domain theft saga

Tom Metro tmetro+gnhlug at gmail.com
Wed Mar 31 01:12:59 EDT 2010


For those of you not on the BLU list, you might find this an interesting
read:

http://old.nabble.com/Dreamhost-account-hacked-td28062149s24859.html

In brief, a directed attack using social engineering was perpetrated
against my domain registrar, Dreamhost, and due to multiple failures on
their part, they granted the attacker access to my account, froze me
out, and hampered my ability to halt the attack.

This started Saturday night, and by Sunday afternoon, given lax response
from Dreamhost, the attacker had succeeded in transferring my vl.com
domain, which is considered of high value due to being only two letters,
to a foreign registrar located in the Bahamas.

Included in my posts are laughable chat transcripts between the attacker
and the Dreamhost support personnel, where support people were more than
happy to update contact info, supply plain text passwords, and force
through a domain transfer.

Clearly, humans were the weakest link in this system.

The good news is that the attacker never succeeded in compromising my
email account used as the domain contact (despite a few attempts) and the
foreign registrar has been convinced that there was enough fishy about
the transfer to put modifications on hold. So for the time being my name
server records are safe, and they haven't gained access to my vl.com
email traffic. (Though I'm pretty sure they only care about the domain
itself.)

Monday the attackers made attempts to reset the password on my
Google hosted account used as the contact address for the domain.
Undoubtedly so they can leverage it to send a forged letter to the
foreign registrar. This attack included another attempt to social
engineer the Dreamhost support people (where the DNS was hosted for
this other Google hosted domain; Google uses your ability to add a CNAME
record to a domain's DNS as proof of account ownership), but fortunately
by this point they were wise to the trick. Amazing they hadn't yet
disabled the "live chat" support feature that enabled key parts of the
forgery (though it appears to be now).

Tuesday morning the foreign registrar concluded their investigation,
agreeing that it was fraudulent circumstances and started the return
process. No news since then.

I've reported the attack to the local police and the FBI, and had a long
conversation with the supervisor of the FBI Cyber Squad in Boston.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
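The post mentions that Google treats the ability to add a CNAME record to a domain's zone as proof of account ownership, which is why the attacker went after the DNS host's support staff. The following is an added illustration, not code from the post or from Google, of how such a DNS challenge works and what it actually proves: control of the zone, by whoever holds it. The record naming scheme, the verifier hostname and the in-memory zone are constructed stand-ins for the demo.

```python
import secrets

# Constructed in-memory DNS zone for the demo: record name -> CNAME target.
# A real verifier would resolve these names over public DNS instead.
def build_zone(domain):
    return {f"www.{domain}": f"{domain}."}

def issue_challenge(domain, verifier_host="verify.example-provider.test"):
    """Verifier side: mint an unguessable token and return the CNAME the
    claimant must publish. The naming scheme is a hypothetical stand-in,
    not Google's real layout."""
    token = secrets.token_hex(8)
    record_name = f"{token}.{domain}"
    expected_target = f"{verifier_host}."
    return record_name, expected_target

def publish_record(zone, record_name, target):
    """Claimant side: add the requested record. Anyone with write access to
    the zone (the owner, or a support agent talked into it) can do this."""
    zone[record_name] = target

def verify_ownership(zone, record_name, expected_target):
    """Verifier side: pass only if the exact record resolves to the exact
    target. This proves control of the zone at check time, nothing more."""
    return zone.get(record_name) == expected_target

def demo(domain="example.test"):
    """Run the full exchange: check before publishing (fails), publish,
    check again (passes). Returns the two verification results."""
    zone = build_zone(domain)
    name, target = issue_challenge(domain)
    before = verify_ownership(zone, name, target)   # nothing published yet
    publish_record(zone, name, target)
    after = verify_ownership(zone, name, target)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is that the strength of this proof is bounded by how well the DNS host guards zone writes: an account-recovery or transfer process that lets a support agent alter records on request reduces the check to a social-engineering problem, which is exactly what the post describes.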


More information about the gnhlug-discuss mailing list