An attacker wants access to your hosting, to infect your websites or steal your data. However, your hosting is well secured. How is this attacker going to get in?
Well, let’s see. Anyone can do a WHOIS lookup, which returns the public contact details from your domain registration; from this they get your email address. Now they have the likely username for your hosting account, and the registrar and nameserver records tell them which company you are hosting with. (A registrar privacy service or redacted record hides the email, but the nameservers still point at your host, and historical WHOIS archives often keep the old details.)
Next they contact your host’s helpline and request a password reset.
“Can you confirm the card ending 1234?”
The attacker hangs up. The helpline just read them the last four digits of your card. They then call the common payment processors in turn and request a password reset until they find one where your email address is a registered account. They are asked to answer a security question, to which they respond that they can’t remember the answer. As a fallback they are asked for the last four digits of the primary card, which they now have.
They now have access to your online wallet. Useful, but not what they’re after. The attacker uses the online control panel to get your address, along with other critical information.
They call your email provider and request a password reset. Email accounts are valuable, and often very well protected. The attacker is asked for a variety of information to confirm that they are you, such as your address, a security question, and other details that have already been stolen. Then they’re asked for your mother’s maiden name.
A common question, but information the attacker doesn’t yet have. They quickly check Facebook, or a genealogy website they’re subscribed to. They give your mother’s maiden name, and are given a one-time login code for your email.
And that’s all they need. They go to your hosting account and request that a password reset link be sent to the primary email address. Using the one-time login code they read the reset email, set a new hosting password, and they’re in. They can infect any files they like, steal your data, or even hold your websites to ransom. Notice that no single provider was broken: each one applied a check that looked reasonable on its own, and each check was answerable with something leaked by the one before it.
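The chain above can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it models each provider’s recovery desk as a step with the facts it accepts and the facts it hands over, then computes which accounts an attacker can take over starting from nothing but public information. The provider names, fact labels and the hardened variant are all constructed assumptions for illustration. It also shows that replacing a single knowledge-based check (the email provider’s) with a possession factor breaks the whole chain, even if the other desks stay as leaky as in the story.

```python
"""Account-recovery chains as a reachability problem (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryStep:
    """One recovery path at a provider: phone desk, self-service reset, etc."""
    provider: str
    # Alternatives: an attacker who holds ANY one of these fact-sets gets through.
    accepts: tuple[frozenset[str], ...]
    # Facts the attacker holds afterwards (account contents, details read back by staff).
    yields: frozenset[str]


def compromise_order(steps: tuple[RecoveryStep, ...], public_facts: frozenset[str]) -> list[str]:
    """Return providers in the order they fall, starting from publicly known facts.

    Repeats until no further step is satisfiable, so facts learned from one
    takeover feed the next, exactly as in the narrative above.
    """
    known = set(public_facts)
    order: list[str] = []
    progress = True
    while progress:
        progress = False
        for step in steps:
            if step.provider in order:
                continue
            if any(need <= known for need in step.accepts):
                order.append(step.provider)
                known |= step.yields
                progress = True
    return order


def can_take_over(steps: tuple[RecoveryStep, ...], public_facts: frozenset[str], target: str) -> bool:
    return target in compromise_order(steps, public_facts)


# Constructed facts: WHOIS gives the email and host; a social network gives the maiden name.
PUBLIC = frozenset({"email", "host_name", "mother_maiden_name"})

# The chain as described: every desk leaks or accepts exactly what the story says.
AS_DESCRIBED = (
    # The host's helpline reads back the card ending while "verifying" the caller.
    RecoveryStep("host helpline", (frozenset({"email", "host_name"}),), frozenset({"card_last4"})),
    # The wallet falls back from a security question to the last four card digits.
    RecoveryStep("wallet",
                 (frozenset({"email", "security_answer"}), frozenset({"email", "card_last4"})),
                 frozenset({"postal_address"})),
    # The email provider accepts address plus a knowledge question.
    RecoveryStep("email provider",
                 (frozenset({"email", "postal_address", "mother_maiden_name"}),),
                 frozenset({"inbox"})),
    # The host sends a reset link to the primary email.
    RecoveryStep("hosting account", (frozenset({"email", "inbox"}),), frozenset({"hosting_control"})),
)

# Hardened variant (assumption): only the email provider changes, now requiring a
# possession factor ("hardware_key") that no other desk can leak.
HARDENED = tuple(
    RecoveryStep("email provider", (frozenset({"email", "hardware_key"}),), frozenset({"inbox"}))
    if step.provider == "email provider" else step
    for step in AS_DESCRIBED
)


if __name__ == "__main__":
    print("as described:", compromise_order(AS_DESCRIBED, PUBLIC))
    print("hardened:    ", compromise_order(HARDENED, PUBLIC))
```

Running it lists the four providers in the order they fall for the chain as described, and only the first two for the hardened variant: the helpline still leaks the card digits and the wallet still falls, but the hosting account is never reached. The useful exercise is to put your own providers and their real fallback questions into the table and see which of them are reachable from your WHOIS record and social media alone.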
This sounds incredibly unlikely, doesn’t it? Surely customer service representatives would never hand over all of this information? Unfortunately, this example is based heavily on a real incident from 2014, in which a hosting account was hijacked and held to ransom for the incredibly valuable Twitter handle @N.