How expired web domains help criminal hackers unlock enterprise defenses

Managing a company’s security can feel like trying to keep an old, leaky boat afloat. As soon as you find and plug one hole, water starts spraying in from a new one.

Now, security experts are warning about another often overlooked security vulnerability that can affect any organization, regardless of scale, industry, or location: expired or “dropped” domains.

Chances are that your organization has dropped domains as its grown, evolved, and tried different projects. It’s common to buy domains for testing or developing a new project, only to let it go should it be abandoned. Domains can also fall by the wayside through mergers and acquisitions, rebranding, or other business-related changes.

However, by compromising these domains once they become unused, threat actors can use them as a springboard to launch a range of attacks, from email and domain spoofing to business email compromise (BEC) to infecting systems with ransomware.

 

Business Email Compromise (BEC) scams surpassed US$1.86 billion in losses in 2020. BEC is the costliest types of cybercrime according to the 2020 Internet Crime Report by the Federal Bureau of Investigation (FBI). LIFARS can assist your business in securing your email servers as well as carrying it remediation and forensics if an attack has taken place.

 

In this way, dropped domains can be a threat both to your company, your customers, and your supply chain partners.

Even the mighty Google has been found carelessly handling some of their domains. In April of this year, Nicolas Kurona, a 30-year old Argentinian, was able to buy Google’s expired Argentina domain (“google.com.ar”) for just 270 pesos, or $2.90. In this instance, Google was lucky that it was someone who didn’t mean any harm who bought the domain and not a cybercriminal intended on wreathing havoc on its platform.

Typically, registrars give individuals and businesses plenty of opportunities to reacquire their domains. Usually, alerts are sent out when a domain is about to expire regarding its registration period. Owners are also typically provided with a reclamation period and one where the domain is pending deletion.

If a domain is still not reregistered, it’s then placed on a drop list of domains that will soon be back up for sale. Many threat actors trawl these drop lists, hoping to identify some juicy targets for a domain hijacking attempt.

Once an attacker gains ownership of a dropped domain and it has not been properly scrubbed from a business’ ecosystem, the possibilities for exploiting it are nearly endless. For one, attackers can set up a website, online application, or even email server using a known domain for that company. That makes it much more effective at carrying out various types of social engineering attacks, such as phishing or spoofing. This can lead to credential theft, obtaining valuable documents or IP, stealing financial information, or even unauthorized access to protected systems.

It can also be used to gain access to accounts with other SaaS applications or platforms, social media accounts, or anywhere else where it might help identify the company.

These types of attacks are relatively unsophisticated and can be carried out by just about anyone. However, it can also be used to initiate attacks using more technical means, such as exploiting website scripts that reference the expired domain, intercepting communications using catch-all email servers, or script-based attacks.

With that in mind, organizations should always take managing their various domains seriously. That means keeping track of all their domains, whether they are active, unused, expiring, or already expired. If a domain is being dropped on purpose, it should always properly be scrubbed from all relevant systems, and the affected parties should be informed of this and warned of potential imposter actions.

There are many free tools to help you check the status of your domains, including the official ICANN lookup tool. Finally, you should always ensure that you are buying domains from ICANN- accredited registrars.