A domain name once left behind can catch up with you – by giving fraudsters access to a treasure trove of sensitive information.
Cybercriminals can use an abandoned domain name to obtain all manner of private information belonging to the company that formerly owned the domain, as well as to its clients and employees, a researcher warns.
Gabor Szathmari has described how a new domain owner can, among other things, take control of the previous owner’s email accounts associated with the domain. From there, the ill-intentioned domain owner can access confidential information or hijack the user’s accounts on a variety of online services – and with little effort and zero hacking prowess to boot.
To demonstrate the rather little-known risks, a team led by Szathmari re-registered six expired domain names, some of which previously belonged to several Australian law firms. Any and all email accounts associated with the domains were then configured to forward all incoming email messages that were intended for the domains’ former owners to a “catch-all” email service controlled by the researchers. The team then “sat back and waited for the emails to come in”.
And come in they did, with the number of email messages received over a three-month period topping 25,000. Having separated the wheat from the chaff, they found true gems in a number of the emails. This included highly sensitive information about the legal practice and its clients, such as transcripts of court proceedings and other sensitive legal documents, as well as supplier invoices, bank statements, etc.
Digging deeper, the researchers showed that they would have easily been able to impersonate the legal practitioners in order to con their clients or to regain access to the firms’ Office 365 and G Suite accounts by resetting the passwords.
By combining information that is available on data breach search tools SpyCloud and HaveIBeenPwned and by abusing password reset functions on social media, they could also have easily hijacked some of the personal or work-related accounts of legal professionals on the platforms, especially on LinkedIn, where the potential victims often used their business email addresses. The same dangers were found to apply to user accounts on profession-specific web portals.
All that you can’t leave behind
The research focused on domain names once owned by Australian law firms, since these firms, and obviously not only in Australia, often merge or are acquired, sometimes leaving their old domain names to expire. Domain name drop lists are easily found on the internet.
Of course, other businesses aren’t spared the risks. Speaking to CSO, Szathmari elaborated on the dangers of domain name abandonment for online stores and its customers. “By reinstating an online web shop formerly running on an abandoned domain name, bad actors could download the original web pages from archive.org, then take new orders and payments by posing as a fully functioning web shop,” he wrote.
The easiest way in which organizations can prevent this threat is to auto-renew their domain names, even if they’re no longer in use, for an indefinite period of time. Other preventative measures include closing, changing or disassociating user accounts once registered with work-related email addresses, utilizing two-factor authentication wherever available, as well as always creating strong and unique passwords.
written by Tomas Foltyn, ESET We Live Security