In August 2019 a well-known computer magazine published an online article referring to ifa-codes.com. Readers were told to bookmark this domain in advance and be ready to enter a coupon code printed in the magazine in order to get a free ticket to the IFA convention. When we clicked the link we noticed that the domain had no A or CNAME record yet.
Querying it with dig from a terminal confirmed this: the response contained no ANSWER section at all.
We were able to register the domain through our favorite registrar, as it was unused and available. After lots of ideas, ranging from a fake scam page to a rick-roll redirect, we opted not to put up any website and just left the domain without a valid record. Unfortunately we could not find the right person to contact about the issue either; after all, the domain was supposed to provide some front end for the magazine's readers to get their vouchers.
A few days later the managing director of IFA contacted us and said he really wanted to buy the domain from us. They had already registered “ifa-code.com” (singular; note the missing ‘s’), but somewhere along the line of communication with the computer magazine someone added that ‘s’. People make mistakes; nothing new here.
Being the “white hat” kind of people, we immediately set up a permanent redirect to the real domain so that readers could start using the website and the computer magazine did not have to recall the issue. We did this free of charge and signed a contract promising not to change the redirect while the promotion is running. As a thank-you, the managing director invited us to the IFA convention at IFA's expense. Thanks for that!
What could have happened?
If the website had not been about entering a code from your favorite computer magazine but about ordering goods and/or making payments, this could have been much, much worse. Whoever registers the domain receives every form submission sent to it, so an attacker could simply store all the address and credit card data entered there and sell it or use it to make payments on your behalf.
If the attacker stores your data and then redirects you to the legitimate website, you would probably not even notice: you would re-enter your data there and everything would look normal. Ready-made, open-source phishing kits ship with pixel-perfect clones of the most popular login pages (see the link at the end of this post) and combine trivially with a domain takeover. A real-looking URL with valid HTTPS and a real-looking login form can trick even experienced users into handing over their credentials.
How should I protect myself?
Admittedly, following a link cross-origin (from a magazine to something NOT ending in the magazine's domain) and being sure that both websites belong to the same company is hard. Just looking for HTTPS (TLS, formerly SSL) is not enough: the padlock only proves that the traffic is encrypted and that you are talking to whoever controls that domain name. If the domain itself belongs to the attacker, the certificate is perfectly valid. Imprint (Impressum) pages don't have to be correct either and can simply be copied from the legitimate website.
If you enter payment information, prefer staying in the same domain context (something.computermagazine.com) or use a trusted payment provider such as PayPal or SOFORT, so the shop never sees your card details.
If you enter personal information, use an identity provider such as Verimi or one of the many social logins, and make sure to share only the information that is actually required.
A far more common form of domain takeover is the hostile subdomain takeover. This attack targets users of services that let you register a subdomain under the service's own domain. Think of something like my-awesome-software.github.io or supercompany-registration.herokuapp.com. Getting such names is fast and easy, and links to them get spread all over the internet. But if you later delete your subdomain, because you stopped maintaining my-awesome-software or because supercompany no longer accepts new registrations, you WILL open a hole and make that name susceptible to a hostile subdomain takeover.
At that point anyone can register the freed name at GitHub or Heroku, and all the links spread across the internet suddenly point to whatever page the attacker hosts there. And yes, it will have valid HTTPS as well. It gets worse if your own DNS still contains a CNAME record pointing at the deleted name (www.supercompany.com → supercompany-registration.herokuapp.com, for example): the attacker's content is then served under your own domain. The takeaway is to remove such CNAME records before you delete the service behind them, and to check your zones regularly for CNAMEs whose target no longer resolves.
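The following is an added example, not code from the original post, that turns the two checks described above into a small script: the "no ANSWER section" check that revealed ifa-codes.com was unclaimed, and the dangling-CNAME check that catches a hostile subdomain takeover before it happens. To keep it runnable offline, DNS resolution is abstracted behind a callable fed from a constructed zone (the supercompany.com names, the provider suffix list and the 203.0.113.0/24 addresses are all assumptions); for real use, replace `fake_resolve` with a resolver built on dnspython or on parsed `dig +noall +answer` output.

```python
"""Dangling-DNS / subdomain-takeover checker (added example, not from the post)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Provider suffixes where an unclaimed name can be registered by anyone.
# Assumption: an illustrative list, not an exhaustive one.
CLAIMABLE_SUFFIXES = (".github.io", ".herokuapp.com", ".azurewebsites.net")

# A resolver maps a hostname to its records ({"A": [...], "CNAME": [...]}),
# or returns None when the name yields no answer at all (NXDOMAIN).
Resolver = Callable[[str], Optional[Dict[str, List[str]]]]


@dataclass(frozen=True)
class Finding:
    name: str          # the name you own or link to
    target: Optional[str]  # CNAME target, if any
    severity: str      # "high" or "medium"
    reason: str


def check_cnames(records: Iterable[Tuple[str, str, str]], resolve: Resolver) -> List[Finding]:
    """Flag CNAMEs in your own zone whose target does not resolve.

    A non-resolving target under a claimable provider suffix is the exact
    precondition for a hostile subdomain takeover, so it is rated high;
    any other dangling CNAME is still worth cleaning up and is rated medium.
    """
    findings: List[Finding] = []
    for name, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        target = value.rstrip(".")
        if resolve(target) is not None:
            continue  # target still answers: nothing dangling here
        claimable = target.endswith(CLAIMABLE_SUFFIXES)
        findings.append(Finding(
            name, target,
            "high" if claimable else "medium",
            "CNAME target does not resolve"
            + (" and sits under a provider where anyone can claim it" if claimable else ""),
        ))
    return findings


def check_unresolvable(hostnames: Iterable[str], resolve: Resolver) -> List[Finding]:
    """Flag names you publish links to that return no A/CNAME answer.

    This is the ifa-codes.com situation: a name advertised to readers that
    nobody has set up (or registered) yet. Note that a plain 'no ANSWER
    section' from dig cannot tell NXDOMAIN from a registered-but-empty
    name, so an unresolvable name is a prompt to check the registry, not proof
    that it is available.
    """
    return [
        Finding(h, None, "high", "no A/CNAME answer for an advertised name")
        for h in hostnames
        if resolve(h) is None
    ]


# --- constructed sample data (not real zones) ---------------------------------
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "docs.supercompany.com": {"CNAME": ["supercompany.github.io."]},
    "supercompany.github.io": {"A": ["203.0.113.17"]},
    "mail.supercompany.com": {"A": ["203.0.113.25"]},
    "ifa-code.com": {"A": ["203.0.113.10"]},
    # supercompany-registration.herokuapp.com was deleted: no entry -> NXDOMAIN
    # ifa-codes.com was never registered:                no entry -> NXDOMAIN
}


def fake_resolve(name: str) -> Optional[Dict[str, List[str]]]:
    """Offline stand-in for a DNS lookup; None models NXDOMAIN."""
    return FAKE_DNS.get(name.rstrip("."))


OWN_RECORDS = [  # the zone file of supercompany.com, as you would export it
    ("www.supercompany.com", "CNAME", "supercompany-registration.herokuapp.com."),
    ("docs.supercompany.com", "CNAME", "supercompany.github.io."),
    ("shop.supercompany.com", "CNAME", "shop.example-cdn.net."),
    ("mail.supercompany.com", "A", "203.0.113.25"),
]
ADVERTISED_NAMES = ["ifa-codes.com", "ifa-code.com"]  # what the print article links to


if __name__ == "__main__":
    for f in check_cnames(OWN_RECORDS, fake_resolve) + check_unresolvable(ADVERTISED_NAMES, fake_resolve):
        print(f"[{f.severity.upper()}] {f.name} -> {f.target or '-'}: {f.reason}")
```

Run against a real zone export, this reports every CNAME that should be removed before (or because) the service behind it was deleted, which is the cheapest defence against the attack described above.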
Be safe! Take care!
- Phishing kit mentioned above: HiddenEye (https://github.com/DarkSecDevelopers/HiddenEye)