Typo left MasterCard open to hackers for years
A typo in MasterCard’s DNS configuration left the company open to hackers for years, it has emerged.
As first reported by Krebs On Security, from June 2020 until this month one of az.mastercard.com’s nameservers was set as akam.ne rather than akam.net, a domain used by DNS resolution provider Akamai.
The .ne version, in Niger’s ccTLD, was unregistered until security researcher Philippe Caturegli discovered the typo and spent $300 to secure the domain and check to see how much traffic it was getting, before handing it to MasterCard.
Had Caturegli been a bad actor, he could have used the domain to set up a man-in-the-middle attack, diverting a big chunk of traffic intended for mastercard.com to the server of his choosing.
MasterCard said its systems were not at risk and the typo has been corrected, Krebs reports.
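A check for the kind of typo described above, as an added example that is not from the original article, MasterCard or Akamai: it compares a zone's NS targets against an allowlist of provider domains and flags near-miss names such as akam.ne. The nameserver hostnames and the allowlist are constructed sample values, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example: lint NS targets for near-miss typos of approved provider domains.
# All hostnames below are constructed sample data, not a real zone's record set.

APPROVED_DOMAINS = {"akam.net"}  # assumption: domains this zone may delegate to


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host, labels=2):
    """Last `labels` labels of a hostname, lowercased, trailing dot removed.
    Simplification: a production check would consult the Public Suffix List."""
    parts = host.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def lint_ns(ns_hosts, approved=APPROVED_DOMAINS, max_distance=2):
    """Return (host, verdict, lookalike_of) for every NS target outside the allowlist.
    'typo-suspect' means the domain is within max_distance edits of an approved one."""
    findings = []
    for host in ns_hosts:
        domain = registrable_domain(host)
        if domain in approved:
            continue
        near = [a for a in sorted(approved)
                if edit_distance(domain, a) <= max_distance]
        verdict = "typo-suspect" if near else "unapproved"
        findings.append((host, verdict, near[0] if near else None))
    return findings


# Constructed NS set: two correct targets, one typo, one unrelated domain.
SAMPLE_NS = ["ns1.akam.net.", "ns2.akam.net.", "ns3.akam.ne.", "ns1.example.org."]

if __name__ == "__main__":
    for host, verdict, lookalike in lint_ns(SAMPLE_NS):
        print(f"{host:20} {verdict:13} lookalike_of={lookalike}")
```

Run against the live NS set on a schedule, a check like this surfaces a delegation to an unapproved or unregistered lookalike domain without waiting for an outside report.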
MasterCard files UDRP on “priceless” geo domains
MasterCard recently registered several “priceless” domain names including the names of major cities and has filed cybersquatting complaints on seven more belonging to third parties.
The credit card company has this week entered UDRP complaints on pricelessistanbul.com, pricelessamsterdam.com, pricelessnewyork.com, pricelessmexico.com, pricelesslosangeles.com, pricelessparis.com and pricelesslondon.com.
The domains were registered separately by four different registrants over the last couple of years and are all parked, mostly with Go Daddy’s default parking page.
Interestingly, MasterCard also hand-registered several “priceless+city” domains at the end of November, including pricelessberlin.com, pricelesssydney.com, pricelessmoscow.com, pricelessshanghai.com, pricelessmadrid.com and pricelessbangkok.com.
The company has not filed UDRP complaints about domains such as pricelessrome.com or pricelesssanfrancisco.com, which appear to belong to some of the same registrants.
It has also left the names of other popular city-break destinations unregistered. Domains such as pricelessprague.com, pricelessathens.com and pricelessdublin.com are currently available.
Could the company be working on a marketing campaign targeted only to specific cities?
The company has form when it comes to enforcing its long-held “priceless” trademark. It notably won control of priceless.org in an uncontested UDRP in 2007.