Manual hijacking: hacked for being called Mercedes

If your name’s LV Ferrari Cartier-Krug, it’s probably time to think more carefully about password security; hacking just got personal.

In November I blogged about a Google study that explored the issue of manual hijacking – in which cyber criminals spend time and effort exploiting individual victims’ accounts, often through targeted spear phishing attacks. The study found that hijackers, once they have control of an email account, will search for other accounts they can exploit, then “send scam emails in your name – for instance asking for money from your contacts” because the people “included in the contact list of a hijacked account were 36 times more likely to be hijacked themselves”.

Now a story emerges of a manual hijacker who wasn’t interested in bank details or opportunities to scam contacts…

Motherboard reports that Mercedes Beach, a graphic designer from New York, recently suffered a hack targeted specifically at her by a hacker who wanted “only one thing: her Tumblr URL, mercedes.tumblr.com.”

Having received notifications from Instagram and Amazon that someone was attempting to access her accounts, Beach “received a phone call from a man with an English accent who said he was a Google employee… The caller said that he was going to send a verification code to her phone and asked her to read it out”. She did. Only when the caller had hung up did she realise she’d given away her two-step verification details.

When she went to access her Gmail account she found herself locked out.

In a panic, she started changing other passwords to protect her other accounts. While logged into another email account, she received the following message:

mercedes

Here’s the deal, I hacked your accounts because I wanted your Tumblr URL ‘Mercedes’. I now have all of your personal information and access to this email.

I’ll give you your old blog and email back, on the condition you let me keep the ‘Mercedes’ URL.

Deal?

Deal indeed. Beach saw that her Tumblr account had already changed to mercedes-beach.tumblr.com and that her password had been changed. Mercedes.tumblr.com was now inaccessible. She asked for her passwords back and the hacker complied.

As Motherboard notes, “A Mercedes Benz official Tumblr already exists and seems to be doing well. It seems likely the person who stole Beach’s Tumblr URL planned to try to sell it on somewhere, or use it for further deceit.”

I imagine that publicity surrounding this story will soon see the good folk of Tumblr return the Mercedes account to Mercedes Beach.

The story does highlight an important issue, however: password safety. Guard your passwords with your life. They’re the master keys that give access to your whole online life. Always use complex passwords, never reuse passwords, and never give your passwords away to people who phone you up. And if your name sounds like a luxury brand, be especially careful.


Information security

Organisations concerned about information security, whether through password vulnerabilities to their own systems, or relating to their employees’ other accounts being hacked, would do well to implement an information security management system (ISMS), as set out in the international information security standard ISO 27001.

For more information on ISO 27001, and to see how IT Governance’s packaged ISO 27001 implementation solutions can help organisations of any size, sector or location implement an ISMS at a fixed price and in a way that suits their needs, see the IT Governance ISO 27001 information page.