Email holds the keys to the kingdom. All of your password resets go through email, and dropping an old domain name makes it easy for attackers to re-register the old domain and get your stuff.
The problem is particularly serious for law firms where partnerships form, dissolve and often merge, underlines security researcher Gabor Szathmari. A merger or acquisition usually involves either a new branding for the new business, with a corresponding new domain name, or the acquired business abandoning its old branding and old domain name. Letting these old domains expire is dangerous.
âIn the United States, 2017 was a banner year for leading law firm mergers with 102 mergers or acquisitions during the year,â writes Szathmari. âAt the level of petty legal practice, the number should number in the thousands.
To test how serious the problem is, Szathmari re-registered old domain names for several law firms that had merged, set up an email server, and without hacking anything, he says he received a constant stream of confidential information, including bank correspondence, invoices from other law firms, sensitive client legal documents and updates from LinkedIn. (Szathmari strives to return affected domain names to their original owners.)
Using abandoned domain names to commit fraud
The same technique, he says, could easily be used to commit fraud. âBy re-establishing an online store that previously ran on an abandoned domain name,â he wrote in an email to CSO, âbad actors could download the original web pages from archive.org, then pick up new ones. orders and new payments by pretending to be an online store. “
âIf the old online store had a CRM system or MailChimp ran marketing campaigns,â he adds, âcriminals could gain access to the list of old customers by taking over those accounts with a password reset. goes by e-mail. They could give them a special discount. code to encourage them to submit orders that would never be delivered. Sky is the limit. “
Expiring domain names are published daily by domain name registries as drop-down lists of domain names. You don’t have to be a criminal mastermind to download these listings daily and compare them with the news of mergers and acquisitions in the relevant professional ads, or simply re-register any domain name they like.
Szathmari was also able to use the re-registered domain names to access third-party breach passwords using HaveIBeenPwned.com and SpyCloud.com. Both services require domain name verification, a defense that is easily bypassed once you own the domain in question. Because password reuse remains rampant, Szathmari writes that he could easily have used these third-party passwords to compromise affected employees, including their professional and personal lives.
How long should you keep these old domains?
Prevention is better than cure. Domain names aren’t expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you’ll ever buy.
Szathmari recommends setting up a catch-all email service that redirects all incoming emails to a trusted administrator, someone who can review correspondence to past and current staff, and reset emails from password for online services.
Don’t give up on this subdomain either.
Subdomain hijacking occurs when an attacker takes control of a subdomain, such as subdomain.yourdomain.com. This usually happens when the domain owner stops a service running on the subdomain and forgets to update their DNS subdomain record which continues to point to a nonexistent service.
Earlier this year, Microsoft made the rookie mistake, failing to secure two subdomains that spammers use to promote online poker casinos. If Microsoft, a mature security-focused software maker, can make this mistake, there’s a good chance your organization will too.
A common occurrence of a subdomain takeover involves an organization setting up a subdomain to point to a third-party service, such as GitHub Pages, Heroku, or Shopify. If your organization later terminates this service and deletes its GitHub Pages account, for example, an attacker can re-register this GitHub Pages account (since it is now available to all users) and post whatever they want to subdomain.yourdomain .com.
How to prevent a subdomain takeover
None of the expensive and sophisticated security tools available can prevent a subdomain takeover, only organizational collaboration. Who manages your company’s DNS? Who approves the uses of subdomains for support tickets or ecommerce or to fill in the blank? Where is the filing cabinet, digital or paper, that documents and enforces subdomain checking when no longer in use?
Security is a process, not a product, and this truism is brought to light when addressing the issue of subdomain takeovers. This can be particularly problematic in large organizations where IT and Security have their own separate departments. Managing DNS entries is usually a computer function: bringing my thingumajigger online so that I can do my job. Once it’s online, who makes sure it’s still in use? Who owns this function?
Given how trivial a subdomain takeover attack is, how much damage to your brand’s reputation it can create, and little effort is needed to fix it – just change your DNS settings – it’s worth considering how to incorporate regular subdomain checking into your security workflow.
Copyright Â© 2020 IDG Communications, Inc.