Iron Bastion’s cybersecurity expert Gabor Szathmari, recently published novel research on abandoned internet domains, and how they are a significant cyber risk which threatens businesses and in particular the Australian legal profession.
What is an Abandoned Domain Name?
A domain name is a name you can register to identify your business on the internet. For Australia businesses, this is typically a domain name ending in
.com.au, such as example.com.au.
Annual registration fees are required to maintain ownership of a domain name. Businesses often end up with many of these domains and typically a low-level technical person becomes the person responsible for managing the domain name renewal. For smaller businesses, this can be clerical staff or the web design company hired to build the business’s website, or an outsourced IT support provider.
Domain name renewals can often be forgotten or considered to be a waste of money if the domain names are no longer in use because of a branding change, or company restructuring. Once someone stops paying for an internet domain name, after a certain grace period, it becomes available for anyone to re-register.
At this point, the domain is considered abandoned and anyone (including criminals with bad intentions) can re-register the abandoned domain with no additional identity or ownership verification whatsoever.
Abandoned Domains Provide Access to a Trove of Data
Once the domain is re-registered the abandoned domain can be set up for a 'catch-all' email service meaning emails, often containing sensitive information destined for the previous owner, end up in the hands of a criminal. In addition, online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.
Consequently, the effect of seizing control over an abandoned domain can be devastating for a business.
Even if the business has merged or wound-up sensitive information and documents are often exchanged over emails between clients, colleagues, vendors, suppliers, and service providers. Recent research published by security researchers, Gabor Szathmari and Jeremiah Cruz demonstrate that they were able to:
- access confidential documents of former clients;
- access confidential email correspondence;
- access personal information of former clients;
- hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
- hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.
Because you or your staff's online presence can be tied to a former domain name in unexpected ways, criminals are able to access sensitive data belonging to your current business – the research suggests.
What You Can Do to Protect Your Business
As the news article published by the Australian Cyber Security Centre earlier this month summarises, the following steps should be taken to minimise the risk to your business:
- Keep renewing your old domain name indefinitely and do not let them expire and be abandoned, especially if the domain name was once used for email.
- Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
- Unsubscribe the email notifications which may feature sensitive data such as Text-to-email services and banking notifications.
- Advise clients to update their address book.
- Enable two-factor authentication, where the feature is supported for online services.
- Use unique and complex passwords.
The best preventive measures you can take is relatively simple, as J.M. Porup from CSOOnline.com writes: “Better safe than sorry. Domain names aren't expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you'll ever purchase”.
Your IT staff or IT service provider should never leave them to expire. If the domain name is already expired, “unsubscribing from notifications that include sensitive details is an obvious course of action”, adds Bleeping Computer. “Closing the accounts that use the business emails, or at least disassociating them, is also a solution, albeit not all employees may heed the request.”
Iron Bastion also recommends to change or remove the business email address from online user accounts (e.g. LinkedIn, Facebook) when a business is about to wound-up.
Finally, we suggest enabling two-factor authentication (2FA or MFA) where the feature is supported for online services is the most powerful security measure to protect your accounts from hostile password resets. Read our illustrated article from a previous post detailing how you can set up 2FA/MFA on the Office 365 and G Suite email platforms.
The full report and further recommendations are available in the original report.
About Iron Bastion
Iron Bastion are Australia’s phishing and cybersecurity experts. We provide cybersecurity consulting with specialised solutions to combat phishing. Our team are qualified cybersecurity professionals, and all our staff and operations are based in Australia.