This is a true cybercrime story, which hit my friend Tom. (If you’re looking for my usual “Friday Fun” column, it will return next week.)
Chapter 3
Tom and I speculated on how the intruder had broken into Tom’s DreamHost account, and what damage he might be doing there. I thought he might trash Tom’s account, and I wanted to be sure Tom could restore any lost data quickly. But Tom really didn’t have any data in that account. All of his Internet services were served from elsewhere.
He thought the cracker was probably setting up a phishing site. That is, the guy would put up a fake web page that looked like a real company web page, maybe for a bank. Then he would send people to that fake page, maybe with spam emails, and try to trick them into giving him their bank logins and passwords. Tom even feared the guy might charge up fake domain names on his credit card.
Fortunately, there was no way for the attacker to obtain Tom’s credit card number, except for the last 4 digits. Nor could he charge up services or domain registrations on the card, because DreamHost’s system always asks for new credit card information when you make new purchases. So that was good.
Our bigger concern was how he had managed to break in. The email box Tom had been using as his contact address for DreamHost was still secure. Tom was also certain that his Linux desktop computer was secure, and he had found no breaches on his office LAN. He had even been using encrypted protocols to transfer email into the office LAN, so even if someone were able to listen in on his Internet connection, the cracker wouldn’t have been able to read Tom’s communications. The only remaining possibility was that someone had cracked into a mail server at DreamHost, or maybe even the DreamHost control panel itself.
I joked that at least I would have something to blog about the following week.
I sent a message to DreamHost support, on Tom’s behalf, marked urgent. I explained that his control panel account had been cracked into, and that he had been locked out of it, so he could not contact support thereby. I gave them his phone number and told them he wanted them to call him immediately. By then it was almost 2 o’clock Sunday morning.
“Sure, self-hosted stuff is more likely to be poorly maintained and easier to breach,” Tom commented to me, “but if a problem happens, I can always hit the big red button and halt it.”
And this was certainly one of those situations. You’ve just discovered that someone has cracked into your account and locked you out. You want to be able to scream that your account has been compromised, and before anything else happens, you want your service provider to freeze the account. You can sort it all out later, when the experts can dig up the forensic details. But for now, you just want to stop the attacker from doing whatever damage he’s trying to do.
Still no response from DreamHost support. No way I knew of to escalate the request. No way to phone DreamHost. (And as we discovered later, DreamHost’s policy is not to discuss security breaches over the phone, only via email, because they want a written record of the conversation.) At one point, we also discovered DreamHost’s chat-support feature, and I tried contacting someone thereby, but no one responded to my chat request at 3:00 in the morning.
In the past, I’ve defended DreamHost’s control-panel-based support system, because it’s more than effective for normal, “my website’s not working” support requests. But this was not that kind of support request. We urgently needed DreamHost to freeze the account, at least temporarily, to keep the attacker from doing any more damage than he’d already done. Then the normal support mechanism would have been sufficient to pick up the pieces.
“I’m not sure it’d be worth the savings,” Tom noted, “to host anything critical at an organization that is effectively unreachable. I get that phone support would be abused, but you have to have a ‘break glass when on fire’ option somewhere.”
At 3:01 AM Sunday morning, Tom realized that there was indeed some real damage the cracker could do. “vl.com is worth $100K+. So I need to escalate this somehow.”
We gave up on the non-responsive chat and on the support ticket shortly before 4 AM. We went to bed, long overdue for sleep.
Sunday, March 28, 11:05 AM EDT
“Hello. Welcome to DreamHost Live Chat. My name is Javier. How can I help you?”
“I’m sent transfer request from new domain registrar for my domain,” the dark figure posing as Tom typed into his computer. “Can you see transfer request on your admin end and verify if received request from other registrar? VL.com.”
He had already unlocked the VL.com domain, worth hundreds of thousands of dollars, and had started transferring it to a registrar in the Bahamas. He had done this before, with other domains. Once the domain was out of the US, it would be harder for Tom to get it back, and much more difficult for anyone to prosecute the dark figure or his friends for stealing the domain. International law is a bitch, and that worked in the dark figure’s favor. At the very least, Tom would have to spend thousands of dollars to arbitrate the case, possibly with nothing to show for it. Some domains may be worth massive amounts of money, but most governments did not consider them “property.” And that too worked in the dark figure’s favor.
But while the registrar in the Bahamas was ready to receive VL.com, the dark figure still needed to approve the transfer away from DreamHost, and DreamHost’s interface didn’t appear to be cooperating. Indeed, Javier confirmed that DreamHost had not received the transfer request. The dark figure would have to contact the registrar in the Bahamas and have them resend it. Too much time had been wasted now, but there was still probably time to steal the domain away. Hopefully, no one would know what was happening until Monday morning.
(to be continued, on Monday)