Post by: Lisa Vaas | Sophos Naked Security | Published on: 11/07/2017
In September, Tesla sued an oil pipeline services company exec, claiming that he tried to impersonate Musk in an email message that sought to glean financial information about the company.
Now, the exec, Todd Katz, has struck back and sued Tesla for allegedly hacking into his Twitter account.
He doesn’t deny sending the phony email, but he says that it wasn’t criminal impersonation, given that he used such bad syntax and spelling that the Yahoo-sent message lacked credibility.
According to Tesla’s lawsuit, Katz – former chief financial officer of Quest Integrity, which provides services to oil and gas companies such as ExxonMobil, BP, Chevron and Shell – sent an email from the account firstname.lastname@example.org to Tesla chief financial officer Jason Wheeler on 3 August 2016.
That email was full of questions about Tesla’s second-quarter financial results, which had been released on that same day.
The text of the email, courtesy of The Guardian:
why you so cautious w Q3/4 gm guidance on call? also what are your thoughts on disclosing M3 res#? Pros/cons from ir pov? what is your best guess as to where we actually come in on q3/4 deliverables. honest guess? no bs. thx 4 hard work prepping 4 today
Wheeler didn’t fall for it. Instead of replying, the company launched an investigation that led to Katz and his company. Katz eventually resigned.
Then, last week, he filed an objection to Tesla’s lawsuit, calling Tesla’s reaction “over the top” and asking that the case be thrown out because his impersonation was “preposterous”.
His suit doesn’t deny that Katz sent the email. Rather, it argues that…
Nobody who received this preposterous and grammatically deficient email ever believed it really came from Elon Musk.
Given how bad the Elon Musk impersonation had been, there was no credible impersonation, and hence no direct injury to Tesla, according to Katz’s suit.
Musk is known to be a grammar stickler and would never have sent out a message with “such atrocious syntax,” the suit maintains.
Katz’s suit goes on to claim that Tesla’s lawsuit is a “heavy-handed attempt to intimidate and silence Mr Katz, a Tesla critic.”
Katz also filed a cross-complaint against Tesla for allegedly hacking into a Twitter account, @valuationmattrs, that he uses to criticize Tesla’s business practices… and to post the court documents (PDF) for Tesla’s suit against him and his own cross-complaint.
Katz’s complaint claims that the day after Wheeler got the email from the Yahoo account, somebody logged in to his Twitter account from an IP address used by two Best Buy electronics stores close to the Tesla factory in Fremont, California.
Tesla must have sent over an employee to use a floor sample iPhone, the suit suggests, to get into Katz’s account from a non-Tesla IP address.
Katz is claiming to have suffered damages “including loss of earnings and damage to reputation” because of Tesla’s having allegedly broken into his account. He’s looking for $1 million in damages, plus legal fees.
By the way, if you’ve never checked your own Twitter data to see all the IP addresses that have accessed your account, you might be interested to know that Twitter started offering such information as a dashboard feature in July 2015.
Here’s how you can check out any suspicious activity on your account, including time and date of access, IP address and location:
- Access Twitter in your Web browser.
- Open the main menu in the top right (your profile picture) and choose Settings.
- Select Your Twitter data in the left menu.
You’ll see IP addresses and their rough location. For example, Quora’s all over my Twitter account because I granted it access to my feed so that followers can read my answers to Quora questions.
Quora’s location is listed as the US. You can look up an IP address to get more granular geolocation than that, at least for the IP address’s ISP.
If you see an IP address that doesn’t make sense in that list, as in, it’s not Quora or Klout or some other online service you’ve granted permission to, it could be one more good reason to turn on two-factor authentication (2FA).
That will help to keep your Twitter account from getting taken over, though it doesn’t protect accounts from social engineering attacks, as Black Lives Matter activist DeRay Mckesson found out when his feed began proclaiming support for Donald Trump in the spring.
We’ve seen many people’s Twitter accounts get taken over by imposters, including those of celebrities like Ringo Starr, Taylor Swift and Mark Zuckerberg.
As we said last month during National Cyber Security Awareness Month, impersonation – be it through unauthorized access to somebody’s Twitter account or pretending to be Elon Musk by using a deceptive-looking Yahoo email address – is one of those internet crimes that people seem not to recognize as a crime at all.
Though Naked Security has reported on plenty of internet cases of impersonation, this is the first I can recall hearing about the alleged imposter suing the person he was allegedly impersonating.
In the meantime, here’s what Tesla had to say about Katz’s counter-claim, from a statement sent to The Guardian:
The oil executive Todd Katz is perfectly capable of embarrassing himself with no help from Tesla. We did not even know that the Twitter pseudonym in question belonged to Mr Katz.
What we are most interested in discovering is what people or organizations collaborated with Mr Katz in his attempt to gain information illegally from Tesla and who or what companies may have paid him to do so. That is of great concern to us and many members of the public.
Reference Article: https://nakedsecurity.sophos.com/2016/11/07/oil-exec-accused-of-impersonating-elon-musk-in-an-email-sues-tesla-over-twitter-hack/