When the venerable “perl.com” domain, which supports the Perl scripting language, went offline last week, there was some initial speculation that the domain had been allowed to lapse and had been opportunistically re-registered by a third party. However, after some detective work, a more sophisticated and troubling story is beginning to emerge.
It has been reported that “perl.com” and several other domains, amongst them “piracy.com”, were taken over via the Network Solutions account with which they were registered. To cover their tracks, the attackers then enabled privacy for the domain’s registration (“WHOIS”) data, switched the registration to a Chinese registrar, and finally reinstated the original public “WHOIS” registration data to obscure the change.
Once the attacker was in control of the domain, and with the real owner none the wiser, the domain was offered for sale at a fraction of its true value.
More worryingly, in the case of perl.com, as well as hosting a Perl website, the domain was used as an alternate distribution channel for Perl libraries. Disturbingly, the IP address to which it currently points has been used in the past to distribute malware. This exposes the potential for a “supply chain attack”, in which a compromised upstream supplier unwittingly distributes malware over what is supposed to be a trusted channel.
Control of a domain gives an attacker control of its DNS, which, as well as disabling existing resources, can be used for phishing and malware attacks. A domain stolen in this manner can generally be recovered, but recovery can take a considerable time: even though these are high-profile domains and the registrar has acknowledged that this is a case of theft, the “perl.com” site is still down after nearly a week.
Theft of domains, as well as of social media and other accounts, is a concern for any business with an internet presence, raising issues from governance down. There are a number of simple steps that a business can take to manage the risks, including using functional (role-based) email addresses for account management, and enabling two-factor authentication to secure the accounts, as well as the email accounts that are used to manage them.
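One further step is to watch a domain's registration data for exactly the pattern described above: the registrar and name servers change while the registrant details are restored to look untouched. The following is an added example, not code from the original post or from any registrar; it compares a constructed baseline record against a constructed current record in the flat "key: value" shape that WHOIS/RDAP output is commonly reduced to, and flags each watched field that differs (in practice the current record would come from a periodic WHOIS or RDAP lookup).

```python
"""Detect silent registrar / name server changes to a monitored domain."""

# Constructed sample records (placeholder values, not real registration data).
# The baseline is the snapshot taken when the domain was known to be under
# the owner's control; the current record mirrors the hijack pattern above:
# registrar moved, transfer lock gone, new name servers, registrant untouched.
BASELINE_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Domain Status: clientTransferProhibited
Registrant Organization: Example Org
Registrant Email: domains@example.com
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""

CURRENT_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar B
Domain Status: ok
Registrant Organization: Example Org
Registrant Email: domains@example.com
Name Server: NS1.UNKNOWN-HOST.EXAMPLE
Name Server: NS2.UNKNOWN-HOST.EXAMPLE
"""

# Fields compared independently, so a restored registrant block cannot mask
# a registrar or name server change.
WATCHED_FIELDS = ("Registrar", "Domain Status", "Registrant Organization",
                  "Registrant Email", "Name Server")


def parse_record(text):
    """Flatten a 'key: value' record into {field: set of lowercased values}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), set()).add(value.strip().lower())
    return fields


def diff_registration(baseline, current, watched=WATCHED_FIELDS):
    """Return [(field, old_values, new_values)] for watched fields that changed."""
    old, new = parse_record(baseline), parse_record(current)
    changes = []
    for field in watched:
        before, after = sorted(old.get(field, ())), sorted(new.get(field, ()))
        if before != after:
            changes.append((field, before, after))
    return changes


def registration_alerts(baseline, current):
    """Human-readable alert lines, one per changed field (empty list = no change)."""
    return [f"{f}: {old} -> {new}" for f, old, new in diff_registration(baseline, current)]


if __name__ == "__main__":
    for line in registration_alerts(BASELINE_RECORD, CURRENT_RECORD):
        print("ALERT", line)
```

Run against a real domain, any non-empty result should be treated as an incident until the change is confirmed with the registrar out of band, since the registrant fields alone may look correct.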
If these issues are a concern in your organisation, please contact us to find out how our Security Operations Centre can proactively monitor your network for suspicious activity.