https://portswigger.net/daily-swig/how-expired-web-domains-help-criminal-hackers-unlock-enterprise-defenses

The Daily Swig

How expired web domains help criminal hackers unlock enterprise defenses

Stephen Pritchard, 16 December 2021 at 12:59 UTC. Updated: 16 December 2021 at 13:01 UTC
Internet Infrastructure | OpSec | Deep Dives

Allow domains to 'drop' and you're increasing the effectiveness of a variety of attacks

Managing domain names is a task that enterprises often leave to the marketing department rather than the security team. Yet expired - or 'dropped' - domains can pose a real security risk.

Cybercriminals can hijack redundant domains and use them to carry out a range of attacks against organizations. These range from phishing and business email compromise to ransomware and supply chain attacks. Almost any compromise where an attacker uses an ostensibly legitimate identity to overcome defences is made easier by taking over an expired domain.

Why domains are left to expire

Organizations allow domains to expire for a number of reasons. Sometimes it's a simple mistake: a domain renewal is overlooked because a payment method has expired or the renewal contact has moved on. But domains also drop because a brand is no longer being used, because they were set up for test and development purposes, or because they belong to a business or product that has been acquired by another company.

In April 2021, for example, Google's Argentina domain was acquired by web designer Nicolas Kurona for a mere £2 ($2.90). The domain was quickly transferred back to Google, and there is no suggestion Kurona intended to misuse it - but it shows how easy it is to lose control of such a key, high-value asset.

"Organizations have multiple domains, and you'd expect quite a bit of governance and care around the main domain," Phil Robinson, principal consultant and founder of Prism Infosec, told The Daily Swig.

Domains for subsidiaries or internal systems are harder to keep track of, however. "Through acquisitions, if you're not careful you could end up with a domain that has fallen between the cracks which could then expire," he warns. This could then be registered by others, to use as they please.
Domains can be 'dropped' because of oversights or because a brand has been abandoned or acquired

What happens to expired domains?

Domain expiration follows a set process. Every domain has an expiry date on its WHOIS record. Once that date is reached, there will usually be a renewal grace period; this varies from registrar to registrar. After that there is a redemption period, where the domain can still be reclaimed, and then a five-day 'pending delete' period.

Subsequently it's added to a domain drop list, which criminal hackers are known to trawl for promising targets, before being made available to buy on the open market.

How might a malicious hacker exploit an expired domain?

Cybercrooks can use dropped domains for any attack vector that exploits an organization's identity, such as account takeovers or phishing campaigns that leverage false business invoices.

Criminal groups have even set up mail servers using expired domains. In turn, these can be used to gain access to social media accounts associated with the expired domain, or more worryingly, web services and SaaS applications.

"There are many ways attackers can use old domains to their advantage," Tom McVey, solution architect at cloud security platform Menlo Security, told The Daily Swig.

"For example, a manufacturing organisation could forget to renew their domain 'manufactory.com'. Attackers could then purchase the domain and use it to host a website that's built to look just like the manufacturer's site - except every download link secretly contains infected files.

He adds: "They could also execute phishing and social engineering attacks by emailing past clients with what looks to be a legitimate and safe email address, [such as] sales@manufactory.com.

"The attackers essentially rely on the reputation of the domain to help increase the efficacy of their attacks."
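The lifecycle described above (expiry date on the WHOIS record, renewal grace period, redemption period, five-day pending delete, then the drop list) can be turned into a routine check over an inventory of the domains an organisation owns. The Python below is an added example written for this article's subject; it is not code from The Daily Swig or any registrar. The WHOIS snippets and dates are constructed, and the 30-day grace and redemption lengths are assumed values that should be replaced with the registrar's published policy; only the five-day pending-delete window comes from the article.

```python
"""Place a domain in the expiry lifecycle from its WHOIS record.

Added example; not code from The Daily Swig or any registrar. The WHOIS
snippets and dates are constructed, and RENEWAL_GRACE_DAYS and
REDEMPTION_DAYS are assumed values (registrars differ); the five-day
pending-delete window is the one the article describes.
"""
import re
from datetime import date, datetime

RENEWAL_GRACE_DAYS = 30   # assumed; check the registrar's policy
REDEMPTION_DAYS = 30      # assumed; check the registrar's policy
PENDING_DELETE_DAYS = 5   # as described in the article

# Registry records use "Registry Expiry Date:"; some registrars print
# "Expiration Date:" or "Expiry Date:" instead.
EXPIRY_PATTERNS = (
    re.compile(r"Registry Expiry Date:\s*(\S+)", re.IGNORECASE),
    re.compile(r"Expir(?:y|ation) Date:\s*(\S+)", re.IGNORECASE),
)


def parse_expiry(whois_text):
    """Return the expiry date found in WHOIS output, or raise ValueError."""
    for pattern in EXPIRY_PATTERNS:
        match = pattern.search(whois_text)
        if match:
            # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
            raw = match.group(1).rstrip("Z")
            return datetime.fromisoformat(raw).date()
    raise ValueError("no expiry date in WHOIS record")


def lifecycle_stage(expiry, today):
    """Map today's date onto the stages the article lists."""
    if today < expiry:
        return "active"
    days_past = (today - expiry).days
    if days_past < RENEWAL_GRACE_DAYS:
        return "renewal grace period"
    if days_past < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS:
        return "redemption period"
    if days_past < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS + PENDING_DELETE_DAYS:
        return "pending delete"
    return "dropped"


def audit_inventory(whois_by_domain, today, warn_days=30):
    """Classify each owned domain and flag those that need action.

    whois_by_domain maps domain -> WHOIS output text (e.g. from `whois`).
    Returns {domain: {"expiry", "stage", "days_left", "alert"}}; alert is
    True for anything past expiry or expiring within warn_days.
    """
    results = {}
    for domain, text in whois_by_domain.items():
        expiry = parse_expiry(text)
        stage = lifecycle_stage(expiry, today)
        days_left = (expiry - today).days
        results[domain] = {
            "expiry": expiry,
            "stage": stage,
            "days_left": days_left,
            "alert": stage != "active" or days_left <= warn_days,
        }
    return results


# Constructed WHOIS fragments; .test is reserved and never resolves.
SAMPLE_WHOIS = {
    "example-active.test": "Domain Name: EXAMPLE-ACTIVE.TEST\nRegistry Expiry Date: 2022-12-01T00:00:00Z\n",
    "example-soon.test": "Domain Name: EXAMPLE-SOON.TEST\nRegistry Expiry Date: 2022-01-05T00:00:00Z\n",
    "example-grace.test": "Domain Name: EXAMPLE-GRACE.TEST\nRegistry Expiry Date: 2021-12-01T00:00:00Z\n",
    "example-dropped.test": "Domain Name: EXAMPLE-DROPPED.TEST\nExpiration Date: 2021-09-01\n",
}
TODAY = date(2021, 12, 16)  # the article's date, fixed so the run is reproducible

if __name__ == "__main__":
    for domain, info in audit_inventory(SAMPLE_WHOIS, TODAY).items():
        flag = "ALERT" if info["alert"] else "ok"
        print(f"{flag:5} {domain:24} {info['stage']:22} expiry {info['expiry']} ({info['days_left']:+d} days)")
```

Classifying by stage rather than reporting a bare "expired" matters because the response differs: during the grace and redemption periods the registrant can still reclaim the domain, whereas a domain that has reached the drop list may already be in someone else's hands. In practice the dictionary would be filled from the output of `whois` for each domain in the inventory, and the `alert` entries fed to whoever owns renewals.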
Hijacked domains are used for identity-based attack vectors such as account takeovers or phishing campaigns

There are other, more complex vectors, such as exploiting website scripts that call up the expired domain. In one blog post, for instance, Israeli cybersecurity company Reflectiz breaks down an attack on stolen data site WeLeakInfo, as well as script-based attacks.

In a separate post, security expert Gabor Szathmari looks at how expired domains could be used to attack businesses - in this case, law firms in Australia. Researchers, Szathmari recounted, had proved that by setting up a catch-all email server, they could gain access to a legal practice's Office 365 and GSuite accounts, and from there confidential documents. The potential for bad actors to abuse dropped domains, the security consultant argued, is extensive.

How to check whether a domain is expired or expiring

The best way to avoid dropped domain attacks is to have a robust system for domain management. Security teams should work with others in the business, including developers and marketing teams, to ensure old domains are not left to expire. The cost of keeping old domains registered - and so protected - is small compared to the potential damage arising from not doing so.

Firms could consider commercial domain monitoring, or free services such as Expired Domains.

Penetration tests should also identify systems linked to expired domains, so that dependent systems are shut down or reconfigured. And, as Menlo Security's Tom McVey points out, 'zero trust' and similar architectures can reduce the threat by removing trust for legacy domains and systems.

"This really isn't a new problem and it illustrates organizations' tendency to focus on their new shiny systems and forget about legacy systems or, in this case, domain names," Jeff Goldberg, principal security architect at 1Password, tells The Daily Swig.

Domains, he adds, are often part of "shadow IT" that is registered legitimately by employees using individual email accounts, for development purposes or even to prevent phishing.

How to renew an expired domain name

If your domain name has expired, you should contact the registrar or reseller that provided your domain name registration services to find out how to renew the domain. You can ascertain your registrar of record by using this lookup tool, which is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN). Further registrar information can be found on the ICANN-Accredited Registrar list.

However, if an expired domain has been taken over, you may have to pay the new owners to regain control. Where losing control of domain names is concerned, prevention is manifestly better, and cheaper, than the cure.
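The recommendation in the section on checking for expired domains, that penetration tests should identify systems still linked to such domains, can be partly automated: extract every external host a page loads a script, stylesheet, image or frame from, and cross-check it against the domain inventory and its expiry dates. The Python below is an added example, not code from The Daily Swig, Menlo Security or Reflectiz. The HTML, the inventory and the reference date are constructed, and `registrable_domain()` uses a naive last-two-labels rule, an assumption that misclassifies suffixes such as co.uk; a public-suffix list should be used in practice.

```python
"""Flag web assets that load from domains the organisation no longer
controls, has not inventoried, or is about to lose.

Added example; not code from The Daily Swig, Menlo Security or Reflectiz.
The HTML, inventory and reference date are constructed. registrable_domain()
uses a naive last-two-labels rule, an assumption that misclassifies
suffixes such as co.uk; use a public-suffix list in real use.
"""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources a page loads from other hosts."""

    LOADING_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LOADING_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name != wanted or not value:
                continue
            if value.startswith("//"):      # protocol-relative URL
                value = "https:" + value
            if "://" in value:               # skip same-origin relative paths
                self.urls.append(value)


def registrable_domain(hostname):
    """Naive registrable domain: the last two labels (assumption, see above)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_page(html_text, inventory, today, warn_days=30):
    """Return (url, registrable_domain, status) for every risky reference.

    inventory maps registrable domains the organisation owns or has vetted
    to their expiry dates. A domain missing from it is reported so that
    ownership can be verified, as a pen test would.
    """
    collector = ResourceCollector()
    collector.feed(html_text)
    findings = []
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        expiry = inventory.get(domain)
        if expiry is None:
            status = "not in inventory: verify ownership"
        elif expiry < today:
            status = "expired %d days ago" % (today - expiry).days
        elif (expiry - today).days <= warn_days:
            status = "expires in %d days" % (expiry - today).days
        else:
            continue
        findings.append((url, domain, status))
    return findings


# Constructed page and inventory; .test never resolves.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.manufactory.test/site.css">
<script src="//cdn.partner-analytics.test/tag.js"></script>
</head><body>
<img src="https://img.old-brand.test/logo.png">
<script src="/assets/app.js"></script>
</body></html>"""
INVENTORY = {
    "manufactory.test": date(2022, 12, 1),   # current brand, renewed
    "old-brand.test": date(2021, 11, 20),    # retired brand, renewal missed
}
TODAY = date(2021, 12, 16)

if __name__ == "__main__":
    for url, domain, status in audit_page(SAMPLE_HTML, INVENTORY, TODAY):
        print(f"{status:40} {domain:24} {url}")
```

Run over the constructed page, the audit reports the analytics script because its domain is not in the inventory at all, and the logo because the retired brand's domain expired 26 days earlier; the current brand's stylesheet and the same-origin script are left alone. The first kind of finding is what turns up the "shadow IT" registrations the article mentions, and the second is exactly the script-based dependency an attacker who registers the dropped domain would inherit.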