Attack on GoDaddy Highlights Importance of Employee Security Training
An employee of the website hosting company and Internet domain registrar GoDaddy was tricked into giving a black hat hacker information that could allow the hacker to take over a customer’s domain names. This incident further illustrates that employees can be the weakest link in an organization’s security.
The hacker successfully extorted a prized Twitter name, “@N”, from the GoDaddy customer, Naoki Hiroshima, after Hiroshima’s domain names were hijacked. The hijacked domains included his primary email address, which allowed the hacker access to Hiroshima’s Facebook account. Hiroshima claims that the @N Twitter name is worth as much as $50,000.
GoDaddy said the hacker knew lots of personal information about Hiroshima when he contacted the company employee.
"The hacker then socially engineered an employee to provide the remaining information needed to access the customer account," Todd Redfoot, chief information security officer for GoDaddy, said in a statement emailed to CruxialCIO.
GoDaddy helped Hiroshima regain control of his GoDaddy accounts and the company says it is helping him get back other services that were lost in the attack.
"We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques," Redfoot said.
The incident demonstrates the importance of ongoing employee training in the area of social engineering. Employees need to understand that hackers will use questions in person, on the phone, and in email to gain information that can be used against an individual as well as the organization.
Security training is key to keeping organizational information as well as facilities safe. Hackers will often send phishing emails to employees designed to trick recipients into opening malware attachments or clicking on links that take the user to websites that install malware onto the user’s computer. One example of this caused a law firm’s trust account to be drained of six figures.
Prevention: Train employees often about security, social engineering and other risks that they face. Organizations should also conduct regular risk assessments and penetration tests to determine how well employees will react to different types of situations.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from computers, cell phones, black boxes, dispatch systems, medical records, email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.