This morning, when I checked my email, I got a nice email from my server hosting provider titled "Root password reset". That's not usually a good sign when you haven't done any password resets recently.
The email was a service request response from the provider asking for confirmation to reset the root account on my server. I responded that this appeared to be a hack attempt, got online to chat with them and got the details of what happened.
An attacker had registered a domain, chrisdouble.co.nz, this morning. They rang my hosting provider to say they were me, and to reset the email address in my account to that domain. They managed to convince them to do this.
Once that was done they were able to get into the customer service portal for the server. No server maintenance could be done there but they got access to my phone number, billing details and the ability to raise service requests.
They raised a service request to reset the root password on the server. The service response was that they couldn't do this as the server was set up to use SSH keys and password logins were disabled. The attacker's response to that was to ask them to physically access the server and re-enable password logins.
The support person emailed back to confirm this request, but the email to the attacker's domain bounced. They then emailed the previous address, which is my real email, and that was the one I read this morning.
While I was talking to the support person to resolve the issue, the attacker was on the phone with the hosting company as well, trying to prove their identity as me. They had a number of personal details and it seemed to be a pretty well thought out social engineering attempt. In the end they realised we were fishing for information from them and they hung up.
It is amazing how close they got to being able to gain access to the server. If I hadn't been awake to read that email and respond quickly, support would most likely have given them access. I've now arranged a protocol with them to prevent this from happening again.
If anyone I know receives an email or contact from chrisdouble.co.nz, it is not me. If you are unsure you can ask me to sign a message with GPG. My GPG fingerprint can be obtained by contacting me directly. Because the attacker gained access to the service portal, they have a reasonable amount of identifying information (address, phone number, date of birth, etc). Don't take any of these as information to confirm an unusual contact as being me.