This is a true cybercrime story that hit my friend Tom.
Chapter 4
Sunday, March 28, 2:40 PM EDT
Glen, from DreamHost’s abuse-response team, replied to our support request, saying that Tom should provide certain billing details in order to verify that he owned the account. That’s DreamHost’s standard procedure. But we believed that someone might be listening in on DreamHost’s email. How could we convince Glen that this issue needed looking into? Tom emailed him back, explaining that he believed DreamHost’s email servers had been compromised, and asking to talk by phone or to send the data by fax.
Tom said to me, “I’m sure they’ve chalked this up to some customer with sloppy security getting their email compromised.”
Shortly thereafter, Glen confirmed that suspicion. He said that while he was open to evidence that DreamHost’s network had been compromised, there hadn’t been break-ins on any other accounts. He suggested that Tom scan his computer for viruses, to make sure there wasn’t something installed on it that was listening in on his email.
Tom shot back, “It’s a Linux machine with a secure password behind a firewall. I have a clue about security. The only place I am seeing any evidence of a breach is with DreamHost. The attacker attempted, and failed, to reset the password on my Google-hosted account. If he had compromised my machine here, he would have been able to intercept that email.”
That seemed to have been persuasive, as Glen looked at the situation in more detail. Although he didn’t find any record that Tom’s account password had been accessed, he accepted that Tom knew enough about security to avoid the common mistakes people usually make. He also restored the account’s original email address, which gave Tom access again.
At around this time, Tom’s Google-hosted account received an email that someone was trying to transfer VL.com away to another registrar. Unfortunately, Google thought it was spam. Tom wouldn’t find the notice until another day had passed.
Sunday, March 28, 6:09 PM EDT
The dark figure had requested that VL.com be transferred away to a registrar in the Bahamas. But by the time the request had gone through, he had been locked out of the DreamHost account. If he could crack back in, however, maybe he could still complete the transfer.
Using a tried-and-true method, he chatted with DreamHost support. “Need update current email on file, but still not successful,” he said in his trademark broken English.
He was on the line with Schroder, who tried to walk him through the process.
But that would do the dark figure no good, because he couldn’t actually log into the account. His goal was to beg, trick, or badger Schroder into making the change for him. “Can you done it for me?” he asked.
“No,” Schroder replied, “I’m sorry. I can’t change it for you.”
“I can verify ownership,” the dark figure said. He gave Schroder the answer to the security question, which he had set earlier just for this contingency. He also recited the last four digits of the account’s credit card, which he had gotten from the account’s control panel and written down.
Schroder said, “If you can’t walk me through the method you’re using to change the info, then, I’m sorry, but I can’t help you with this.”
“Ok. Thanks,” the dark figure wrote, resolving to try back later with a different support rep.
Sunday, March 28, 6:52 PM EDT
While Tom waited for his browser to start up, he told me that he had two different contract programming jobs to work on this weekend, and he wanted to upgrade his operating system and switch his MythTV box over to a digital tuner. I guess he wasn’t going to make any progress on any of those projects.
“Look on the bright side,” I said. “Can’t think of what that is. But I’m sure there’s one there… somewhere.”
“Metaphorical bruises are often good to motivate you to take corrective action against repeating the mistake,” Tom replied.
He finally got back into his account, changed the account’s login email address, locked out the attacker, and reset the passwords. He examined his domains. They were all still there. He couldn’t tell whether VL.com was still locked, but all the domain-name configuration looked correct.
By then, it was 7:08 PM.
Meanwhile…
Sunday, March 28, 7:07 PM EDT
The dark figure tried again with DreamHost’s support chat. This time, he got Jeremy. He explained, impersonating Tom, that he was trying to change the primary address on Tom’s account.
Within a few minutes, Jeremy had solved his problem.
The dark figure used the automated system to reset the password on Tom’s account, knowing that as soon as he could get in, he would be able to complete the theft. But before he could lock Tom out, someone had already overridden the request. Clearly, Tom was onto him, logged into the system, and actively fighting with him for control of the account.
Time to switch tactics.
Sunday, March 28, 7:19 PM EDT
Tom was on the DreamHost support chat with Jason. “Help. My DH account is actively being hacked.”
“Unfortunately,” Jason said, “any inquiries pertaining to hacked sites or accounts need to be taken care of via email so our abuse/security team can assist you. This isn’t something I can help you with via Live Chat.”
“Glen reset my password about an hour ago,” Tom explained, “and the attacker is repeating the attack.”
“Okay, you will need to submit a support ticket for this. Thank you!”
Meanwhile…
Sunday, March 28, 7:19 PM EDT
The dark figure contacted Seohee via the DreamHost support chat, still impersonating Tom, told him he was having trouble transferring VL.com away, and asked for help.
He was worried that Tom may have already discovered the pending transfer and may have locked down the domain. “What’s current status of ‘TRANSFER AWAY’?” he asked. “It’s canceled?”
No, it wasn’t canceled. It was still pending. The dark figure told Seohee a story about trying to approve the transfer but receiving an error. “Please approve it from your admin end. Restarting transfer request taking few days.” Sadly.
“Please hold,” Seohee said.
Within a couple of minutes, the dark figure was able to write: “I can see it’s approved. And in new registrar.”
“Thanks for hanging in there. sorry for the confusion,” Seohee wrote.
“Thanks again. Have great day,” replied the dark figure.
“You too!”
Finally, everyone was happy.
(to be concluded, tomorrow)