BrandLabs shared a warning post on Twitter this afternoon. While the email appears to be targeting Squadhelp sellers who utilize their White Label Marketplace (WLM), it is something anyone should be wary about:

.@squadhelp @GoDaddyHelp @DInvesting
New scam targeting sellers on Squadhelp who link their email to a WLM. Faked Godaddy email says your account will be suspended and give you a button to click on. Mine was sent from info@jeangaleart.com pic.twitter.com/9Lc6AVzS9N

— BrandLabs (@BrightHawkIP) March 4, 2024

According to the person who posted the warning, the email address that received this phishing email is used exclusively within his WLM website. Further, in order to see the email address, someone would have to click the contact us link. I am not sure if this means the person behind the phishing effort clicked the contact button or has an automated way to do it.

I’ve written a number of articles about phishing attempts made to induce GoDaddy customers into giving up their login credentials. I think phishing is one of the leading causes of domain name theft, and it appears  to have reached a crescendo in the last year. It seems that domain theft isn’t the only objective of phishing attackers.

Jeremy Kirk published an article on  CIO.com warning that attackers are using hijacked domain registrar accounts to  infect computers with malware.  “Hundreds of hacked domain name accounts registered through GoDaddy are being used as part of a highly effective campaign using the Angler exploit kit to infect computers with malware,” wrote Kirk. The article cited a blog post written by Nick Biasini, an outreach engineer with Cisco Systems.

Kirk went on to explain what is happening with the subdomains:

I want to share another GoDaddy account phishing email that is playing on the ICANN verification requirements to get people to open the email and possibly click a link to a phishing website. One giveaway is the link to a non-GoDaddy owned website that tries to give people the impression it is associated with the company. The email subject is “Immediate Verification Required” and it may have one of your domain names listed as well.

I won’t mention the website used to avoid giving it publicity, but if you click any links (or paste links into a browser), make sure the website is the one you intend to visit. In addition, the GoDaddy email should have your name or registrant name, and any email requiring action should have a corresponding notification in your account to confirm that it is an outstanding issue.

If you ever have a question about whether or not a domain name is a phishing email, or if you know it is, you can report a phishing email to GoDaddy very easily and they can confirm.

Here is the content of the email:

GoDaddy’s security has been under the microscope lately, with two high profile security incidents reported by Krebs On Security on November 21 and on March 31. I wrote about the first incident, which involved an account held by Escrow.com. With many employees working from home because of Covid-19, it has likely become a much more challenging task to ensure GoDaddy employees use best security practices to avoid being hacked or having systems or accounts compromised.

According to an article in The Copper Courier, GoDaddy tested its employees by deploying an email promising a holiday bonus, but it was really a phishing test in disguise:

Email spam filters have gotten pretty good at catching phishing attempts. Most of the time, phishing emails are caught and or blocked by email providers and never even seen by the intended recipient. In some cases, the emails make it to the user’s inbox but are marked as spam / junk. This helps prevent phishing, but it’s not foolproof, and phishing or spearphishing are not always obvious.