Expiring Domains lead to Account Takeovers
After being asked by a small financial practice to look at their digital footprint, we spent some time analysing the risks posed by information publicly available on the internet about the practice's three partners. We were particularly concerned with determining whether this data could be used to compromise either client information or personal information on the owners themselves.
We first checked the partners' email addresses and found a small amount of information on two of them being traded by hackers as part of a much larger data set (containing data on millions of people). This data set contained no passwords and was relatively harmless to the practice (at most it might have resulted in a small amount of spam email).
We then looked at the history of the business and saw that the present organisation was the result of a merger between two competing businesses. After the merger, the business changed its name and website (for example, to new-company.com instead of old-company.com). The practice, no longer using its old domain name, had not renewed it, and ‘old-company.com’ was therefore available for anyone to purchase.
As part of the exercise we had permission to purchase this old, unused domain on their behalf. As we now owned old-company.com, we also received any future emails sent to the partners' old email addresses. Within a few days we were receiving a small amount of confidential data at the addresses on the old domain, e.g. partner-name@old-company.com. One of those emails came from LinkedIn, another from a bank, and another from the ‘client management’ software provider. This was significant, as it showed the client was still using the old email addresses to log in to a number of accounts, most importantly their client management software.
Effectively, this meant that by using the old email address, we could potentially reset the passwords on the client management software, and then have full access to client data (which obviously we wouldn’t do).
With full permission from the client, we were allowed to complete this process as a proof of concept. Once we had proven that access was possible, we stopped and provided all the details to the client, who then updated their logon email addresses. We also transferred the old domain name to the client.
In the meantime, we also checked the partners' old email addresses and found both these and their passwords being traded online in a relatively recent LinkedIn data set. Again, had those credentials still been in use, the LinkedIn accounts could have been compromised, allowing hackers to communicate with clients via the LinkedIn platform.
The moral of the story is that you shouldn’t let old domains expire. Once you own one, hold on to it and set up auto-renewal with your domain registrar. When you no longer use it for websites or email, start the process of updating the email addresses used to log on to systems, and implement two-factor authentication wherever a system allows it.
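A simple way to operationalise that advice is to cross-reference the login emails in your systems against the status of every domain the organisation has ever used. The script below is an added example, not part of the original post: the domain records and the login inventory are constructed, and the WHOIS-style expiry line is assumed to match the "Registry Expiry Date:" format that many registries use.

```python
"""Flag system logins whose email domain is unregistered, expired, or close to expiry.
Added example; all domains, accounts and WHOIS text here are constructed."""
from datetime import date
import re

# Constructed: domains the practice has used, with the expiry line from a WHOIS
# lookup, or None where the domain is no longer registered to the practice.
DOMAIN_RECORDS = {
    "new-company.com": "Registry Expiry Date: 2027-03-01T00:00:00Z",
    "old-company.com": None,  # lapsed after the merger; anyone could register it
    "legacy-brand.co.uk": "Registry Expiry Date: 2025-12-20T00:00:00Z",
}

# Constructed: export of SaaS accounts and the email address used to log in.
LOGIN_INVENTORY = [
    ("client-management", "partner-a@old-company.com"),
    ("bank-portal", "partner-b@old-company.com"),
    ("linkedin", "partner-a@new-company.com"),
    ("payroll", "admin@legacy-brand.co.uk"),
]

EXPIRY_RE = re.compile(r"Registry Expiry Date:\s*(\d{4}-\d{2}-\d{2})")


def classify_domain(whois_text, today, warn_days=90):
    """Return 'unregistered', 'expired', 'expiring' or 'ok' for one domain record."""
    if whois_text is None:
        return "unregistered"
    match = EXPIRY_RE.search(whois_text)
    if not match:
        raise ValueError("no expiry date found in WHOIS record")
    days_left = (date.fromisoformat(match.group(1)) - today).days
    if days_left < 0:
        return "expired"
    return "expiring" if days_left <= warn_days else "ok"


def audit_logins(inventory, records, today, warn_days=90):
    """List (system, email, status) for every login whose email domain is not safely held."""
    findings = []
    for system, email in inventory:
        domain = email.rsplit("@", 1)[1].lower()
        status = classify_domain(records.get(domain), today, warn_days)
        if status != "ok":
            findings.append((system, email, status))
    return findings


def audit_for(today_iso):
    """Run the audit against the constructed data as of the given ISO date."""
    return audit_logins(LOGIN_INVENTORY, DOMAIN_RECORDS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in audit_for("2025-11-01"):
        print(*finding)
```

Any login that lands in the output is a candidate for moving to a current domain and enabling two-factor authentication, and any "expiring" domain should have auto-renewal confirmed with the registrar.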
We regularly complete digital exposure checks in order to determine the level of risk a person or business may face. The domain and email checks above are simply a small part of that assessment.