Tesla attack started with a single phone call

Last weekend, Tesla Motors had their website and Twitter accounts hijacked by individuals looking to play a joke.

They used their access to deface the company’s website and spam a computer repair shop in Illinois, posting their number along with a promise of a free Tesla to callers. The “free car” promotion was posted to the hijacked @TeslaMotors account and the account used by Elon Musk, the company CEO.

While the incident generated plenty of attention, it wasn’t complex. According to a statement from Tesla, the problems started with a phone call to AT&T. Someone posing as a Tesla employee convinced an AT&T customer support representative to forward calls to a non-Tesla number.

After that, the attackers went to Network Solutions (the registrar responsible for TeslaMotors.com) and used the forwarded number to add a new contact email address to the domain admin account.

Once that was done, password resets were issued, and because the attackers controlled the added email address, they were able to access the Network Solutions account, altering DNS and MX (mail exchanger / email) records. The MX changes also helped them gain control over the Twitter accounts, which the attackers maintained for a few hours.

In short, this was a planned, point-to-point troll of an attack.

The Tesla incident highlights a complicated problem for businesses. Support representatives are paid to help. Their jobs are to assist the customer and make their business experience as positive as possible. One thing they are rarely allowed to do is deny a customer, not without a good excuse.

Thus a knowledgeable attacker, armed with a solid story (or excuse), and basic information can usually get their way by targeting support.

Yet, if the business tightens security controls on the support network, that could lead to customers being denied access to services, resulting in a lower quality of experience, which hurts the business overall. Often, support staff are treated as a known, acceptable risk, because customer experience will always trump security in a majority of settings.

AT&T is no exception; in fact the Tesla incident isn’t the first time their support people have been targeted as part of a larger attack. In 2012, attackers targeted AT&T in order to compromise the Gmail account of CloudFlare CEO Matthew Prince.

AT&T isn’t the only company vulnerable to this attack either. Earlier this year, at least two support representatives at GoDaddy were tricked in to releasing my personal account to an attacker, and all he needed to do was Photoshop a state ID and pretend to be me using public WHOIS data.

In the end Tesla was able to recover, but the damage had been done as far as those responsible were concerned.

The attackers, suspected to have ties to Lizard Squad, wanted to play games – amusing themselves and others. That’s exactly what happened, and rarely does a company plan for trolling attacks, or rather attacks that are based on pure amusement.

For those interested, OpenDNS has some interesting data on the Tesla incident, including some added details on the DNS servers used to redirect traffic to the “hacked” website. As it turns out, while no one was targeted with anything malicious, some of the domains tied to the DNS used in the Tesla incident were rather shady.