back to article Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants' website

A forgotten subdomain on PricewaterhouseCoopers' dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records. Developer and security researcher Vitali Fedulov told The Register this week he has twice now found the pwc.com subdomain hosting a …

  1. SuperGeek

    PwC

    Porn with Compromise?

    1. sanmigueelbeer Silver badge

      Re: PwC

      Porn, we come.

    2. Anonymous Coward
      Anonymous Coward

      Re: PwC

      Problems with Clients might be more apt for PwC, given how many they have lost in the past year.

      1. JimboSmith Silver badge

        Re: PwC

        E&Y were my accountants for years then they did something dumb and pissed me off. They invoiced me after the VAT rate had gone back up to 20% despite having completed all the work well before that. When I was looking for another firm to replace them a mate warned me off PWC. Subsequently owing to a change in circumstances I didn't need such a large firm and a much smaller one deals with everything now.

    3. razorfishsl Silver badge

      Re: PwC

      Pen** With C**ts

    4. Francis Boyle Silver badge

      Re: PwC

      Probably will Cock-up!

    5. HildyJ Silver badge
      Devil

      Re: PwC

      Damn. That was supposed to be an internal website for bored auditors.

  2. Dave 126 Silver badge

    In other news, theregister.co.uk served up ads for a scam company two days ago - one claiming that £800 iPhones are surplus stock and must be sold for £89.

    This isn't the Reg's usual policy, so assuming it slipped through the net at this time when people's minds may understandably be on other things.

    1. Joe Drunk

      El Reg most likely don't serve the ads themselves but, as is the case with practically every website that serves ads, relies on a third party and therefore have little to no control over what ads are shown on this site.

      As I block all content I deem of no use to me I never saw the £89 iPhones or any other exciting offers from anywhere else on the internet.

      1. quxinot Silver badge

        And this, right here, is why adblock is an absolute requirement for any internet-displaying device.

        Advertisers say that they've cleaned their act up.... but if it's not every last one, with no bad actors, then they all get painted with the same brush--and for good reason.

  3. Franklin

    The domain amyca-dev-node.azurewebsites.net now has a Web page that says "Comming Soon." Not sure if it was placed there by the miscreants or by PwC, but somebody certainly can't spell!

    1. Jedit
      Coat

      "somebody certainly can't spell!"

      Indeed. It's supposed to be "cumming".

      (Mine's the dirty rainmac.)

  4. tiggity Silver badge

    Really?

    "something that will put a dent in a company's prestige and trust."

    In what universe do people regard PWC as trustworthy & prestigious?

    All the big bean counters have plenty of past history of being asleep at the wheel / turning a blind eye (depending if you regard it as a mistake or deliberate to keep the money rolling in) and missing major issues when auditing companies

    1. IGotOut Silver badge

      Re: Really?

      In what universe do people regard PWC as "trustworthy & prestigious?"

      The same one where Gartner's "Magic Quadrant" is seen as guide to who you should spend your money with.

    2. Fred Dibnah Silver badge

      Re: Really?

      "...the company could see its reputation suffer from being associated with these shady pages..."

      I agree, if I ran a porn company I wouldn't want to have anything to do with PWC.

    3. Anonymous Coward
      Anonymous Coward

      Re: missing major issues when auditing companies

      "missing major issues" is a bit of an understatement. But hey, great tactic, applied across the financial sector: if major crime is uncovered (unlikely, but we're all humans, eh), this or that reputable business blames a "rogue employee", strikes a deal with a gov, denies liability, pays a nominal fine, carries on merrily. Quietly making sure new leaks are that much likely.

      1. sitta_europea

        Re: missing major issues when auditing companies

        "... blames a "rogue employee", strikes a deal with a gov, ..."

        The UK's National Enterprise Board funded my startup's expansion when it was four people in John's attic in Eynsham and ten thousand turnover, and wanted to take its profits now it was twenty-four people in a rented unit round the back of Tesco's on Cowley Road and a million turnover.

        In the heady days of 1981, people were saying that the riskier the project sounded, the more likely a public offering was to succeed on the Denver penny stock market. But I called out my fellow directors for trying to scam investors in our planned flotation. By now I was the only one left of the original four, and the new guys were going to claim in the prospectus that our company was projecting sales of more than twice (what I never tired of telling them was) our production capacity. It wasn't really about what we could make, it was about what components were available on the world market to make the products with. There just wasn't enough of one particular part to make what they were claiming we would make, and ramping up production at the (two) suppliers would take many months, if not a few years, because they were sensible and they weren't about to throw all their eggs in this particular upstart's basket.

        I refused to sign up to it. I was the only one who said "No, this isn't right, we can't do this".

        I was standing up against seasoned business types in their forties, fifties and sixties (some were flying around on Concorde doing what they called "due dilligence", but in reality just racking up huge expense account bills) and one of the big five accounting firms you've all heard about - the one that surrendered its licenses in 2002, as it happens. I was twenty-eight, and living in a caravan while I was building a house in my spare time. It nearly cost me my sanity.

        Eventually, after a showdown, threats against my property, my resignation, and ultimately a front page headline in the Rocky Mountain News about an investigation by the SEC (incidentally that was the first fax that I ever saw), the public offering did not go ahead.

        It did cost me my dreams, and a small fortune, but I kept my integrity.

        Unrepentant, the guy representing NEB said to me later, "What if it had worked, Ged?"

        Nothing, as far as I can tell, has changed since 1981.

        1. Rich 11 Silver badge

          Re: missing major issues when auditing companies

          Greed, they want you to say, is good. Except it isn't.

          Good on you, Ged.

        2. Intractable Potsherd Silver badge

          Re: missing major issues when auditing companies

          A fine and heartening example of ethics being applied to business. It is a shame that you were driven out of business by inveterate liars, though. Thanks for recounting the story!

  5. Anonymous Coward
    Anonymous Coward

    I don’t understand...

    ...how this was actually done. I’ve registered many domains and all the sub-domains belong to me, as far as I am aware.

    It’s up to me if I activate any sub-domains. How can any other entity go to a registrar and register one of my sub-domains, ergo at whatever.pwc.com ?

    Thanks for any enlightenment!

    1. JimboSmith Silver badge

      Re: I don’t understand...

      Thanks for any enlightenment!

      That answer is in the article

      The subdomain, when created by PwC, pointed to amyca-dev-node.azurewebsites.net, a custom Microsoft Azure subdomain created by the bean-counters to host some kind of API development system in the cloud. At some point, the accountancy goliath let its amyca-dev-node subdomain expire or lapse, allowing a miscreant to register it. When people, and search engine bots, visited amyca-devapi.pwc.com, they would be directed to the hacker-controlled amyca-dev-node.azurewebsites.net, which contained anything the miscreant wanted – in this case, a revolving set of risque ads.

      In other words, there was no intrusion of the PwC network itself, or any other part of the dot-com site, just some DNS trickery and a forgotten Azure subdomain that someone swooped in and re-registered for themselves.

      Hope that clears things up for you.

      1. Alister Silver badge

        Re: I don’t understand...

        Hope that clears things up for you.

        Not really. You don't, as a rule, "register" subdomains in any way, and therefore they can't expire or lapse unless the root domain does.

        You register a domain with a Registrar, and then you create subdomains by adding A (or AAAA) records in the DNS.

        the accountancy goliath let its amyca-dev-node subdomain expire or lapse, allowing a miscreant to register it

        This bit is total bollocks.

        1. Victor Ludorum
          Facepalm

          Re: I don’t understand...

          I think it's a bit ambiguous, but the way I read it is that PwC let their amyca-dev-node Azure subdomain lapse, but their amyca-dev PwC subdomain was still pointing to it. Someone worked this out and set up a new Azure subdomain.

          1. Tom 38 Silver badge

            Re: I don’t understand...

            1: PwC create an azure site foobar.azurewebsites.net

            2: PwC setup that site in their DNS: foobar.pwc.com. CNAME foobar.azurewebsites.net.

            3: PwC let the azure site lapse, but leave the DNS entry

            4: foobar.pwc.com now resolves to something that doesn't exist

            5: Attacker scans pwc's DNS zone for azure domains that no longer resolve

            6: Attacker registers foobar.azurewebsites.net for themselves and adds miscreant code - session jacking, etc

            7: Because they control the website, they can register letsencrypt certs

            8: Use high value, trusted domain as link farm

            As I outlined in a post below, this is entirely avoidable by MS, and not the first time this has happened. Even some MS sites got jacked (iirc some windows.com subdomains).

            (edit: https://www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/ )

            (and https://www.theregister.co.uk/2019/01/23/office_365_network_hole/ )

            It's like they don't know what they're doing...

            1. Rich 11 Silver badge

              Re: I don’t understand...

              7: Because they control the website, they can register letsencrypt certs

              Woah, hang on. I can understand Let's Encrypt issuing a cert for foobar.azurewebsites.net but can (and would) they do that for foobar.pwc.com in this situation?

              What I've read about LE in the last two years hasn't encouraged me to use them at all, but I didn't think there was a gaping hole that wide.

              1. Tom 38 Silver badge

                Re: I don’t understand...

                LE operates on the concept that if you can control what appears on https://foo.bar.com/, you can have a cert for foo.bar.com. Only if you want a wildcard cert do you have to be able to add a DNS record.

        2. JimboSmith Silver badge

          Re: I don’t understand...

          How I read it was that PWC had their subdomain directing visitors to another sub domain on the azurewebsites.net (AW.Net) which they don't own. That had originally had some PWC stuff on it but they hadn't kept up the payments/decided they didn't need anymore. So some miscreant had taken over the AW.Net subdomain and the naughty stuff was on that site. However PWC didn't remove the redirect from their subdomain to the AW.Net subdomain.

          1. chuBb. Bronze badge

            Re: I don’t understand...

            CName record on the PWC domain pointing to azurewebsites.net

            https://en.wikipedia.org/wiki/CNAME_record

            https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

        3. Anonymous Coward
          Anonymous Coward

          Re: I don’t understand...

          Its not an A Record, he's effectively stumbled on what is most likely an errant CNAME.

          Embarassing? Yes. But a security risk or breach, hell no!

          In what world does that constitue a bug bounty? To me, this just tarnishes the incredible and complex work that proper security researchers do, not to mention the fine line they walk!

          1. Tom 38 Silver badge

            Re: I don’t understand...

            Is it a security hole? You betcha, you can capture domain cookies, which could lead to privilege escalation on other pwc websites.

            1. Stuart Castle Silver badge

              Re: I don’t understand...

              Potentially a massive security hole. I don't know what client services PwC offer online, but it's entirely possible someone could have set up a fake website to find people's details. That website would appear to be part of the main website. Most people, in my experience, assuming they even look, would just see the company name, then .com on the end of the URL and assume they are dealing with the right people. It might also pass any security checks for https

              A simple mistake, on PwC's part, but one that should *not* have happened. At all.

        4. razorfishsl Silver badge

          Re: I don’t understand...

          nope.. they had a shitty re-direct.....

          Which they failed to remove.....

      2. Pascal Monett Silver badge

        Right, so basically PwC created a sub-domain, decided not to keep it alive, and someone else took control. That's not hacking in any way, shape or form.

    2. Hawkeye Pierce

      Re: I don’t understand...

      My guess is you're all wrong (as is the article).

      If you go and host something on Azure (or AWS or...) you'll have some resource running on an IP address. When you've then finished with your Azure resource and you stop paying Azure for that resource, that IP address is now freed up and can be assigned to someone else.

      If you don't change/take down your DNS entry, then that entry is now pointing to an IP address that you now don't control. So when someone else spins up an Azure VM and it randomly gets assigned the IP address you were using, then that VM can now be referenced by your redundant-but-still-defined DNS entry. Simple enough for that person to then spin up a web server responding to your (sub) domain name or to redirect to another server.

      Unlikely to happen? Perhaps. But with free resources available from the cloud providers, easy enough to keep spinning up a VM and see if you "get lucky" with someone else's domain (although it's unlike IMHO to actually gain you any real benefit other than for the lolz).

      So no, sub-domains don't get deregistered and they don't need to be "hijacked" for the circumstances described here to happen. And from the article I see no indication that is was anything more than the above - and sloppy adminstration on the part of PWC.

      1. Tom 38 Silver badge

        Re: I don’t understand...

        @HawkEye Pierce: you're wrong. PwC's DNS didn't point at the IP address of an azure machine, it pointed at an alias. IE, it was a CNAME rather than an A record.

        a forgotten Azure subdomain that someone swooped in and re-registered for themselves.

        Azure allow you to request any name under azurewebsites.net as long as it isn't already taken. If you want to hijack a domain, and they use azure, you simply look for DNS names that are aliases for azurewebsites.net names that no longer themselves exist. You then register that name with azure, and domain is then captured.

        It's such an obvious and stupid security hole, and this isn't the first time that it has happened. Microsoft themselves have had websites captured in the same way. It's absolutely idiotic that MS haven't fixed it, by including something client specific in new domain names (either a name or a uuid), and refusing to generate new unadorned domain names under azurewebsites.net.

        1. chuBb. Bronze badge

          Re: I don’t understand...

          Its such an obvious money maker for azure as well, all that happened here is that they killed the dev app service (not even the service plan) which freed up the temp domain, and followed the official docs of setting a cname up to mask the azurewebsites subdomain. You should be able to retain service subdomains after you delete the service like you can with IP addresses to prevent exactly this, anything above the free plans should allow you to reserve your domains for a nominal surcharge without having to jump to the vastly more expensive app service environment

    3. Anonymous Coward
      Anonymous Coward

      Re: I don’t understand...

      Some excellent answers, thank you everyone!

  6. Anonymous Coward
    Anonymous Coward

    I've seen similar..

    With AWS buckets, got more fun as it was serving JavaScript files for an analytics company.. Including to login pages. Oh the fun to be had with that one. Small mercies that they just stuck with nerferious smut rather than more insidious scripting.

    Anon because I'm not saying "who's" website was compromised (fnar, fnar) like this...

  7. Anonymous Coward
    Anonymous Coward

    Pussy Boots!

    Interestingly, I found a YouTube link for a commercial promoting Pussy Boots fur slippers at Grace Bros.

    https://www.youtube.com/watch?v=DwA5xRN08jE

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020