Stolen: perl.com and other domains—was Web.com socially engineered?
A pile of high-value .com domains are still missing in action after they were stolen and resold by miscreants unknown. Perl.com was among them.
Some observers are pointing the finger of blame at Web.com—specifically its subsidiary Network Solutions. Could this be the sex.com debacle all over again? That took five years to resolve.
Hopefully perl.com will be back quicker than that. In this week’s Security Blogwatch, we sudo vi /etc/hosts.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Poor old Windows.
“How you dune?”
What’s the craic? Lawrence Abrams reports—Perl.com domain stolen, now using IP address tied to malware:
Perl.com is a site owned by Tom Christiansen and has been used since 1997 to post news and articles about the Perl programming language. … The domain was stolen in September 2020 while at Network Solutions, transferred to a registrar in China on Christmas Day, and finally moved to the Key-Systems registrar on January 27th.
…
It wasn't until the last transfer that the IP addresses assigned to the domain were changed. … The IP address … has a long history of being used in … malware campaigns.
…
Until the domain hijacking is resolved, perl.org is recommending that users do not use perl.com as a CPAN mirror. [And] it is strongly advised not to visit perl.com until the domain is back in the hands of The Perl Foundation.
And Richard Speed dashes off this—Hijackers appear to have seized control of 33-year-old … domain:
The hijack appears to have followed the age-old path of an attacker pouncing on a compromised account and swiping the domain. … Perl.org is unaffected.
…
Prior to the change, Tom Christiansen was listed as the domain administrative contact. … A hijacking of Christiansen's account seems a possibility. … Shortly after the hijacking, the domain … turned up as available to buy for $190k on afternic.com [which] is part of the GoDaddy organisation.
We turn to the famous capital letter-hating author brian d foy—@briandfoy_perl—who tweets thuswise:
Huh, it looks like there was some snafu with the perl.com domain registration and now it's registered under someone else. … The proper address for perl.com is 151.101.2.132. Put that in your /etc/hosts and you should get to the right site. … Anyone using a perl.com host for their CPAN mirror should use cpan.org instead.
…
We've temporarily set up the perl.com site at perldotcom.perl.org. … There's no news on the recovery progress. Everyone who needs to be talking is talking to each other and it's just a process now. … Network Solutions is working with Tom Christiansen, the rightful registrant, on the recovery of the perl.com domain.
There is no estimated timeline for its recovery but the process is underway. … We're in the long, boring phase now.
An isolated incident? Nope. Here’s bhartzer:
I’ve seen other domains get stolen recently, it seems to be about the same time: patterns.com, piracy.com, perl.com … neurologist.com and chip.com. … All stolen at around the same time.
…
With Patterns, the thief hacked the Network Solutions account, put the domain under privacy, transferred it to a Chinese registrar, and then put the old whois data back. They then tried to sell it on Sedo and Afternic for 10 percent of what it’s worth.
…
My advice is to lock down your domains, register them for at least 5 years, and if there are changes deal with them quickly. … Definitely use 2FA if it’s offered … there are a lot of registrars still using less secure platforms. So moving to a more secure registrar can help.
…
Once a domain is transferred it’s much harder to get back. It can be done, but it’s a lot of work to unravel it all.
A lot of work? As Dave Piscitello explained, a long time ago, Documentation is Key:
When victims of domain name hijackings contact our Security Team for guidance, we will ask … "Do you have any way to demonstrate to your sponsoring registrar that the registration or use of the domain is rightfully yours?" … Sadly, many parties who contact us haven't considered that they will have to prove that the domain is theirs to use.
…
You will need to provide documentation to registrars or dispute resolution service provider that proves an association existed between you … (the one who has legitimately registered the domain name) and the hijacked domain name or account, prior to the incident.
But how could this happen at a totally legit registrar such as NetSol? gmack scoffs at the thought:
You make it sound like Network Solutions has never made that sort of mistake before. NetSol is one of the least secure registrars and has a history of transferring domains over the phone or with a fax.
The most famous case was of course sex.com where they argued that they had no responsibility to even try to fix the problem. There are still scattered reports of domains being stolen from them.
But fogihujy is a touch more circumspect:
There's always the chance someone social-engineered their way past the registrar's access control, or that they got some kind of access to the registrar's systems. Or the domain owner simply didn't read an email properly and clicked the wrong link.
There's too little information to draw conclusions at this point.
Back in my day everyone on the internet was nice. drankinatty waxes prosaic:
Not too long ago … domain registration and ownership was a simple matter, whois noted all details, including name, addresses, telephone (and fax) numbers and e-mail addresses. Not a care or thought was given to the registration details being available in the world of the honest actor.
But since that time, [as with] all manner of life and politics, dishonest actors, so lacking in integrity and moral character, set about making mischief and perverting every aspect of available information and data, either for personal gain or to sow general chaos. To such an extent that if you look at the time, toil, resources and effort expended in defensive measures, it likely surpasses the amounts spent in the pursuit of normal business operations.
…
Having experienced the world pre–NCSA Mosaic … it is truly a sad reflection on humanity.
If only we knew how it happened. classichasclass thinks they do:
[Floodgap.com] was part of this. I just talked to a very helpful person in NetSol's security department and she looked through the ticket. It was initiated by a web chat, and they produced official looking but completely fraudulent documents (photo ID, utility bill, business license, etc.) to prove identity.
So this was socially engineered and apparently for multiple domains. They're supposed to contact me tomorrow for more on the post mortem.
Meanwhile, GBE goes all poetic on us:
I used to dislike Perl. Then I learned PHP in order to maintain a pile of somebody else's code. And my feelings for Perl faded into insignificance.
Then I met a beggar who had no feet. And thought to myself, "At least he doesn't have to maintain PHP code."
The moral of the story?
Do whatever you can to prevent your domains getting stolen, including MFA and red-teaming a social-engineering attack on your registrar.
And finally
If you ever wanted to feel sorry for Windows, watch this
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Andre Iv (via Unsplash)