I work at a ccTLD (.IS), and lately we are seeing a *lot* of new accounts immediately registering multiple domains that all had been registered in the past. I suspect we're not the only ccTLD that sees this.
We know of at least two instances of this being used to take over social media accounts that had e-mails in expired domains set as backup e-mail addresses.
This seems to be organized and well-resourced.
Please double-check you don't use e-mails in any expired domains anywhere.
@RyunoKi many of these domains have been expired for years. It doesn't seem the malicious actor behind it snipes just-expired domains.
Could be compared to last activity in the database.
Companies tend to track these for Monthly Active User reports.
It's not that hard, actually:
Get a list of users.
Filter for last login older than a year.
Read the associated email addresses.
Extract the domain from those.
Remove common ones like gmail or riseup.
Check the registration date for the remaining.
If it was registered recently, block that user account from logging in again.
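The procedure above, as an added example in Python (not code from anyone in the thread): it walks stale accounts, extracts the e-mail domain, skips common providers and flags an account when the domain's registration date is newer than the account's last login, i.e. the domain changed hands after the user last authenticated. The user rows, the provider list and the registration-date lookup (a constructed stand-in for a WHOIS/RDAP query) are all constructed sample data.

```python
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed sample data (not from the thread): one row per user account.
USERS = [
    {"user": "alice", "email": "alice@gmail.com",     "last_login": date(2021, 3, 1)},
    {"user": "bob",   "email": "bob@oldshop.example", "last_login": date(2019, 6, 10)},
    {"user": "carol", "email": "carol@fresh.example", "last_login": date(2024, 1, 5)},
    {"user": "dave",  "email": "dave@stable.example", "last_login": date(2018, 2, 2)},
    {"user": "erin",  "email": "bad-address",         "last_login": date(2017, 1, 1)},
]

# Free-mail / community providers to skip (step "remove common ones").
COMMON_PROVIDERS = {"gmail.com", "riseup.net"}

# Constructed stand-in for a WHOIS/RDAP lookup of a domain's current registration
# date (the RDAP "registration" event). Real code would query the registry.
REGISTRATION_DATES = {
    "oldshop.example": date(2024, 5, 20),  # re-registered long after bob's last login
    "fresh.example":   date(2023, 11, 1),  # registered before carol last logged in
    "stable.example":  date(2010, 4, 4),   # held continuously by the same owner
}


def domain_of(email: str) -> Optional[str]:
    """Return the lowercased domain part of an e-mail address, or None if malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def flag_takeover_risk(users, lookup: Callable[[str], Optional[date]],
                       today: date, inactive_days: int = 365) -> list:
    """Return usernames whose stale account uses a domain re-registered after their last login."""
    cutoff = today - timedelta(days=inactive_days)
    flagged = []
    for u in users:
        if u["last_login"] > cutoff:
            continue                      # account is still active; skip
        dom = domain_of(u["email"])
        if dom is None or dom in COMMON_PROVIDERS:
            continue                      # malformed address or shared provider
        registered = lookup(dom)
        if registered is None:
            continue                      # no registration data; leave untouched
        if registered > u["last_login"]:
            flagged.append(u["user"])     # domain changed hands since last login
    return flagged


if __name__ == "__main__":
    print(flag_takeover_risk(USERS, REGISTRATION_DATES.get, date(2025, 1, 1)))
```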
@RyunoKi sure, Facebook and other services could totally do that. But we're the domain registry, so we're on the other end of that problem.
Best you could do is list all those domains (which I could imagine you aren't allowed to).
So your approach in the OP was the right way.
SIDN (responsible for the .nl TLD) recently opened a program to warn about this. I guess they were seeing the same...
Yeah, when a .nl domain expires there is a quarantine period of 40 days. In this period only the previous owner of the domain can reactivate it. This is a safety measure to prevent domain hijacking.
In this period SIDN looks at the MX DNS requests coming in for this domain (these identify the mailservers to be used). They can only see which DNS resolver wants to know this, and only the first request every few hours, because DNS resolvers cache the results. A DNS resolver usually services a bunch of different servers/users/customers, so you never know for sure who is asking.
They don't know what email address the email was directed at. They don't know the address or domain of the sender. They don't know the exact volume of email. They simply have some estimates that give a risk-score.
I assume this score is basically calculated like this: if the DNS resolver of banks or other important institutions makes a connection it gets a high risk-score. If there are a lot of different servers attempting connection it'll get a medium risk-score. If they predominantly see low quality DNS resolvers, usually connected to spam servers, etc, it'll get a low risk-score.
@rysiek I'm guessing the target isn't just social media accounts -- they probably also want to take over NPM packages and slip in malware.