So you’ve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inbox’s recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.
Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity reader from the United Kingdom. Blake reached out because I’d recently written about a character of interest in the breach at British phone and broadband provider TalkTalk: an individual using the Twitter handle “@Fearful“.
Blake proceeded to explain how that same Fearful account had belonged to him for some time until May 2015, when an elaborate social engineering attack on his Internet service provider (ISP) allowed the current occupant of the account to swipe it out from under him.
On May 11, Blake received a text message on his mobile stating that his Microsoft Outlook account password had been changed. A minute later, he got another text from Microsoft saying his two-factor authentication (texted login codes to his phone) had been removed. After that, he could no longer log in to his Outlook account because someone had changed his password and removed his recovery email address (changing it to a free and disposable yopmail.com account).
Minutes after that, someone tweeted out the message from his account: “This twitter account is officially operated by Elliott G.” The tweet prior to that one mentions Blake by name and is a response to an inquiry to the Microsoft Store before the account was taken. The alias on Blake’s @Fearful account was changed to “Glubz”.
Blake said it took some time to figure out how the miscreant had hijacked his Twitter and Outlook accounts. Turns out, the recovery email address that he’d supplied for his Outlook account was to an email address at his local ISP, and the attacker executed the first step in the hijack by tricking a customer service employee at the ISP into redirecting his messages.
The attacker, apparently another person with a British accent, called Blake’s ISP pretending to be Blake and said he was locked out of his inbox. Could the ISP please change the domain name system (DNS) settings on his domain and associated mail account?
According to Blake, an investigation into the incident at the ISP shows that the customer service rep asked the caller to verify any other email addresses associated with Blake’s ISP account, and after some waiting the support employee actually read off a few of them. Seconds later, the attacker sent an email to the support person that spoofed one of those email addresses. After that, Blake’s ISP complied with the request, changing the DNS settings on his account to settings that the caller supplied for an account at Namecheaphosting.com.
OG IS A THING
With all of the access to other accounts that one’s inbox affords, the attacker in this case could have done some serious damage and cost Blake a lot of money. So why was he only interested in Blake’s Twitter account?
Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising amounts of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like Instagram, Snapchat, Twitter and Youtube. People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.
“I didn’t realize this was even a thing until all this happened,” Blake said of the demand for OG accounts. “It wasn’t until the day after my email accounts were hacked that I realized it was really my Twitter account he was after.”
As it happens, the guy who is currently squatting on Blake’s @Fearful Twitter account — a young wanna-be hacker who uses the nickname “Glubz” — is very publicly in the business of selling hijacked OG accounts. In the screen shot below, we can see Glubz on the script kiddie-friendly online community Hackforums promoting his “OG Store,” in which he sells “Snapchats,” Email accounts and “Youtubes” for $10-$40 apiece, payable via Bitcoin or PayPal. The bottom of the message includes a link to Glubz’s personal site — elliottg[dot]net (also hosted at Namecheaphosting.com).
Here’s Glubz on another script-kiddie friendly forum (Forumkorner) responding to one of dozens of requests from other members to offer his best appraisal of the market price for various hijacked OG accounts.
WHO IS GLUBZ?
Blake said it took him all of about five minutes to find who and where his virtual mugger lived. Turned out that the kid wasn’t far from Blake — in a U.K. town just a few dozen kilometers away.
Searching Google for “Glubz” brings up an Instagram and Snapchat account by the same name. Most of the pics that were until recently on Glubz’s Instagram are stock photos, but a couple of them appear to be taken from a mobile phone. Happily, the same photos are archived here. One of them shows what looks like the front yard and street in front of Glubz’s home as seen through his window shades.
Glubz’s own personal OG Youtube account is, naturally, just “Ty,” (no doubt hijacked as well). In one of his tutorials on how to “hack” stuff, Glubz explains a trick he learned for determining the country in which any given Yahoo! email account was created. In his video, Glubz steps through the reset-password process for one of his accounts — firstname.lastname@example.org — which shows that the last two digits of his mobile phone are “19.”
Glubz also had an entry at the now-defunct skidpaste.org, a site which sought to document the known aliases, addresses and other contact information on young script kids (hence “skid”) who fancy themselves much better hackers than they really are. That entry pegged Glubz as one 16-year-old Elliott Gunton of Norwich, U.K. Sure enough, the Skidpaste entry shows a mobile number for Gunton that ends in “19.” Pull the Google Street View listing for the Norwich address in Glubz’s Skidpaste entry, and one can see the street pictured in Glubz’s Instagram photo.
On Tuesday, London police said they had arrested a fourth individual in connection with the TalkTalk hack — a 16-year-old boy from Norwich. Reached via direct message on Twitter, Glubz (@Fearful) was evasive and would neither confirm nor deny being arrested. Meanwhile, Fearful’s Twitter “favorites” page is a mix of jail jeers and tweets from people wishing him well for getting out on bail.
Back to the beginning of this post: Take a minute to check out and think through the security of your inbox. If you’re not sure whether your provider offers two-step authentication, have a look at TwoFactorAuth.org.
But just as importantly, consider putting in place the same protections on the email account that you use as your recovery email address. If your recovery email address is an account given to you by your ISP, consider perhaps changing it to a service that offers two-step authentication and that may not be so easy to get on the phone. I am speaking from experience here, as someone who had his own inbox compromised because of a social engineering call to his own ISP.
Update 12:51 p.m. ET: As others have mentioned in the comments here, it’s not for nothing that a social engineering attack against Blake’s ISP recalls the recent alleged hack of CIA Director John Brennan’s inbox. In that incident, the attackers called Verizon to reset Brennan’s password. Wired.com breaks down how that attack succeeded.