A few months back I was working with a customer that was having the worst day of their lives. Attackers had taken full control of their most critical digital asset – their domains and the domains of their customers.
The organization affected was an agency. They built and managed sites for their customers and in a relatively short period they lost access to their site and their emails. In this article I’ll share what happened, and offer tips that would have made things a lot harder for the attackers to hijack their domains.
Tactics, Techniques, and Procedures (TTP) Employed
The attackers were able to take control of the user's account by hijacking the user's SIM card. There are a couple of different names for this attack (port-out scam, SIM swapping, SIM hacking), but the objective is the same: transfer the victim's cellular service to a new SIM card. This gives the attacker control of your phone number, and with it access to your text messages and calls. In this instance, the attacker was able to social engineer an agent at a major telecom into transferring the account to a new SIM.
The attackers then used this to hijack the customer's email account through the forgot-password feature and phone-based authentication. With control of the email, the attackers proceeded to attack the organization's financial institutions and registrar. They were unsuccessful in transferring funds, but they did hijack a number of domains (6 domains from the customer, including the organization's own and those of 5 of their critical customers).
In a 48-hour span, the attackers hijacked the domains, took control of the email, and redirected the domains, and their associated traffic, to new locations that were used to distribute malicious payloads to unsuspecting visitors.
The financial loss was estimated in the tens of thousands of dollars over a one-week period, and the reputational impact was monumental. Because of the transfer and validation rules between registrars, the impact lasted close to 7 days. Ironically, the burden was now on the customer to prove they were the real owners of the domains and not an attacker trying to hijack them, and every registrar has its own workflows for this.
Unfortunately, this is not as targeted as you might think; attacks like this happen every day.
Protecting Your Domain[s] Investments
I won’t speak to the SIM hijacking issue itself. Instead, I’ll focus on what can be done to reduce the risk of this and similar types of attack:
- Use unique credentials for critical assets. Just as you should use a unique password on every site, you should use unique credentials for your critical digital assets. This means using an obscure, unrelated email address for your registrar account. Free email providers like Gmail, Outlook and others make these extremely easy to create, and a password manager makes them easy to manage.
- Functionally isolate your domains. Do not mix personal and customer domains in one account; in the event that your company account is compromised, your customers won’t be affected. The principle of functional isolation is that you don’t use something for more than its intended purpose.
- Enable auto-renew to avoid expiration. The biggest contributor to domains being hijacked is human error, specifically forgetting to renew. If your domains are critical, set their renewals for as long a term as possible, then set reminders. It’s a good habit to perform quarterly reviews of your account to verify what is and isn’t set to renew during the next quarter.
- Verify the accuracy of your contact information. This goes hand in hand with the auto-renew tip above: the leading reason renewals fail is that a customer removes auto-renew but then fails to keep their contact information up to date. The end result is that the customer never receives the renewal reminder by email, or the registrar is unable to call them to confirm their intent to let the domain expire.
- Deploy additional authentication controls when logging in and making changes (2FA / MFA). Most registrars offer additional authentication controls when logging into your account. You should employ this on any system that allows it, and instead of SMS, try using something like a Time-based One-Time Password (TOTP) application (e.g., Google Authenticator). Where I’d like to see registrars improve their security is by requiring an additional authentication step for changes to your account, where that control is different from the one you used to log in. In this instance, we’d be moving from 2FA -> MFA…
- Leverage privacy to protect your personal information. The key to social engineering is knowing just enough about the target to piece together what you need to trick someone into believing you are the target. Do this, and you win. It makes no sense to use unique credentials on your account if you’re going to publicly announce that information via WHOIS. Enabling WHOIS privacy means the information you used to register your domain is not publicly accessible. Employ privacy if it’s an option.
- Lock your domain with the registrar. Many registrars offer a “lock” option, which means changes can’t be made without further confirmation from you, the domain holder. Where possible, I’d encourage you to work with your registrar to understand exactly how their “lock” feature works.
- Monitor domains for nefarious / malicious misuse. Employ monitors to maintain visibility on the state of your domains. I use Sucuri for my monitoring, and I specifically look at things like WHOIS and DNS changes. In the example above, the customer went 5 days before realizing something had happened; monitoring would have notified them the minute the DNS / WHOIS changes were made.
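As an added example (not code from the original post or from Sucuri's monitoring product), here is the detection logic such a monitor runs: it compares a known-good snapshot of each domain's registrar, NS, MX and A records against a fresh one and ranks the differences by what they hand to an attacker. The domain names, addresses and registrar names are constructed; a real monitor would fill the current snapshot from WHOIS/RDAP and DNS lookups on a schedule.

```python
from dataclasses import dataclass

# Severity reflects what the change hands to an attacker: new nameservers or a
# new registrar mean control of the whole zone, a new MX means email takeover.
SEVERITY = {"registrar": "critical", "NS": "critical", "MX": "critical", "A": "high"}


@dataclass(frozen=True)
class Change:
    domain: str
    field: str
    removed: frozenset
    added: frozenset
    severity: str


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Compare {domain: {field: set(values)}} snapshots; critical changes first."""
    changes = []
    for domain, old in baseline.items():
        new = current.get(domain, {})
        for field, old_vals in old.items():
            old_vals, new_vals = set(old_vals), set(new.get(field, ()))
            if old_vals != new_vals:
                changes.append(Change(domain, field, frozenset(old_vals - new_vals),
                                      frozenset(new_vals - old_vals),
                                      SEVERITY.get(field, "medium")))
    return sorted(changes, key=lambda c: (c.severity != "critical", c.domain))


# Constructed known-good baseline: the agency's own domain and one client domain
# (reserved .example names and TEST-NET addresses).
BASELINE = {
    "agency.example": {"registrar": {"Registrar A"}, "NS": {"ns1.agency.example", "ns2.agency.example"},
                       "MX": {"mail.agency.example"}, "A": {"192.0.2.10"}},
    "client.example": {"registrar": {"Registrar A"}, "NS": {"ns1.agency.example", "ns2.agency.example"},
                       "MX": {"mail.agency.example"}, "A": {"192.0.2.11"}},
}
# Constructed later snapshot showing the hijack pattern: agency.example moved to
# another registrar and pointed at attacker-controlled nameservers, mail and web.
CURRENT = {
    "agency.example": {"registrar": {"Registrar B"}, "NS": {"ns1.attacker-dns.example"},
                       "MX": {"mx.attacker-mail.example"}, "A": {"198.51.100.7"}},
    "client.example": BASELINE["client.example"],
}
CHANGES = diff_snapshots(BASELINE, CURRENT)

if __name__ == "__main__":
    for c in CHANGES:
        print(f"[{c.severity}] {c.domain} {c.field}: {sorted(c.removed)} -> {sorted(c.added)}")
```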
Tips For the Paranoid
If you own and manage domains, you can ask your registrar about Extensible Provisioning Protocol (EPP) status codes. To put it into context, unauthorized changes to zone files are a leading contributor to malware injections, and they are also one of the easier risks to mitigate, by preventing unauthorized changes in the first place.
The Internet Corporation for Assigned Names and Numbers (ICANN) defines EPP status codes that add additional security for domains:
| Status code | Effect |
|---|---|
| clientDeleteProhibited | Prevents a domain from being deleted. |
| clientTransferProhibited | Prevents a domain from being transferred from one registrar to another. |
| clientUpdateProhibited | Prevents any changes from being made to the domain at all, even by authorized contacts. |
Note: The clientUpdateProhibited option is the most severe and should only be used if you’re confident in your abilities.
Lastly, you can employ a Registry Lock. Similar to the recommendation above, a registry lock introduces additional controls at the registry level that make it hard even for the registrar to make changes. To do this you’d have to engage each registry directly to see what features they offer.
There is obviously a delicate balance between security and convenience; use the recommendations above at your own discretion.
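As an added example (not from the original post), a small audit that reads the EPP status codes registrars print in WHOIS output and reports which of the locks in the table above are missing; it also checks the registry-level server* codes, which are what a Registry Lock applies. The WHOIS excerpts are constructed for the example and are not real records.

```python
import re

# Locks set through the registrar (the client* codes in the table above) and
# the registry-level server* equivalents that a Registry Lock service applies.
REGISTRAR_LOCKS = ("clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited")
REGISTRY_LOCKS = ("serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited")

# WHOIS output lists each status as "Domain Status: <code> https://icann.org/epp#<code>".
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE | re.IGNORECASE)


def parse_statuses(whois_text: str) -> set:
    """Return the set of EPP status codes found in a WHOIS record."""
    return set(STATUS_RE.findall(whois_text))


def audit_locks(whois_text: str) -> dict:
    """Report which protective locks are missing and whether the domain can be moved."""
    statuses = parse_statuses(whois_text)
    return {
        "statuses": statuses,
        # clientUpdateProhibited is listed too; the note above explains when to use it.
        "missing_registrar_locks": [s for s in REGISTRAR_LOCKS if s not in statuses],
        "registry_locked": all(s in statuses for s in REGISTRY_LOCKS),
        # A transfer to another registrar is blocked if either side prohibits it.
        "transferable": not statuses & {"clientTransferProhibited", "serverTransferProhibited"},
    }


# Constructed WHOIS excerpts (reserved .example names, not real records).
UNLOCKED_WHOIS = """\
Domain Name: client.example
Registrar: Registrar A
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.agency.example
"""
LOCKED_WHOIS = """\
Domain Name: agency.example
Registrar: Registrar A
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: ns1.agency.example
"""

if __name__ == "__main__":
    for name, text in (("client.example", UNLOCKED_WHOIS), ("agency.example", LOCKED_WHOIS)):
        print(name, audit_locks(text))
```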