Managing domain names is a task that enterprises often leave to the marketing department rather than the security team.
Yet expired – or ‘dropped’ – domains can pose a real security risk. Cybercriminals can hijack redundant domains and use them to carry out a range of attacks against organizations.
These range from phishing and business email compromise to ransomware and supply chain attacks. Almost any compromise where an attacker uses an ostensibly legitimate identity to overcome defences is made easier by taking over an expired domain.
Why domains are left to expire
Organizations allow domains to expire for a number of reasons. Sometimes it’s a simple mistake: a domain renewal is overlooked because a payment method has expired or the renewal contact has moved on.
But domains also drop because a brand is no longer being used, because they were set up for test and development purposes, or because they belong to a business or product that has been acquired by another company.
In April 2021, for example, Google’s Argentina domain was acquired by web designer Nicolas Kurona for a mere £2 ($2.90). The domain was quickly transferred back to Google, and there is no suggestion Kurona intended to misuse it – but it shows how easy it is to lose control of such a key, high-value asset.
“Organizations have multiple domains, and you’d expect quite a bit of governance and care around the main domain,” Phil Robinson, principal consultant and founder of Prism Infosec, told The Daily Swig.
Domains for subsidiaries or internal systems are harder to keep track of, however. “Through acquisitions, if you’re not careful you could end up with a domain that has fallen between the cracks which could then expire,” he warns.
This could then be registered by others, to use as they please.
Domains can be ‘dropped’ because of oversights or because a brand has been abandoned or acquired
What happens to expired domains?
Domain expiration follows a set process. Every domain has an expiry date on its WHOIS record. Once that date is reached, there will usually be a renewal grace period; this varies from registrar to registrar.
After that there is a redemption period, where the domain can still be reclaimed, and then a five-day ‘pending delete’ period. Subsequently it’s added to a domain drop list, which criminal hackers are known to trawl for promising targets, before being made available to buy on the open market.
How might a malicious hacker exploit an expired domain?
Cybercrooks can use dropped domains for any attack vector that exploits an organization’s identity, such as account takeovers or phishing campaigns that leverage false business invoices.
Criminal groups have even set up mail servers using expired domains. In turn, these can be used to gain access to social media accounts associated with the expired domain, or more worryingly, web services and SaaS applications.
“There are many ways attackers can use old domains to their advantage,” Tom McVey, solution architect at cloud security platform Menlo Security, told The Daily Swig.
“For example, a manufacturing organisation could forget to renew their domain ‘manufactory.com’. Attackers could then purchase the domain and use it to host a website that’s built to look just like the manufacturer’s site – except every download link secretly contains infected files.
He adds: “They could also execute phishing and social engineering attacks by emailing past clients with what looks to be a legitimate and safe email address, [such as] sales@manufactory.com.
“The attackers essentially rely on the reputation of the domain to help increase the efficacy of their attacks.”
Hijacked domains are used for identity-based attack vectors such as account takeovers or phishing campaigns
There are other, more complex vectors, such as exploiting website scripts that call up the expired domain. In one blog post, for instance, Israeli cybersecurity company Reflectiz breaks down an attack on stolen data site WeLeakInfo, as well as script-based attacks.
In a separate post, security expert Gabor Szathmari looks at how expired domains could be used to attack businesses – in this case, law firms in Australia.
Researchers, Szathmari recounted, had proved that by setting up a catch-all email server, they could gain access to a legal practice’s Office 365 and G Suite accounts, and from there confidential documents. The potential for bad actors to abuse dropped domains, the security consultant argued, is extensive.
How to check whether a domain is expired or expiring
The best way to avoid dropped domain attacks is to have a robust system for domain management. Security teams should work with others in the business, including developers and marketing teams, to ensure old domains are not left to expire. The cost of keeping old domains registered – and so protected – is small compared to the potential damage arising from not doing so.
Firms could consider commercial domain monitoring, or free services such as Expired Domains.
Penetration tests should also identify systems linked to expired domains, so that dependent systems are shut down or reconfigured. And, as Menlo Security’s Tom McVey points out, ‘zero trust’ and similar architectures can reduce the threat by removing trust for legacy domains and systems.
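As an added example (not part of the original article), a small Python audit that parses WHOIS expiry dates for an inventory of domains and maps each onto the expiry lifecycle described above, flagging those that need attention. The 30-day grace and redemption lengths are assumptions (the grace period varies by registrar), and the domain names and WHOIS snippets are constructed.

```python
import re
from datetime import date, datetime, timezone

# Assumed lifecycle lengths (days). The registrar grace period varies, as the
# article notes, so treat these as configuration for your own registrar.
GRACE_DAYS, REDEMPTION_DAYS, PENDING_DELETE_DAYS = 30, 30, 5

EXPIRY_RE = re.compile(r"^\s*(?:Registry Expiry Date|Expiration Date):\s*(\S+)", re.I | re.M)

def parse_expiry(whois_text):
    """Pull the expiry timestamp out of raw WHOIS output; None if absent."""
    m = EXPIRY_RE.search(whois_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lifecycle_stage(expiry, today):
    """Map an expiry date onto active -> grace -> redemption -> pending delete -> dropped."""
    days_past = (today - expiry.date()).days
    if days_past < 0:
        return "active", -days_past          # days until expiry
    for stage, length in (("grace", GRACE_DAYS), ("redemption", REDEMPTION_DAYS),
                          ("pending_delete", PENDING_DELETE_DAYS)):
        if days_past < length:
            return stage, length - days_past  # days left to reclaim in this stage
        days_past -= length
    return "dropped", 0                       # on the drop list / open market

def audit(inventory, today, warn_days=60):
    """Flag domains that are past expiry, close to it, or have no parsable expiry."""
    findings = []
    for domain, whois_text in inventory.items():
        expiry = parse_expiry(whois_text)
        if expiry is None:
            findings.append((domain, "unknown", None))
            continue
        stage, days_left = lifecycle_stage(expiry, today)
        if stage != "active" or days_left <= warn_days:
            findings.append((domain, stage, days_left))
    return findings

# Constructed WHOIS snippets for a hypothetical inventory; not real domains.
SAMPLE_INVENTORY = {
    "example-main.com": "Domain Name: EXAMPLE-MAIN.COM\nRegistry Expiry Date: 2022-03-15T12:00:00Z\n",
    "example-staging.com": "Domain Name: EXAMPLE-STAGING.COM\nRegistry Expiry Date: 2021-07-10T09:30:00Z\n",
    "example-acquired.com": "Domain Name: EXAMPLE-ACQUIRED.COM\nRegistry Expiry Date: 2021-05-12T04:00:00Z\n",
    "example-old-brand.com": "Domain Name: EXAMPLE-OLD-BRAND.COM\nRegistry Expiry Date: 2021-03-31T18:00:00Z\n",
    "example-dev.net": "Domain Name: EXAMPLE-DEV.NET\nStatus: ok\n",
}
TODAY = date(2021, 6, 1)  # fixed date so the run is reproducible
```

Calling `audit(SAMPLE_INVENTORY, TODAY)` reports the staging domain as expiring soon, the acquired one in its grace period, the old brand in pending delete, and the dev domain as unparsable; a domain with no expiry line is worth a finding in itself, since it usually means the record was never captured in the inventory.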
“This really isn’t a new problem and it illustrates organizations’ tendency to focus on their new shiny systems and forget about legacy systems or, in this case, domain names,” Jeff Goldberg, principal security architect at 1Password, tells The Daily Swig.
Domains, he adds, are often part of “shadow IT” that is registered legitimately by employees using individual email accounts, for development purposes or even to prevent phishing.
How to renew an expired domain name
If your domain name has expired, you should contact the registrar or reseller that provided your domain name registration services to find out how to renew the domain. You can ascertain your registrar of record by using this lookup tool, which is maintained by the Internet Corporation for Assigned Names and Numbers (ICANN).