A software engineering friend fell victim to an almost-successful attack on his Facebook account. The attacker seemed to have a database of email addresses and user physical locations (i.e. cities, states, small countries). If an email's domain name was no longer registered, the attacker registered the domain himself and directed its mail to a mailbox he controlled. He could then change the password on any account tied to that email address. To mask the attack further, he connected through a VPN whose exit point was in the victim's general location.
If an email address matches an account on the targeted web site (Facebook, for example), then the attacker can intercept the password reset email sent to the previously-dormant email address. The attacker then resets the password and takes over the account, at least until the account owner detects the unexpected password change. This may take a while on Facebook since it often relies on long-lived authentication tokens instead of re-transmitting the password.
This attack works really well when a site lets users attach a list of email addresses to one account and accepts any one of them for login, as Facebook does. That's how my friend was caught: he had used an email address for a few years and then changed to another. He left the old address in place on the account, and he let its domain name lapse.
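The defender's check this story calls for is an audit of every address still attached to an account, flagging those whose domain no longer resolves (a lapsed or never-registered domain is what made the reset interception possible). The script below is an added example, not code from the original post; the sample addresses and the `old-lapsed-domain.invalid` name are constructed, and the resolver is pluggable so the logic can be tested without network access.

```python
import socket
from dataclasses import dataclass

# Constructed sample: the login/recovery addresses attached to one account.
# The second address sits on a domain the owner let lapse (hypothetical name;
# .invalid is reserved and never resolves, so the live check also flags it).
SAMPLE_ACCOUNT_EMAILS = [
    "owner@example.com",
    "owner@old-lapsed-domain.invalid",
    "not-an-email",
]

@dataclass
class EmailFinding:
    address: str
    domain: str
    status: str   # "ok", "unresolvable" or "malformed"

def domain_of(address):
    """Return the lowercased domain part of an address, or None if malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()

def default_resolves(domain):
    """Coarse liveness check via A/AAAA lookup. A registered domain with no
    address records also fails here, so treat a hit as 'investigate the
    registration', not as proof the domain is up for grabs."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit_emails(addresses, resolves=default_resolves):
    """Classify each attached address; `resolves` maps a domain to True/False."""
    findings = []
    for addr in addresses:
        domain = domain_of(addr)
        if domain is None:
            findings.append(EmailFinding(addr, "", "malformed"))
        elif resolves(domain):
            findings.append(EmailFinding(addr, domain, "ok"))
        else:
            findings.append(EmailFinding(addr, domain, "unresolvable"))
    return findings

def at_risk(findings):
    """Addresses that should be removed from the account or re-registered."""
    return [f.address for f in findings if f.status == "unresolvable"]

if __name__ == "__main__":
    for f in audit_emails(SAMPLE_ACCOUNT_EMAILS):
        print(f"{f.status:13} {f.address}")
```

Run it against the addresses listed on each account you care about; anything reported as unresolvable is a stale address that an attacker could pick up simply by registering the domain.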