Email Attack via a Recycled Domain


A software engineering friend fell victim to an almost-successful attack on his Facebook account. The attacker seemed to have a database of email addresses and user physical locations (i.e. cities, states, small countries). If an email address's domain name was no longer registered, the attacker registered it himself and directed its mail to a mailbox he controls. He could then reset the password on any account tied to that email address. To mask the attack further, he connected through a VPN endpoint in the victim's general location, so the activity appeared to come from a plausible place.

If an email address matches an account on the targeted web site (Facebook, for example), the attacker can intercept the password reset email sent to the previously dormant address. The attacker then resets the password and takes over the account, at least until the account owner detects the unexpected password change. On Facebook this may take a while, since sessions rely on long-lived authentication tokens rather than re-entering the password, so the legitimate owner can stay logged in without noticing anything.

This attack works especially well when a site lets users attach a list of email addresses to one account and accepts any one of them for login and password recovery, as Facebook does. That's how my friend was caught: he had used one email address for a few years, then switched to another but left the old one attached to the account and let its domain name lapse.
