[BreachExchange] Abandoning a domain name can come back to bite you, research shows

Destry Winant destry at riskbasedsecurity.com
Mon Oct 15 09:45:25 EDT 2018


https://www.welivesecurity.com/2018/09/11/abandoning-domain-name-research-shows/

Cybercriminals can use an abandoned domain name to obtain all manner
of private information belonging to the company that formerly owned
the domain, as well as to its clients and employees, a researcher
warns.

Gabor Szathmari has described how a new domain owner can, among other
things, take control of the previous owner’s email accounts associated
with the domain. From there, the ill-intentioned domain owner can
access confidential information or hijack the user’s accounts on a
variety of online services – and with little effort and zero hacking
prowess to boot.

To demonstrate the rather little-known risks, a team led by Szathmari
re-registered six expired domain names, some of which previously
belonged to several Australian law firms. Any and all email accounts
associated with the domains were then configured to forward all
incoming email messages that were intended for the domains’ former
owners to a “catch-all” email service controlled by the researchers.
The team then “sat back and waited for the emails to come in”.

And come in they did, with the number of email messages received over
a three-month period topping 25,000. Having separated the wheat from
the chaff, they found true gems in a number of the emails. This
included highly sensitive information about the legal practice and its
clients, such as transcripts of court proceedings and other sensitive
legal documents, as well as supplier invoices, bank statements, etc.

Digging deeper, the researchers showed that they would have easily
been able to impersonate the legal practitioners in order to con their
clients or to regain access to the firms’ Office 365 and G Suite
accounts by resetting the passwords.

By combining information that is available on data breach search tools
SpyCloud and HaveIBeenPwned and by abusing password reset functions on
social media, they could also have easily hijacked some of the
personal or work-related accounts of legal professionals on the
platforms, especially on LinkedIn, where the potential victims often
used their business email addresses. The same dangers were found to
apply to user accounts on profession-specific web portals.

All that you can’t leave behind

The research focused on domain names once owned by Australian law
firms, since law firms, and not only in Australia, often merge or are
acquired, sometimes leaving their old domain names to expire. Domain
name drop lists are easily found on the internet.

Of course, other businesses aren’t spared the risks. Speaking to CSO,
Szathmari elaborated on the dangers of domain name abandonment for
online stores and their customers. “By reinstating an online web shop
formerly running on an abandoned domain name, bad actors could
download the original web pages from archive.org, then take new orders
and payments by posing as a fully functioning web shop,” he wrote.

The easiest way in which organizations can prevent this threat is to
auto-renew their domain names, even if they’re no longer in use, for
an indefinite period of time. Other preventative measures include
closing, changing or disassociating user accounts once registered with
work-related email addresses, utilizing two-factor authentication
wherever available, as well as always creating strong and unique
passwords.
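One defender-side check that follows from the auto-renew advice, as an added example that is not from the article or from Szathmari’s research: classify each domain an organisation still owns as expired, dropping (in a registry wind-down status), expiring soon, or fine, using constructed records shaped like the `events` and `status` members of an RDAP domain response (the domain names and dates are placeholders, not real data).

```python
"""Flag owned domains that have expired, are being dropped, or expire soon.
Input records are constructed to mirror the 'events'/'status' members of an
RDAP domain lookup; in practice they would come from the registrar or RDAP."""
from datetime import datetime, timedelta, timezone

# Constructed sample records (placeholder names, not real registrations).
SAMPLE_RECORDS = [
    {"ldhName": "example-firm-one.test",
     "events": [{"eventAction": "expiration", "eventDate": "2018-12-10T00:00:00Z"}],
     "status": ["active", "client transfer prohibited"]},
    {"ldhName": "example-firm-two.test",
     "events": [{"eventAction": "expiration", "eventDate": "2018-09-01T00:00:00Z"}],
     "status": ["redemption period"]},
    {"ldhName": "example-firm-three.test",
     "events": [{"eventAction": "expiration", "eventDate": "2019-06-30T00:00:00Z"}],
     "status": ["active"]},
    {"ldhName": "example-firm-four.test",
     "events": [{"eventAction": "expiration", "eventDate": "2018-10-01T00:00:00Z"}],
     "status": ["active"]},
]

# RDAP status values (RFC 8056) meaning the registry is already winding the
# name down; once it drops, anyone can register it and receive its mail.
DANGER_STATUSES = {"pending delete", "redemption period", "auto renew period"}

# Fixed "today" so the report is reproducible; the date of this post.
AS_OF = datetime(2018, 10, 15, tzinfo=timezone.utc)


def expiry_date(record):
    """Return the expiration event as an aware datetime, or None if absent."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def assess(record, now, warn_days=60):
    """Classify one domain: 'dropping', 'expired', 'expiring', 'ok' or 'unknown'."""
    statuses = {s.lower() for s in record.get("status", [])}
    if statuses & DANGER_STATUSES:
        return "dropping"          # registry wind-down: act today, not at expiry
    exp = expiry_date(record)
    if exp is None:
        return "unknown"           # no expiry event: verify with the registrar
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def report(records, now=AS_OF, warn_days=60):
    """Map each domain name to its verdict so the result can be alerted on."""
    return {r["ldhName"]: assess(r, now, warn_days) for r in records}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_RECORDS).items():
        print(f"{name}: {verdict}")
```

Anything other than `ok` should raise a ticket; a name in `redemption period` or `pending delete` is days away from being re-registrable by whoever watches the drop lists the article mentions.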
