November 13, 2018

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.

For nearly 10 years, Portland, Ore. resident Julie Randall posted pictures for her photography business at julierandallphoto-dot-com, and used an email address at that domain to communicate with clients. The domain was on auto-renew for most of that time, but a change in her credit card details required her to update her records at the domain registrar — a task Randall says she now regrets putting off.

Julierandallphoto-dot-com is now one of hundreds of fake ecommerce sites set up to steal credit card details.

That’s because in June of this year the domain expired, and control over her site went to someone who purchased it soon after. Randall said she didn’t notice at the time because she was in the middle of switching careers, didn’t have any active photography clients, and had gotten out of the habit of checking that email account.

Randall said she only realized she’d lost her domain after failing repeatedly to log in to her Instagram account, which was registered to an email address at julierandallphoto-dot-com.

“When I tried to reset the account password through Instagram’s procedure, I could see that the email address on the account had been changed to a .ru email,” Randall told KrebsOnSecurity. “I still don’t have access to it because I don’t have access to the email account tied to my old domain. It feels a little bit like the last ten years of my life have kind of been taken away.”

Visit julierandallphoto.com today and you’ll see a Spanish language site selling Reebok shoes (screenshot above). The site certainly looks like a real e-commerce shop; it has plenty of product pages and images, and of course a shopping cart. But the site is noticeably devoid of any SSL certificate (the entire site is http://, not https://), and the products for sale are all advertised for roughly half their normal cost.

A review of the neighboring domains that reside at Internet addresses adjacent to julierandallphoto-dot-com (196.196.152/153.x, etc.) shows hundreds of other domains that were apparently registered upon expiration over the past few months and which now feature similar http-only online shops in various languages pimping low-priced, name brand shoes and other clothing.

Until earlier this year, wildcatgroomers-dot-com belonged to a company in Wisconsin that sold equipment for grooming snowmobile trails. It’s now advertising running shoes. Likewise, kavanaghsirishpub-dot-com corresponded to a pub and restaurant in Tennessee until mid-2018; now it’s pretending to sell cheap Nike shoes.

So what’s going on here?

According to an in-depth report jointly released today by security firms Flashpoint and RiskIQ, the sites are almost certainly set up simply to siphon payment card data from unwary shoppers looking for specific designer footwear and other clothing at bargain basement prices.

“We have observed more than 800 sites hosting these brand impersonation/skimming stores since June 2018,” the report notes.

“This group’s strategy appears rather simple: the perpetrators set up a large number of stores impersonating as many popular brands as possible and drive traffic to these fake stores with a variety of methods,” the report continues. “Some visitors will attempt to make purchases, entering their payment information into the payment form where the skimmer copies it and sends it to a drop server. The payment page even displays badges from various security companies in order to appear more legitimate.”

The report tracks the work of Magecart — the name given to a collective of at least seven cybercrime groups involved in hacking Web sites to steal payment card data. On Nov. 4, KrebsOnSecurity published Who’s in Your Online Shopping Cart?, which looked at a network of hacked sites that fit the Magecart profile.

Credit card data stolen by these various Magecart groups invariably gets put up for sale at online cybercrime shops, the security firms found. In addition, some Magecart actors will sell access to hacked online stores, allowing crooks who buy this access to receive a live feed of freshly-stolen payment card details for as long as the site remains compromised.

Flashpoint and RiskIQ say they have been working with two other non-commercial anti-abuse organizations, Abuse.ch and Shadowserver, to “sinkhole” or quietly assume control over hacked domains that are used for Magecart activities. These latter two organizations provide automated reporting to affected organizations. Anyone responsible for managing a range of Internet addresses can sign up at Shadowserver.org to have those ranges monitored for domains compromised by Magecart tools.

Meanwhile, as Julie Randall’s experience shows, it pays to stay on top of any domain registrations you may have. Giving up on a long-held domain name — particularly one tied to your name — is always a tough call, because you simply never know what it will be used for when it falls into someone else’s hands.

If you’re on the fence about whether to renew a domain and it’s one of several you own, it may make sense to hold onto it and simply forward any incoming traffic to a domain you do want people to visit. In the event you decide to relinquish a domain, make sure you take stock of any online accounts you created with email addresses tied to that domain and move those to another email address, as those accounts will likely come under someone else’s control when the domain expires.
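One way to take stock of the accounts tied to a domain before giving it up, as an added example that is not part of the original article: the sketch below scans message headers for addresses at the domain and lists the senders whose mail looks account-related. The domain `retiring.example`, the keyword list and the sample messages are constructed assumptions.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Subject keywords that suggest an account is registered to the address (assumed list).
ACCOUNT_HINTS = ("password", "verify", "confirm", "sign-in", "login", "your account", "receipt")
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")

def at_domain(addr, domain):
    """True if addr is at `domain` or one of its subdomains."""
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return host == domain or host.endswith("." + domain)

def inventory(messages, domain):
    """Return {address at domain: {sender domain: {"count", "account_mail"}}}."""
    domain = domain.lower()
    found = defaultdict(dict)
    for msg in messages:
        senders = [a for _, a in getaddresses(msg.get_all("From", [])) if "@" in a]
        if not senders:
            continue  # malformed or missing From: nothing to attribute
        sender_domain = senders[0].rsplit("@", 1)[1].lower()
        subject = str(msg.get("Subject", "")).lower()
        raw = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
        # A set, so an address in both To and Delivered-To counts once per message.
        for addr in {a.lower() for _, a in getaddresses(raw) if at_domain(a, domain)}:
            entry = found[addr].setdefault(sender_domain, {"count": 0, "account_mail": False})
            entry["count"] += 1
            entry["account_mail"] |= any(hint in subject for hint in ACCOUNT_HINTS)
    return dict(found)

def accounts_to_migrate(messages, domain):
    """Sorted (address, sender domain) pairs whose mail looks account-related."""
    return sorted((addr, sender) for addr, senders in inventory(messages, domain).items()
                  for sender, info in senders.items() if info["account_mail"])

# Constructed sample headers for illustration; not real mail.
SAMPLE = [message_from_string(raw) for raw in (
    "From: Photo App <no-reply@photoapp.example>\nTo: owner@retiring.example\n"
    "Delivered-To: owner@retiring.example\nSubject: Reset your password\n\n",
    "From: Photo App <no-reply@photoapp.example>\nTo: owner@retiring.example\n"
    "Subject: New features this month\n\n",
    "From: billing@storage.example\nTo: Admin <admin@mail.retiring.example>\n"
    "Subject: Your receipt for March\n\n",
    "From: news@shoes.example\nTo: owner@retiring.example\nSubject: Weekly deals\n\n",
    "From: friend@other.example\nTo: owner@elsewhere.example\nSubject: Hi\n\n",
)]

if __name__ == "__main__":
    for address, sender in accounts_to_migrate(SAMPLE, "retiring.example"):
        print(f"{address}: update or close the account at {sender}")
```

To run it over a real archive, pass a `mailbox.mbox(path)` object from the standard library in place of `SAMPLE`.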


32 thoughts on “That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards”

  1. Jeremy

    When I gave up on my photography business I shut down my website and let it expire. It didn’t take long for it to be taken over by the same kind of scams. Though even when I had control of it I had near constant “attacks” and login attempts from eastern European IP addresses. So I don’t doubt that once the address went up for sale it got grabbed by one of the folks trying to login all those times.

    1. Tacitus

      Thing is, *every* website is under constant attack from bots probing its defenses. Even the logs of a site that barely has any real traffic at all will fill with such attempts looking for poorly configured software packages and unpatched exploits.

  2. The Sunshine State

    I get those domain name renewals every once in a while, EasyDns.com told me that they are for SEO signup, not looking to hijack the domain.

    1. CALVIN HODGSON

      This is about domains that have expired, not emails from spammers.

  3. Kallen Web Design

    One of the challenges of forwarding a domain you no longer need to use but want to keep to a domain you want more traffic for, is depending on how it is set up, Google can see this as duplicate content and penalize the site you want traffic for. You can set up a 301 redirect on the old domain but this will require keeping an active hosting account for the old domain, often adding an additional annual cost beyond simply keeping the old domain registered.

    1. CALVIN HODGSON

      Cloudflare free plan allows 301 redirection without the need for a hosting plan.

  4. Michael Hawkins

    Maybe the best solution here would be for some industrious domain registrar/DNS provider to provide a very cheap “parked” domain service where domain names go to die. Make it a one time cost of say $10 USD that kills the domain for ten years and then releases it back into the wild.

    1. Anon404

      Or perhaps registrars shouldn’t let unrenewed domain names be bought by anyone for a period of time, say 6 months, after it has expired, unless the original customer has indicated they are selling it.

      1. CALVIN HODGSON

        Registrars have to follow what ICANN states. There is a 30 day grace period after a domain expires to renew it.

        Better question is, why doesn’t the consumer have auto renew enabled? Even if it is just for the domain and not the hosting, auto renew offers that protection against forgetting about your domain expiring.

        1. Eric

          Auto-renew only works if your credit card information on file still works.

  5. Dennis

    What I’ve been noticing lately, Brian, is that there’s a lot of those mom-and-pop shop domains (possibly abandoned) that are used to host phishing sites. When I get one of those phishing scammy emails to my own address (usually at least one a day) I try to check the link that they want you to click and notify the domain owner. Unfortunately I rarely hear back, as the domains are probably already abandoned.

  6. Jett

    Excellent article Brian – as always. I come across many hijacked domains in my research and sometimes I feel like there is no rhyme or reason behind some of them. This article has cleared some of that misconception up for me. Also, I downloaded the RiskIQ Flashpoint in-depth report you linked in your story. Awesome read. I like how they added the “Joker” to the front page of the report, nice touch!

  7. woot

    Got a small family owned Italian restaurant near me. They let the domain expire without knowing it. And someone from another country bought it and put shoes or clothing on the site for sale. Probably to steal ID and credit card info.

  8. Moike

    I periodically validate a bunch of business web sites in my geographic area. A trend is that small business owners without a web store interact and attract most new business via Facebook. So they drop their web site for business efficiency and operate only from Facebook. The more popular sites or names are quickly taken over and converted to either Ad networks or fake E-stores.

    1. Eric

      That’s a shame. Anyone that is Facebook only is dead to me.

  9. Gabor Szathmari

    When we did our research on abandoned domains earlier, my mate and I were discussing this theoretical attack scenario and here it is.

    We found tons of Aussie and international web shops on ExpiredDomains.net waiting for someone to pick them up and restore the original site from web.archive.org.

    Our research was focusing on law firms and we found that businesses providing professional services are also at risk because of a large amount of PII data these businesses handle.

    As your article points out, Brian, the victims’ social media accounts were hijacked by the forgotten password feature. Similarly, we found business accounts such as Dropbox and Office 365 registered with the abandoned domains: https://blog.ironbastion.com.au/hacking-law-firms-abandoned-domain-name-attack/

    They are potentially stuffed with sensitive files like contracts and the scanned copies of personal documents waiting for someone to hijack them through a password reset.

    On a side note, data breaches like these involving Personal Data (the terminology for PIIs in Australia) have to be reported to the Information Commissioner under the Notifiable Data Breaches Scheme.

    1. Soy Tenley

      “Our research was focusing on law firms…”

      I suggest this:

      As the government requires the firms as well as the lawyers to have special registration with the state, seems to me the government should have the authority to decide who gets to use the domain name, restricting the use of the domain to other similarly registered professionals.

      If the domain is abandoned or the current owner fails to pay for registration, ownership reverts to the state, and the domain name cannot be acquired by anyone without state approval. After a long time period during which the original site contents are to be archived offline, if necessary, then the state will release the domain for anyone to use.

      With the pressure to ‘privatize government functions’ this function / service might be contracted out to a private business, which means another can of worms if the business fails in its responsibilities, or the contract is given to a different business.

      Oh, well.

      So, Brian, what are your plans for this website when you are no longer an investigative journalist?

  10. anarak

    Great story. I recently went hunting for a pair of Nikes that are hard to find. I was shocked at the number of websites I came across that had a strong whiff of illegitimacy – shoes marked 30 percent less for sale on domains that appeared to have been hijacked. I was nearly duped by one of them since the web pages themselves were well-constructed and didn’t have elementary grammar errors. But overall I think this is a much larger problem than we all ever realized.

  11. K.D.H

    I lived this same nightmare. I lost everything from a breach while creating a website. I lost my business, and much much more. My attacker managed to target and access my personal data, financial data, and my children’s iCloud accounts. My attack took place November 8th of last year and continued on. I knew someone had system/root access but at the time didn’t know how to stop it. I was phished via wix, and wordpress daily. I clicked a link within an email that appeared to be from Wix-dot-com and the rest is history. I wish I had enough time and space to type this story out in full. Take it from me, someone who lost everything from my attacker that this is very much real life. I never knew what Identity Theft could do to a person until now.

    Great Post, Brian.

  12. Michelle

    Can someone help me out? I’m not understanding or getting the link between an expired domain and these shopping sites. In the case of Julie Randall and her expired domain julierandallphoto-dot-com, is it the scammer’s hope that I go to julierandallphoto-dot-com because I want to hire a photographer, but instead, see cheap name brands that are knockoffs, and then decide what the hell, I’m going to buy me some cheap Nike’s? Why don’t they just create their own domains for this crap? It’s early and I haven’t had my coffee yet, so please excuse me if this was something obvious in Brian’s article that I simply overlooked.

    1. BrianKrebs Post author

      The scammers are driving traffic to these domains via a variety of means. The people they’re targeting don’t know anything about Julie’s old domain.

      The attackers may also be doing things to make their fake ecommerce sites more findable when people search for specific name-brand items online, although I have no idea if that’s actually happening in this case or not.

      1. Jos

        They do it to benefit from the domain reputation. Short-lived domains are more likely to be uncategorized and suspicious.

        Using a long-standing domain name prevents protection mechanisms from blocking access or otherwise displaying warnings (proxies, surfing protection, …).

    2. TW

      Re-using a domain name that already has some positive reputation probably means the scammer’s site will be more effective than one that uses a brand new domain name. Some web security products have a feature to block access to recently registered domain names, for example.

    3. Jon

      Thank you, Michelle. I had the same question.

      The answer about domain reputation makes some sense. Though I work for a large law firm and we had a client who registered a (strange-sounding) domain name that had not been set up yet. It expired and somebody took it *immediately*. In this case, the domain had no reputation and the name was of no value.

      The attorney had some idea about the perp turning around and suing the legit people for cybersquatting. He made it sound like a common thing, but I don’t know any more than that.

  13. Emily

    When I transferred my business to the Internet, created a website, made a logo here https://www.logaster.com/ , in time I got rid of my logo, which they saw on another website. Not only the logo was stolen from me, but also photos and, in general, almost everything that I invented for my site!

  14. Web Host Pro

    Working for web hosting service https://webhost.pro we see domains expire often that customers simply forgot about. We try to send emails but many times the email on file was not current. This is just a reminder to keep your emails current and add a file with expire dates so you have several reminders.

    1. Kehila

      As long as you don’t have any important email addresses linked to your unwanted domain name, I think it should be OK to just make it show a blank html and then let it expire.

    2. timeless

      I’m currently thinking this over. I’ve inherited a couple domains…

      Part of the problem is that there’s essentially no way to know where a domain is used (especially including email addresses).

      At the very least, recording all the inbound email addresses + senders and the addresses of all URLs on the domain for a bit, plus searching for the domain / reverse link searching for the urls and working to scrub them seems like an approach one should take.

      For any email addresses, one should probably find the senders and delete accounts/update their pointers/unsubscribe the addresses.

      But doing this is fairly time consuming…

  15. Domainchap

    All my client websites are registered for at least 3 years.
    And I make a point to check that twice per year, some are good for more than 5 years. The fact that you run a business and register a domain name for one year is absurd.
    I worked with some control freak who wanted to own their domain, and they forgot to renew the domain after one year. Their very good domain name is now redirecting to a yoga business, and there is zero chance they recover it ever. So they spent some good cash in rebranding.

  16. Laura Harvsey

    We had this happen with one of our client domains, but a lot of times they aren’t malicious phishing attempts, they are people just using the expired domains as part of a PBN (private blog network).

    If you do a quick Google search you’ll realize it’s a massive booming industry, reselling domains like this.
