
Metasploit website hijacked via fax - robk
http://grahamcluley.com/2013/10/metasploit-website-hijacked-pro-palestinian-hackers/
======
michaelt
Made me wonder what registrar major internet companies use. Fortunately, whois
can tell us:

      facebook.com -> markmonitor
      google.com -> markmonitor
      amazon.com -> markmonitor
      youtube.com -> markmonitor
      yahoo.com -> markmonitor
      baidu.com -> markmonitor
      wikipedia.org -> markmonitor
      linkedin.com -> markmonitor
      ebay.com -> markmonitor
      bing.com -> markmonitor
      microsoft.com -> markmonitor
      paypal.com -> markmonitor
      flickr.com -> markmonitor
      blogger.com -> markmonitor
      wordpress.com -> markmonitor
      live.com -> corporatedomains
      twitter.com -> corporatedomains
      apple.com -> corporatedomains
      cnn.com -> corporatedomains
      theguardian.com -> tucows
      TinyURL.com -> tucows
      theguardian.com -> tucows
      huffingtonpost.com -> melbourneit
      t.co -> melbourneit
      bitly.com -> godaddy
      barackobama.com -> godaddy
      dell.com -> safenames
      reddit.com -> gandi
      imgur.com -> enom
      ycombinator.com -> easydns
      craigslist.org -> netsol

I don't know whether markmonitor deliberately try to get popular websites as
clients, aiming for some sort of halo effect.

~~~
C1D
I was surprised to see melbourneIT up there since I live in the same city
they're based in. I'm wondering why an American company is using an Australian
registrar, can anyone enlighten me?

~~~
pallandt
I was curious about that as well.

I checked their website and they offer both affiliate and reseller programs.
My best guess is that it's actually a 3rd party that sold the domains, yet a
whois lookup returns the name of the parent company/true registrar. From what
I can remember, domains purchased through OpenSRS's white-label domain
reseller program still reveal that Tucows is the registrar, regardless of
which partner of theirs you bought it from.

Maybe someone with more knowledge can help out.

~~~
geoffpado
I don't have any more insider knowledge than just seeing it discussed before,
but Melbourne IT acquired Verisign's brand management service, which is where
they picked up most of their big name clients:
[http://www.zdnet.com/melbourne-it-salvages-verisign-business...](http://www.zdnet.com/melbourne-it-salvages-verisign-business-for-us50m-1339288557/)

~~~
pallandt
It's clear now, thank you!

------
ChuckMcM
Remarkably powerful tool, the FAX machine; too many bureaucracies have them
connected directly into the brain.

------
keidian
Bit of trivia I didn't see noted: Web.com is the parent company of both NetSol
and Register.com

------
cosmie
What, no phone call to verify the changes with the account holder on file? I
would have hoped that was standard procedure...

~~~
mischanix
Phone verification may have been performed using a phone number listed on the
fake fax, if at all.

~~~
cosmie
That was precisely my point, and why I'm so confused. You do not verify change
requests _with_ the change request, you verify it with details from the system
of record.

A classic example of this would be submitting a change of address to USPS or
modifying an email address on an account. You don't verify that change with
the _new_ information, but rather by sending notification or confirmation to
the previous address/email. The fact that a registrar wouldn't enforce such a
process is... upsetting.
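As an added illustration (not code from this thread or from any registrar), here is a toy change-request handler in Python that contrasts the two flows cosmie describes: confirming via contact details printed on the request itself versus confirming only via the details already on file. The domain, contacts and request are constructed sample values.

```python
# Added example (not from the thread): a toy registrar change-request handler
# contrasting confirmation via details supplied in the (possibly forged) fax
# with confirmation sent only to the contact on file. All data is constructed.
import secrets

# Constructed system of record: the registrar's on-file contacts per domain.
SYSTEM_OF_RECORD = {
    "example-corp.test": {"email": "admin@example-corp.test", "phone": "+1-555-0100"},
}

SENT = []  # log of (domain, channel, destination, code) confirmations "sent"


def _send_code(domain, channel, destination):
    code = secrets.token_hex(4)
    SENT.append((domain, channel, destination, code))
    return destination


def confirm_weak(request):
    """Weak flow: the callback number comes from the request itself, so a
    forged request can route the confirmation call to whoever sent it."""
    return _send_code(request["domain"], "phone", request["callback_phone"])


def confirm_strong(request):
    """Confirmation goes only to the contact already on file; whatever callback
    details the request carries are ignored."""
    record = SYSTEM_OF_RECORD.get(request["domain"])
    if record is None:
        raise KeyError(f"unknown domain {request['domain']}")
    return _send_code(request["domain"], "phone", record["phone"])


def apply_change(request, confirmed_by):
    """Apply the change only if confirmation came from an on-file contact.
    Contact updates are gated on the *old* details, like the USPS/email case."""
    record = SYSTEM_OF_RECORD[request["domain"]]
    if confirmed_by not in (record["phone"], record["email"]):
        return False
    record.update(request["new_contact"])
    return True
```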

~~~
bradleyland
Preface: Ah, the smell of contempt in the morning! This post turned out to be
pretty contemptible/cynical, but domain registration & management is a bit of
a peeve of mine. I used to run an "IT consulting" company, and have thus
developed the requisite jaded viewpoint from dealing with all of those
customers who don't understand/value the responsibility of domain ownership.

Every day, registrars are inundated with calls from incompetent domain owners
who haven't kept their domain information up to date, and have lost control of
their domain in some way or another. The registrars provide a process to
recover your domain name, but that process relies heavily on human judgement.

I think most programmers/technologists would be horrified at just how easily
the process can be gamed. I've recovered no less than 5 domain names for
friends/customers over the years, and I'm always shocked at how easy it is. If
you can produce believable looking letterhead, and have done at least some
cursory information gathering on the company in question, you can usually game
the system.

The reason this giant hole exists is because of customer service incentives. A
large number of domain owners aren't responsible technology people. They're
mom & pops, or some middle-manager who kind-of-sort-of understands the
internet. They're people wearing many hats, and have never used a program like
1Password or LastPass to keep track of their important information. To add
insult to injury, these same people are bombarded with fake domain renewal
letters that result in their domain being hijacked by some shady business.

The registrars end up handling the backside clean up for all of these
incompetencies, and customers demand it. If a domain registrar began requiring
the kind of verification that we'd expect, many people would simply lose their
domain names and never do business with said registrar again. The registrars
know this, so they make it (too) easy to recover a domain.

IMO, there are two solutions:

A regulatory body steps up and says: Domain owners are responsible for keeping
your domain information and security credentials current. If you lose them,
you will have to successfully navigate a lengthy and expensive verification
process. The process will be standardized across the industry, and non-
compliance will result in hefty fines for the registrar.

Alternatively, the option is given to domain registrants to treat their
registration with a higher level of scrutiny. A kind of "I take
responsibility" flag for your domain that significantly raises the bar for
recovering the domain should you lose control of it.

Neither of these will happen, because there is not enough incentive. The
majority of domain owners will never be targeted in the manner illustrated
here, so the service is unimportant to us. There aren't enough large companies
to justify offering secure domain registration as a service. The rest of the
world _needs_ the easy recovery process because they're not
competent/responsible enough to maintain control of their domain name.

------
ateevchopra
No standard procedure? Someone really gonna get fired!

"Hacking like it's 1964" - Loved it

------
gnu8
Nice, show 'em how it's done!

------
ebilgenius
Why are all these hackers pro-Palestine?

~~~
cma
If they were sampled evenly from world population, it would be what you would
expect.

~~~
corin_
Agreed, but that sample wouldn't get many people who shout out their opinion
without being asked by it (a majority may support Palestine, but far less
actively make their voices heard about it, on either side)

