but like 50-150 instead of 12.
I can't prove it, of course, but after hearing about those problems with GoDaddy multiple times it just seems too convenient for them to be a coincidence.
This is just a sign of GoDaddy's complacency. I use GoDaddy for domain registrations only. Yet I had my account taken over with a SIM card attack/swap, and they took so long to fix the issue that domains were transferred without locking.
Web Hosting, particularly 'shared' hosting is extremely prone to regular banal attacks and requires extreme constant attention, customers less tech savvy would choose it for the very reason they know the Godaddy name, they're expecting them to look after the tech work.
A multi-year breach is an incredible display of incompetence and neglect. I have no idea what the security/monitoring team are doing there, but someone definitely dropped the ball, especially given the fact they admit that the 2020 break was related. It should have been an open-and-shut case from there.
As someone who has waited on hold with GoDaddy support for over six hours on multiple occasions, this does not surprise me.
When I first set up my company's website it was hosted at GoDaddy. Totally static site. It got 'hacked' one day, with new php files and redirecting users to some nonsense. This was August 2016. The ftp server had a very long, random password. I changed it again after this.
It happened *again* March 2017, though different files were added. After this I moved my site to Digital Ocean.
I never found out how this happened.
Does anyone know how long this has been going on? The article didn't give a definitive start date.
In this particular case, they had "shared hosting" and it turned out the permissions on their particular directory were somehow left writable by "other", in the *nix filesystem sense.
e.g. any other customer/user/etc. on the server was able to overwrite the files. Which someone had done at some point.
Was easy to fix at the time (e.g. fix the permissions), but I have no idea if it occurred again over time.
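A quick way to audit for exactly that failure mode on a shared host: walk the account's web root and list anything with the "other" write bit set, then strip it. This is an added example written for this thread, not code from the commenter or from GoDaddy; the sample tree it builds under a temporary directory is constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): find files or directories under a
# web root that are writable by "other" (mode o+w), the shared-hosting
# mistake described above, and optionally remove that bit.

# List paths under $1 that carry the o+w bit (octal 0002). Symlinks are
# skipped because their own mode bits are meaningless.
find_world_writable() {
    find "$1" -perm -0002 ! -type l 2>/dev/null | sort
}

# Number of offending paths; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the "other" write bit from every offending path under $1.
fix_world_writable() {
    find "$1" -perm -0002 ! -type l -exec chmod o-w {} +
}

# Constructed sample web root: one correctly-permissioned site plus the
# one directory somebody left mode 777.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/uploads" "$root/public_html/css"
    printf '<h1>static</h1>\n' > "$root/public_html/index.html"
    chmod 755 "$root/public_html" "$root/public_html/css"
    chmod 644 "$root/public_html/index.html"
    chmod 777 "$root/public_html/uploads"   # the mistake
    echo "$root"
}

# Stand-alone run: report, fix, report again.
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    echo "before: $(count_world_writable "$r") world-writable path(s)"
    find_world_writable "$r"
    fix_world_writable "$r"
    echo "after:  $(count_world_writable "$r") world-writable path(s)"
    rm -rf "$r"
fi
```

On a real account, call `find_world_writable ~/public_html` (or whatever the host's document root is) from a cron job and alert on any output; on shared hosting a directory that goes 777 between runs is worth a support ticket even if nothing has been modified yet.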
But FTP - unless GoDaddy enforced TLS connections on that, which back in 2016 they probably did not because it would have been a support burden - this could easily have been password sniffed.
It is just another one of the examples of how a company that advertises that intensely is probably a company I don't really want to be involved with.
"We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group"
I like how they try to hide their incompetence with bullshit. GoDaddy PR (to world): The attackers were sophisticated, the cops said so!
Speaks volumes for the culture being cultivated at GoDaddy.
Instead of calling them names and assuming bad intent, maybe take a second to think about how much it must suck for them right now. I'm sure it's all hands on deck nights/weekends to fix. No one sets out to do a bad job in my experience.
A smart attacker can hack your company unnoticed and passively watch your company for the right moment to strike. I doubt that the hackers logged into the office VPN every day.
Friends don't let friends use GoDaddy.
Pulled the site down locally and started the regular process of find/remove, but nothing was showing up. Hosting the site locally, the JS wasn't being put on the page. Checked all the server files for stuff like php.ini, user.ini, etc etc. Nothing was showing up.
Created a plain info.php file on the account. That had the JS injected into it.
Started searching for other sites with the same JS, found a bunch, dozens. Started a search for "neighbor" sites to the one I was investigating, ones that most likely were on the same server. They ALL had the JS injected. Server was owned.
I alerted the client and sent a note into GoDaddy, like you need to check this out. Got a response that it was impossible for the server to be compromised and I should buy their Sitelock service for security. Instead we requested a migration to another server and that cleared up the issue.
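The diagnostic step in that comment (a freshly created file coming back with injected JS, so the injection sits between disk and client) can be scripted: extract the script sources from the file on disk and from a copy of what the server actually returned, and report anything only the served copy has. This is an added example written for this thread, not code from the commenter or from GoDaddy; the two HTML samples are constructed and nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the thread): diff the <script src=...> tags in
# the on-disk file against those in the served response. Any source only
# the served copy contains was injected somewhere in the serving path
# (web server module, rewrite rule, auto-prepended PHP), not in the site.

# Print the src attribute of every <script src="..."> in $1, one per line.
script_srcs() {
    grep -o '<script[^>]*src="[^"]*"' "$1" | sed 's/.*src="\([^"]*\)"/\1/' | sort -u
}

# Script sources present in the served copy ($2) but absent from disk ($1).
# Empty output means the server returned exactly what is on disk.
injected_scripts() {
    disk_list=$(mktemp); served_list=$(mktemp)
    script_srcs "$1" > "$disk_list"
    script_srcs "$2" > "$served_list"
    comm -13 "$disk_list" "$served_list"
    rm -f "$disk_list" "$served_list"
}

# Constructed sample: the file as written, and what a client received.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/on_disk.html" <<'EOF'
<html><head><script src="/js/app.js"></script></head>
<body><h1>hello</h1></body></html>
EOF
    cat > "$dir/served.html" <<'EOF'
<html><head><script src="/js/app.js"></script>
<script src="https://example.invalid/injected.js"></script></head>
<body><h1>hello</h1></body></html>
EOF
    echo "$dir"
}

# Stand-alone run against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "injected script sources:"
    injected_scripts "$d/on_disk.html" "$d/served.html"
    rm -rf "$d"
fi
```

Against a live site, the served copy is just `curl -s https://example.invalid/info.php > served.html` (hostname is a placeholder) and the on-disk file is the one you uploaded; if the same injected source shows up for every file on the account, including ones you created seconds ago, the account's files are not the problem and the host needs to look at the server.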
There are a ton of hard-working people at GD that care a lot about the products we make. I don't think that's a fair assessment.
Better alternatives
Namecheap, ovh, digitalocean, gandi, TransIP
I've tried A2 and NameHero and both were very solid along with fast/great support.
Anything else I should look into?
Then the "elephant shooter" drama happened and I moved to namecheap and didn't look back. Was a breath of fresh air in comparison.
I didn't see a way to delete my gd account, so think it is still there. Hope my data didn't get out again. :doh:
I turn it into a game. I love the feeling of having cheated their systems and cleverly opting out of all the up-sells. I am forced to use GoDaddy because I have profitable blogs and e-commerce stores which would be a holy war trying to migrate all that to other services. It's do-able, but would be a headache and a half.
Updating the entire zone just to automatically set a verification token (like for Let's Encrypt) is too risky.
Switching from impossible-to-read Perl scripts to a flavor-of-the-day language would be a use case I can actually get behind and support for replacing.
They are a french company. Their slogan is "No Bullshit," (2) and I think they've done a decent job of living up to that.
My only frustration has been a situation where I was transferring an existing domain over to them. I wanted to create the zone file ahead of time so that when the transfer happened, there would be an identical zone file ready to go. But they wouldn't allow me to create a zone file for a domain that hadn't transferred over to them yet. Since I'm not doing anything critical with my domains, it was just an annoyance, but that would be a show-stopper for some.
As it pertains to billing problems, they allow you to pre-pay a chunk of money to your account. (They take PayPal.) It deducts from that amount when domains renew. That provides a buffer if you need to cancel your credit card.
Also, on the occasions that I have created trouble tickets, they have been responded to in a reasonable amount of time with helpful information.
(1) https://www.gandi.net (2) https://www.gandi.net/en/no-bullshit
For web hosting, I used Bluehost for many years and became extremely dissatisfied with them. I switched to Siteground.com about five years ago and have very little to complain about.
When you buy a domain from them they also include a pair of web/smtp/pop/imap mailboxes you can use, with the ability to create aliases, including wildcard aliases. So I don't need to pay separately for fastmail or some other email service.
It's also nice that you can buy credits; that way I could renew a bunch of domains that expired at different times and file only one invoice to bookkeeping.
There are many others I can vouch for. There's a good list of them here[0]. Make sure to choose ones that have proper 2FA as it's a good heuristic for how well they consider security.
...but they're cheaper than other registrars known for being cheap, and I've monitored their nameservers (and a few others') for nearly a year before switching away from my previous registrar and they were consistently fast whereas others had spikes, outages, or constantly round robined across oceans or some such.
Quality servers at very low prices makes me put up with some broken UI for a few minutes per renewal.
I'm sure recommending AWS for hosting is not what you're looking for, but I've been running a static website on S3 fronted by their CDN and it's been nothing but painless.
You forgot "expensive"... It's also a lot more expensive.
(i have a discount/referral code if you want it - contact form on website)
Ever more reason to migrate them, imo.
https://domaininvesting.com/godaddy-still-not-frontrunning-d...
I have no information on whether they are or aren't front-running, but every time I've seen a specific allegation, it's been disproven. That doesn't make it factual either way, but I like Godaddy for enough other reasons to not use them, so I don't particularly care if they are or aren't, but I've yet to see a specific allegation be found credible.
Doesn't sound like much of an investigation. It has happened to so many people (including myself) that either they do it themselves, allow third party access to domain search or their employees are able to do it.
(I do not actually believe this.)
It's because it used to happen and people are convinced it is still happening, usually due to the aftermarkets. It's just not economically feasible anymore.
If you imagine ordering all the domains in order of desirability, where the most desirable are long gone, and nobody wants "nsejrx8oesrjasrjb.com" (and even if they want an obfuscated domain, they don't want that obfuscated domain), there is a middle ground where it's not worth pre-registering but if you see an indication of interest it may push you over, especially if you have a cheap back door for registration as registrars do. In that case, the only ones sensible to front-run are the ones in that middle ground. It is possible that I never chose a domain that triggered such an algorithm. That said, as I was aware of this possibility at the time, I did deliberately try to come up with a combination of tasty & tempting words in a new format that looked like maybe someone would really want it, and I never could get the hypothetical algorithms to bite.
Take a crack at it if you're interested; it really isn't that hard or a big investment in time.
But like I said, these allegations crop up all the time, and investigations are done all the time, and every single time I have seen them, they have been quickly disproven. I am not an oracle, so it's possible that I've missed the cache of definite proof that exists, but I have seen lots and lots of debunking of the notion.
To your point though, there are numerous ways that could make someone feel like they were front-run, whether or not they had been.
* Before the ubiquity of SSL, I think it was common for people to buy search traffic from ISPs. If there were domain-squatters paying for this data, it would be trivial for them to buy anonymous traffic data, filter by "godaddy.com?domain=" and collate the reports. If they also cross-referenced the ${domain} part of that query with the number of people who attempted to go to ${domain}, it would be a good signal that owning ${domain} could be profitable
* Obviousness. It's not always, but often enough that when I see these allegations arise, they're related to The New Thing. e.g., 3 years ago, a lot of people felt like they were front-run for domains they were considering that started with "nft," or "crypto." Now, I'd wager that a lot of people feeling like they were front-run were considering domain names with "ai" in them.
* Selling search volume. I have no idea if Godaddy is or isn't doing this, but it's definitely a possibility. If they are, it isn't front-running, but the effect is just as nefarious IMO. I believe they've said that they don't, but that's from a vague memory and I have no idea if they can or should be considered credible