How hackers tried to break into my wife's 1&1 account - via the phone

Filed Under: Data loss, Phishing, Privacy

Sophos senior security engineer David Schwartzberg describes how scammers tried to break into his wife's online account at web-hosting firm 1&1 - via the telephone.

It was June 17th, 2011, during a Friday afternoon at 4:01pm Central Time when I received a telephone call from a guy called Mike.

Mike introduced himself and said he was in the sales department of my wife's e-commerce hosting provider, 1&1. He also mentioned that my wife had recently registered a domain name, which is true.

Mike started talking about a new service that 1&1 offers for $19.99 per month after the free 30 day trial. I was reluctant but Mike pressed hard. The conversation eventually led to my agreeing to give it a try to get him off the phone; after all, it was a 30-day free trial, he promised they would notify me if I wasn't interested, and she had nothing to lose.

Once Mike had a commitment to move forward he said he needed to verify some information before he could proceed. He began with something simple like our home address.

Then he rattled off the Customer ID number quickly. Since I wasn't logged into my wife's account (and she was out), I agreed to whatever Mike said, not knowing if it was accurate.

Then he said that in order to activate the free trial he had to log into her account and needed the password.

Whoa! Spider senses were tingling and I quickly responded with, "I'm *not* giving that to you."

At that moment I saw that this was a fairly weak attempt at social engineering to phish the password.

Mike didn't press the issue, said he would activate the trial some other way, and told me to have a nice day. Click.

Feeling a bit perturbed I went to check her account and changed the password immediately. I also checked her email account and saw that at about the same time Mike asked for her password there was a password request email waiting. It read:

We recently received a request to e-mail your master password to you.

Your master password is: **********

As e-mails are generally not considered entirely secure, we encourage you to change your password in your Control Panel immediately. You can log on to your Control Panel using the following link:

https://admin.1and1.com and click on 'User Settings'>'Password' in the left navigation bar.

When choosing a new password, it is best to choose one that contains a mix of numbers, lowercase, and uppercase letters.

So, I went to 1&1's main website and called their tech support department.

I explained what had happened and asked if they would *ever* call a customer and ask for their password. The answer I expected to hear was that they would never ask for a customer's password if it was an outbound call.

However, the woman on the line said that if there was a big enough issue and the customer called in, they might ask for the password if necessary. Hopefully the customer would change the password once the issue is resolved.

I also asked the employee to check the call log history to see whether anyone named Mike had called our home number. She responded that across their departments, no one from 1&1 had spoken to us since last year.

I adamantly requested that she let her manager and 1&1's security officer know that their customers' information is being used to social engineer passwords.

As a side note, I have to say, sorry 1&1. You could have given better advice than suggesting a password that contains a mix of numbers, lowercase and uppercase letters.

While that's good, it's not the best, because the result might still be a dictionary word and the numbers might still be sequential. How about suggesting that your customers choose a sentence of 7 to 15 words and use the first letter of each word as the basis of the password? To make it stronger still, mix the cases and replace some letters with numbers and/or symbols.
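As an added example (not code from the post or from 1&1), here is that recipe in Python, together with a check for the two weaknesses called out above, dictionary words and sequential digits. The substitution table, the rule that case is taken from the sentence as written, and the tiny word list are my own constructed assumptions.

```python
"""Derive a password from a memorable sentence: 7 to 15 words, first letter of
each word, case kept from the sentence, some letters swapped for digits or
symbols. Then report the weaknesses the post warns about.
Added example; the tables below are constructed, not from the post."""
import re

# Letter -> digit/symbol swaps (constructed; any consistent table works).
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}

# Tiny stand-in for a real cracking word list (constructed for the example).
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "trial"}


def derive_password(sentence: str) -> str:
    """First character of each word. Capitalised words give upper-case
    letters; words starting with a digit (e.g. '4pm') contribute that digit."""
    words = sentence.split()
    if not 7 <= len(words) <= 15:
        raise ValueError("use a sentence of 7 to 15 words")
    initials = "".join(w[0] for w in words)
    # Swap selected lower-case letters for a digit or symbol.
    return "".join(SUBSTITUTIONS.get(c, c) for c in initials)


def weaknesses(password: str) -> list:
    """Return the problems found; an empty list means none of them apply."""
    problems = []
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in DICTIONARY or password.lower() in DICTIONARY:
        problems.append("dictionary word")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("single case")
    if all(c.isalpha() for c in password):
        problems.append("no digit or symbol")
    # Three or more digits in a row that step by exactly one (123, 789, 321).
    for run in re.findall(r"\d{3,}", password):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            problems.append("sequential digits")
            break
    return problems
```

The word list is deliberately tiny; a real check would use the same lists a cracker would, and a 7 to 15 word sentence still gives only 7 to 15 characters, so treat the result as a floor, not a ceiling.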

Here's a video by my colleague Graham Cluley, which explains how to choose a strong password, which is easy to remember but still hard to crack:


To wrap things up, with all of the pressure Mike put on me to sign up for the service, he proved himself to have better talents as a sales development representative than as a social engineer. Mike, you might want to consider a change in careers.

Until he does, if you have a 1&1 account, keep your senses on high alert because Mike could be calling you next.


15 Responses to How hackers tried to break into my wife's 1&1 account - via the phone

  1. It's a cautionary tale - No one is completely immune to this kind of "attack".

  2. hyujsn · 1158 days ago

    I never answer unknown senders, so how do they get into my accounts to send me phishing mail from people I know? I have changed the pw and it has stopped.

  3. susanllewis · 1158 days ago

    I've had two calls - on my cell phone - from some group saying they were with a "legal attorney firm" and OH MY GOD something was wrong with my Social Security Account and it was urgent that I call!

    So I did. I got bounced all over the place every time I asked them again who they were, what they wanted, etc. I just played dumb and had a bit of fun with them.

    They, of course, needed my Social Security number to "check something out" and I wouldn't give it to them and when I told them I worked for the District Attorneys office and would have to call them back, why, they hung-up on me.

    Haven't heard a word since.

  4. Aidan · 1157 days ago

    Why didn't you say "Sorry not interested" and hang up. I don't know why people are so reluctant to do this, do you think he's going to come round and smack you for hanging up! The other alternative is just put the phone down and go and have a cup of coffee, that way you hopefully tie his line up for twenty minutes or so.

    • DSchwartzberg · 1157 days ago

      Aidan, I actually was slightly interested. Also working with Sophos sales folks daily I understand from their experiences how difficult cold/warm calling leads can be. Maybe I have a soft spot for sales folks?

      There came a point in the conversation where I was willing to give the service a try for my wife. Since there was a free trial it made sense. Once the request for the password came, all bets were off and I realized what was up.

      There are various ways to handle telemarketers to turn the tables and get a good laugh. I've actually done your suggestion before and was surprised that the telemarketer was still on the line after ~20 minutes. That's dedication! Then I hung up. Twenty minutes later there was a knock at the front door. To my surprise it was the telemarketer! He smacked me....

  5. I have identified a major security breach with my bank - not the first one either. Last time it took 15 months and they only agreed to talk to me after I reported them to the banking ombudsman.

    So I contacted them with the new breach. Customer services called me. I explained. She said she would tell the technical people. I asked that they contact me, but was told that they do not talk to customers. So I have no confidence that anything will be done.

    Thus I will have to report them to the FSA and the Data Protection commissioner because they consider themselves above talking to people who find problems with their systems.

  6. We're having this problem in the UK at the moment with a large ring of scammers calling people on their mobile (cell) phone and offering incredible deals, but they need more information...
    The thing is, they know names, addresses, and the network the person is on already. And yet all companies are denying they've had a security breach. That information can only come from one source, the phone network operators.

    I rarely answer unknown numbers on my mobile, but I ran a check on the number that kept coming up three times a day and found thousands on-line reporting the scam. That was going back over a month and it's still going on.

    These days you can't really trust any company to hold your data correctly, and that's why I NEVER give out information to anyone who has called me. I'll call them back on their national number and they can put me through if it's something I'm interested in.

  7. Mark · 1081 days ago

    I have a problem with my 1&1 account. I called up to resolve it. The person asked me for some information to verify that I was who I said it was.

    This was an inbound call to 1and1.

    They asked me to verify the name on the account, the email on the account... and then... for my account password???

    Wait... Why do you need to know my password? The guy said to verify the account.

    Why should any company require your password to verify that you are the account holder except for when I'm logging into my account myself on their website?

    What if that account password is used for other things as well?

    Yes, once my problem is resolved, I will be resetting the password on that account.

    And I hope that they're not storing these passwords in their internal databases as plaintext so that an internal customer support rep can view these passwords to verify them on the phone with customers.

    I don't see why anybody should need to know what a customers password is... ever!

    • dave · 352 days ago

      I am sorry but some of these responses are difficult to believe, especially being a 1and1 customer for the last ten years. I have never had any of these problems with security or being asked for my password.

      Every time I need to contact customer, technical support I go through the standard procedure for account verification (which is my pin # and name) but never password ever requested from an agent.

      #1 - The 1and1 agent is corrupt.
      #2 - Maybe the # you dialed was incorrect?

      I am an IT consultant and have been in the field for the last thirty years. Passwords should always be 7 digits or more with different combinations. People just don't understand security and I don't think you understand either, Mark.

  8. Tim · 892 days ago

    Had this exact call about 20 mins ago (UK) and it went much the same way for me. The guy laughed when I said I wouldn't give him my password and said something about many customers don't like to give their password and I suppose it's because security is all the rage these days... funny man!

  9. Ian · 890 days ago

    It seems like they are on the warpath!

    I received a call about 1 hour ago from 1&1 sales offering their MyWebsite package and asked for my password which left me flabbergasted. I asked her if that was standard procedure and she said yes. I told the lady I wasn't interested and she transferred me right away to her supervisor, who told me he was setting me up for the package and hung up before I could say anything. This led me to believe this is a scam... After talking to their customer support for nearly an hour I just realized they just have horrible policies.

    I received an email from 1&1 saying thank you for signing up for the package.
    After talking to 3 agents who all apparently require passwords to cancel the service, I eventually got transferred to a supervisor who did cancel it.

    How on Earth could they sign me up for the package without my password or my consent and yet claim to not be able to cancel it without it? I'm very tempted to cancel my domain now too.

    So... I did get it cancelled without uttering my password, but it took an hour to do it...

  10. Neville Young · 877 days ago

    Thanks, David, for an interesting article.

    I just had the same call. Same thing - the sales spiel on the offer (too polite to hang up, dammit), sending me a password reminder, and asking for the whole password. When I declined to do this they put me onto a supervisor who kindly offered to temporarily change the password, then I could change it back later (hmmmm) - could I please just give some personal info to confirm that I was me? No, sorry, I could not ... I made my excuses and left.

    I find it incredibly hard to believe that it really could be 1&1 as it is so fantastically sloppy, if it were really them, to ask for the whole password. The whole call seemed at every level to pass the Duck Test.

    And yet, and yet: if you go look at the 1&1 site and want to reset my password for somedomain.org.uk then the first thing you have to do is tell it my account number 123456789. So whoever sent me the password (then asked me to read it to them!) must have had my account number. How is this possible if they are not a 1&1 employee? I can't see a way of guessing or finding out account numbers - how did they get it??

    Hmmmm. I smell a large and hairy rat here. How about some or any of these, or something else:

    1. It's legit, and 1&1 have incredibly sloppy security and really will call you up, just like a scammer would, and ask you your whole password over the phone. I don't like this explanation much.

    2. It's not legit, but someone has stolen account numbers (without passwords) from 1&1, or there is someone dishonest working at 1&1 who is accessing the account numbers. I don't like this explanation much.

    3. It's not legit, but there is some way of getting 1&1 account numbers from publicly available information. (???) I don't like this explanation much.

    4. It's not legit, but someone has rung 1&1 pretending to be me, and pleaded for my forgotten account number, as "I" need to reset my password and can't without it. And 1&1 have taken pity and given "me" the account number. I don't like this explanation much.

    I don't like any of these explanations much. Is there another one?

    Of course, if like Ian I then get email saying they've signed me up for their service, I will know that it is (1). aaargh. What a depressing thought.

    I have written to 1&1 hoping they can shed some light on this rather odd turn of events.

    Watch this space ...

  11. Neville Young · 876 days ago

    Hi David

    Just a little followup on yesterday's comment. I had a nice prompt reply from 1&1 saying, inter alia, "Please disregard such calls since we do not suggest reset password not unless you requested for it." Which is interesting.

    Fortunately, they add: "If you have any further questions please do not hesitate to contact us." I do, in fact, have further questions: how did the alleged scammers, if they are not 1&1 staff, get my account number to perform the password-send request; and why do 1&1 store my password in plaintext and email it out on request?

    I will read their replies with great interest.

    :)

  12. Ken Edwards · 783 days ago

    I have just got off the phone to a 1&1 call handler (based in the Philippines) requesting my full password to check that I am the account holder.

    I am still angry that a company with the profile of 1&1 requests full passwords to validate accounts. What a bunch of amateurs!!! It could at the very least be a selection of characters from the password.

    What happens if the account is hacked and the hacker changes the password!!! Duh!!

    Yours, still fuming!!!

  13. Robert Walker · 711 days ago

    Seems it is genuine 1and1, got the same phone call. I assumed it was a scam until I got an email from 1and1 about it a few days later. Search for 1and1 "Search engine marketing service" and you find it easily. Also seems they do ask for passwords for the control panel over the phone.

    So apparently not a scam but after an introduction like that hardly feel like going for it :).

About the author

David Schwartzberg is a Senior Security Engineer at Barracuda Networks, a security company where he specializes in network security. Utilizing his 6 years accounting experience and combined 17 years InfoTech and InfoSec experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. David holds a black belt in Taekwondo and is an amateur competitor. You can follow David on Twitter as @DSchwartzberg.