Don't abandon your domain to cyber criminals

DNS
ACSC
Cyber security

Losing control of your email service is devastating, even if your company has merged or shut down. A domain name is a core foundation of every business and email is an essential service.

Allowing corporate domain names to expire puts businesses at risk, potentially exposing clients’ personal and confidential information, client-legal privileged information and financial details.

Domain name abandonment allows cyber criminals to gain access to, or reset passwords for, online services and profession-specific portals, according to independent cyber security researcher Gabor Szathmari.

Domain name abandonment is not a well-known security risk; however it can cause lasting reputational damage to individuals and businesses.

Pandora's box

Email, besides being used for communication, is required for signing up for online services.

People often change jobs and end up with multiple user accounts on these services, with the old user accounts often abandoned. Online services usually rely on a single factor to reset passwords, that is, only an email address may be required to regain access if the password is forgotten.

So whoever has control over the domain and is able to set up a basic email service can capture password reset emails.

By taking full control over previously abandoned domain names formerly belonging to legal practices, the researcher claims to have accessed:

  • confidential documents of the former clients
  • confidential documents of the former practice
  • confidential email correspondence
  • personal information of former clients.

Further, he claims that the research showed it would be possible to:

  • impersonate legal practitioners to defraud former clients and fellow practitioners;
  • regain access to the former legal practices Office 365 and G Suite account, potentially gaining access to any email and documents not deleted on the platforms
  • hijack personal user accounts, such as LinkedIn and Facebook, of the legal professionals practising in their new jobs.

Protect yourself and your clients

To prevent this from happening to your business, the researcher recommended that you:

  • keep renewing their former firm’s domain name indefinitely
  • close user accounts that were registered with the business email address (e.g. Dropbox, Commonwealth Courts Portal, PayPal)
  • change or remove the business email address from online user accounts (e.g. LinkedIn, Facebook)
  • unsubscribe from email notifications that usually features sensitive data (Text-to-email services, mobile phone billing notifications)
  • advise your clients to update their address book
  • enable two-factor authentication (2FA or multi-factor authentication) where the feature is supported for online services
  • use unique and complex passwords.

Essential mitigation strategies can be found in our Essential Eight.

For more information or advice, email ASD.Assist@defence.gov.au or call us on 1300 CYBER1 (1300 292 371).

Date
September 11th, 2018

Related content