Follow

I work at a ccTLD (.IS), and lately we are seeing a *lot* of new accounts immediately registering multiple domains that all had been registered in the past. I suspect we're not the only ccTLD that sees this.

We know of at least two instances of this being used to take over social media accounts that had e-mails in expired domains set as backup e-mail addresses.

This seems to be organized and well-resourced.

Please double-check you don't use e-mails in any expired domains anywhere.

@rysiek The flipside to this, of course, is that when you use a domain for e-mail you should think of it as a commitment to hold on to that domain forever, or at least many years after you stop using it. #InfoSec

@rysiek I guess my cleveland.freenet.edu email is safe.

@RyunoKi many of these domains have been expired for years. It doesn't seem the malicious actor behind it snipes just-expired domains.

@rysiek
Could be compared to last activity in the database.

Companies tend to track these for Monthly Active User reports.

@rysiek
It's not that hard, actually:

Get a list of users.
Filter for last login older than a year.
Read the associated email addresses.
Extract the domain from those.
Remove common ones like gmail or riseup.
Check the registration date for the remaining.

If it was registered recently, block that user account from logging in again.

@RyunoKi sure, Facebook and other services could totally do that. But we're the domain registry, so we're on the other end of that problem.

@rysiek
Got that.
Best you could do is listing all those domains (which I could imagine you aren't allowed to).

So your approach in the OP was the right way.

@kingannoy @rysiek that’s a great idea but I wonder what the original owner of the domain is supposed to do with that information. They don’t know who is trying to contact them and at that point it’s already too late to re-register the domain.

@lx @kingannoy the way I read it, it's not too late -- the *reason* SIDN gets the data is *because* the domain has expired and remains not registered. If somebody registered it, SIDN would not be getting the MX DNS requests (and responding with NXDOMAIN).

@rysiek @kingannoy Ah okay, I see now. But then this is just a nice addition on top of the bounces the sender is presumably already seeing, right?

@lx @kingannoy yeah, the point is not about the sender, it's about the (previous) domain owner, who usually gets zero information that there is (supposedly valuable) mail traffic coming in.

@rysiek @lx

Yeah, when a .nl domain expires there is a quarantine period of 40 days. In this period only the previous owner of the domain can reactivate it. This is a safety measure to prevent domain hijacking.

In this period SIDN looks at the MX DNS requests coming in for this domain (these identify the mailservers to be used) . They can only see what DNS resolver wants to know this, and only the first request every few hours, because DNS resolvers cache the results. A DNS resolver usually services a bunch of different servers/users/customers so you never know for sure who is asking.

They don't know what email address the email was directed at. They don't know the address or domain of the sender. They don't know the exact volume of email. They simply have some estimates that give a risk-score.

I assume this score is basically calculated like this: if the DNS resolver of banks or other important institutions makes a connection it gets a high risk-score. If there are a lot of different servers attempting connection it'll get a medium risk-score. If they predominantly see low quality DNS resolvers, usually connected to spam servers, etc, it'll get a low risk-score.

@rysiek I'm guessing the target isn't just social media accounts -- they probably also want to take over NPM packages and slip in malware.
jfrog.com/blog/npm-package-hij

@rysiek is the .is registry performing identify verification of domain owners?

@rysiek how are you performing the verification process?

Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!