Slipshod Security, Human Frailty Made @N Ripe for Plucking
The @N saga isn't over. Naoki Hiroshima, the original owner of the purloined Twitter account, still doesn't have it back -- but for now there's no tweeting going on by Badal_News, which appears to have taken it over. GoDaddy admitted its staff unwittingly helped a scammer gain access to information that propelled a chain of events leading to the extortion of @N. Twitter is looking into the matter.
01/30/14 1:23 PM PT
GoDaddy has admitted one of its employees handed out customer information to a scammer who carried out a scheme to obtain a prime Twitter account, according to press reports.
Naoki Hiroshima, a developer at Echofon, this week detailed how the scammer was able to force him to hand over his prime Twitter account, @N.
The scammer used social engineering to accomplish his goal, obtaining Hiroshima's personal information to impersonate him. The scammer was able to provide enough information to convince customer service representatives at PayPal and GoDaddy that he was Hiroshima, according to Hiroshima.
The customer service representatives then reset the account permissions, Hiroshima said, allowing the scammer to take over. By gaining access to Hiroshima's personal email account, which was linked to his GoDaddy-hosted domain name, the scammer was able to extort the @N Twitter account from Hiroshima.
PayPal reportedly denied handing out any credit card details, personal, or financial information related to Hiroshima's account. It also dismissed suggestions that his PayPal account was compromised and claimed its customer service employees were trained to prevent attempts at social engineering. The company reportedly has reached out to Hiroshima to offer assistance.
GoDaddy, on the other hand, reportedly has admitted one of its customer service workers was duped into resetting Hiroshima's account. The company's chief information security officer, Todd Redfoot, confirmed to TechCrunch that the scammer had a great deal of the information he needed to access Hiroshima's account and was able to convince the employee to divulge the remaining details.
Hiroshima reportedly has regained access to his GoDaddy account, and the company is refining training methods to avoid similar situations in the future and better ensure customer security.
GoDaddy and Twitter did not respond to our requests to comment for this story.
"The reason that social engineering is being used more these days is that some of the technical vulnerabilities have been ameliorated," Roger L. Kay, principal analyst at Endpoint Technologies, told TechNewsWorld.
"Microsoft and some of the others have gotten very good at reducing exploits through the browser or the application or the operating system. The easiest and the fastest way in is through the weakest link, which is a person, and therefore social engineering has become a more prevalent tactic recently because it works," he explained.
Hiroshima noted on his new Twitter account, @N_is_stolen, that GoDaddy had offered assistance but revealed Twitter was unable to help him as it was unable to verify him as the original account holder. The @N handle now appears to be parked by someone who was able to quickly grab it.
Hacking for Profit
Social hacking incidents in which desired Twitter accounts are the target are far from uncommon. Wired writer Mat Honan, who goes by the handle @mat, had his iPad and MacBook remotely wiped because hackers gained access to his iCloud account while grabbing his Twitter account. A Twitter user who uses the handle @blanket lost access to his account for a while as well.
Hackers are eager to get their hands on short handles and those consisting of brief words because they hope to profit by selling them to other users. Hiroshima was once offered US$50,000 for @N, he said.
Onus on Companies, Users
The onus of keeping scammers out of accounts that could be held hostage or otherwise attacked is on both the company and the user, said David Monahan, research director of security and risk management at Enterprise Management Associates.
"It may be something as simple as when you establish an account, you give them a callback number," he told TechNewsWorld. "We've been doing that with remote devices for years, having callback modems so that if someone tries to hack into a device, it calls you back [to confirm your identity]."
Avoiding using publicly available information on your account helps too, Monahan said. Giving unrelated answers to security questions -- for instance, giving a movie title in place of your mother's maiden name -- and using password managers to store this information could help consumers lock out social engineering hackers.