GoDaddy Scam/Phish/Spam

Published: 2010-06-21
Last Updated: 2011-02-08 23:45:29 UTC
by Adrien de Beaupre (Version: 1)
3 comment(s)

A number of readers (myself included) have received an email claiming to be from GoDaddy. The email is grammatically correct and appears quite genuine. The subject is "GoDaddy.com Order Confirmation" and, interestingly, the images within the HTML are pulled from imagesak.godaddy.com, except one which came from "hxxp://img.securepaynet.net/bbimage.aspx?pl=somecodeandmyemailaddress". The links in the emails I have seen point to "hxxp://dextersss-com-ua.1gb.ua/zzx.htm" among others. The phishing site, its IP address, and its domain registration are in Ukraine.

Thanks to Christopher and Dwight!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
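
The pattern in this diary (images served from the brand's own host, one image whose URL carries the recipient's address, and links that leave the brand's domain) can be checked mechanically during mail triage. The following is an added example, not part of the original diary; the function names and the sample message with its `.example` hosts and `logo.gif` path are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: brand-hosted logo, per-recipient image, off-brand link.
SAMPLE = """\
From: "GoDaddy" <sales@billing.example>
To: user@victim.example
Subject: GoDaddy.com Order Confirmation
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://imagesak.godaddy.com/logo.gif">
<img src="http://img.tracker.example/b.aspx?pl=abc123user@victim.example">
<a href="http://orders.phish.example/zzx.htm">View your order</a></body></html>
"""

class Refs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):       # clickable link target
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):    # remotely loaded image
            self.images.append(a["src"])

def host(url):
    return (urlsplit(url).hostname or "").lower()
def under(h, domain):
    # Exact match or true subdomain; "godaddy.com.evil.example" does not pass.
    return h == domain or h.endswith("." + domain)

def triage(raw, brand_domain, recipient):
    """Return (finding, host) tuples for the HTML parts of one message."""
    refs = Refs()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            refs.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    out = [("link-off-brand", host(u)) for u in refs.links
           if not under(host(u), brand_domain)]
    for u in refs.images:
        if not under(host(u), brand_domain):
            out.append(("image-off-brand", host(u)))
        if recipient.lower() in unquote(u).lower():
            out.append(("recipient-in-image-url", host(u)))
    if any(f == "link-off-brand" for f, _ in out) and any(
            under(host(u), brand_domain) for u in refs.images):
        out.append(("brand-images-with-foreign-links", brand_domain))
    return out
```

Calling `triage(SAMPLE, "godaddy.com", "user@victim.example")` returns four findings for the constructed message; a message whose links and images all stay under the brand domain returns an empty list.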


Comments

I have seen similar spam, also claiming to be order confirmations and purporting to be from various e-commerce sites. The emails are loaded with an HTML part that contains obfuscated JavaScript that takes the victim to one of a few domains and the same /zzx.htm file. The URLs I have seen appear to have already been cleaned up, so I do not know what zzx.htm contained.

Yesterday I got two phishing spams claiming to be PayPal satisfaction surveys. They both came through wanadoo.fr's SMTP servers, and pointed to a link on mx01.hospitalnovo.com.br. When I tried to follow the link, Safari warned that it was a suspected fraudulent site, and I didn't go further.

I have now seen two such attempts sent to my work address, one claiming to be from go-daddy and the other saying buy.com. The buy.com one was going to a URL at sonda.co.kr, but the style of the two is very similar.
