How Expired Web Domains Help Hackers Unlock Business Defenses


Allow domains to ‘give up’ and you increase the effectiveness of a variety of attacks

Managing domain names is a task that companies often leave to the marketing department rather than the security team.

Yet expired – or “abandoned” – domains can pose a real security risk. Cybercriminals can hijack redundant domains and use them to carry out a series of attacks against organizations.

These range from phishing and business email compromise to ransomware and supply chain attacks. Almost all compromises where an attacker uses a supposedly legitimate identity to overcome defenses are facilitated by taking control of an expired domain.

Why domains expire

Organizations allow domains to expire for a number of reasons. Sometimes it’s a simple mistake: a domain renewal is skipped because a payment method has expired or the renewal contact has changed.

But domains also fall because a brand is no longer in use, because they were created for testing and development purposes, or because they belong to a company or a product that was acquired by another business.

In April 2021, for example, Google’s Argentina domain was acquired by web designer Nicolas Kurona for just £ 2 ($ 2.90). The domain was quickly transferred back to Google, and there is no indication that Kurona intends to misuse it, but it shows how easy it is to lose control of such a key and large asset. value.

RELATED Tonga’s top-level domain flaws left Google and Amazon vulnerable to takeover

“Organizations have multiple domains, and you’d expect a lot of governance and care around the primary domain,” said Phil Robinson, senior consultant and founder of Prism Infosec. The daily sip.

However, the areas of subsidiaries or internal systems are more difficult to track. “Through acquisitions, if you’re not careful, you could end up with an area that has fallen through the cracks which could then expire,” he warns.

This could then be recorded by others, for use as they wish.

url search barDomains can be “abandoned” due to oversights or because a trademark has been abandoned or acquired

What happens to expired domains?

Domain expiration follows a defined process. Each domain has an expiration date on its WHOIS record. Once this date is reached, there will usually be a renewal grace period; it varies from registrar to registrar.

After that, there is a redemption period, during which the domain can still be recovered, and then a five-day “deletion pending” period. Subsequently, it is added to a repository list of domains, which criminal hackers are known to look for promising targets, before being made available to buy on the open market.

How could a malicious hacker exploit an expired domain?

Cyber ​​crooks can use abandoned domains for any attack vector that exploits an organization’s identity, such as account takeovers or phishing campaigns that exploit fake commercial invoices.

Criminal groups have even set up mail servers using expired domains. In turn, these can be used to access social media accounts associated with the expired domain, or more worryingly, web services and SaaS applications.

“There are many ways that attackers can use legacy domains to their advantage,” said Tom McVey, solution architect at the Menlo Security cloud security platform. The daily sip.

Learn about the latest news on the Internet infrastructure

“For example, a manufacturing organization might forget to renew its ‘’ domain. Attackers could then buy the domain and use it to host a website designed to look like the manufacturer’s site, except that each download link secretly contains infected files.

He adds: “They could also execute phishing and social engineering attacks by sending emails to former customers with what appears to be a legitimate and secure email address, [such as]

“Attackers primarily rely on domain reputation to help increase the effectiveness of their attacks.”

Browser search fieldHacked domains are used for identity-based attack vectors such as account takeovers or phishing campaigns

There are other more complex vectors, such as operating scripts from websites that call the expired domain. In a blog post, for example, Israeli cybersecurity firm Reflectiz decrypts an attack on stolen data site WeLeakInfo, as well as script-based attacks.

In a separate article, security expert Gabor Szathmari examines how expired domains could be used to attack businesses – in this case, law firms in Australia.

Researchers, Szathmari said, had proven that by setting up a catch-all mail server, they could access a law firm’s Office 365 and GSuite accounts, and from there to confidential documents. According to the security consultant, the potential for bad actors to abuse abandoned domains is considerable.

How to check if a domain is expired or about to expire

The best way to avoid abandoned domain attacks is to have a robust system for domain management. Security teams should work with others in the business, including developers and marketing teams, to make sure old domains don’t expire. The cost of maintaining old domains registered – and therefore protected – is small compared to the potential damage resulting from not doing so.

Businesses might consider monitoring commercial domains or free services such as expired domains.

YOU MAY ALSO LIKE UK Department for Transport inadvertently disseminated pornographic content to site visitors

Penetration testing should also identify systems related to expired domains, so that dependent systems are shut down or reconfigured. And, as Menlo Security’s Tom McVey points out, “zero trust” and similar architectures can reduce the threat by removing trust from domains and legacy systems.

“This is really not a new problem and it illustrates the tendency of organizations to focus on their shiny new systems and forget about existing systems or, in this case, domain names,” said Jeff Goldberg, senior architect. security at 1Password. The daily sip.

Domains, he adds, are often part of “shadow IT” that is legitimately registered by employees using individual email accounts, for development purposes or even to prevent phishing.

How to renew an expired domain name

If your domain name has expired, you should contact the registrar or reseller who provided your domain name registration services to find out how to renew the domain.

You can verify your registrar using this search tool, which is maintained by the Internet Corporation for Assigned Names (ICANN).

Further information on Registrars can be found on the ICANN Accredited Registrar List.

However, if an expired domain has been taken over, you may need to pay the new owners to regain control.

When it comes to losing control of domain names, prevention is clearly better and cheaper than cure.

ADVISED Over-permissive authentication checks left 190 Australian organizations vulnerable to business email compromise attacks


Comments are closed.