January 22, 2025

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.”
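A defender can catch this class of mistake by auditing a zone's NS records against the nameserver domains it is actually supposed to delegate to. The Python below is an added example, not code from the article, from MasterCard or from Akamai: the NS hostnames in it are constructed (only the akam.net versus akam.ne pattern comes from the article), and the allowlist of expected provider domains is an assumption to be replaced with your own. In practice the input list would come from `dig NS <zone>` or a DNS library; note that checking whether the TLD exists is not sufficient, because .ne is a real TLD.

```python
import difflib

# Constructed sample NS set for a zone delegated to five provider servers,
# one of them mistyped. Hostnames are invented for illustration; only the
# akam.ne / akam.net pattern is taken from the article.
SAMPLE_NS = [
    "a1-11.akam.net.",
    "a3-64.akam.net.",
    "a22-65.akam.ne.",
    "a7-66.akam.net.",
    "a13-67.akam.net.",
]

# Assumed allowlist: the nameserver domains this zone is expected to use.
EXPECTED_NS_DOMAINS = {"akam.net", "akamai.net"}


def parent_domain(hostname, labels=2):
    """Return the last `labels` labels of a hostname, lower-cased and without
    the trailing dot, e.g. 'a22-65.akam.ne.' -> 'akam.ne'."""
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def audit_ns(ns_hosts, expected=EXPECTED_NS_DOMAINS, labels=2):
    """Flag NS hosts whose parent domain is not an expected provider domain.

    Returns a list of (host, parent_domain, closest_expected) tuples, where
    closest_expected is the allowlisted domain the parent most resembles
    (a likely typo) or None if nothing is close.
    """
    findings = []
    for host in ns_hosts:
        parent = parent_domain(host, labels)
        if parent in expected:
            continue
        close = difflib.get_close_matches(parent, sorted(expected), n=1, cutoff=0.8)
        findings.append((host, parent, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for host, parent, suggestion in audit_ns(SAMPLE_NS):
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"UNEXPECTED NS: {host} delegates to {parent}{hint}")
```

The check compares only the last two labels of each NS host; for providers that hand out nameservers under a longer suffix, raise `labels` or extend the allowlist accordingly. Running this periodically against every zone you own, and alerting on any finding, is the cheap control that would have surfaced a delegation to akam.ne in 2020 rather than 2025.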

This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West African nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like Cloudflare and Google.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By setting their DNS records with a long TTL or “Time To Live” — the value that tells a resolver how long it may keep a DNS answer cached — an attacker’s poisoned answers for the target domain can be held and re-served by large public resolvers long after the original lookup.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.
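Caturegli's point about one-fifth versus a long TTL can be put in numbers. The following is an added example, not code from the article or from Seralys. It assumes a simplified resolver model (on every cache miss the resolver picks one of the zone's authoritative servers uniformly at random, caches the answer for its TTL, and repeats) and uses constructed TTL values; under those assumptions it computes how much of a caching resolver's answers end up poisoned when one of five nameservers is under hostile control and serves long TTLs.

```python
import random


def poisoned_share(n_servers, legit_ttl, poisoned_ttl, compromised=1):
    """Long-run fraction of a caching resolver's answers for a name that are
    served from a poisoned cache entry.

    Model (an assumption made for this example): each cache miss picks one of
    n_servers authoritative servers uniformly at random; `compromised` of them
    answer with poisoned data carrying poisoned_ttl seconds, the others answer
    legitimately with legit_ttl seconds. Each answer lives in cache for its
    TTL, then the cycle repeats. With steady client demand the share of
    answers that are poisoned equals the TTL-weighted probability below.
    """
    p = compromised / n_servers
    return (p * poisoned_ttl) / (p * poisoned_ttl + (1 - p) * legit_ttl)


def simulate_poisoned_share(n_servers, legit_ttl, poisoned_ttl, horizon,
                            compromised=1, seed=1):
    """Discrete-event check of the same model: walk through successive cache
    lifetimes for `horizon` seconds and measure the poisoned share directly."""
    rng = random.Random(seed)
    now = 0.0
    poisoned_time = 0.0
    while now < horizon:
        # Cache miss: the resolver picks an authoritative server at random.
        if rng.randrange(n_servers) < compromised:
            ttl = poisoned_ttl
            poisoned_time += min(ttl, horizon - now)
        else:
            ttl = legit_ttl
        now += ttl
    return poisoned_time / horizon


if __name__ == "__main__":
    # Five NS records, one under hostile control, as in the article.
    # TTL values are constructed for illustration.
    for legit_ttl, poisoned_ttl in [(300, 300), (300, 3600), (300, 86400)]:
        analytic = poisoned_share(5, legit_ttl, poisoned_ttl)
        sim = simulate_poisoned_share(5, legit_ttl, poisoned_ttl, horizon=365 * 86400)
        print(f"legit TTL {legit_ttl:>6}s, poisoned TTL {poisoned_ttl:>6}s: "
              f"analytic {analytic:.3f}, simulated {sim:.3f}")
```

With equal TTLs the poisoned share is the naive one in five; with a legitimate TTL of 300 seconds against a poisoned TTL of one day it rises to roughly 98.6 percent, which is the mechanism behind “a LOT more than just 1/5.” The defensive reading is that a single unowned NS name is a full-zone risk, not a proportional one, and that resolvers honouring attacker-chosen TTLs is what makes it so.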

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge — here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain az.mastercard.com. It is not clear exactly how MasterCard uses this subdomain, but its naming convention suggests the domains correspond to production servers at Microsoft’s Azure cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “awsdns-06.ne” instead of “awsdns-06.net.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).


16 thoughts on “MasterCard DNS Error Went Unnoticed for Years”

  1. Jordan

    I’m baffled at Mastercard’s response; to be so dismissive and seemingly quite hostile is a strange response from such a large entity.

    Reply
    1. Miah

      Not really. They pointed out that the emperor wasn’t wearing any clothes, and the emperor responded accordingly. Large corporations are not friendly, they are definitely not your friend, and if you bother them they will squash you.

      Reply
  2. Alyx

    > DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).

    Team Internet (AS61969) is running ParkingCrew. So this is probably not related to any of the yandex users.

    Reply
  3. Former TI employee

    > […] was hosted at the same German ISP — Team Internet (AS61969).

    This is just a Domain Parking vendor. There is no malware hosted, but a lot of ads. You point your domains there and get money for the delivered ads.

    I would interpret the situation that someone just leveraged the typo to earn money, but not actively doing any harm.

    Reply
    1. Alyx

      I mean, these domains are not really high (browser) traffic domains.
      Feels more like they got automatically re-registered once they expired.

      Many companies do that, hoping there are still back links generating traffic or even that the domain might be worth something.

      Reply
  4. NKT

    So it was exploited for a couple of years, then abandoned! Then rediscovered 6 years later.

    Reply
  5. Mike Wolfe

    Doing the right thing is never wrong, though the response from Mastercard was poor. If it had been my decision, I would have sent a ‘thank you’ with a Platinum Mastercard that had at least a $300 credit balance to help offset any expenses. A huge callout to Philippe Caturegli on behalf of security practitioners everywhere.

    Reply
  6. Vinod Patel

    It’s a shame that Mastercard haven’t compensated for the good deed for the time and costs for the Good Samaritan deeds that
    I also think that the UK’s BT should not have stopped the open community using Yellow Pages to reference to addressing IP as many of you experienced folks may remember! And when devices were ypmaster and ypslave in SunOS and similar BSD Unix variations. master and slave are also not used for obvious reasons. Well done @krebsonsecurity

    Reply
  7. RichG

    Very Poor Response by Mastercard, as if it was from someone who didn’t understand or care. If I was Mastercard I would have sent a gracious note with a $300 reimbursement card for the registration, and another card with a thank-you for their time and trouble over Mastercard’s error.

    Reply
  8. Al M End

    Let’s see if I have this right: Akamai has no auditing process to determine if a routing goes to a non-responding (dead letter) address? Not trying to absolve MC of this oversight; in the 1980s Cuckoo’s Egg was written to describe how a team of German hackers had made their way into Defense Dept. mainframes, discovered in a sub-dollar accounting error and confirmed via a network of pagers that alerted Cliff Stoll (the author) to intrusion/attempts.

    I feel the new climate (political and otherwise) will be fewer and fewer mea culpas and more and more threatening lawsuits or FBI action if you don’t take that defamatory LinkedIn post down.

    Reply
    1. Benji Wiebe

      It’s not Akamai’s fault. They could check their clients’ NS settings as a courtesy but it’s not their responsibility nor is it in their control.

      Reply
  9. Dave

    Didn’t MasterCard pay a couple billion for a security company called Recorded Future lately?

    Reply
  10. ronw

    If “there was not a risk to our systems”, then why did Mastercard care about the LinkedIn post and want it taken down? That seems like saying “It’s not a problem, but don’t talk about the thing we say is not a problem”.

    Reply
  11. Tyler P

    Reminds me of the Seinfeld episode where Kramer gets all the calls for MOVIEFONE.

    Reply
