Yeah, we got phished, ICANN admits after crypto hack

ICANN has confirmed that a phishing attack was responsible for the hacking of its Twitter account last night.

The Org placed this statement, which suggested that the attack may have been more sophisticated than you might have thought, on its home page earlier this evening:

On 11 February 2025, ICANN became aware of a successful phishing attack on our ICANN X [Twitter] account. We are investigating the root cause of the issue and working to resolve it as soon as possible. ICANN uses multi-factor authentication on all social media platforms and has confirmed that none of our other accounts have been impacted.

The hack saw ICANN’s Twitter account tweet several messages promoting a newly created memecoin cryptocurrency called $DNS, presumably to scam would-be investors out of money.

The compromise, which seemed to be timed to close of business in ICANN’s home in California, did not last long and the tweets were swiftly deleted.

Now ICANN seems to have confirmed that one of its staffers was phished to obtain @ICANN’s login credentials, but the fact that the account was protected by multi-factor authentication creates an additional wrinkle.

Twitter offers three MFA methods — codes delivered via SMS, a mobile authenticator app, or a hardware token.

In each case, logging in requires the user to have a physical device in their hand to create the secondary login credential. The victim would have had to provide this time-limited one-time password to the attacker too.

I hope the staffer who got suckered, presumably a member of the comms team, isn’t getting too much of a bollocking today, as these kinds of attacks are increasingly sophisticated and managing online life increasingly complex.

Just a day earlier, the well-known BBC political journalist Nick Robinson, who presents the popular Today show on Radio 4, got phished in what one assumes was a very similar way and for an identical purpose.

This BBC article goes into some detail about the attack on Robinson, including screenshots of the phishing email he fell for, and goes a way to explain how even somebody trained to avoid this kind of stuff can have a moment of vulnerability.

While few of Robinson’s one million Twitter followers could have seriously believed that Today had launched a memecoin, it’s more plausible that somebody familiar with crypto and somewhat aware of ICANN could have believed that ICANN would. The two areas of tech increasingly intersect nowadays.

When the attack proved successful, the bad guy must have thought all of her Christmases had come at once.

ICANN says it is going to post more information to its cybersecurity incident log as its investigation progresses.

If it turns out the phish was successful because somebody didn’t check the domain name of the link they were clicking on, it could be fascinating reading.

Typo left MasterCard open to hackers for years

A typo in MasterCard’s DNS configuration left the company open to hackers for years, it has emerged.

As first reported by Krebs On Security, from June 2020 until this month one of az.mastercard.com’s nameservers was set as akam.ne rather that akam.net, a domain used by DNS resolution provider Akamai.

The .ne version, in Niger’s ccTLD, was unregistered until security researcher Philippe Caturegli discovered the typo and spent $300 to secure the domain and check to see how much traffic it was getting, before handing it to MasterCard.

Had Caturegli been a bad actor, he could have used the domain to set up a man-in-the-middle attack, diverting a big chunk of traffic intended for mastercard.com to the server of his choosing.

MasterCard said its systems were not at risk and the typo has been corrected, Krebs reports.

GoDaddy ordered to stop lying about crappy security

GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.

It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.

Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.

The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:

Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.

The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.

This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.

The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.

This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.

One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.

The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.

Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.

Hackers break .mobi after Whois domain expires

It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.

White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.

Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.

WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.

Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.

GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.

Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.

More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.

WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.

“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.

They said they would have also been able to send malicious code payloads to vulnerable Whois clients.

While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.

As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.

The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.

Newly launched .zip already looks dodgy

A trawl through the latest zone file for Google’s newly launched .zip gTLD reveals that it is likely to be used in malware and phishing attacks.

.zip is of course also a filename extension used by the ZIP archive format, often used to compress and email multiple files at once, and many domains registered in the .zip gTLD in the last few days seem ready to capitalize on that potential for confusion.

I counted 3,286 domains in the May 14 zone file, and a great many of them appear to relate to email attachments, financial documents, software updates and employment information.

I found 133 instances of the word “update”, with sub-strings such as “attach”, “statement”, “download” and “install” also quite common.

Some domains are named after US tax and SEC forms, and some appear to be targeting employees at their first day of work.

I don’t know the intent of any of these registrants, of course. It’s perfectly possible some of their domains could be put to benign use or have been registered defensively by those with security concerns. But my gut says at least some of these names are dodgy.

Google went into general availability with eight new TLDs last Wednesday, and as of yesterday .zip was the only one to rack up more than a thousand names in its zone file.

The others were .dad (913 domains), .prof (264), .phd (605), .mov (463), .esq (979), .foo (665) and .nexus (330).

Dynadot takes down its own web site after apparent breach

Dynadot took the drastic move of turning off its own web site last week after noticing an apparent security breach.

The registrar also reset all of its customers’ passwords, acknowledging the pair of moves were “extremely inconvenient”.

It’s not clear from the company’s statement whether there really had been an attack or whether it overreacted

It said “our system noticed irregular activity” but later brought its site back up after staff “investigated and determined there was not a threat”.

The company said it has engaged “cyber security experts” to help it out in future.

DNS Abuse Institute names free tool NetBeacon, promises launch soon

NetBeacon has been picked as the name for the DNS Abuse Institute’s forthcoming free abuse-reporting tool.

The tool is expected to launch in early June, after software was donated by CleanDNS accelerated the development cycle, according to Institute director Graeme Bunton.

The system was previously using the working title CART, for Centralized Abuse Reporting Tool, as I blogged in February.

CleanDNS CEO Jeff Bedser is also on the board of Public Interest Registry, which funds DNSAI. Bunton wrote that PIR approved the use of the CleanDNS software under its conflict of interest policy, with Bedser recusing himself.

NetBeacon is expected to provide a way for authenticated abuse reporters to file complaints in a normalized fashion, potentially streamlining the workflow of registrars that subsequently have to deal with them.

Bunton has said that the service will be free at both ends, funded by non-for-profit PIR.

GoDaddy hack exposed a million customer passwords

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.

XYZ counting standard sales as “premiums” because its fees are so expensive

Portfolio gTLD registry XYZ appears to be counting regular sales of domains in certain TLDs as “premium” wins, because the base reg fee is so high.

The company said in a recent blog post that it sold over 270 “premium” names in October, but it added the following caveat:

Premium XYZ Registry domains refer to premium domains for extensions with standard and premium domains, and XYZ’s premium namespaces such as .Cars, .Storage, .Tickets, .Security, etc.

So if a name in a .com-equivalent priced TLD such as .xyz had been flagged as a premium by the registry and sold for a few thousands bucks, that counts as a premium sale, but any sale at all in .cars, where all domains cost a few thousand bucks regardless of the second-level string, also counts as a premium.

This reporting practice appears to bring in .security, .storage, .protection, .car, .auto, and .theatre, which all retail for four figures as standard. It also includes .tickets, where you won’t get much change out of a grand. It doesn’t include the fourth member of the cars family, .autos, where domains are priced as .com-equivalent.

I’m not sure how I feel about this.

You can’t accuse the registry of being misleading — it’s disclosing what it’s doing pretty prominently mid-post, not even reducing the font size.

And you can’t reasonably argue that a standard $3,000 .cars domain, which renews at $3,000 a year, for example, has less claim to the adjective “premium” than a domain in .hair that has a premium-tier EPP code selling for $3,000 but renewing at $20.

It just feels weird to see the word used in this way for what appears to be the first time.

Whois rule changes that nobody likes get approved anyway

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.