
Hacking law firms with abandoned domain names - gszathmari
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774
======
LeonM
This is why you need to take DNS seriously. It's a single point of failure.
It's often overlooked, but losing administrative access to a (former) domain
name is really, really bad. It's not just email, the hacker can also buy
certificates, hijack or transfer the domain (if the domain is not locked) and
more.

Related:
[https://news.ycombinator.com/item?id=17704828](https://news.ycombinator.com/item?id=17704828)

------
arminiusreturns
Having consulted for many law firms over the years, they are notoriously
stingy when it comes to taking care of their IT infrastructure. Almost all of
them are low-hanging fruit due to this. Especially as more and more of them
started getting rid of in-house people and began to solely use MSP types.

~~~
checkyoursudo
As someone who has done IT for law firms, administrated law firms, and owned a
law firm, I endorse this statement.

I have dealt with firms that pay tens of thousands per month in physical space
rental that will balk at the idea of a couple-few thousand _per year_ for
IT/web infrastructure/maintenance/etc.

Lawyers are probably not especially more cheapskate than other people, but I
would not exactly be surprised if we are.

------
r3bl
Something that came into my mind after reading this:

Let's say your name is Jon Doe and you've purchased domain.tld that was
previously used by some company. So you create for yourself jon@domain.tld, and
figure out that the previous owner had an employee named Jon that used it as a
primary or secondary email across dozens of the most popular services.

How the hell do you proceed with your account creation?

The entirety of the web is built on the notion that email addresses are
unique, but there are multiple cases in which that might not be the case. What
are your options then? jon2@domain.tld?

~~~
Freak_NL
Add a tag:

    jon+servicename@domain.tld

If the service will accept that of course. It's perfectly valid, and you'll
know if it works when you get the confirmation email.

~~~
bdcravens
While common, I don't think this is a standard, so it will vary by service
provider or email server. According to spec, "+" can be a valid part of an
email address:

    Without quotes, local-parts may consist of any
    combination of alphabetic characters, digits, or any of
    the special characters

        ! # $ % & ' * + - / = ?  ^ _ ` . { | } ~

[https://tools.ietf.org/html/rfc3696#page-5](https://tools.ietf.org/html/rfc3696#page-5)

------
ihon
I recently registered a domain name and set wild card email forwards to my
yahoo address. I suddenly start receiving emails with confidential attachments
(like employee/vendor payment settlements, disbursements, hr communications,
etc.). These emails are from a very large company. I recognized we had
phonetically similar sounding domain names. Only one letter was different.
Whenever somebody misspelt the domain name in the email, I got that email.

~~~
badideaprojects
This is known as typo-squatting and is not always done accidentally.

An interesting related technique is known as bit-squatting where you register
domain names of a target company 1 bit different from the original.

It can be used for receiving emails, phishing sites, capturing internal DNS
requests that have gone rogue due to bit errors (due to anything from hardware
errors to cosmic rays).

There is a really good talk by Artem Dinaburg from Blackhat about it (first
talk about it? I think)
[https://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf](https://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf)
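
An added example (not part of any comment in this thread, and not code from Dinaburg's paper): enumerating the one-bit-flip neighbours of your own domain's registrable label, so a defender can register them pre-emptively or feed them to DNS and certificate-transparency monitoring. It assumes only the ASCII hostname rules (letters, digits, hyphen; no leading or trailing hyphen) and treats case flips as the same name, since DNS is case-insensitive.

```python
import string

# Characters permitted in a DNS hostname label (RFC 952 / RFC 1123), lowercase only,
# because a bit flip that merely changes case resolves to the same name.
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_labels(label: str) -> list[str]:
    """Return every DNS-valid label that differs from `label` by exactly one bit.

    A memory or bus error that flips a single bit in a cached hostname can turn
    requests for 'example' into requests for one of these neighbours, so they are
    the names a defender wants to own or watch.
    """
    label = label.lower()
    neighbours = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Discard flips that leave the hostname alphabet (e.g. 'a' -> '!')
            # or only change case ('a' -> 'A').
            if flipped not in VALID_LABEL_CHARS or flipped == ch:
                continue
            candidate = label[:i] + flipped + label[i + 1:]
            # Labels may not begin or end with a hyphen.
            if candidate.startswith("-") or candidate.endswith("-"):
                continue
            neighbours.add(candidate)
    return sorted(neighbours)


def bitsquat_domains(domain: str) -> list[str]:
    """Apply the flip to the registrable label only, keeping the suffix intact.

    'example.com' -> ['axample.com', 'dxample.com', ...]; the TLD is left alone
    because you cannot register a typo of '.com' yourself.
    """
    label, _, suffix = domain.lower().partition(".")
    return [f"{variant}.{suffix}" for variant in bitsquat_labels(label)]


if __name__ == "__main__":
    # Constructed sample domain; swap in your own to build a monitoring list.
    for name in bitsquat_domains("example.com"):
        print(name)
```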

~~~
jstanley
I had a look through the paper, that's very interesting!

The talk is available here
[https://www.youtube.com/watch?v=9WcHsT97suU](https://www.youtube.com/watch?v=9WcHsT97suU)

------
godzillabrennus
I bought a four character dot com domain after it had failed to be renewed by
a Bank.

Let’s just say that setting up a catchall for that domain generated countless
hours of entertainment.

Highly unsophisticated people will put the dumbest things in emails to their
bankers.

On the other hand there were rare heartbreaking instances where families would
beg to find a way to keep their homes or cars.

I always forwarded those on to the intended recipient.

~~~
bkor
Isn't the name of a bank usually trademarked? And aren't trademarked domains
often much easier to dispute? A bank could take back the domain much more easily, no?

~~~
dazc
Since he mentioned it was a 4-letter domain, it could be the bank had a mark
for a longer name but used the LLLL for customer convenience? The fact they
failed to renew suggests it wasn't an acronym in common use - like HSBC, for
example.

~~~
godzillabrennus
Yes. It was an abbreviation for the bank and it was a small regional bank in a
rural area that eventually folded into another company.

------
akeck
Whether he's in the clear or not, this sounds like an excellent way to get
sued.

~~~
gnu8
Yeah definitely the wrong people to piss off.

~~~
ahje
Someone using this in order to take criminal advantage of the previous owner's
email address will most likely be using a fake identity, and most likely not
care about lawsuits.

------
GiuseppaAcciaio
Am I the only one incensed at the fact that unlike haveibeenpwned, spycloud
stores the passwords in the database, right next to the usernames?

------
bestnameever
He sure took it to a whole other level by accessing third party sites and
accounts using the hacked credentials.

~~~
tekacs
They didn't actually access those accounts, they only verified that they
could. Definitely more likely to get peoples' hackles up, but worth bearing in
mind. Quote:

> As for all other services, we did not complete the final step of the
> password resets for privacy reasons meaning we did not log into or take over
> the user accounts, or access any information stored in online services,
> although we could have.

~~~
cormacrelf
>> We did not complete the final step ... for privacy reasons

But they did read a ton of email they knew was private? Censoring it for
public consumption doesn't change the fact that they accessed it.

Anybody doing this kind of thing in Australia should be familiar with the
'Cybercrime Act 2001' model. In NSW it is implemented in Part 6 of the Crimes
Act 1900, and other states also mirror the Cth legislation with various
modifications. Some of these (eg Criminal Code 1995 (Cth) s 478.1 / Crimes Act
1900 s 308H) are absolute liability offences, so it is not necessary to prove
anything about your intent. Read the definitions in, eg, Criminal Code 1995 s
476.1 for how broad they go ('guided or unguided electromagnetic energy').

The federal offences have to be within the constitutional limits on Cth
legislative power, so they 'only' apply to Cth computers/data or when 'the
access to, or modification of, the restricted data is caused by means of a
carriage service', i.e. The Internet. So they can usually be applied.

These provisions are extremely broad, so there's a lot resting on
prosecutorial discretion. Nobody can say for sure whether these things breach
the act, but there are plenty of ways to interpret the provisions and cast the
actions within them. For example, they might have impaired the electronic
communication to or from a computer per s 477.3, and it's not like they were
asking anyone first. Also 'here are some private emails we received' is just
so plausibly within 'unauthorised access to restricted data'. Probably talk to
a lawyer before hitting the big Publish button on Medium Dot Com, and maybe
refrain from actually deliberately receiving people's emails, especially when
everyone already knows that email compromise = everything and there's nothing
to prove.

[https://www.legislation.gov.au/Details/C2018C00298/Html/Volu...](https://www.legislation.gov.au/Details/C2018C00298/Html/Volume_2#_Toc520809589)

[http://www6.austlii.edu.au/cgi-bin/viewdb/au/legis/nsw/consol_act/ca190082/#s308](http://www6.austlii.edu.au/cgi-bin/viewdb/au/legis/nsw/consol_act/ca190082/#s308)

