So you’ve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inbox’s recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.
Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity reader from the United Kingdom. Blake reached out because I’d recently written about a character of interest in the breach at British phone and broadband provider TalkTalk: an individual using the Twitter handle “@Fearful“.
Blake proceeded to explain how that same Fearful account had belonged to him for some time until May 2015, when an elaborate social engineering attack on his Internet service provider (ISP) allowed the current occupant of the account to swipe it out from under him.
On May 11, Blake received a text message on his mobile stating that his Microsoft Outlook account password had been changed. A minute later, he got another text from Microsoft saying his two-factor authentication (texted login codes to his phone) had been removed. After that, he could no longer log in to his Outlook account because someone had changed his password and removed his recovery email address (changing it to a free and disposable yopmail.com account).
Minutes after that, someone tweeted out the message from his account: “This twitter account is officially operated by Elliott G.” The tweet prior to that one mentions Blake by name and is a response to an inquiry to the Microsoft Store before the account was taken. The alias on Blake’s @Fearful account was changed to “Glubz”.
Blake said it took some time to figure out how the miscreant had hijacked his Twitter and Outlook accounts. Turns out, the recovery email address that he’d supplied for his Outlook account was to an email address at his local ISP, and the attacker executed the first step in the hijack by tricking a customer service employee at the ISP into redirecting his messages.
The attacker, apparently another person with a British accent, called Blake’s ISP pretending to be Blake and said he was locked out of his inbox. Could the ISP please change the domain name system (DNS) settings on his domain and associated mail account?
According to Blake, an investigation into the incident at the ISP shows that the customer service rep asked the caller to verify any other email addresses associated with Blake’s ISP account, and after some waiting the support employee actually read off a few of them. Seconds later, the attacker sent an email to the support person that spoofed one of those email addresses. After that, Blake’s ISP complied with the request, changing the DNS settings on his account to settings that the caller supplied for an account at Namecheaphosting.com.
OG IS A THING
With all of the access to other accounts that one’s inbox affords, the attacker in this case could have done some serious damage and cost Blake a lot of money. So why was he only interested in Blake’s Twitter account?
Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising amounts of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like Instagram, Snapchat, Twitter and Youtube. People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.
“I didn’t realize this was even a thing until all this happened,” Blake said of the demand for OG accounts. “It wasn’t until the day after my email accounts were hacked that I realized it was really my Twitter account he was after.”
As it happens, the guy who is currently squatting on Blake’s @Fearful Twitter account — a young wanna-be hacker who uses the nickname “Glubz” — is very publicly in the business of selling hijacked OG accounts. In the screen shot below, we can see Glubz on the script kiddie-friendly online community Hackforums promoting his “OG Store,” in which he sells “Snapchats,” Email accounts and “Youtubes” for $10-$40 apiece, payable via Bitcoin or PayPal. The bottom of the message includes a link to Glubz’s personal site — elliottg[dot]net (also hosted at Namecheaphosting.com). Continue reading →