For the Lulz: The risk of free domains (or why your old DNS provider needs to keep stuff registered)
Our “for the lulz” series focuses on entertaining anecdotes with hopefully a serious lesson at the end.
A good friend of mine who owns a small financial services firm called me a few months ago asking for a security assessment (at mates' rates, of course; everyone in IT, law and the trades is expected to give services away for free). He is a bit of a local Sydney powerhouse for loans and advisory, which could net a tonne of money if someone compromised his business. Like most of these small outfits, the organisation's digital infrastructure is quite tight (a website and an Office 365 instance for mail and files); however, there was a peculiarity, namely the registrant contact email on the organisation's domain registration record:
Registrant Contact Email: email@example.com
The domain in that email address was not registered and, within minutes, Mercury was the proud owner of servergrade.com.au.
Looking back at the organisation, Server Grade was an Australian DNS registrar from 2006 until 2010, when it was acquired by UberGlobal (not associated with the ride-sharing company). The domain was subsequently acquired by other groups in or around 2018 and bounced around a few more before it was readily available for us to take.
So why is this significant? The contact email is often tied to a GoDaddy account or another registrar account that, if accessed, would allow a threat actor to modify the mail (MX) records, and mail was where my mate ran most of his corporate activities.
Over the course of several hours I registered an MX record for the newly acquired domain and attempted password resets for the contact email account, to see whether I could take over the registrar account and view the MX records. This was ultimately unsuccessful, but it did present an awesome hypothetical: how many defunct DNS registrars are floating out there whose own domains are readily available to register while customer domains still list them as contacts? How many of these have merged without thinking through the operational liability of maintaining domain names after the acquired entity ceases to exist?
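As a defender's check for the condition described above, here is an added example that is not part of the original post: a stdlib-only Python script that pulls contact emails out of a WHOIS text dump, flags any at domains the organisation does not own, and escalates those whose domain no longer resolves. The WHOIS sample, the `.example` domains and the `fake_resolver` are constructed for the demo; the default `host_resolves` probe (an A/AAAA lookup) is my assumption of what a cheap live check looks like, and a thorough check would query the contact domain's NS/SOA records or its RDAP registration status instead.

```python
"""Audit WHOIS contact emails for domains the organisation does not control.

Added example (not code from the original post): flags contact addresses at
third-party domains and, more urgently, at domains that no longer resolve and
may therefore have lapsed and be registrable by anyone.
"""
from __future__ import annotations

import re
import socket
from typing import Callable

# Matches lines such as "Registrant Contact Email: someone@example.com"
# (format modelled on the WHOIS line quoted in the post).
CONTACT_EMAIL_RE = re.compile(
    r"^(?P<role>Registrant|Admin|Tech|Billing)[\w ]*?Email:\s*"
    r"(?P<email>[^\s@]+@[^\s@]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_contact_emails(whois_text: str) -> dict[str, str]:
    """Return {role: email} for every contact email line in a WHOIS dump."""
    return {
        m.group("role").capitalize(): m.group("email").lower()
        for m in CONTACT_EMAIL_RE.finditer(whois_text)
    }


def email_domain(email: str) -> str:
    """Domain part of an address, normalised (lower-case, no trailing dot)."""
    return email.rsplit("@", 1)[1].rstrip(".").lower()


def host_resolves(domain: str) -> bool:
    """Live probe used by default: does the domain have any A/AAAA record?

    Assumption: this is a cheap stdlib-only signal. A thorough check would
    query the domain's NS/SOA records or its RDAP registration status.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_contacts(
    whois_text: str,
    owned_domains: set[str],
    resolves: Callable[[str], bool] = host_resolves,
) -> list[dict[str, str]]:
    """Flag contact emails whose domain the organisation does not own.

    Severity "high": the contact domain does not resolve at all, so it may have
    lapsed (the servergrade.com.au situation). Severity "medium": the contact
    lives at a live third-party domain, which still ties registrar account
    recovery to someone else's mailbox.
    """
    owned = {d.lower() for d in owned_domains}
    findings: list[dict[str, str]] = []
    for role, email in extract_contact_emails(whois_text).items():
        domain = email_domain(email)
        if domain in owned:
            continue
        if not resolves(domain):
            severity = "high"
            reason = "contact domain does not resolve; it may have lapsed and be registrable"
        else:
            severity = "medium"
            reason = "contact email is hosted outside the organisation's own domains"
        findings.append({"role": role, "email": email, "severity": severity, "reason": reason})
    return findings


# Constructed sample WHOIS output; the domains are placeholders, not real records.
SAMPLE_WHOIS = """\
Domain Name: example-loans.com.au
Registrant Contact Email: owner@example-loans.com.au
Admin Contact Email: principal@webmail.example
Tech Contact Email: support@defunct-registrar.example
"""

OWNED_DOMAINS = {"example-loans.com.au"}


def fake_resolver(domain: str) -> bool:
    """Offline stand-in for host_resolves: only the defunct registrar is gone."""
    return domain != "defunct-registrar.example"


if __name__ == "__main__":
    for f in audit_contacts(SAMPLE_WHOIS, OWNED_DOMAINS, resolves=fake_resolver):
        print(f"[{f['severity']}] {f['role']} contact {f['email']}: {f['reason']}")
```

Run as-is for the offline sample; for a live check, feed it real `whois` output for each of your domains, pass the set of domains you actually control, and leave the default resolver in place. Any "high" finding is a contact address that could be recreated by whoever registers the lapsed domain, so it should be moved to a mailbox you control before it is used for account recovery.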
For further reading, I would recommend Iron Bastion's article on abandoned domain names: