This is a true cybercrime story, which hit my friend Tom.
Saturday, March 27, 10:23 PM EDT
The dark figure waited at his computer for DreamHost support to respond to his chat request. He had requested the password be reset eight times since 9:35, since he had tricked them into adding his email address to the account. But he hadn’t been receiving the password-reset messages in his email.
Brian answered the chat. “Hi there, how can I help you.”
Now impersonating Tom, the legitimate owner of the account, he explained his problem as best he could. “I’m trying to get login info in my new email address, but not receiving email from DreamHost.” He gave Brian the account ID and email address.
“You’re already logged into the panel, if you’re talking to me,” Brian said.
“Yes,” the dark figure replied. That was true. He was logged into the administration panel, just not into Tom’s account. Not yet. But hopefully soon. He told Brian that he had recently updated the email address, and that he needed to use the new address, not the old one.
Brian replied, “Both are actually listed on your account.” He explained that Tom could use the administration panel to make any changes he needed.
Yes, the dark figure said, he’d tried that many times, but it wasn’t working. He kept getting an error, he said in his typical broken English.
Brian asked him to try it again.
So he did. Of course, he didn’t actually try anything. His story was a complete fiction, but a believable one. He described the steps he would have gone through, had he actually had access to Tom’s administration panel. Every value he would type, every checkbox he would check, every button he would click on.