This blog is progressively turning into my “omg, wtf, did he/she do what I think they just did?” moments. This one was caused by someone that isn’t one of our customers, so I am going to toss their name out for the world to see, and show people that you really do need to watch who you hire to do your computer work.
So, we have a customer who hosts his account with us. Lots of people do, this particular customer, who we will call x.com, also is a customer of rescuecom.com, which is where the shenanigans start.
Someone called in, stating that the x.com site was down, and mail forwards were failing. I checked the site and confirmed that it was indeed down, so I attempted to ping the IP which I could, and proceeded to do the troubleshooting stuffs that my job entails. (Not going to go step by step what I did, as it would take too long to type.) After determining that the server was not passing requests to the IP properly I restarted the Virtuozzo VPS. This brought the site up but I wanted to investigate further. I let the person on the phone know that the site was back up but I wanted to determine the cause of the problem with the IP and if it was alright to email him once I had found more information. He asked if I had his email address, I let him know what email address I had on file, he asked me to change it. So up until this point I had no reason to suspect the other person on the other end of the phone wasn’t the customer, but I wasn’t providing any information regarding the account or changing anything so I had no need to verify the account until this point. I asked the person on the other end to verify the account, and he flipped out, stating that he was the president of rescuecom.com and that if I wouldn’t do that then he was going to take the account to other hosting.
Now this is where I ask for a little common sense. First off, Josh (Kaplan) from Rescuecom.com is not mentioned anywhere on x.com’s account. This person can not verify any account information, and is requesting that I make changes to the account, that if made would give him access to the entire account, and have the ability to effectively hijack the entire account. From reading Josh’s background (built a support desk team) he should know all about social engineering and know that protecting customer requires that you have the customer verify information before you make any changes. Second making threats on an account your not listed on does not make a whole lot of sense. Lastly toting that your the president of a computer repair company to someone, when your being a jerk, probably isn’t the wisest thing you could do.
And if anyone cares, I fixed the issue with x.com’s ip, it simply had a server configuration issue where the IP got dropped. Simple.