Hacking law firms with abandoned domain names(medium.com)
medium.com
Hacking law firms with abandoned domain names
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774
38 comments
Having consulted for many law firms over the years, they are notoriously stingy when it comes to taking care of their IT infrastructure. Almost all of them are low-hanging fruit due to this. Especially as more and more of them started getting rid of in-house people and began to solely use MSP types.
As someone who has done IT for law firms, administrated law firms, and owned a law firm, I endorse this statement.
I have dealt with firms that pay tens of thousands per month in physical space rental that will balk at the idea of a couple-few thousand per year for IT/web infrastructure/maintenance/etc.
Lawyers are probably not especially more cheapskate than other people, but I would not exactly be surprised if we are.
I have dealt with firms that pay tens of thousands per month in physical space rental that will balk at the idea of a couple-few thousand per year for IT/web infrastructure/maintenance/etc.
Lawyers are probably not especially more cheapskate than other people, but I would not exactly be surprised if we are.
[deleted]
https://www.webhostingtalk.com/showthread.php?t=1726800 it seems so, here is a law firm on a $8/mo cpanel server with every service under the sun running on the box (SSH, FTP, https, pop, IMAP and so on) and hundreds (maybe thousands) of actors with some form of privileged access to platform (CGI, modphp, ftp and so on). host -t mx yourlawfirm.com before commissioning their services. Some people are blind to the risk, and unfortunately some communities push/protect sloppy solutions like the above as "secure".
cPanel is pretty secure and was the industry standard before AWS/Azure/GCP and their ilk came along. You act like user jailing isn't a thing.
Cpanel is a fucking joke, on day one they launched their federated ID (yes scary concept) I reported a 101 xss in it, they can't do anything right, that's as late as 2016. Industry standard, don't make me laugh. How have you came to the conclusion of "pretty secure" please don't tell PHP base_dir and some shitty non containerised jail shell is all it takes? Respect to Igor at cloudlinux for trying to tackle the problem, about the only implementation which one would be able to sleep at night with, but can we stop polishing a turd.
Something that came into my mind after reading this:
Let's say your name is Jon Doe and you've purchased domain.tld that was previously-used by some company. So you create to yourself [email protected], and figure out that the previous owner had an employee named Jon that used it as a primary or secondary email across dozens of most popular services.
How the hell do you proceed with your account creation?
The entirety of the web is built on the notion that email addresses are unique, but there are multiple cases in which that might not be the case. What are your options then? [email protected]?
Let's say your name is Jon Doe and you've purchased domain.tld that was previously-used by some company. So you create to yourself [email protected], and figure out that the previous owner had an employee named Jon that used it as a primary or secondary email across dozens of most popular services.
How the hell do you proceed with your account creation?
The entirety of the web is built on the notion that email addresses are unique, but there are multiple cases in which that might not be the case. What are your options then? [email protected]?
Hotmail addresses used to expire after a period of inactivity lol. I pranked one of my high-school buddies by re-registering his old email. At first he was just very confused, then I realised he had probably used that address as a recovery email for a bunch of stuff, and was able to recover passwords for his new email address. Lucky for him I'm not the kind of person to take a joke too far.
Reset password, delete account, then create a new one?
Not all services make it easy to delete accounts, and even in some cases because they soft-delete stuff (let's not get into the problems with that), you still can't use an email that was previously used.
Change the email address for accounts you can't delete to jon2@
Add a tag:
[email protected]
If the service will accept that of course. It's perfectly valid, and you'll know if it works when you get the confirmation email.While common, I don't think this is a standard, so it will vary by service provider or email server. According to spec, "+" can be a valid part of an email address:
Without quotes, local-parts may consist of any
combination of alphabetic characters, digits, or any of
the special characters
! # $ % & ' * + - / = ? ^ _ ` . { | } ~
https://tools.ietf.org/html/rfc3696#page-5I’ve had many experiences where one day a site will stop handling + correctly and I can no longer sign into my account. More common is the registration form allows + but the sign in does not, or I can subscribe to an email newsletter but not unsubscribe.
As far as the service is concerned, that's simply an entirely different email address. You might as well do [email protected]. Since you control domain.tld, you can of course receive any email sent to it.
But the point the GP was making is that email addresses are treated by services as if the will always be tied to the same person, but that's simply not true.
But the point the GP was making is that email addresses are treated by services as if the will always be tied to the same person, but that's simply not true.
This only works with Gmail, and copycats
I worked for a conglomerate a few years ago but had a simple email. I realized my email was recycled after I started receiving all kinds of unusual emails... like emails for an old personal eBay account. It was funny at first, but it was definitely a security liability for himself and the company as I was occasionally sent emails I'm sure I should not have been included on (he was a higher level, and was part of several mailing lists that were not purged after he left).
I recently registered a domain name and set wild card email forwards to my yahoo address. I suddenly start receiving emails with confidential attachments (like employee/vendor payment settlements, disbursements, hr communications, etc.). These emails are from a very large company. I recognized we had phonetically similar sounding domain names. Only one letter was different. Whenever somebody misspelt the domain name in the email, i got that email.
Yeah I get similar mails - my email address is the same as that of an insurance company, but with two letters switched. I only get one every week or so, I just reply and say 'you probably meant to send this to [correct email address]'. Although some people just don't understand and start sending me replies, arguing how I'm wrong... I just ignore those from that point on.
This is known as typo-squatting and is not always done accidentally.
An interesting related technique is known as bit-squatting where you register domain names of a target company 1 bit different from the original.
It can be used for receiving emails, phishing sites, capturing internal DNS requests that have gone rogue due to bit errors (due to anything from hardware errors to cosmic rays).
There is a really good talk by Artem Dinaburg from Blackhat about it (first talk about it? I think) https://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinabu...
An interesting related technique is known as bit-squatting where you register domain names of a target company 1 bit different from the original.
It can be used for receiving emails, phishing sites, capturing internal DNS requests that have gone rogue due to bit errors (due to anything from hardware errors to cosmic rays).
There is a really good talk by Artem Dinaburg from Blackhat about it (first talk about it? I think) https://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinabu...
I had a look through the paper, that's very interesting!
The talk is available here https://www.youtube.com/watch?v=9WcHsT97suU
The talk is available here https://www.youtube.com/watch?v=9WcHsT97suU
I bought a four character dot com domain after it had failed to be renewed by a Bank.
Let’s just say that setting up a catchall for that domain generated countless hours of entertainment.
Highly unsophisticated people will put the dumbest things in emails to their bankers.
On the other hand there were rare heartbreaking instances where families would beg to find a way to keep their homes or cars.
I always forwarded those on to the intended recipient.
Let’s just say that setting up a catchall for that domain generated countless hours of entertainment.
Highly unsophisticated people will put the dumbest things in emails to their bankers.
On the other hand there were rare heartbreaking instances where families would beg to find a way to keep their homes or cars.
I always forwarded those on to the intended recipient.
> I always forwarded those on to the intended recipient.
And this didn't generate any electronic knocks-on-your-door??
And this didn't generate any electronic knocks-on-your-door??
They didn't seem to care.
Isn't the name of a bank usually trademarked? And often trademarked domains are much easier disputed? A bank could way easier take back the domain, no?
Since he mentioned it was a 4-letter domain, it could be the bank had a mark for a longer name but used the LLLL for customer convenience? The fact they failed to renew suggests it wasn't an acronym in common use - like HSBC, for example.
Yes. It was an abbreviation for the bank and it was a small regional bank in a rural area that eventually folded into another company.
Probably yes, but that commenter can still have their fun in the meantime.
Whether he's in the clear or not, this sounds like an excellent way to get sued.
He seems to be in Australia. I don't think white hat security researchers are at as much risk there as they are in the US or the EU.
By the end he claims to have gotten a $250000 reward bvy facebook, which he has not claimed. Sounds to me like he has no intention of taking that reward, if true.
Am I the only one incensed at the fact that unlike haveibeenpwned, spycloud stores the passwords in the database, right next to the usernames?
he sure took it to a whole other level by accessing third party sites and accounts using the hacked credentials.
They didn't actually access those accounts, they only verified that they could. Definitely more likely to get peoples' hackles up, but worth bearing in mind. Quote:
> As for all other services, we did not complete the final step of the password resets for privacy reasons meaning we did not log into or take over the user accounts, or access any information stored in online services, although we could have.
> As for all other services, we did not complete the final step of the password resets for privacy reasons meaning we did not log into or take over the user accounts, or access any information stored in online services, although we could have.
>> We did not complete the final step ... for privacy reasons
But they did read a ton of email they knew was private? Censoring it for public consumption doesn't change the fact that they accessed it.
Anybody doing this kind of thing in Australia should be familiar with the 'Cybercrime Act 2001' model. In NSW it is implemented in Part 6 of the Crimes Act 1900, and other states also mirror the Cth legislation with various modifications. Some of these (eg Criminal Code 1995 (Cth) s 478.1 / Crimes Act 1900 s 308H) are absolute liability offences, so it is not necessary to prove anything about your intent. Read the definitions in, eg, Criminal Code 1995 s 476.1 for how broad they go ('guided or unguided electromagnetic energy').
The federal offences have to be within the constitutional limits on Cth legislative power, so they 'only' apply to Cth computers/data or when 'the access to, or modification of, the restricted data is caused by means of a carriage service', i.e. The Internet. So they can usually be applied.
These provisions are extremely broad, so there's a lot resting on prosecutorial discretion. Nobody can say for sure whether these things breach the act, but there are plenty of ways to interpret the provisions and cast the actions within them. For example, they might have impaired the electronic communication to or from a computer per s 477.3, and it's not like they were asking anyone first. Also 'here are some private emails we received' is just so plausibly within 'unauthorised access to restricted data'. Probably talk to a lawyer before hitting the big Publish button on Medium Dot Com, and maybe refrain from actually deliberately receiving people's emails, especially when everyone already knows that email compromise = everything and there's nothing to prove.
https://www.legislation.gov.au/Details/C2018C00298/Html/Volu...
http://www6.austlii.edu.au/cgi-bin/viewdb/au/legis/nsw/conso...
But they did read a ton of email they knew was private? Censoring it for public consumption doesn't change the fact that they accessed it.
Anybody doing this kind of thing in Australia should be familiar with the 'Cybercrime Act 2001' model. In NSW it is implemented in Part 6 of the Crimes Act 1900, and other states also mirror the Cth legislation with various modifications. Some of these (eg Criminal Code 1995 (Cth) s 478.1 / Crimes Act 1900 s 308H) are absolute liability offences, so it is not necessary to prove anything about your intent. Read the definitions in, eg, Criminal Code 1995 s 476.1 for how broad they go ('guided or unguided electromagnetic energy').
The federal offences have to be within the constitutional limits on Cth legislative power, so they 'only' apply to Cth computers/data or when 'the access to, or modification of, the restricted data is caused by means of a carriage service', i.e. The Internet. So they can usually be applied.
These provisions are extremely broad, so there's a lot resting on prosecutorial discretion. Nobody can say for sure whether these things breach the act, but there are plenty of ways to interpret the provisions and cast the actions within them. For example, they might have impaired the electronic communication to or from a computer per s 477.3, and it's not like they were asking anyone first. Also 'here are some private emails we received' is just so plausibly within 'unauthorised access to restricted data'. Probably talk to a lawyer before hitting the big Publish button on Medium Dot Com, and maybe refrain from actually deliberately receiving people's emails, especially when everyone already knows that email compromise = everything and there's nothing to prove.
https://www.legislation.gov.au/Details/C2018C00298/Html/Volu...
http://www6.austlii.edu.au/cgi-bin/viewdb/au/legis/nsw/conso...
Related: https://news.ycombinator.com/item?id=17704828