Theft of Newtek domains is a reminder to stay vigilant

Issue

Last week a web services company (Newtek), which hosts over 100,000 e-commerce websites and the email servers behind them, had three of its core domains stolen.  These domains hosted the management software that Newtek's customers used to administer their websites.

The attacker then replaced the application that users would normally log in to for managing their websites with an application of his own: a live chat service.  When users logged in, they believed they were chatting with a helpful administrator, when in fact they were talking to the attacker, and anything they typed into that chat (credentials, account details, customer data) went straight to him.

Impact

The full impact is still being determined.  However, corporate email for many of Newtek's customers became unavailable, their business websites no longer resolved, and sensitive information was most likely disclosed to the attacker through the fake chat service.

Recommendations

InGuardians recommends that all businesses treat domain hijacking as a potential event in their Business Continuity Plans (BCP).  Stay vigilant in ensuring continued ownership of your domains, and have a plan to move web and email traffic to secondary domains in the event that ownership of a primary domain is lost.  Note that a secondary domain only helps if it is held under separate credentials (ideally at a separate registrar); a backup domain in the same compromised registrar account is lost along with the primary.

InGuardians recommends building your own capability to gather counter-intelligence and to proactively monitor your organization's digital footprint.  Consider scripts or services that monitor the DNS records (nameserver, A and MX records) and the registrar status of the domains you control, and that alert on any change from a known-good baseline; an unexpected nameserver change is the earliest visible sign that a domain has been taken.


Wikipedia lists these options as means to prevent an unwanted domain transfer (most of them protect the email account tied to the registrar account, because that mailbox is where password resets and transfer-approval messages for the domain are sent):

  • Use strong email passwords and enable two-factor authentication if available.
  • Disable POP if your email provider is able to use a different protocol.
  • Tick the setting “always use https” under email options.
  • Make sure to renew your domain registration in a timely manner – with timely payments and register them for at least five (5) years.
  • Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.
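As an added example covering both the monitoring recommendation above and the domain/registry locking item in the list, the following script (written for this page; not code from InGuardians, Newtek or Wikipedia) compares a known-good baseline of NS, A and MX records against a fresh snapshot and reports what a domain's EPP status codes leave unprotected. The domain names, record values and status codes in `demo()` are constructed; the live resolver assumes dnspython is installed and is not called by the offline demo.

```python
"""Baseline-and-diff monitor for DNS records plus registrar lock checks.

Added example; not code from InGuardians, Newtek or Wikipedia. Assumes:
a baseline snapshot captured while the domain was known to be yours, a
resolver callable returning the same shape (dnspython when run live), and
the EPP status codes that your registrar or WHOIS output reports.
"""
from typing import Callable, Dict, List, Set, Tuple

# Record types to watch. A nameserver (NS) change is the hallmark of a
# hijack; A and MX catch web and mail being pointed elsewhere. SOA is left
# out because its serial changes on every legitimate zone edit.
WATCHED_TYPES = ("NS", "A", "MX")

# EPP status codes. client* locks are set by the registrar ("domain lock"),
# server* locks by the registry ("registry lock", usually a paid service).
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited"}

Snapshot = Dict[str, Set[str]]           # record type -> set of record values
Resolver = Callable[[str], Snapshot]


def resolve_live(domain: str) -> Snapshot:
    """Live snapshot via dnspython 2.x (assumed installed: pip install dnspython)."""
    import dns.exception
    import dns.resolver
    snap: Snapshot = {}
    for rtype in WATCHED_TYPES:
        try:
            snap[rtype] = {r.to_text() for r in dns.resolver.resolve(domain, rtype)}
        except dns.exception.DNSException:
            # NXDOMAIN / NoAnswer / timeout: record the type as empty so that
            # a domain that simply stops resolving still produces a diff.
            snap[rtype] = set()
    return snap


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {rtype: (removed, added)} for every watched type that differs."""
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for rtype in WATCHED_TYPES:
        old, new = baseline.get(rtype, set()), current.get(rtype, set())
        if old != new:
            changes[rtype] = (old - new, new - old)
    return changes


def lock_findings(statuses: List[str]) -> List[str]:
    """Describe what a list of EPP status codes leaves unprotected."""
    have = set(statuses)
    findings: List[str] = []
    if not have & TRANSFER_LOCKS:
        findings.append("no transfer lock: domain can be moved to another registrar")
    elif "serverTransferProhibited" not in have:
        findings.append("registrar lock only: consider a registry lock (serverTransferProhibited)")
    if not have & UPDATE_LOCKS:
        findings.append("no update lock: nameservers can be changed with registrar credentials alone")
    return findings


def check_domain(domain: str, baseline: Snapshot, statuses: List[str],
                 resolver: Resolver = resolve_live) -> Tuple[List[str], Snapshot]:
    """One monitoring pass; returns (alert lines, current snapshot to persist)."""
    current = resolver(domain)
    alerts = [f"{domain} {rtype} changed: -{sorted(gone)} +{sorted(added)}"
              for rtype, (gone, added) in diff_snapshots(baseline, current).items()]
    alerts += [f"{domain} lock: {f}" for f in lock_findings(statuses)]
    return alerts, current


def demo() -> List[str]:
    """Offline run on constructed data: a hijack that moved NS and A but left MX."""
    baseline = {"NS": {"ns1.example.net.", "ns2.example.net."},
                "A": {"192.0.2.10"},
                "MX": {"10 mail.example.com."}}
    hijacked = {"NS": {"ns1.example.org."},
                "A": {"198.51.100.7"},
                "MX": {"10 mail.example.com."}}
    # Constructed WHOIS status: registrar lock present, no registry lock.
    statuses = ["clientTransferProhibited", "clientUpdateProhibited"]
    alerts, _ = check_domain("example.com", baseline, statuses, resolver=lambda _d: hijacked)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it on a schedule (cron or a scheduled task), persist the snapshot it returns as the next baseline only after a human has confirmed the change was yours, and feed the EPP status codes from your registrar's API or a WHOIS lookup; the point of the lock check is that a registrar-level lock can be removed with the same credentials an attacker has just phished, whereas a registry lock requires an out-of-band step with the registry.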

Additional Resources

https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
https://en.m.wikipedia.org/wiki/Domain_hijacking