A few days ago, you may have read the news that Tesla Motors had their website and Twitter accounts hijacked by pranksters. OpenDNS has a blog post that goes into great technical detail.
The website was defaced and both Tesla's and Elon Musk's Twitter accounts were taken over. The pranksters then posted the phone number of a small computer repair shop and told people to call it to claim their "free Tesla".
It was a simple social engineering attack, and no software vulnerability was needed. According to Tesla, the pranksters started with a phone call to AT&T. Someone skilled at social engineering posed as a Tesla employee and talked an AT&T customer support rep into forwarding Tesla's calls to a number not owned by Tesla.
Next, they went to Tesla's domain registrar (Network Solutions) and added a new email address to the domain admin account. The registrar verified that change by phone, and thanks to the forwarding, that call reached the pranksters instead of Tesla.
Then they reset the account password. Since the reset email went to the address they had just added, they were inside the Tesla Network Solutions account and could alter the DNS and mail exchanger (MX) records. Once the MX records pointed at a mail server they controlled, every message addressed to a teslamotors.com mailbox landed with them, including password-reset emails for any service registered to such an address. That is how the MX change turned into control of Musk's Twitter account for a few hours.
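The MX change is the step a defender can actually watch for from the outside. The script below is an added example, not part of the original post or any Tesla tooling: it parses two snapshots of `dig +noall +answer` output for a domain, normalizes the NS and MX records, reports what was added or removed, and raises a flag when the preferred MX host is one that was never in the baseline. The domain `example.com`, the nameserver and mail host names, and both snapshots are constructed for illustration, not real records.

```python
"""Detect drift in a domain's NS and MX records between two snapshots.

Added example (not from the original post). The baseline and the
"hijacked" snapshot below are constructed dig output for example.com;
none of the hostnames are real infrastructure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: the records the registrar account is supposed to serve.
BASELINE_DIG = """\
example.com.   300  IN  NS  ns1.example-dns.net.
example.com.   300  IN  NS  ns2.example-dns.net.
example.com.   300  IN  MX  10 mx1.example.com.
example.com.   300  IN  MX  20 mx2.example.com.
"""

# Constructed post-hijack snapshot: NS repointed and a lower-preference
# (i.e. preferred) MX inserted so mail flows to the attacker first.
HIJACKED_DIG = """\
example.com.   300  IN  NS  ns1.attacker-dns.example.
example.com.   300  IN  NS  ns2.attacker-dns.example.
example.com.   300  IN  MX  5 mail.attacker.example.
example.com.   300  IN  MX  10 mx1.example.com.
"""


def parse_dig_answer(text: str) -> Dict[str, Set[str]]:
    """Parse `dig +noall +answer` lines into {rrtype: {normalized rdata}}.

    Names are lower-cased and trailing dots stripped, so cosmetic
    differences between resolvers do not show up as drift.
    """
    records: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and anything unexpected
        rrtype = parts[3]
        rdata = " ".join(p.lower().rstrip(".") for p in parts[4:])
        records.setdefault(rrtype, set()).add(rdata)
    return records


@dataclass
class Drift:
    rrtype: str
    added: Set[str]
    removed: Set[str]


def diff_records(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]],
                 watch: Tuple[str, ...] = ("NS", "MX")) -> List[Drift]:
    """Return one Drift per watched record type whose set of values changed."""
    drifts: List[Drift] = []
    for rrtype in watch:
        before = baseline.get(rrtype, set())
        after = current.get(rrtype, set())
        if before != after:
            drifts.append(Drift(rrtype, after - before, before - after))
    return drifts


def preferred_mx(records: Dict[str, Set[str]]) -> Optional[str]:
    """Host of the lowest-preference MX record, i.e. where mail goes first."""
    best: Optional[Tuple[int, str]] = None
    for rdata in records.get("MX", ()):
        pref, host = rdata.split(None, 1)
        if best is None or int(pref) < best[0]:
            best = (int(pref), host)
    return best[1] if best else None


def check(baseline_text: str, current_text: str) -> Tuple[List[Drift], bool]:
    """Diff two snapshots; the flag is True when the preferred MX host is
    one the baseline never listed, which is the signature of a mail hijack."""
    baseline = parse_dig_answer(baseline_text)
    current = parse_dig_answer(current_text)
    drifts = diff_records(baseline, current)
    known_hosts = {r.split(None, 1)[1] for r in baseline.get("MX", ())}
    preferred = preferred_mx(current)
    suspected = preferred is not None and preferred not in known_hosts
    return drifts, suspected


if __name__ == "__main__":
    drifts, suspected = check(BASELINE_DIG, HIJACKED_DIG)
    for d in drifts:
        print(f"{d.rrtype}: added={sorted(d.added)} removed={sorted(d.removed)}")
    print("ALERT: mail now routed to a host outside the baseline"
          if suspected else "MX routing unchanged")
```

In practice you would feed `check()` a stored baseline and the output of a scheduled query against several public resolvers and, separately, against the authoritative servers named in the delegation, since a registrar-level NS change only becomes visible from the outside as the old delegation expires. Treating any MX addition as worth a ticket, and a foreign preferred MX host as a page-someone-now alert, matches the way the Tesla incident actually unfolded.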
We should be glad that this was a well thought-out prank by digital delinquents (possibly Lizard Squad) and not an attack with a more serious goal: the same foothold would have allowed quietly reading Tesla's mail or resetting passwords on far more valuable accounts than Twitter.
The pranksters did put a finger on a very sore spot, though. Support reps are hired and rewarded to help. Their job is to solve problems and assist customers, so saying NO to a customer is the last thing they are trained to do, yet sometimes it is the correct action. Someone who knows what they are doing is usually able to social engineer tech support and obtain the details needed to get in, and here that took nothing more than a convincing story told to the phone company and the registrar.
Support reps in particular should be given security awareness training within an inch of their lives, so that this kind of attack is blocked at the first phone call rather than discovered after the DNS has already been changed.