Leading domain name registrar Web.com announced last week that it had discovered a data breach that likely involves millions of customer accounts. This massive exposure of account information did not contain credit card numbers, but is likely to lead to an explosion of phishing scams as the detailed personal information can be connected directly to websites and their owners.
The August 2019 domain name registrar breach
The breach appears to have happened in late August of this year, and involved Web.com subsidiaries Register.com and Network Solutions, but was not discovered by internal security until the middle of October.
Web.com issued a statement indicating that standard contact information attached to a domain name registration was accessed by the intruder: full names, billing addresses, phone numbers, email addresses and information about the services the account holder is subscribed to. The company claimed that credit card information was encrypted and not compromised, but even without that the information that was leaked provides plenty of opportunity for phishing scams.
In an interview with Brian Krebs, the company claimed that passwords are also secured by PCI payment card industry encryption and they did not believe that they were compromised. Nevertheless, Web.com and its associated companies have required affected users to reset their passwords.
There was no official indication of how many customers were affected by this breach, but the number is likely in the millions. The three companies are estimated to have about 10 million customers combined. The records of an additional 12 million prior customers may have also been compromised.
Network Solutions was the first domain name registrar, and until 1999 was the only company that registered top-level domains. The company is currently the fifth-largest registrar in the world and the third-largest in the United States.
Ongoing security issues at Network Solutions
Any domain name registrar of the size of Network Solutions is bound to attract hackers, but the company has experienced similar data breaches dating back to 2009.
The company’s first breach a decade ago exposed not just personally identifiable information, but credit card numbers as well. At the time the company had only about half a million customers.
The following year, a widely-used site widget was compromised and may have passed malware to as many as 5,000,000 websites.
The potential for phishing scams
The potential risk of this breach depends heavily on how much access the attackers had to passwords.
Network Solutions claims that the passwords are “encrypted” – presumably meaning that they are hashed. It would be unlikely for attackers to crack properly hashed passwords, but not impossible. Exfiltrating the data would give them ample time and resources with which to do it, on top of the six weeks that they already appear to have been roaming the network before they were detected. The company did not reveal enough information about password access to be certain as to what the exact level of risk is. Regardless, any customers of these domain name registrars should change their passwords immediately.
That long period of access also raises questions about what sort of malware or backdoors the attackers might have planted during their stay. Six weeks is more than enough time to embed multiple means of continual access in the domain name registrar’s system, allowing attackers to do things like surreptitiously log password entries and store credit card numbers.
Even if customer passwords are fully safe at this point, the email addresses and information that the cyber criminals absconded with presents a serious risk in terms of highly targeted phishing scams. Alexander García-Tobar, CEO and co-founder of Valimail, expanded on what the specific result of the theft of this information could be:
“Network Solutions’ data breach exposed account holders’ contact and service information, which is all that cyber criminals need to execute highly tailored, convincing phishing attacks and impersonation attempts. Phishing campaigns often follow hot on the heels of breaches like this, targeting the victims with fake security warnings that look like they came from the breached company. If successful, these attacks can lead to account takeover, identity theft and other scams. Sender identity-based email security solutions are a powerful defense that can stop impersonation-based phishing emails from ever entering inboxes.”
The most likely result of this incident is a major uptick in phishing emails. The personally identifiable information retrieved from this attack gives hackers the tools they need to inspire trust in the target, convincing them to click on a malicious link in a phishing email that leads to malware installation or credential theft.
Losing control over a domain name, even for just a brief period, is one of the worst PR disasters a company can experience. Attackers can cause a variety of damage. It wouldn’t be difficult to redirect users to a bogus lookalike site used to capture personal information and credit card numbers. An even simpler attack would be to automatically redirect all visitors to a site that loads malware or ransomware. Hackers might also simply deface the site or post inflammatory comments.
It can be difficult to regain control of a domain name once it is stolen. The burden of proof largely falls on the victim, as this ICANN advice page points out. The process becomes much more difficult if the hackers quickly transfer the stolen domain name to a new registrar, which can potentially be done inside of one day.
The problem is compounded by the fact that paper records are generally not sent to domain owners. Be sure to keep copies of any email receipts and correspondence that you receive from a domain name registrar that mentions the site name. It’s also possible to use prior published advertising, a credit card or bank payment history, a contract that mentions transfer of the domain name, or any other kind of legal or tax filings that mention the domain name, but this process can potentially take a long time when dealing with a new registrar that does not have any existing customer records of yours. Law enforcement authorities should also be notified of any domain name theft or phishing scams that might occur.