We are aware that one of the most powerful attack methods in the hacking world is social engineering. Here is the story of how a social engineering attack helped a hacker extort a Twitter account worth $50,000.
Naoki Hiroshima, an app developer, registered his one-letter handle @N in 2007. He says that since he registered the account, he has faced several troubles. One-letter Twitter handles are rare and worth a lot of money.
He says he has even received an offer of up to $50,000 for his Twitter handle, but he declined to sell it. Not all attempts to obtain the account have been friendly, however: hackers have often tried to steal it by sending phishing emails.
This time, though, Naoki's luck ran out. A hacker managed to compromise his website through a social engineering attack. The hacker's real target was the Twitter handle: he threatened that Naoki would never get his domain back unless he handed over the handle. Naoki finally agreed to give the Twitter handle to the hacker.
After getting access to @N, the hacker explained how he had compromised the website and offered a few security tips to help Naoki avoid becoming a victim in future.
Manipulated employees at PayPal and GoDaddy:
The attack started with PayPal. The hacker called PayPal and social engineered an employee into handing over the last four digits of Naoki's credit card number.
He then called GoDaddy, said he had lost his card but remembered the last four digits, and GoDaddy let him guess the first two digits. He guessed them successfully and was given access to the account.
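The GoDaddy step above worked because the verification process accepted partial card digits as proof of identity and let the caller keep guessing the part he did not know. The following Python illustration is an added example, not code from the article or from any provider named in it; it models a knowledge-based verification step two ways, once as an unthrottled check and once with a failure counter, lockout and alert record, and runs the same guessing caller against both. The policy values (three failures, fifteen-minute lockout) and the secret "42" are assumptions constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field

# Assumed policy values for this illustration, not taken from any real provider.
MAX_FAILURES = 3          # lock the verification step after three wrong answers
LOCKOUT_SECONDS = 900     # keep it locked for fifteen minutes


@dataclass
class AccountState:
    """Per-account bookkeeping kept by the verification service."""
    failures: int = 0
    locked_until: float = 0.0
    audit: list = field(default_factory=list)


def verify_unthrottled(state, secret, guess, now):
    """Model of a help desk that lets the caller keep guessing: every attempt
    is checked, nothing is ever locked and nobody is alerted."""
    ok = hmac.compare_digest(secret, guess)
    state.audit.append(("attempt", now, ok))
    return ok


def verify_throttled(state, secret, guess, now):
    """Hardened version: counts failures, locks the step after MAX_FAILURES
    wrong answers and writes an alert record a fraud team can act on."""
    if now < state.locked_until:
        state.audit.append(("rejected_locked", now))
        return False
    ok = hmac.compare_digest(secret, guess)
    if ok:
        state.failures = 0
        state.audit.append(("success", now))
        return True
    state.failures += 1
    state.audit.append(("failure", now, state.failures))
    if state.failures >= MAX_FAILURES:
        state.locked_until = now + LOCKOUT_SECONDS
        state.audit.append(("locked_alert", now))
    return False


def run_guessing_caller(verify, secret="42", max_calls=100):
    """Constructed scenario: a caller who knows only that two digits are
    missing tries 00, 01, ... one per call, a second apart. Returns a summary
    of what the service allowed to happen."""
    state = AccountState()
    result = {"verified": False, "calls": max_calls, "alerts": 0}
    for i in range(max_calls):
        if verify(state, secret, f"{i:02d}", now=float(i)):
            result.update(verified=True, calls=i + 1)
            break
    result["alerts"] = sum(1 for event in state.audit if event[0] == "locked_alert")
    return result


if __name__ == "__main__":
    for name, verify in (("unthrottled", verify_unthrottled),
                         ("throttled", verify_throttled)):
        print(name, run_guessing_caller(verify))
```

Against the unthrottled check the caller is verified on the 43rd call with no record that anything unusual happened; against the throttled check the step locks after the third wrong answer, every later call is refused, and one alert record is written for review. Throttling limits the guessing, but it does not fix the underlying weakness the article points to: the last four digits of a card are not a secret, and the first step of this attack shows they can be obtained from another company entirely, so partial card digits should not be the sole factor for account recovery.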
Naoki was using an email address hosted on his own domain for his Twitter account. The attacker attempted to reset the Twitter password; meanwhile, Naoki noticed the attack and immediately changed his Twitter email address to a Gmail one, so the attacker could not get into the Twitter account.
He also tried to trick Twitter into handing over the account, but Twitter asked him for more information, so he dropped that plan and blackmailed Naoki into giving up his handle.
Since the domain's registrant details had been changed and GoDaddy was not helping him, Naoki finally agreed to exchange the Twitter handle for his GoDaddy account.
Naoki said he is disappointed with GoDaddy and PayPal and plans to leave them as soon as possible.
"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person. Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card," Naoki said on his blog.
Currently, the attacker controls the Twitter handle @N. Naoki is now using N_is_Stolen for his account.