Hacker Hijacks Website In Extortion Attempt, GoDaddy Refuses To Talk To Actual Owner

It’s the modern-day bureaucratic nightmare — someone steals something that belongs to you, and the one party that could easily do something about it refuses to listen to you because its records show that the thief is the rightful owner. According to developer Naoki Hiroshima, someone lusted after his Twitter handle (@N) so badly that they went to great lengths, hijacking his personal website in a (sadly successful) extortion attempt.

Hiroshima writes about the ordeal in detail on Medium.com [via TheNextWeb] but here are the basics of the red-tape nightmare that lost him a Twitter handle worth several thousands of dollars.

In fact, writes Hiroshima, he’d received numerous potentially lucrative offers for his @N handle since he’d scored that Twitter account way back in the Twitter stone age of 2007. He claims to have had as much as $50,000 dangled in front of him for the rare, single-letter account.

In addition to the legitimate purchase attempts, he says that hackers are constantly attempting to breach this account or any of his others in an effort to get control of the Twitter handle.

Then on Jan. 20, he received an “Account Settings Change Confirmation,” notice from GoDaddy, the company through which he’d registered his personal domain name.

“If these modifications were made without your consent, please log in to your account and update your security settings,” reads the e-mail, “If you are unable to log in to your account or if unauthorized changes have been made to domain names associated with the account, please contact our customer support team for assistance: support@godaddy.com or (480) 505-8877.”

Hiroshima was not able to log in and so he called the number, as per the instructions.

“The representative asked me the last 6 digits of my credit card number as a method of verification,” he writes. “This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.”

All the rep could do was tell him to file a case report, complete with his government ID info, with GoDaddy in an attempt to prove that he was who he claimed to be. Of course, this didn’t really help because his info was no longer associated with the account.

Meanwhile, the hacker who’d hijacked his site was able to control Hiroshima’s e-mail account.

Hiroshima smartly changed the e-mail address associated with his Twitter account, making sure the hacker did not have access to that much-desired public feed.

The hacker persisted in attempting to get the Twitter account e-mail changed over, but to no avail. And so the hacker began e-mailing Hiroshima, making their extortion attempt quite clear.

Reads the e-mail from the hacker, who dubbed themselves “Social Media King”:

I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:

I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?

Meanwhile, GoDaddy confirmed it could not and would not help Hiroshima because he was no longer the current registrant. To us, this is like police telling a homeowner you can’t kick out squatters because they live in the house now.

Even a promised investigation by a GoDaddy exec (contacted by Hiroshima through a mutual acquaintance) has thus far resulted in nothing.

Realizing he’d rather cede his Twitter handle and go public with the whole ridiculous story, Hiroshima finally gave in to the extortionist’s demands and gave up the Twitter account he’d had for almost seven years.

After the hacker handed Hiroshima back the keys to his website, they provided the following explanation for how PayPal and GoDaddy facilitated the hijacking:

- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)
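An added example (not from the article, and not GoDaddy's or PayPal's code) contrasting the phone check described above, which compares a guess with the card currently on file and allows unlimited retries, with a check that caps failed attempts and consults a change log of earlier values. The class and function names, the three-attempt cap and the card digits are assumptions constructed for illustration.

```python
import hmac

MAX_ATTEMPTS = 3  # assumed policy value, not taken from the article


class Account:
    def __init__(self, last6):
        self.last6 = last6
        self.history = [last6]  # change log: every value ever on file
        self.failures = 0
        self.locked = False

    def change_card(self, new_last6):
        self.history.append(new_last6)
        self.last6 = new_last6


def weak_verify(account, guess):
    """Check as described: current value only, no limit on retries."""
    return hmac.compare_digest(account.last6, guess)


def hardened_verify(account, guess):
    """Return 'current', 'dispute', 'denied' or 'locked'."""
    if account.locked:
        return "locked"
    if hmac.compare_digest(account.last6, guess):
        account.failures = 0
        return "current"
    if any(hmac.compare_digest(old, guess) for old in account.history[:-1]):
        account.locked = True  # matches a pre-change value: freeze for review
        return "dispute"
    account.failures += 1
    if account.failures >= MAX_ATTEMPTS:
        account.locked = True
    return "denied"


def guesses_needed(verify, account, known_last4):
    """Audit helper: tries a caller knowing only the last four would need."""
    for n, prefix in enumerate(range(100), start=1):
        result = verify(account, f"{prefix:02d}{known_last4}")
        if result in (True, "current"):
            return n
        if result == "locked":
            return None  # retry cap stopped the guessing
    return None
```

With the weak check, a displaced owner quoting the old digits is simply rejected, which is the position Hiroshima describes; the change-log check turns the same call into a frozen, disputed account.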

Reps for PayPal, Twitter, and GoDaddy tell TheNextWeb that each of the companies is investigating the matter.

Meanwhile, Hiroshima has launched the new Twitter handle @N_is_stolen.

Comments (4)


  1. BikerGeek79 says:

    I’m not a security expert, but it seems to me that attacks like this could be prevented by maintaining a change log of user information. In that case, GoDaddy would have the records of everyone who’s ever registered that particular domain. It’s kind of surprising that they don’t. That information, coupled with their records of the email THEY sent HIM about the account changes should prove enough to at least suspend both accounts until they can sort everything out. Because otherwise, what’s the point of sending those emails out in the first place? “If you didn’t make these account changes then tough noogies because your account is totes compromised and we’ll never listen to you about it.”

  2. evlpete says:

    I’m sure Go Daddy has a clause in the contract that the victim can’t even sue them for their lack of security

  3. SingleMaltGeek says:

    I’ve heard GoDaddy’s customer service sucks, but they should have locked down the domain when Hiroshima made a credible claim, especially if he forwarded them the extortion emails. But maybe Twitter can be convinced of what happened and give him back his account.

  4. CommonC3nts says:

    What kind of morons would give account access just because you know the last 4 digits of the account’s credit card?
    If you don’t have the full number, then I would expect they would make you fax in all kinds of documents including driver’s license to verify who you are and even possibly make you do a video chat so they can talk and see you.
    Godaddy are morons.

    Also why would paypal give out your last 4 digits????
    They are morons also.