PayPal and GoDaddy tricked into robbing man of $50,000 Twitter handle


Naoki Hiroshima, stripped of the coveted Twitter username “@N,” details in an online post the recipe for the theft, which the hacker happily explained to him.

The “@N” handle purportedly would fetch $50,000 on the market and, through a series of “social engineering” messages to PayPal and GoDaddy, Hiroshima was extorted into giving it up.

Here’s the sad chronicle:

First, “I checked my email which uses my personal domain name (registered with GoDaddy) through Google Apps. I found the last message I had received was from GoDaddy with the subject ‘Account Settings Change Confirmation,’” Hiroshima writes.

From: <support@godaddy.com> GoDaddy
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 12:50:02 -0800
Subject: Account Settings Change Confirmation

Dear naoki hiroshima,

You are receiving this email because the Account Settings were modified for the following Customer Account:

XXXXXXXX

There will be a brief period before this request takes effect.

If these modifications were made without your consent, please log in to your account and update your security settings.

If you are unable to log in to your account or if unauthorized changes have been made to domain names associated with the account, please contact our customer support team for assistance: support@godaddy.com or (480) 505-8877.

Please note that Accounts are subject to our Universal Terms of Service.

Sincerely,
GoDaddy

Then, Hiroshima attempted to log in to his GoDaddy account, but failed. A GoDaddy representative asked him for the last six digits of his credit card number to verify he was who he claimed to be. Confirmation on GoDaddy was unsuccessful because his credit card data had already been changed by the attacker. In fact, all of his account information had been changed.

“I soon realized, based on my previous experiences being attacked, that my coveted Twitter username was the target,” Hiroshima writes. “The attacker had compromised my Facebook account in order to bargain with me.”

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 15:55:43 -0800
Subject: Hello.

I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. It appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:

I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? Access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?

Shortly thereafter, Hiroshima received an unsatisfactory response from GoDaddy --

From: change@godaddy.com
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 17:49:41 -0800
Subject: Update [Incident ID: 21773161] XXXXX.XXX

Unfortunately, Domain Services will not be able to assist you with your change request as you are not the current registrant of the domain name. As the registrar we can only make this type of change after verifying the consent of the registrant. You may wish to pursue one or more of the following options should you decide to pursue this matter further:

1. Visit http://who.godaddy.com/ to locate the Whois record for the domain name and resolve the issue with the registrant directly.

2. Go to http://www.icann.org/dndr/udrp/approved-providers.htm to find an ICANN approved arbitration provider.

3. Provide the following link to your legal counsel for information on submitting legal documents to GoDaddy: http://www.godaddy.com/agreements/showdoc.aspx?pageid=CIVIL_SUBPOENA

GoDaddy now considers this matter closed.

GoDaddy verified the change of account information with the attacker, but the company never asked Hiroshima, the real account holder, whether he had authorized it.

He received this follow-up email from the attacker --

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 18:50:16 -0800
Subject: …hello

Are you going to swap the handle? the godaddy account is ready to go. Password changed and a neutral email is linked to it.

Hiroshima decided that ceding the account right away would be the only way to avoid an irreversible disaster.

From: <*****@*****.***> Naoki Hiroshima
To: <swiped@live.com> SOCIAL MEDIA KING
Date: Mon, 20 Jan 2014 19:41:17 -0800
Subject: Re: …hello

I released @N. Take it right away.

Hiroshima received this response --

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:44:02 -0800
Subject: RE: …hello

Thank you very much, your godaddy password is: V;Mz,3{;!’g&

if you’d like I can go into detail about how I was able to gain access to your godaddy, and how you can secure yourself

The attacker then provides a tutorial --

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:53:52 -0800
Subject: RE: …hello

- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case). I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

One of the most chilling parts of Hiroshima’s chronicle --

“It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification,” he writes.

The attacker confirmed the unbelievable --

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 20:00:31 -0800
Subject: RE: …hello

Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card

Guessing the two digits correctly was a cinch.

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 20:09:21 -0800
Subject: RE: …hello

I got it in the first call, most agents will just keep trying until they get it

In addition to parting with “@N,” Hiroshima plans to split with GoDaddy and PayPal too.

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.