This is a true cybercrime story, which hit my friend Tom.
Chapter 2
Saturday, March 27, 10:23 PM EDT
The dark figure waited for DreamHost support to respond to his chat request. He had requested the password be reset, eight times since 9:35, since he had tricked them into adding his email address to the account. But he hadn’t been receiving the password-reset messages in his email.
Brian answered the chat. “Hi there, how can I help you.”
Now impersonating Tom, the legitimate owner of the account, he explained his problem as best he could. “I’m trying to get login info in my new email address, but not receiving email from DreamHost.” He gave Brian the account ID and email address.
“You’re already logged into the panel, if you’re talking to me,” Brian said.
“Yes,” the dark figure replied. That was true. He was logged into the administration panel, just not into Tom’s account. Not yet. But hopefully soon. He told Brian that he had recently updated the email address, and that he needed to use the new address, not the old one.
Brian replied, “Both are actually listed on your account.” He explained that Tom could use the administration panel to make any changes he needed.
Yes, the dark figure said, he’d tried that many times, but it wasn’t working. He kept getting an error, he said in his typical broken English.
Brian asked him to try it again.
So he did. Of course, he didn’t actually try anything. His story was a complete fiction, but a believable one. He described the steps he would have gone through, had he actually had access to Tom’s administration panel. Every value he would type, every checkbox he would check, every button he would click on.
“Page still pending load,” he added after another minute.
Brian waited patiently.
“Now get the page cannot to display error,” the dark figure wrote, but he knew that wouldn’t be enough. He knew he needed to make it sound like an insurmountable, unsolvable problem. “I also tried from Firefox, Safari, and cleared caches. I think it’s Windows issue with AJAX. Need to re-install windows tomorrow. Please check it.”
This must have puzzled Brian. Maybe he thought he was dealing with a clueless user. Maybe he thought it was a strange, inexplicable problem that would take too much time to track down. Maybe he just wanted to get “Tom” off his back. The exact reason didn’t matter. What mattered was that he took the bait.
“That’s weird,” Brian said. “I just tried it, and it worked perfectly. I changed it for you.”
The dark figure said he would refresh his display and see if it worked. Another fiction, of course. He couldn’t refresh any display, because he wasn’t looking at the display. But he could determine whether it worked. He asked for another password reset. He still didn’t receive the email message, but that might just mean the computer was still processing the request. So he tried again, and again, and again, in quick succession. And finally it worked.
He reported to Brian that the data had been updated.
Brian was clearly pleased to have helped.
The dark figure had access to Tom’s account now, but there was one thing he needed to do before stealing control over the VL.com domain. He needed to cover his tracks, and for that, he needed Tom’s email passwords. He logged into Tom’s account and looked up the email box IDs. Then he contacted support again.
Unfortunately, he got Brian again. Brian was no doubt tired of him by now, but he gave it a try anyhow. He said he was trying to see the passwords of two users under his account.
Brian replied that “Tom” couldn’t see the passwords, but he could reset them.
Indeed, that was a security precaution that DreamHost had put in place some time ago, in order to stop people from doing what the dark figure was trying to do right now.
Brian suggested not making any more changes right now, just to keep everything working for now. Yup. He was clearly tired of dealing with “Tom.”
The email the dark figure was trying to erase was actually being sent to a Google Apps account, but maybe Tom had used the same password on both his DreamHost email accounts and on his Google account. The dark figure had also asked for the Google password to be reset, and he hoped that a password-reset message might then have appeared in one of the DreamHost mailboxes.
So the dark figure waited another half hour and tried again. This time, he got Sam, who was more than happy to help. He was able to get the passwords for the two email boxes, but they appeared to be long strings of random characters. And neither of those email boxes contained the Google reset message.
The dark figure would not be able to crack into Tom’s email. His best hope was that he could complete the thievery he came here to do, before Tom realized what was going on.
Sunday, March 27, 1:16 AM EDT
Tom instant-messaged me: “Somebody is trying to break into my Dreamhost account.”
“How can you tell?” I asked.
He had gotten a bunch of email messages telling him that his DreamHost account password had been reset. But it particularly disturbed him that the last of these messages was also sent to an anonymous email address, at HushMail, an email address Tom did not control.
What to do? DreamHost’s primary means of customer support was via the administration panel, if Tom could still log in.
He couldn’t.
I acutely realized that this is one of the instances in which you really need another means of contacting DreamHost support. Since then, I’ve discovered DreamHost’s public contact form, as well as their abuse email address. Either would probably have worked at least as well as what we ended up doing.
We didn’t know how the attacker had cracked into Tom’s DreamHost account. Tom’s Google-hosted account had not been compromised, as far as we could tell. So the cracker had either found an exploit in DreamHost’s password-reset form, or else he was listening in on DreamHost’s or Google’s network. In any case, it was a scary prospect.
As a fellow DreamHost customer, I contacted support on Tom’s behalf and relayed his plea for help. It would be almost 13 hours before we received an initial response, and several more hours before we were taken seriously. Not fast enough to prevent the disaster that was to come.