Why abandoned domain names are dangerous


Attackers are willing to invest time in re-registering abandoned domain names, because a recovered domain gives them access to sensitive customer email and data.

Email holds the keys to the kingdom. Most password resets go through email, so letting an old domain name lapse lets an attacker re-register it, stand up a mail server, and receive whatever is still sent there, password reset links included. The problem is particularly acute for law firms, where partnerships regularly form, dissolve and merge, as security researcher Gabor Szathmari points out. A merger or acquisition usually results either in a new brand for the combined firm, with a new domain name, or in the acquired firm abandoning its old brand and its old domain name. Letting those old domains expire is dangerous. “In the United States, 2017 was a record year for law firm mergers,” the researcher wrote. “There were 102 mergers or acquisitions between large law firms and probably several thousand between small firms.”

To give an idea of the scale of the problem, Gabor Szathmari re-registered the old domain names of several law firms that had merged and set up a mail server for them. Without hacking anything, he says he received a steady stream of confidential information: bank correspondence, invoices from other law firms, sensitive client legal documents and LinkedIn updates. (He later returned the domain names to their original owners.)

Using abandoned domain names to commit fraud

According to the researcher, the same technique could just as easily be used to commit fraud. “By re-establishing an online store that once operated on a now abandoned domain name, malicious actors could download the original web pages from archive.org, then take orders and collect payments while masquerading as a fully functional online store,” he said by email. “If the old online store had a customer relationship management (CRM) system or a MailChimp account, criminals could access the list of old customers by taking over those accounts with an email password reset,” he added. “They could offer them a special discount code to encourage them to place orders that would never be delivered. And there is no limit to this kind of fraud.”

Expired domain names are published daily by registries and registrars as drop lists. You do not have to be a genius to download those lists every day and compare them with the mergers and acquisitions announced in the trade press, or simply to re-register any domain name that looks promising. Gabor Szathmari was also able to use re-registered domain names to retrieve third-party passwords through HaveIBeenPwned.com and SpyCloud.com. Both services check that the requester controls the domain before releasing breach data for its addresses, but that check is satisfied by whoever currently owns the domain, which after re-registration is the attacker. Because password reuse remains commonplace, Szathmari explains that he could easily have used those leaked passwords to compromise the affected employees' accounts, professional and personal alike.

Keep your old domains

Prevention is better than cure. Domain names are cheap, and keeping ownership of old domains is like paying for an insurance policy against cyberattacks at an unbeatable price. Szathmari recommends setting up a catch-all mailbox on each retired domain that forwards every incoming message to a trusted administrator, who can review correspondence addressed to former and current staff and route password reset emails for online services back to the people responsible for them.
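As an illustration of such a catch-all, added here and not taken from the article or from the researcher, this Postfix configuration accepts mail for a retired domain and forwards every address on it to a single reviewed mailbox (the domain names and the mailbox are placeholders):

```text
# /etc/postfix/main.cf (excerpt): accept mail addressed to the retired domain
virtual_alias_domains = oldfirm.example
virtual_alias_maps = hash:/etc/postfix/virtual

# /etc/postfix/virtual: catch-all. Any address at the retired domain,
# including old staff mailboxes and whatever a password reset is sent to,
# is delivered to a mailbox the administrator reviews.
@oldfirm.example    legacy-mail@newfirm.example
```

After editing, run `postmap /etc/postfix/virtual` and `postfix reload`, and point the retired domain's MX record at this host, otherwise the catch-all never sees the mail. If the retired domain no longer sends any email, publishing an SPF record of `v=spf1 -all` and a DMARC policy of `p=reject` for it also stops the old name being spoofed, a step beyond what the article recommends.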

Do not leave subdomains dangling

A subdomain takeover is an attacker gaining control of a subdomain such as subdomain.yourdomain.com. It usually happens when the domain owner shuts down a service that ran on the subdomain but forgets to remove the DNS record, which keeps pointing at a service that no longer exists. At the start of the year, Microsoft made this beginner's mistake by failing to secure two subdomains that spammers then used to promote online poker sites. If Microsoft, itself a security vendor, can make this error, no company is immune. The most common case of subdomain takeover looks like this: a company creates a subdomain pointing at a third-party service such as GitHub Pages, Heroku or Shopify. If it later cancels the service and deletes its GitHub Pages account, the record still points at the provider, and an attacker can claim the same GitHub Pages name (it is now free for anyone to register) and publish whatever they want under subdomain.yourdomain.com.

Preventing subdomain takeover

No security product, however sophisticated or expensive, will prevent a subdomain takeover on its own. Here everything is a matter of coordination. Who manages your company's DNS? Who approves the use of subdomains for support tickets or e-commerce, and who fills in the forms? Where is the filing cabinet, digital or paper, that documents subdomain ownership and records when a subdomain is no longer in use? Security is a process, not a product, and that becomes very clear when dealing with subdomain takeover. It is a particular problem in large companies where IT and security are separate departments. Managing DNS entries is usually IT's job: get my stuff online so I can do my work. But once it is online, who checks that it is still in use? Which department owns that verification? Given how trivial a subdomain takeover attack is, the damage it can do to your brand's reputation, and how little effort the fix takes (just remove or correct the DNS record), it is worth building regular subdomain checks into the organization's routine security process.
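The regular check that the two sections above call for can be automated. The script below is an added example written for this article, not code from the researcher or from any vendor tool: it reads a BIND-style zone export, picks out CNAME records that point at third-party providers, and flags targets that no longer resolve or that the provider serves with its “nobody owns this name” page. The zone, the stand-in resolver and the stand-in page fetcher are constructed so it runs offline; the provider fingerprints and all domain names are assumptions to verify before relying on them.

```python
"""Dangling-CNAME audit for subdomain takeover (added example).

Example code for this article, not from the researcher or any vendor.
The zone export, FAKE_DNS and FAKE_PAGES are constructed so the audit runs
offline; pass live_resolve / live_fetch instead to run it against real DNS.
"""
from __future__ import annotations

import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# CNAME target suffix -> text the provider serves when nobody owns the name.
# Assumed fingerprints: re-check them against each provider's current page.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "myshopify.com": "Sorry, this shop is currently unavailable",
}


@dataclass
class Finding:
    name: str       # fully qualified subdomain in our zone
    target: str     # CNAME target
    provider: str   # matched provider suffix, or "" if unknown
    status: str     # "takeover-candidate" | "dangling" | "ok"


def parse_cnames(zone_text: str, origin: str) -> list[tuple[str, str]]:
    """Extract (fqdn, target) pairs from 'name [ttl] [IN] CNAME target' lines."""
    pairs = []
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()       # drop comments, tokenize
        if "CNAME" not in parts:
            continue
        name, target = parts[0], parts[-1].rstrip(".")
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"               # relative name in the zone
        pairs.append((fqdn, target))
    return pairs


def provider_for(target: str) -> str:
    """Provider suffix the target belongs to, or "" if none is known."""
    return next((s for s in FINGERPRINTS if target == s or target.endswith("." + s)), "")


def audit(zone_text: str, origin: str,
          resolve: Callable[[str], Optional[str]],
          fetch: Callable[[str], str]) -> list[Finding]:
    findings = []
    for fqdn, target in parse_cnames(zone_text, origin):
        provider = provider_for(target)
        if resolve(target) is None:
            # Target no longer exists at all. Whether it can be claimed depends
            # on the provider, so flag it for manual review.
            status = "dangling"
        elif provider and FINGERPRINTS[provider] in fetch(fqdn):
            # Provider answers for our hostname but says nobody owns it: an
            # attacker registering that name publishes under our subdomain.
            status = "takeover-candidate"
        else:
            status = "ok"
        findings.append(Finding(fqdn, target, provider, status))
    return findings


def live_resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def live_fetch(host: str) -> str:
    """Body served for our hostname; keep 404 bodies, they carry the fingerprint."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


# --- constructed data so the example runs offline ---------------------------
SAMPLE_ZONE = """
; zone export for yourdomain.example (constructed)
docs    300 IN CNAME acme-docs.github.io.
app     300 IN CNAME acme-app.herokuapp.com.
shop    300 IN CNAME acme-store.myshopify.com.
status  300 IN CNAME acme.oldvendor.example.
www     300 IN A     203.0.113.10
"""
FAKE_DNS = {                      # target -> address; a missing key is NXDOMAIN
    "acme-docs.github.io": "192.0.2.1",
    "acme-app.herokuapp.com": "192.0.2.2",
    "acme-store.myshopify.com": "192.0.2.3",
}
FAKE_PAGES = {                    # what each subdomain serves today
    "docs.yourdomain.example": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.yourdomain.example": "<title>No such app</title>",
    "shop.yourdomain.example": "<h1>Welcome to the Acme store</h1>",
}


def demo() -> dict[str, str]:
    """Audit the constructed zone; returns {fqdn: status}."""
    findings = audit(SAMPLE_ZONE, "yourdomain.example",
                     FAKE_DNS.get, lambda host: FAKE_PAGES.get(host, ""))
    return {f.name: f.status for f in findings}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:18} {name}")
```

Swap `FAKE_DNS.get` and the page lookup for `live_resolve` and `live_fetch` to run it against real DNS. Treat “dangling” as a prompt for review rather than a verdict, since whether a dead target is claimable depends on the provider, while a “takeover-candidate” is a name an attacker can usually register on the provider today; in both cases the fix is the one the article names, remove or correct the DNS record.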

Source: www.lemondeinformatique.fr
