Reused domain names allow access to trustees’ records
Domain name management is a serious matter
Security specialists have long recognised the risk posed by dropped domain names. Within the field, it’s also common knowledge that cybercriminals can get hold of sensitive data by using e-mail addresses linked to such domain names. Yet many organisations still don’t have their domain name management in order, as we saw again last week. An ethical hacker picked up a number of domain names previously held by trustee firms, and used the names to gain access to confidential financial information about 258 of the trustees’ clients. The incident was very similar to an earlier case involving the Utrecht Youth Services Agency, where a similar oversight led to the disclosure of thousands of confidential files.
Trustees are professionals appointed to look after their clients’ financial affairs. A client will often use their trustee’s e-mail address in their own communications. As a result, mail traffic to the address will frequently continue, even when the trustee switches to a new address, e.g. following a merger, takeover or name change. What the ethical hacker at the centre of the recent case did was re-register a number of domain names previously held by trustees, but subsequently dropped. He then set up the mail servers to forward all mail addressed to the domains. He identified the domain names to re-register from data lost by telecoms provider Odido earlier this year, which included various trustees’ e-mail addresses.
The possibility of data security being compromised by the release and re-registration of domain names has been recognised for some time. In 2019, a similar situation arose involving the Utrecht Youth Services Agency, when unauthorised access to clients’ medical records was obtained using domain names once linked to the Agency. We are one of the organisations that have promoted awareness of this risk. A re-registered domain name can potentially provide access not only to mail traffic, but also to systems that hold confidential data. That can happen if a password reset can be requested using an address at the re-registered domain.
Technically speaking, the barrier to incidents of this type is low. Re-registering a domain name that another organisation has dropped is cheap, commonplace and requires no technical expertise. Yet the potential impact is considerable, because systems and users often trust ‘known’ e-mail addresses without further verification. In other words, inadequate management of digital assets causes problems even when no active breach of security has taken place.
In many cases, the underlying causes are organisational. Where trustee firms are concerned, frequent mergers and acquisitions in recent years have played a role. Organisation names have changed, driving turnover of domain names, and the old domain names haven’t always been retained or monitored. Within a lot of organisations, the security team doesn’t see the phase-out of old domain names as something they should be focusing on. Often, it isn’t even clear who’s responsible for it, which means that no one is thinking about the dependencies on those domains in e-mail traffic and systems.
As the latest incident makes clear, domain name management is a vital element of digital risk management. Cancelled domain names represent a material risk to an organisation’s security and reputation; in the reported cases, a risk with direct implications for client confidentiality. Given that larger organisations can have hundreds or even thousands of domain names, it’s very important to monitor your organisation’s domain name portfolio and lookalike registrations. For advice on how to keep an eye on things and react promptly, visit the SIDN BrandGuard page.
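As an added illustration of the kind of portfolio check described above (example code written for this page, not an SIDN tool): it cross-references the e-mail addresses an organisation still relies on (client records, login names, password-reset contacts) against a registrar export of its own domains, and flags domains that are expired, about to expire, or no longer in the portfolio at all. All domain names, addresses and dates below are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Domain:
    name: str       # domain as listed in the registrar export
    expires: date   # registration expiry date from that export


def email_domain(address: str) -> str:
    """Domain part of an e-mail address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def audit_domains(portfolio, addresses, today, warn_days=60):
    """Return (finding, domain, dependent_address_count) tuples for every
    domain that addresses still depend on but that is at risk of lapsing."""
    owned = {d.name.lower(): d for d in portfolio}
    dependents = {}
    for addr in addresses:
        dependents.setdefault(email_domain(addr), []).append(addr)
    findings = []
    for dom, addrs in sorted(dependents.items()):
        entry = owned.get(dom)
        if entry is None:
            # Mail is still expected at a domain the organisation does not
            # hold: whoever registers it receives that mail and any reset links.
            findings.append(("not-in-portfolio", dom, len(addrs)))
        elif entry.expires < today:
            findings.append(("expired", dom, len(addrs)))
        elif entry.expires - today <= timedelta(days=warn_days):
            findings.append(("expiring", dom, len(addrs)))
    return findings


# Constructed sample data (made-up names under the reserved .example TLD).
PORTFOLIO = [
    Domain("example-trustee.example", date(2025, 3, 1)),
    Domain("oldfirm.example", date(2024, 11, 15)),
    Domain("merged-firm.example", date(2026, 1, 1)),
]
ADDRESSES = [
    "admin@example-trustee.example", "Finance@Example-Trustee.example",
    "support@oldfirm.example", "portal-login@oldfirm.example",
    "trustee@legacy-trustee.example", "contact@merged-firm.example",
]


def run_example():
    return audit_domains(PORTFOLIO, ADDRESSES, today=date(2025, 1, 10))


if __name__ == "__main__":
    print(*run_example(), sep="\n")
```

In practice the address list would come from the systems that accept those addresses for login or password resets, and a domain flagged as not in the portfolio is the one to act on first, by re-registering it or removing the dependency.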