IEDR admits blame for hack that brought down Google and Yahoo

Kevin Murphy, November 9, 2012, Domain Registries

IEDR, the Irish ccTLD registry, has admitted that an attack on its own web servers was responsible for google.ie and yahoo.ie being hijacked last month.

In a detailed statement, the registry said that hackers spent 25 days probing for weaknesses in its systems, before eventually breaking in through a vulnerability in the Joomla content management software.

This enabled the attackers to upload malicious PHP scripts and access the back-end database, according to the statement. They then redirected yahoo.ie and google.ie to an Indonesian web site.

It’s a reverse of position for IEDR, which had appeared to blame one of its registrars (believed to be Mark Monitor) for the lapse in security when the hack was discovered last month.

IEDR told ZDNet October 11: “an unauthorised change was made to two .ie domains on an independent registrar’s account which resulted in a change of DNS nameservers”.

But today it said instead: “The IEDR investigation also confirmed that neither the Registrar of the affected domains nor its systems had any responsibility for this incident.”

The registry has filed a complaint with the Irish police over the incident, and apologized to its customers for the disruption.

It also said it plans to roll out a Domain Lock service to help prevent hijacking in future, though I doubt such a service would have prevented this specific incident.

Only 2% of phishing attacks use cybersquatted domain names

Kevin Murphy, October 25, 2012, Domain Registries

The number of cybersquatted domain names being used for phishing is falling sharply and currently stands at just 2% of attacks, according to the Anti-Phishing Working Group.

The APWG’s first-half 2012 report (pdf) identified 64,204 phishing domains in total.

Of those, the group believes that only 7,712 (12%) were actually registered by the phishers themselves. The rest belonged to innocent third parties and had been compromised.

That’s a steep drop from 12,895 domains in the second half of 2011 and 14,650 in the first half of 2011.

Of the 7,712 phisher-owned domains, about 66% were being use to phish Chinese targets, according to the APWG.

The group’s research found only 1,350 that contained a brand name or a misspelling of a brand name.

That’s down from 2,232 domains in the second-half of 2011, representing just 2% of all phishing domains and 17% of phisher-owned domains.

The report states:

Most maliciously registered domain strings offered nothing to confuse a potential victim. Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for such names.

As we have observed in the past, the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do.

Instead, phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the “base” or true domain name being used in a URL.

Taken as a percentage of attacks, brand-jacking is clearly a pretty low-occurrence offence, according to the APWG’s numbers.

In absolute numbers, it works out to about 7.5 domain names per day that are being use to phish and contain a variation of the brand name being targeted.

Unsurprisingly, the APWG found that Freedom Registry’s .tk — which offers free registration — is the TLD being abused most often to register domains for phishing attacks.

More than half of the phisher-owned domains were in .tk, according to the report.

What the hell happened to Go Daddy last night?

Kevin Murphy, September 11, 2012, Domain Registrars

Thousands — possibly millions — of Go Daddy customers suffered a four-hour outage last night, during a suspected distributed denial of service attack.

The company has not yet revealed the cause of the downtime, which started at 1725 UTC last night, but it bears many of the signs of DDoS against the company’s DNS servers.

During the incident, godaddy.com was inaccessible. DI hosts with Go Daddy; domainincite.com and secureserver.net, the domain Go Daddy uses to provide its email services, were both down.

The company issued the following statement:

At 10:25 am PT, GoDaddy.com and associated customer services experienced intermittent outages. Services began to be restored for the bulk of affected customers at 2:43 pm PT. At no time was any sensitive customer information, such as credit card data, passwords or names and addresses, compromised. We will provide an additional update within the next 24 hours. We want to thank our customers for their patience and support.

Several Go Daddy sites I checked remained accessible from some parts of the world initially, only to disappear later.

Others reported that they were able to load their Go Daddy webmail, but that no new emails were getting through.

This all points to a problem with Go Daddy’s DNS, rather than with its hosting infrastructure. People able to view affected sites were likely using cached copies of DNS records.

Close to 34 million domains use domaincontrol.com, Go Daddy’s primary name server, for their DNS. The company says it has over 10 million customers.

Reportedly, Go Daddy started using Verisign’s DNS for its home page during the event, which would also point to a DNS-based attack.

The outage was so widespread that the words “GoDaddy” and “DNS” quickly became trending topics on Twitter.

The web site downforeveryoneorjustme.com, which does not use Go Daddy, also went down as thousands of people rushed to check whether their web sites were affected.

Some outlets reported that Anonymous, the hacker group, had claimed credit for the attack via an anonymous (small a) Twitter account.

Companies the size of Go Daddy experience DDoS attacks on a daily basis, and they build their infrastructure with sufficient safeguards and redundancies to handle the extra traffic.

This leads me to believe that either yesterday’s attack was either especially enormous, or that somebody screwed up.

The fact that the company has not yet confirmed that external malicious forces were at work is worrying.

Either way it’s embarrassing for Go Daddy, which is applying for three new gTLDs which it plans to self-host.

Several reports have already speculated that the attack could be revenge for one or more of Go Daddy’s recent PR screw-ups.

The company has promised an update later today.

Architelos launches new gTLD anti-abuse tool

Kevin Murphy, August 15, 2012, Domain Services

Architelos, having consulted on about 50 new gTLD applications, has refocused on its longer-term software-based game plan with the recent launch of a new anti-abuse tool for registries.

NameSentry is a software-as-a-service offering, currently being trialed by an undisclosed number of potential customers, designed to make it easier to track abusive domains.

Architelos gave us a demo of the web site yesterday.

The service integrates real-time data feeds from up to nine third-party blocklists – such as SURBL and SpamHaus – into one interface, enabling users to see how many domains in their TLD are flagged as abusive.

Users can then drill down to see why each domain has been flagged – whether it’s spamming, phishing, hosting malware, etc – and, with built-in Whois, which registrar is responsible for it.

There’s also the ability to generate custom abuse reports on the fly and to automate the sending of takedown notices to registrars.

CEO Alexa Raad and CTO Michael Young said the service can help streamline the abuse management workflow at TLD registries.

Currently, Architelos is targeting mainly ccTLDs – there’s more of them – but before too long it expects start signing new gTLD registries as they start coming online.

With many new gTLD applicants promising cleaner-than-clean zones, and with governments leaning on their ccTLDs in some countries, there could be some demand for services such as this.

NameSentry is priced on a subscription basis, based on the size of the TLD zone.

ICANN fixes new gTLD portal bugs

Kevin Murphy, July 23, 2012, Domain Policy

ICANN has brought its new gTLD program customer service portal back online after about five days of patching-related downtime.

In a notice posted late last night, ICANN said the delay was due to the wait for a vendor patch. ICANN said:

A recent, proactive review of the CSC system identified potential vulnerabilities. To address these vulnerabilities, the CSC portal was taken offline while vendor-provided patches were applied. There have been no known compromises to any data.

New gTLD applicants will now have to log in to their TLD Application System accounts, which use the Citrix remote terminal software, to use their customer service tools.

Non-applicants will be able to ask customer service questions via email.

The Knowledge Base — essentially a program FAQ — is still offline, but ICANN said it hopes to bring it back up within a few days.