Employees of GoDaddy, the internet domain registrar and web hosting company, are angry. Just before Christmas Eve, they received an email from an in-house email address stating that they would receive a one-off bonus of $650 (about 67,000 yen), and they happily filled in the “necessary items for bonus payment” and sent them back. However, they later received a notice saying, “If you fail the phishing test, take a security course.”
“We can’t celebrate our annual holiday party together, but we would like to thank all the employees who have contributed to this year’s record performance and we’ll give you an extra $650 bonus!”
The email was sent from Happyholiday@Godaddy.com, an address that uses the company’s own domain. Along with the words “You need to make sure you receive this one-off bonus before Christmas holidays,” it included a form asking recipients to return information about themselves and their workplace.
For $650, you could spend a somewhat more luxurious Christmas and New Year holiday with your family, or buy one or two games for a new-generation game console that has just come out. Not surprisingly, the employees were delighted, and about 500 of those who received the email returned it with the required information.
It is a bit cruel that what they got in return was a notice to attend a security class because they had been caught. It is not uncommon for companies to occasionally send fake phishing emails internally to raise employee security awareness. But these employees had worked through the difficult circumstances of the coronavirus pandemic and achieved record new customer acquisition in the latest financial results, and as year-end treatment for people who had put in that work, this was hardly gracious.
Some employees have vented their anger on Twitter, and some users who learned of it have even told GoDaddy that they will switch to another hosting company.
Meanwhile, GoDaddy said in a statement on the 24th that it had apologized to employees: “We take maintaining the security of the platform very seriously, but we also understand that some employees are indignant at the test measuring their awareness of anti-phishing measures. This test imitated actual phishing techniques that can occur, but we need to give more consideration to employees and take better measures.”
Phishing is timed for the moment when the target is most likely to fall for it, so while GoDaddy’s test was not wrong from a security point of view, it can be said to have been overkill considering the feelings of employees. After all this trouble, we would like to see the company go ahead and pay some extra bonus, with both sides raising their security awareness and delivering reliable services to their users.
Incidentally, in November GoDaddy mistakenly handed control of the domain of the virtual currency trading platform liquid.com to an attacker, which allowed access to internal storage and internal email information. In addition, NiceHash, a virtual currency mining service, reported that its domain registration records at GoDaddy had been changed by someone. GoDaddy acknowledges that both incidents began with social engineering attacks targeting employees.
Even before that, GoDaddy had employee credentials leaked to the outside through attacks targeting employees, so it is not hard to understand why the security officer might go a little too far.