Threat Intelligence Blog

Posted October 1, 2013

A wise man once said, “There is nothing new under the sun.” This has been proven true again in the recent attacks against several media company websites, including the New York Times, in which the Syrian Electronic Army (SEA) is believed to have used targeted phishing attacks, also known as “spearphishing”, against domain name registrars to fool employees into giving them access to the organizations’ accounts.

Phishing attacks against domain name registration companies, aka registrars, generally follow a well-known attack methodology. The process involves sending targeted phishing emails to individuals who control domain name registration and configuration accounts. In theory, if you can get access to the person who controls the domain names for an organization, you can control the keys to their online presence.

In 2008, attackers successfully phished credentials from the registrants of domain names at some of the top registrars, capturing hundreds of domain name management login credentials. The collection of stolen credentials happened to include the domain names of CheckFree Corp. (now known as Fiserv), an online check payment processing agent for many of the banks in the United States.

Phishing attacks against registrars allowed the bad actors to make bulk changes to DNS settings and redirect legitimate domain names to a server in Ukraine. Phishing against banks and other retail online businesses has become commonplace in the past decade. The same method of attack against registrars used in 2008 now appears to be the weapon of choice of the SEA.

The weakness in this attack methodology resides in the human factor: the registrar employees responsible for managing the domain names for various organizations. They were socially engineered into divulging critical data that allowed access to the domain name management environment. SEA apparently used the same tactics to get control of the New York Times’ domain name. According to Melbourne IT, the registrar of record, the attackers gained access to a reseller account on their system that contained the domain names of the New York Times and other organizations. This allowed the attackers to modify the DNS settings of those domain names and redirect traffic intended for them to another server for a period of time.

The following tips can help protect your organization from similar issues:

  • Make sure that anyone in your organization who has domain name registration login control is aware of this attack methodology. Don’t give out login information to your registrar or any other domain name management accounts you have. Make sure you know WHO has access to manage domain names at your organization. Develop and enforce policies and internal controls if you haven’t already.
  • Work with a reputable open source intelligence firm that provides monitoring and alerting of critical chatter and threatening online activities occurring online that may indicate your organization is being targeted.
  • Work with your registrar. Have them request that the registries for your domain names lock them with all three of the status settings below. Ensure that your registrar cannot complete the task of locking (or unlocking) domain names themselves. If they “have the keys” to make this happen, you’re not solving anything: a phished registrar account could simply remove the lock. Your registrar should be able to make the requests to the registries to have this done, but not be able to directly configure the settings themselves.
    • ServerDeleteProhibited: This status code means that the domain name cannot be deleted from the registry.
    • ServerTransferProhibited: This status code means that the domain name cannot be transferred from one registrar to another.
    • ServerUpdateProhibited: This status code tells the registry to reject requests to update name servers, update auth codes, or sync the domain name.

These EPP server status codes are only supported for domain names in the following top-level domains (TLDs): .com, .net, .org, .biz, .info, .mobi, .asia, .ca, .cc, .co, .cn, .de, .in, .me, .tv, .us, and .ws. Other TLDs and ccTLDs for other countries may support RRP: Registry-Lock statuses instead.
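As a worked example (added here, not part of the original post or any registrar’s tooling), the script below checks whether a domain actually carries the three registry-level locks listed above, and flags the case where only the registrar-level `client*` equivalents are set, which is exactly the situation the post warns about, since the registrar (or whoever holds its account) can remove those itself. It parses the `Domain Status:` lines of a WHOIS record and, going a step beyond the post, also accepts an RDAP response, mapping RFC 8056 status values such as `server transfer prohibited` back to their EPP names. The WHOIS line format, the RDAP mapping and the sample records are assumptions constructed for this example.

```python
import json
import re

# The three registry-level (server) locks the post recommends.
REQUIRED_SERVER_LOCKS = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}

# Registrar-level (client) locks look similar but can be removed by the
# registrar, i.e. by the very party whose account a phisher may compromise.
CLIENT_LOCKS = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}

# Assumed WHOIS layout: one "Domain Status: <code> <url>" line per status.
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


def statuses_from_whois(text):
    """Extract EPP status codes from the 'Domain Status:' lines of WHOIS output."""
    return set(STATUS_LINE.findall(text))


def statuses_from_rdap(rdap_json):
    """Map RDAP 'status' values (RFC 8056 style, e.g. 'server transfer prohibited')
    back to EPP camel-case codes (e.g. serverTransferProhibited)."""
    out = set()
    for value in json.loads(rdap_json).get("status", []):
        words = value.split()
        out.add(words[0] + "".join(w.capitalize() for w in words[1:]))
    return out


def assess_locks(statuses):
    """Return (fully_locked, missing_server_locks, client_only_locks).

    client_only_locks lists client* locks that have no matching server* lock,
    i.e. protection that depends entirely on the registrar's own account."""
    missing = REQUIRED_SERVER_LOCKS - statuses
    client_only = {
        c for c in CLIENT_LOCKS & statuses
        if "server" + c[len("client"):] not in statuses
    }
    return (not missing, sorted(missing), sorted(client_only))


# Constructed sample records (not real WHOIS/RDAP data).
WHOIS_LOCKED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

WHOIS_CLIENT_ONLY = """Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

RDAP_PARTIAL = json.dumps({
    "ldhName": "example.org",
    "status": ["server transfer prohibited", "client delete prohibited", "active"],
})


if __name__ == "__main__":
    for label, statuses in [
        ("example.com (whois)", statuses_from_whois(WHOIS_LOCKED)),
        ("example.net (whois)", statuses_from_whois(WHOIS_CLIENT_ONLY)),
        ("example.org (rdap)", statuses_from_rdap(RDAP_PARTIAL)),
    ]:
        ok, missing, client_only = assess_locks(statuses)
        print(f"{label}: registry-locked={ok} missing={missing} client-only={client_only}")
```

Running this on real records means feeding it the output of a WHOIS query or the JSON from your registry’s RDAP endpoint; the point is the distinction it makes, not the fetching. A domain that shows only `clientTransferProhibited` in WHOIS looks “locked” at a glance but fails this check, because that lock lives in the registrar’s account rather than at the registry.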

When considering protection for all of your domain names, work with your registrar and registry to properly configure the server lock status to protect your domain names from experiencing unauthorized modifications.
