How, knowing only a person's name and email address, attackers gained access to all of his accounts and remotely wiped the data on all of his devices
A very interesting article appeared today on wired.com. In the space of an hour, the Amazon, Gmail, Apple and Twitter accounts of its author, Mat Honan, were hacked, and the data on his iPad, iPhone and MacBook was remotely wiped. Among other things, he lost every photograph of his daughter since her birth, many documents and most of his correspondence. What is particularly interesting in this story is how the attacker obtained access to the Amazon account and the Apple ID: nothing was needed for this beyond publicly available information and a telephone.
The attacker wanted Mat's three-letter Twitter handle. To get it, he did some research and found that Mat's Twitter profile linked to his personal website, which in turn listed his Gmail address. With the Gmail address in hand, the attacker started Google's password-recovery process. Because Mat had not enabled two-step verification, the first recovery screen helpfully showed a partially masked alternative address: m****n@me.com. Matching that pattern against the Gmail address mhonan@gmail.com gave the attacker the author's Apple email address.
The first thing the attacker needed before moving on to the interesting part was Mat's postal address, which was easily found through a WhoIs lookup on his personal site's domain. With the address, the attacker called Amazon, claimed to be the account owner and asked to add a new credit card. To verify that the caller was indeed the owner, Amazon asked for the address, name and email, all of which the attacker already had, and he successfully added the number of a non-existent credit card, generated in advance on one of the specialized sites.
He then called Amazon again and said he had lost access to his account. Amazon asked for a name, address and credit card number. Once he supplied these (the card number added in the previous step was accepted), the attacker was able to add a new email address to the account and reset the password to it. An Amazon account shows the list of saved credit cards, where, for security reasons, only the last four digits of each number are displayed.
The attacker then called AppleCare, where he was asked for the name, address and last four digits of a credit card, and was given a temporary password for the .me account. From that account he reset the Gmail password, and from Gmail the Twitter password. Using the Apple ID, he also wiped the iPhone, iPad and MacBook through the Find My iPhone and Find My Mac services. The sad end of the story.
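The chain above is circular: each service's recovery check is satisfied by data another service hands out. The following is an added example, not code from the Wired article, that models each step as the attributes it demands and the attribute it grants, computes what is reachable from the public starting point, and shows where a single added factor breaks the chain. The step names and attribute labels are my own shorthand for the story, not anything the services expose.

```python
from copy import deepcopy

# Each step: the attribute sets that satisfy its verification (any one option)
# and what a successful step hands over. Built from the story above; the
# labels are constructed for this model.
STEPS = {
    "google_recovery_hint": {"needs": [{"gmail_address"}],
                             "grants": {"masked_apple_email"}},
    "match_hint_to_name":   {"needs": [{"masked_apple_email", "gmail_address"}],
                             "grants": {"apple_email"}},
    "whois_lookup":         {"needs": [{"website"}], "grants": {"postal_address"}},
    "amazon_add_card":      {"needs": [{"name", "postal_address", "gmail_address"}],
                             "grants": {"known_card_number"}},
    "amazon_reset":         {"needs": [{"name", "postal_address", "known_card_number"}],
                             "grants": {"card_last4"}},
    "applecare_temp_pw":    {"needs": [{"apple_email", "name", "postal_address", "card_last4"}],
                             "grants": {"apple_account"}},
    "gmail_reset":          {"needs": [{"apple_account"}], "grants": {"gmail_account"}},
    "twitter_reset":        {"needs": [{"gmail_account"}], "grants": {"twitter_account"}},
}

PUBLIC = {"name", "gmail_address", "website"}  # what the Twitter profile led to


def reachable(known, steps=STEPS):
    """Fixed-point closure: keep taking any step whose needs are already met."""
    known = set(known)
    taken = []
    progress = True
    while progress:
        progress = False
        for name, step in steps.items():
            if name not in taken and any(opt <= known for opt in step["needs"]):
                known |= step["grants"]
                taken.append(name)
                progress = True
    return known, taken


def require_factor(steps, step_names, factor):
    """Hardened copy: the listed steps additionally demand a factor not in the chain."""
    hardened = deepcopy(steps)
    for name in step_names:
        hardened[name]["needs"] = [opt | {factor} for opt in hardened[name]["needs"]]
    return hardened


if __name__ == "__main__":
    print("baseline reaches:", reachable(PUBLIC)[1])
    two_step = require_factor(STEPS, ["google_recovery_hint", "gmail_reset"], "phone_otp")
    print("with 2-step on Google, still reaches:", reachable(PUBLIC, two_step)[1])
```

With two-step verification on Google the Apple, Gmail and Twitter accounts become unreachable in this model, but the Amazon steps still succeed, because they depend only on name, postal address and email.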
Later, Mat contacted Apple, where he was told that in this particular case internal procedures had not been fully followed, and that Apple takes user security very seriously. Wired also sent a request to Amazon, but so far no response has been received.
Today, three days after all this happened, the Wired staff were able to repeat the entire trick twice in a matter of minutes: from the address and name to access to the Amazon and Apple accounts, with all the ensuing consequences.