Email holds the keys to the kingdom. All your password resets go through email, and abandoning an old domain name makes it easy for attackers to re-register the old domain and get your stuff.
The problem is especially grave for law firms where partnerships form, dissolve, and merge often, security researcher Gabor Szathmari points out. A merger or acquisition typically involves either new branding for the new firm, with a new domain name to match, or the acquired firm dropping their old branding and domain name. Letting those old domains expire is dangerous.
“In the US, 2017 was a record year for top-tier law firm mergers with 102 mergers or acquisitions in the year,” Szathmari writes, “At the small legal practice level, the number is likely to be in the thousands.”
To test just how bad the problem is, Szathmari re-registered old domain names for several law firms that had merged, set up an email server, and without hacking anything, he says he received a steady stream of confidential information, including bank correspondence, invoices from other law firms, sensitive legal documents from clients, and updates from LinkedIn. (Szathmari is working to return the affected domain names to their original owners.)
Using abandoned domain names to commit fraud
The same technique, he says, could easily be used to commit fraud. “By reinstating an online web shop formerly running on an abandoned domain name,” he writes in an email to CSO, “Bad actors could download the original web pages from archive.org, then take new orders and payments by posing as a fully functioning web shop.”
“If the former web shop had a CRM system or MailChimp running marketing campaigns,” he adds, “criminals could access the list of the former customers by taking over those accounts with an email-based password reset. They could offer them a special discount code to encourage them to submit orders which would never be delivered. The sky is the limit.”
Expiring domain names are published daily by domain name registries in the form of domain name drop lists. It doesn’t take a criminal mastermind to download those lists daily and cross-reference them against news of mergers and acquisitions in the relevant trade pubs, or just re-register any domain name that catches their fancy.
Szathmari was also able to use the re-registered domain names to access third-party breach passwords using HaveIBeenPwned.com and SpyCloud.com. Both services require domain name verification, an easily bypassed defense once you own the domain in question. Because password re-use remains rampant, Szathmari writes that he could easily have used those third-party passwords to compromise affected employees, including their business and personal lives.
How long should you hang onto those old domains?
Better safe than sorry. Domain names aren’t expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you’ll ever purchase.
Szathmari recommends setting up a catch-all email service that redirects all incoming email to a trusted administrator, someone who can review correspondence addressed former and current staff, and password reset emails for online services.
Don’t abandon that subdomain, either
Subdomain hijacking is when an attacker takes over a subdomain, such as subdomain.yourdomain.com. This usually happens when the domain owner shuts down a service running on the subdomain, and forgets to update their DNS subdomain record that continues to point to a nonexisting service.
Earlier this year Microsoft made this rookie mistake, failing to secure two subdomains that spammers used to promote online poker casinos. If Microsoft, a mature security-focused software maker, can make this mistake, odds are your organization can, too.
A common subdomain takeover occurrence involves an organization setting up a subdomain to point to a third-party service, such as GitHub Pages, Heroku, or Shopify. If your organization later ends that service and deletes its GitHub Pages account, for instance, then an attacker can re-register that GitHub Pages account (since it’s now available to all comers) and publish whatever they like at subdomain.yourdomain.com.
How to Prevent a Subdomain Takeover
None of the fancy-schmancy expensive security tools out there can prevent a subomain takeover, only organizational working-togetherness. Who manages your company’s DNS? Who approves subdomain uses for support ticketing or e-commerce or fill-in-the blank? Where is the binder, digital or paper, that documents and enforces checking subdomains when they are no longer in use?
Security is a process, not a product, and this truism comes into focus when solving the problem of subdomain takeovers. This can be especially a problem in larger organizations where IT and security have their own separate departments. Managing DNS entries is typically an IT job function–make my online thingumajigger go live so I can do my job. Once it’s live, who’s keeping track that it’s still in use? Whose job function is that?
Given how trivial a subdomain takeover attack is, how much reputational damage to your brand it can create, and little effort is required to fix it–simply edit your DNS settings–it is worth considering how to integrate regular subdomain checking into your security workflow.
Copyright © 2020 IDG Communications, Inc.
