Iron Bastion’s cybersecurity expert Gabor Szathmari, recently published novel research on abandoned domains, and how they are a significant cyber risk which threatens businesses and in particular the Australian conveyancing profession.

What is an Abandoned Domain Name?

A domain name is a name you can register to identify your business on the internet. For Australian businesses, this is typically a domain name ending in “.com.au”, such as “example.com.au”.

Annual registration fees are required to maintain ownership of a domain name. Conveyancing practices often end up with many of these domains and typically a low-level technical person becomes the person responsible for managing the domain name renewal. For smaller businesses, this can be clerical staff or the web design company hired to build the business’s website, or an outsourced IT support provider.

Domain name renewals can often be forgotten or considered to be a waste of money if the domain names are no longer in use because of a branding change, or company restructuring. Once someone stops paying for an internet domain name, after a certain grace period, it becomes available for anyone to re-register.

At this point, the domain is considered abandoned and anyone (including criminals with bad intentions) can re-register the abandoned domain with no additional identity or ownership verification whatsoever.

Abandoned Domains Provide Access to a Trove of Data

Once the domain is re-registered the abandoned domain can be set up for a ‘catch-all ‘email service meaning emails, often containing sensitive information destined for the previous owner, end up in the hands of a criminal. In addition, online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.

Consequently, the effect of seizing control over an abandoned domain (formerly belonging to a conveyancing firm) can be devastating for any business. Even if the practice has merged or wound-up emails can potentially end up on the criminals’ email server running on the former domain name of a conveyancing practice – as sensitive information and documents are often exchanged over emails between clients, colleagues, vendors, suppliers, and service providers.

Recent research published by security researchers, Gabor Szathmari and Jeremiah Cruz demonstrate that they were able to:

  • access confidential documents of former clients;
  • access confidential email correspondence;
  • access personal information of former clients;
  • hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
  • hijack professional user accounts of former staff by re-registering abandoned domain names belonging to former businesses.

What You Can Do to Protect Your Practice

As the news article published by the Australian Cyber Security Centre earlier this month summarises, the following steps should be taken to minimise the risk to your business:

  • Keep renewing your old domain name indefinitely and do not let them expire and be abandoned, especially if the domain name was once used for email.
  • Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
  • Unsubscribe to the email notifications which may feature sensitive data such as Text-to-email services and banking notifications.
  • Advise clients to update their address book.
  • Enable two-factor authentication, where the feature is supported for online services.
  • Use unique and complex passwords.

The best preventive measures you can take is relatively simple, as J.M. Porup from CSOOnline.com writes:

“Better safe than sorry. Domain names aren’t expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you’ll ever purchase”.

Your IT staff or IT service provider should never leave them to expire. If the domain name is already expired, unsubscribing from notifications that include sensitive details is an obvious course of action”, adds Bleeping Computer. “Closing the accounts that use the business emails, or at least disassociating them, is also a solution, albeit not all employees may heed the request.”

In summary, it is recommended that you Unsubscribe to email notifications which may features sensitive data and from online user accounts (e.g. LinkedIn, Facebook) when a business is about to be wound-up.

Finally, enabling two-factor authentication (2FA or MFA) where the feature is supported for online services is the most powerful security measure to protect your accounts from hostile password resets.

This article was written by Gabor Szathmari, cybersecurity expert at Iron Bastion.