Sophos senior security engineer David Schwartzberg describes how scammers tried to break into his wife's online account at web-hosting firm 1&1 - via the telephone.
It was Friday, June 17th, 2011, at 4:01pm Central Time when I received a telephone call from a guy called Mike.
Mike introduced himself and said that he was in the sales department of my wife's e-commerce hosting provider, 1&1. He also mentioned that my wife had recently registered a domain name, which is true.
Mike started talking about a new service that 1&1 offers for $19.99 per month after a free 30-day trial. I was reluctant, but Mike pressed hard. The conversation eventually led to my agreeing to give it a try just to get him off the phone; after all, it was a 30-day free trial, he promised they would notify me if I wasn't interested, and she had nothing to lose.
Once Mike had a commitment to move forward, he said he needed to verify some information before he could proceed. He began with something simple like our home address.
Then he rattled off the Customer ID number quickly. Since I wasn't logged into my wife's account (and she was out), I agreed to whatever Mike said, not knowing whether it was accurate.
Then he said that in order to activate the free trial he had to log into her account and needed the password.
Whoa! Spider senses were tingling and I quickly responded with, "I'm *not* giving that to you."
At that moment I saw that this was a fairly weak attempt at social engineering to phish the password.
Mike didn't press the issue, said he would activate the trial some other way, and told me to have a nice day. Click.
Feeling a bit perturbed, I went to check her account and changed the password immediately. I also checked her email account and saw that, at about the same time Mike asked for her password, a password request email had arrived. It read:
We recently received a request to e-mail your master password to you.
Your master password is: **********
As e-mails are generally not considered entirely secure, we encourage you to change your password in your Control Panel immediately. You can log on to your Control Panel using the following link:
https://admin.1and1.com and click on 'User Settings'>'Password' in the left navigation bar.
When choosing a new password, it is best to choose one that contains a mix of numbers, lowercase, and uppercase letters.
So, I went to 1&1's main website and called their tech support department.
I explained what had happened and asked if they would *ever* call a customer and ask for their password. The answer I expected to hear was that they would never ask for a customer's password on an outbound call.
However, the woman on the line said that if there was a big enough issue and the customer called in, they might ask for the password if necessary. Hopefully the customer would change the password once the issue was resolved.
I also asked the employee to check the call log history to see whether anyone named Mike had called our home number. She responded that, across their departments, no one from 1&1 had spoken to us since last year.
I adamantly requested that she let her manager and 1&1's security officer know that their customers' information is being used to social engineer passwords.
As a side note, I have to say: sorry, 1&1. You could have given better advice than choosing a password that contains a mix of numbers, lowercase and uppercase letters.
While that's good, it's not best, because the word might still exist in a dictionary and the numbers might still be sequential. How about suggesting that your customers choose a sentence of 7 to 15 words and use the first letter of each word as the basis of the password? Of course, to really make it the best, mix the cases and replace some letters with numbers and/or symbols.
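The critique above, that a mixed-case word with numbers appended is still a dictionary word with sequential digits once a cracker reverses the obvious substitutions, can be made concrete. The following Python is an added example, not code from the original post or from 1&1; the word list and the leet-substitution table are constructed stand-ins for a real cracking wordlist and rule set, and every function name in it is my own. It builds a password from a sentence the way the post suggests and then runs both the "advice-compliant" password and the sentence-derived one through the same two checks a cracker's rules would effectively apply.

```python
"""Added example: derive a password from a sentence (first letter of each
word, mixed case, a few symbol/digit substitutions) and check candidates for
the two weaknesses the post calls out: a dictionary base word and sequential
digits. Word list and substitution table are constructed for this example."""
import re
from typing import List, Optional

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "admin"}

# Substitutions a cracking rule set reverses before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word the password is built on, or None.

    Tries the password as-is and with leading/trailing digit+symbol runs
    stripped (the usual 'Word123!' pattern), reversing leet substitutions."""
    candidates = {
        password,
        re.sub(r"[\d\W_]+$", "", password),
        re.sub(r"^[\d\W_]+", "", password),
    }
    for cand in candidates:
        core = re.sub(r"[^a-z]", "", cand.translate(LEET).lower())
        if core in WORDLIST:
            return core
    return None


def has_sequential_digits(password: str, run: int = 3) -> bool:
    """True if any digit run contains `run` consecutive ascending or
    descending digits (123, 321, 789, ...)."""
    for group in re.findall(r"\d+", password):
        for i in range(len(group) - run + 1):
            window = [int(c) for c in group[i:i + run]]
            diffs = {window[j + 1] - window[j] for j in range(run - 1)}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def weaknesses(password: str) -> List[str]:
    """Collect the findings for one candidate password."""
    found = []
    base = dictionary_base(password)
    if base:
        found.append(f"built on dictionary word '{base}'")
    if has_sequential_digits(password):
        found.append("contains sequential digits")
    if password.lower() == password or password.upper() == password:
        found.append("no mixed case")
    if not re.search(r"\d", password):
        found.append("no digits")
    return found


def acronym_password(sentence: str) -> str:
    """Apply the post's suggestion: first letter of each of 7-15 words,
    alternating case, with a few letters swapped for symbols/digits."""
    words = sentence.split()
    if not 7 <= len(words) <= 15:
        raise ValueError("use a sentence of 7 to 15 words")
    mixed = "".join(w[0].upper() if i % 2 == 0 else w[0].lower()
                    for i, w in enumerate(words))
    subs = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
    return "".join(subs.get(c, c) for c in mixed)


if __name__ == "__main__":
    # "Welcome123" satisfies 'mix of numbers, lowercase and uppercase'
    # yet is a dictionary word plus a sequential suffix.
    for pw in ("Welcome123", "P@ssw0rd321",
               acronym_password("My wife registered a domain with 1&1 last week")):
        print(f"{pw!r}: {weaknesses(pw) or 'no findings'}")
```

The sentence-derived password passes both checks not because it is long (nine characters is not long) but because its base is not a word any wordlist contains; the strength of the scheme lives in the sentence being the user's own, so the sentence itself should never be something quotable.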
Here's a video by my colleague Graham Cluley, which explains how to choose a strong password, which is easy to remember but still hard to crack:
To wrap things up, with all of the pressure Mike put on me to sign up for the service, he proved himself to have better talents as a sales development representative than as a social engineer. Mike, you might want to consider a change in careers.
Until he does, if you have a 1&1 account, keep your senses on high alert because Mike could be calling you next.