GoDaddy took an axe and gave education 40 whacks. And when they saw what they had done, they gave their employees 41.

Hanlon’s Razor  states “never attribute to malice that which is adequately explained by stupidity”
Occam’s Razor is widely stated as “the simplest explanation is usually the right one.”

As a security veteran of 23 years, with a focus on anti-malware, I am well qualified to render the opinion that GoDaddy’s recent “phishing simulation” was a real cyber-attack. GoDaddy’s actions have created a significant probability of inflicting financial harm upon their employees. Additionally, GoDaddy has put their own customers at a heightened level of risk for a cyber-attack.

As I explain my rationale, I would like you to decide for yourselves if Occam’s Razor and/or Hanlon’s Razor suggest that GoDaddy assault was the result of ignorance or if it was malice. I believe that

Occam’s Razor would suggest the attack was both ignorant and malicious. Of course, that is my opinion.  I can’t know what Demetrius Comes, CSO at GoDaddy, was thinking so I can’t know for sure if it was intentional maliciousness, dangerously incompetent, or both.

GoDaddy started out with what should have been a clever exercise in security awareness education by employing a technique called embedded learning. For those of you unfamiliar with the term, here’s a very brief summary: In the field of the science of learning there is a window of opportunity called a “teachable moment.” A teachable moment can be created through the competent use of embedded learning.

In this context embedded learning means that when a person falls for a phish and they get immediate feedback, they are far more receptive to learning, and the education sticks better. Please note the word “immediate.” Cyber criminals use embedded learning techniques; however, they often leave out the immediate feedback component in order to maximize damage. GoDaddy’s inappropriately delayed feedback maximized damage rather than exploiting what would have been a well-crafted teachable moment.

For more information on embedded learning, I recommend that you read the Carnegie Mellon study on anti-phishing education. For real fun, check out a deliciously devious exercise called The West Point Carronade.

A simulated phish promising a bonus at this time of year is a great real-world example of how targeted phishing attacks trick people. But without proper execution it is monumentally insane. As you may have learned from the Carnegie Mellon study, immediate feedback is a pillar of embedded learning. Had GoDaddy provided immediate feedback they would have capitalized upon a teachable moment. Instead, they created a cybersecurity hazard.

What makes GoDaddy’s actions a malicious cyber-attack vs an educational exercise? Inflicting excessive emotional distress, and creating significant potential for financial harm do. Delay was wielded as a weapon. Emotional distress would have been contained with immediate feedback, but the delay gave employees time to go home and raise their own hopes and the hopes of their families. Some financial harm is probable. People will celebrate an anticipated bonus by spending money they otherwise would not have and may not otherwise be able to afford. Celebrations may include a special meal, or more expensive holiday presents than would otherwise not have been bought. The delay appears malicious, but again, ignorance could also be the cause of GoDaddy’s delay. My guess is that the delay was extremely mean-spirited.  This was ill-advised. An enraged employee is an easy mark for cybercriminals using bribes instead of wasting zero-days to breach a company. Inflicting emotional distress and financial harm is a gourmet recipe for an insider attack. GoDaddy has all but begged for such. A lone-wolf insider attack is bad enough, but GoDaddy’s recklessness could easily incite an entire posse of collaborative insider attackers. Attacks could range from destruction of data and hardware, to leaked information or supply chain attacks. GoDaddy is supply chain. As a public service to GoDaddy, here is a link to Cybersecurity Insider’s 2020 Insider Threat Report. 

An ounce of prevention is worth a pound of cure. GoDaddy, for prevention, outsource your security awareness education to a company that is competent. For a defense-in-depth approach, put moratorium on internally developed and deployed employee security awareness education. If the failed “educational” exercise was performed by an outside security awareness education vendor, ask for a refund. Lowest bid is the worst criteria for education, get professional help with choosing a security awareness education vendor. The cure? Make your employees happy.

Remember, GoDaddy, you created the scenario of probable financial harm to some of your employees, and in doing so invited adversity upon your customers. You do have the ability to repair any financial harm, as well as emotional harm you have done to your employees. You will need to go well above and beyond to fix the employee morale that you launched an RPG at. That means doing far more than you think is reasonable, evidence suggests you struggle mightily to assess reasonable.

A note to GoDaddy’s customers. Just as company’s often provides consumers with free credit monitoring after a breach, I’d ask GoDaddy for two years of free network security monitoring, provided by a qualified vendor. The risk of an insider attack that GoDaddy has recklessly created should make your security department lose sleep. Oh, and please don’t think that GoDaddy threw you under the bus… they threw the whole damned bus at you -:)

Randy Abrams
Soft-spoken Senior Security Analyst
SecureIQLab