Where did my domain go?

Published: 2008-05-30
Last Updated: 2008-05-30 12:25:15 UTC
by Mark Hofman (Version: 1)

This is a question you don't want to be asking yourself while looking at where your main web page should be. Steve L. wrote in yesterday and mentioned that the Comcast network web site looked like it was under construction. I wrote it off as website maintenance (sorry Steve). I guess it was a little bit more than that (in my defence, it was an under construction notice, which some people put up when performing maintenance on their site). That changed a little later on in the evening.

Comcast had their domain snaffled away from them. The account Comcast uses with Network Solutions was used to alter the records and redirect the site. It won't be the last time this happens. People have reported increased phishing attempts to gain access to registrar accounts. The registrar I use is actively training its clients to click links in the numerous emails they send promoting stuff; probably not one of their better ideas, and I doubt they are alone in this practice.

There is money to be made in domain names. We all understand the value of branding, and getting the right name can help launch a product, company or people. Registrars earn their living by providing as many names as possible, so the process has to be easy and flexible, hence the "click here" links in emails. Now, hands up who can actually remember the userid and password they use for their registrar? (ps: feel free to mail them in.) Pretty much every time I need to do something with the registrar I have to request the password or, depending on the registrar, you can fax a request, on letterhead, through to them for action. In a past life, when we needed access to a client's domain information, we would typically just fax through a request to the registrar on letterhead (yes, with permission). About 30 minutes later we'd have access to the domain. I'm not saying it is still as easy, but...

Which brings me to a friend of mine (no sniggering, Mike): his mate had his domain name taken from him. It came up for registration and, due to timezones, he paid late. Turns out someone was watching the domain and snapped it up as soon as it expired. Two years of building a brand, gone in a few minutes. He could get it back for a bargain: USD$10,000. In another case the email address associated with the registrar account was changed (via a letterhead request), then a simple password reset and a transfer, and voilà, one domain name gone. If you spend some time on certain sites, you soon see that there are groups dedicated to grabbing desirable domain names, especially those that have established sites. Of course the spam and malware delivery side of the business does equally well.

The moral of the story: protecting something as seemingly trivial as the userid and password of the account used to manage your domain names can make or break a business. Luckily some registrars play ball and help out in these situations, but around the globe there are certainly some challenges.

Mark H - Shearwater
