Social engineering attack on GoDaddy and PayPal to blame in Twitter hijacking

Naoki Hiroshima lost access to his unique Twitter handle after being pressured by the criminal responsible for compromising his PayPal and GoDaddy accounts.

Update: GoDaddy confirms the social engineering aspects of this Twitter extortion scheme.

Update 2: Added commentary from Chris Hadnagy and Michele Fincher, from Social-Engineer Inc.

Leverage. That's what the criminal had when he contacted Naoki Hiroshima. Until recently, Hiroshima had one of the highly prized single-letter Twitter profiles; his was @N, but now it's @N_is_stolen.

The details of his story are posted to his Medium account.

In order to steal the coveted Twitter account, the criminal behind this scheme started with PayPal. Initially, they tried to reset the account password, but Hiroshima uses two-factor authentication, so that attempt failed. The attacker tried again, this time allegedly calling PayPal and posing as an employee; they claim they managed to get the customer service representative to give out the last four digits of Hiroshima's credit card.

In a statement, PayPal said that Hiroshima's personal details and credit card details were not shared, noting that Hiroshima's PayPal account was not compromised.

"We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal... Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post. We are personally reaching out to the customer to see if we can assist him in any way."

It's entirely possible the criminal lied to Hiroshima; that's what criminals do. So their claims that they posed as a PayPal employee could be completely false. But whoever is behind the attack did have the last four digits of the credit card in question, because this person used them to gain access to Hiroshima's GoDaddy account.

According to the criminal, who explained the process to Hiroshima, they called GoDaddy and gained access to his account by pretending to have lost the card on file, telling the customer service representative that they recalled the last four digits, which can be used for verification of account ownership.

Compounding the problem, the criminal noted that they were allowed to guess the first two digits of the card GoDaddy had on file to prove they were the owner of the account. They guessed correctly on the first try. Now, Hiroshima's GoDaddy account was in the hands of the criminal behind this scheme, and they altered all of the account details.

With the details changed, GoDaddy told Hiroshima that he wasn't the owner of the account, and as such, there was nothing that could be done to help him. Stuck, with few options, Hiroshima was left to deal with an attacker who wanted to make a trade.

GoDaddy didn't respond to emails seeking comment for this story [see statement below], but they have told Hiroshima they are willing to assist him, now that the story is out in the open.

As Hiroshima put it:

"It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification."

Once the attacker had control over Hiroshima's GoDaddy account, they threatened to delete data unless Hiroshima gave up his Twitter profile. Feeling pressure, Hiroshima relented and released the @N account.

Keeping to their word, the criminal returned control of the GoDaddy account back to its rightful owner, which allowed Hiroshima to start the recovery process and attempt to protect his remaining accounts.

Twitter is investigating, but wouldn't comment further when asked for details on the status of @N.

Social engineering is an attack on the mind, and one that plays into basic human traits. In this case, if the attacker is to be believed, a PayPal representative shared information because they were under the impression they were helping a co-worker.

However, even if the criminal lied, their claims are valid, because such security blunders happen all the time. If the information is presumed to be of little value, then there is little effort made to protect it.

In this case, the last four digits of a credit card are seen as useless, because on their own they don't amount to much. But the problem is that they're often used as a means of identification, which is a bad idea no matter how you look at it.

Add to that the fact that the criminal was allowed by GoDaddy to guess at the first two numbers of the card on the account, which are uniform to begin with, and you have a breach just waiting to happen.

These little gaps in security are what social engineers will focus on, and given that people generally want to help others, all one needs is time. Eventually they'll get what they want simply by asking.

Update:

GoDaddy's CISO, Todd Redfoot, sent the following statement:

Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy.  The hacker then socially engineered an employee to provide the remaining information needed to access the customer account.

The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers.  We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.

Update 2:

Chris Hadnagy and Michele Fincher, two well-known social engineering experts, told the Hash that this was "a pure social engineering attack from start to finish."

This would be a good opportunity to remind people to review their various accounts, passwords, and whether they allow any entities to store credit card or personal information. The attacker did his homework and came at the guy through multiple channels. The guy in the article suggested using a Gmail password as opposed to the domain password in case of compromise and extending your TTL - but it is a safer bet to do some things like:

Call your hosting / payment / card companies and have notes put on your account about information needed to give out your details;

Do not reuse passwords and make them stronger than you think you need;

Finally, review the companies you use to host and control things. It is a lot of work to switch companies especially if you host a lot of domains, so do your due diligence and choose one that will serve your needs.

Companies that hold our information are obviously not going to any extent to protect our information, so it’s up to the individual user.  I am amazed at how easy it was for the attacker to trick PayPal.  It is something that we just can't imagine as many of us with PayPal accounts have had problems trying to do legit business with them.  So this just blows me away personally.  But it also points to the increasing number of MULTI-STAGED [Social Engineering] attacks.  This is not new, but in the last few years we are seeing much more of these popping up.
