
How PayPal and GoDaddy made me give away a $50,000 Twitter account



I had a rare Twitter handle: @N. Yes, just one letter. I was offered $50,000 for it. People often tried to steal it; password reset emails arrived in my inbox constantly. Unfortunately, as of now, I have lost @N. Hackers took it.

On January 20, 2014, at lunch, I received a message from PayPal with a verification code. Someone was trying to get into my PayPal account. I ignored it and kept eating.

Later that day, I checked my email, which runs on my own domain name (registered with GoDaddy) through Google Apps. The latest message was from GoDaddy with the subject “Account Settings Change Confirmation.”

From: <support@godaddy.com> GoDaddy
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 12:50:02 -0800
Subject: Account Settings Change Confirmation

Dear Naoki Hiroshima,
You have received this email because your account settings have been changed to the following Client Number:
XXXXXXXX

Your request will take effect after some time.

If these changes were made without your consent, please log in to your account and update your security settings.

If you are unable to log in to your account, or if changes were made in an unauthorized manner, please contact our customer support: support@godaddy.com or (480) 505-8877.

Please note the Universal Terms of Service.

Respectfully,
GoDaddy


I tried to log in to my GoDaddy account, but could not. I called GoDaddy and explained the situation. The employee asked me for the last 6 digits of my credit card as verification, but that did not work: the credit card details had already been changed. In fact, all the data in the account had been changed. I had no way to prove that I was the real owner of the domain name.

The GoDaddy employee suggested that I file an appeal with GoDaddy. I sent everything that was required to confirm my identity and the account; the answer was to come within 48 hours. I thought that would be enough to confirm ownership of the account.

Beginning of extortion

Most websites use email as a verification method. If your email account is compromised, an attacker can easily reset your passwords. By taking control of my domain name at GoDaddy, the attacker gained control of the email on that domain.

Soon I realized that the goal was a Twitter account. Oddly enough, I received a message on Facebook from Twitter about a change of email address. Most likely the attacker wanted to reset the password, but I managed to change the email first, to a neutral account not on my domain.

The attacker tried to reset the Twitter password several times and found that the reset emails were not arriving, since the change to the MX record of my domain (the record that determines which server receives the domain's mail) took time to propagate. The attacker then created ticket #16134409 on Twitter's Zendesk support page.

N, Jan 20 01:43 PM:
Twitter username: @n
Your email: *****@*****.***
Last sign in: December
Mobile number (optional): n/a
Anything else? (optional): I do not receive a password reset message to my email. Can you manually send me a message?


But Twitter required the attacker to provide more detailed information in order to continue, and the attacker dropped the case.

Later I learned that the attacker had also compromised my Facebook account in order to bargain with me. I was terrified when friends started asking me about strange activity on my Facebook.

Finally, I received an email from the attacker. The extortion began.

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 3:55:43 -0800
Subject: Hello.

I saw you talking to my accomplice; I just wanted to let you know that you were right: @N was the goal. I would also like to inform you that your GoDaddy domains are at my disposal.

I see you run quite a few good websites; at the moment everything on them is untouched. Are you ready to compromise? We need access to @N in exchange for your GoDaddy account.


Soon after, I received a reply from GoDaddy.

From: change@godaddy.com
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 5:49:41 -0800
Subject: Update [Incident ID: 21773161] - XXXXX.XXX

Unfortunately, Domain Services is unable to help you with your change request as long as you are not the owner of the domain name. As the registrar, we are entitled to make changes only after confirmation of consent from the owner. You may also try to resolve the issue through one of the following options:

1. Visit who.godaddy.com to find the Whois record for the domain and resolve the issue with the owner.
2. On www.icann.org/dndr/udrp/approved-providers.htm find an ICANN arbitration provider.
3. Provide the following link to your lawyer for information on filing legal documents with GoDaddy: www.godaddy.com/agreements/showdoc.aspx?pageid=CIVIL_SUBPOENA

GoDaddy now considers this issue closed.


I was refused because I was not the “owner”. I was furious that GoDaddy could not identify the true owner and did not recognize me.

A colleague was able to connect me with GoDaddy executive support. They tried to contact the security team, but nothing happened, perhaps because of the holiday.

Then I received a message from the attacker.

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 6:50:16 -0800
Subject: ... hello

Well, deal? The GoDaddy account is ready to go. The password has been changed and a neutral email is linked to the account.


I remembered what had happened to @mat and concluded that giving up the account immediately was the only way to avoid a catastrophe. So I replied to the attacker:

From: <*****@*****.***> Naoki Hiroshima
To: <swiped@live.com> SOCIAL MEDIA KING
Date: Mon, 20 Jan 2014 19:41:17 -0800
Subject: Re: ... hello

I deleted @N. Take it now.


I changed my @N username to @N_is_stolen. Farewell, my troublesome username, for now.

I received an answer.

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:44:02 -0800
Subject: RE: ... hello

Thank you very much, your GoDaddy password: *******
If you want, I can tell you how I accessed your GoDaddy account and how you can secure yourself.


The attacker quickly took the username, and I regained access to my GoDaddy account.

PayPal and GoDaddy attack method

I asked the hacker how my GoDaddy account had been hacked and got this reply:

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 7:53:52 PM -0800
Subject: RE: ... hello

- I contacted PayPal technical support and, using a number of very simple technical tricks, obtained the last four digits of your card number (you can close this hole by contacting PayPal technical support and asking a company specialist to add a note to your account that prohibits giving out any account or technical information by phone).

- I called GoDaddy and told them that I had lost the card but remembered the last four digits; the agent accepted that and I confirmed the rest (00-09 in your case). I have not found a way to increase the security of a GoDaddy account; however, if you want me to recommend more secure registrars, I recommend NameCheap or Enom.


It’s hard to decide which fact is more shocking: that PayPal gave the attacker the last four digits of my credit card over the phone, or that GoDaddy accepted them as a verification check. When I asked about this, the attacker replied:

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 8:00:31 -0800
Subject: RE: ... hello

Yes, PayPal told me over the phone (I posed as an employee), and GoDaddy let me “guess” the first two digits of the card.


But isn't correctly guessing the first two digits hard?
Note: this is actually easy; see money.howstuffworks.com/personal-finance/debt-management/credit-card1.htm


From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, Jan 20, 2014 8:09:21 -0800
Subject: RE: ... hello

I guessed right on the first call; most agents just keep waiting until you get them.


He was lucky to guess two digits. But the fact is that GoDaddy let him keep trying until he got them. Insane.
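To make the weakness concrete, here is an added model of the verification described above. It is not code from the post, from GoDaddy or from PayPal; it assumes a ten-candidate guess space (the "00-09" the attacker quotes) and compares the unlimited-retry behaviour the post describes with a lockout policy, then runs a simple detection rule over the resulting audit log. The verifier, caller names and log format are all constructed for the example.

```python
"""Toy model of a 'guess the first two digits' support-desk check.

Added example, not from the post or either company.  It assumes a
ten-candidate space ("00".."09") and compares two policies:
  * max_attempts=None  - the agent keeps accepting guesses (as described)
  * max_attempts=N     - the account locks after N failed attempts
Every attempt is written to an audit log; flag_suspicious_callers() is the
detection rule a defender would run over that log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed candidate space, taken from the "00-09" quoted by the attacker.
CANDIDATES = [f"0{d}" for d in range(10)]


@dataclass
class RecoveryVerifier:
    """One account's verification state for a single recovery call."""
    true_prefix: str                      # the value the agent is comparing against
    max_attempts: Optional[int] = None    # None reproduces the unlimited-retry policy
    failures: int = 0
    audit: List[str] = field(default_factory=list)

    def attempt(self, caller: str, prefix: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Digits are never written to the log."""
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.audit.append(f"caller={caller} result=locked")
            return "locked"
        if prefix == self.true_prefix:
            self.audit.append(f"caller={caller} result=ok")
            return "ok"
        self.failures += 1
        self.audit.append(f"caller={caller} result=denied failures={self.failures}")
        return "denied"


def attempts_until_accepted(verifier: RecoveryVerifier, caller: str) -> Optional[int]:
    """Walk the candidate list in order, the way a patient caller would.

    Returns the number of attempts used on success, or None if the lockout
    policy stopped the call first.
    """
    for n, prefix in enumerate(CANDIDATES, start=1):
        result = verifier.attempt(caller, prefix)
        if result == "ok":
            return n
        if result == "locked":
            return None
    return None


def success_probability(max_attempts: Optional[int], candidates: int = len(CANDIDATES)) -> float:
    """Chance a guessing caller gets through, assuming the true value is uniform."""
    if max_attempts is None:
        return 1.0                         # unlimited retries: certain success
    return min(max_attempts, candidates) / candidates


def flag_suspicious_callers(audit: List[str], threshold: int = 3) -> List[str]:
    """Detection rule: callers with `threshold` or more denied attempts."""
    denied: Dict[str, int] = {}
    for line in audit:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["result"] == "denied":
            denied[fields["caller"]] = denied.get(fields["caller"], 0) + 1
    return sorted(c for c, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed scenario: the real prefix is "07"; two callers, two policies.
    weak = RecoveryVerifier(true_prefix="07")
    print("unlimited retries: accepted after", attempts_until_accepted(weak, "caller-A"), "attempts")
    strict = RecoveryVerifier(true_prefix="07", max_attempts=3)
    print("lockout after 3 failures:", attempts_until_accepted(strict, "caller-B"))
    print("success probability, unlimited vs 3 attempts:",
          success_probability(None), success_probability(3))
    print("callers to review:", flag_suspicious_callers(weak.audit + strict.audit))
```

The point of the model is the last two lines: with unlimited retries a ten-candidate check is no check at all, while a three-attempt lockout cuts the success rate to 30% and, more importantly, leaves a trail of denied attempts that a support desk can review.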

Avoid custom email domains

My GoDaddy account was restored and I regained access to my email. I have changed my email address and now use an @gmail.com address for several web services. An email address on your own domain through Google Apps feels nice, but it can be stolen if the domain's DNS is compromised. If I had used an @gmail.com address for Facebook, the attacker would not have been able to log in to my Facebook account.

If you use a Google Apps address on your own domain to sign in to various websites, I strongly recommend that you stop. Use an @gmail.com address to log in.

In addition, I strongly recommend using a longer TTL on your MX record, just in case. Mine was a 1-hour TTL, which is why I stopped receiving mail so quickly after losing control of DNS. With a week-long TTL, I would have had a much better chance of recovering the stolen accounts.

Use two-factor authentication; it is essential. That is probably what stopped the attacker from getting into my PayPal account, although this story shows that even two-factor authentication does not always help.

Conclusion

Careless companies can give your personal information (for example, part of your credit card number) to a random stranger, and some of them still verify identity using the last digits of your card.

To avoid their carelessness, do not let companies such as PayPal and GoDaddy keep your card on file. I plan to leave GoDaddy and PayPal as soon as possible.

UPD:
I really wanted to share this article with you, but my translation skills are limited; I translated as best I could, using machine translators. My apologies in advance for that.

Source: https://habr.com/ru/post/210718/
