The Coming Storm


16
Mar 20

The Web’s Bot Containment Unit Needs Your Help

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving ShadowServer have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.
Continue reading →


12
Mar 20

Live Coronavirus Map Used to Spread Malware

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java. Continue reading →


11
Mar 20

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected  “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations. Continue reading →


28
Feb 20

FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data

The U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation’s four largest wireless carriers for selling access to their customers’ location information without taking adequate precautions to prevent unauthorized access to that data. While the fines would be among the largest the FCC has ever levied, critics say the penalties don’t go far enough to deter wireless carriers from continuing to sell customer location data.

The FCC proposed fining T-Mobile $91 million; AT&T faces more than $57 million in fines; Verizon is looking at more than $48 million in penalties; and the FCC said Sprint should pay more than $12 million.

An FCC statement (PDF) said “the size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.”

The fines are only “proposed” at this point because the carriers still have an opportunity to respond to the commission and contest the figures. The Wall Street Journal first reported earlier this week that the FCC was considering the fines.

The commission said it took action in response to a May 2018 story broken by The New York Times, which exposed how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America. Continue reading →


24
Feb 20

Zyxel Fixes 0day in Network Storage Devices

Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products remotely without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code — a ne’er-do-well who goes by the nickname “500mhz” –is known for being reliable and thorough in his sales of 0day exploits (a.k.a. “zero-days,” these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.

PARTIAL PATCH

KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.

Continue reading →


18
Feb 20

Encoding Stolen Credit Card Data on Barcodes

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.

This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.

Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.

“Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction,” reads an alert the Secret Service sent to law enforcement agencies. “They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number.” Continue reading →


17
Feb 20

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially. Continue reading →


8
Feb 20

Dangerous Domain Corp.com Goes Up for Sale

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.” Continue reading →


28
Jan 20

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.

The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.

Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.

Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).

A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, New Jersey, Virginia and the District of Columbia.

According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.

“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”

Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.

Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.

Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants. Continue reading →


24
Jan 20

Does Your Domain Have a Registry Lock?

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC for (for .cn) domains, and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks. Continue reading →