back to article Perl.com theft blamed on social engineering attack: Registrar 'convinced' to alter DNS records by miscreants

The short-lived theft of Perl.com in late January is believed to have been the result of a social engineering attack that convinced registrar Network Solutions to alter the domain's records without valid authorization. In a blog post published on Sunday, Perl.com website editor Brian D. Foy said as much, noting that while …

  1. Dan 55 Silver badge

    It could have been worse

    Instead of good old-fashioned domain flipping and taking the money and running, they could have made a copy of the website and loaded it with malware.

    1. Korev Silver badge
      Joke

      Re: It could have been worse

      You mean like PERL?

      1. J27 Silver badge

        Re: It could have been worse

        Don't be so cruel, I wouldn't wish that on anybody.

  2. Terry 6 Silver badge

    Focus

    Best not to focus on the specific domain/user/owner.

    The fact that Perl.com or any other can be hijacked needs to be the focus here.

    1. alain williams Silver badge

      Re: Focus

      No doubt that some manager at Network Solutions has said that "lessons will be learned" and then immediately gone back to sleep.

    2. bombastic bob Silver badge
      Unhappy

      Re: Focus

      From the article: a social engineering attack that convinced registrar Network Solutions to alter the domain's records without valid authorization.

      Network Solutions - they're pretty much the OLDEST one out there, as i recall. Used to be 'internic'. I set up a domain with them in 1995. Still registered there, too. I was under the impression they had safety procedures in place to PREVENT this kind of thing.

      Apparently they need to review their internal procedures...

      1. Alan Brown Silver badge

        Re: Focus

        "Apparently they need to review their internal procedures..."

        sex.com, social engineering. NightSoil

        The more things change the more they remain the same

  3. Will Godfrey Silver badge
    Headmaster

    Bah Humbug

    So the registrar wasn't persuaded, but somehow became convinced that the ownership change was valid.

  4. Pascal Monett Silver badge

    A social engineering attack

    "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it "

    If all sides understood, then how come somebody got conned into changing the records ?

    I know nothing about how DNS records are managed, but if someone can get a hold of something that doesn't belong to them with a simple phone call or email, then security needs to be tightened up somewhere. My website is insignificant, but if someone managed to take it away from me, I'd be pretty pissed.

    1. simkin

      Re: A social engineering attack

      So imagine you're a customer service agent at Network Solutions.

      100 times a day clueless domain owners phone you and tell you they forgot their password or for whatever other reason can't get into their accounts or change their information.

      99.999% of the time it turns out they're real and just need help.

      How do you as a customer service agent reliably identify the one time they aren't?

      1. Anonymous Coward
        Anonymous Coward

        Re: A social engineering attack

        The tradeoff between convenience and security depends in part upon how much damage is done by a security breach. That in turn depends on the blast radius (i.e., what asset is being compromised and what else can be done with it) and the difficulty/cost of recovery (i.e., how much work/money/time will it take to put things right again, if possible, and what else will be lost/damaged in the meantime)? Given the potential for enormous damage from domain name theft including malware distribution, compromise of customer and other downstream confidential information, and in some cases the simple loss of assets worth thousands or millions of currency units, the tradeoff needs to be made pretty heavily in favour of security. When one factors in the difficulty of recovery -- days to weeks in "simple" cases like this one up to months to years plus court costs, etc. in more difficult ones -- it becomes apparent that convenience simply must take a back seat, at least until a faster, more robust recovery mechanism is available.

        What does that mean? The answer to your question is simple: you don't. You send a recovery code by postal mail to the administrative contact's address on file. Whatever changes the person on the other end of the call wants to make will simply have to wait. That's far better than the consequences of domain theft. This happens to be a specific case of a much more general problem: there is currently no reliable way for any human to authenticate his or her identity. The best means by far is the shared secret, which is specific to a particular relationship and usually the thing that's been lost due to carelessness or stupidity. The right tradeoff here is to stop punishing people who maintain secure custody of their shared secrets in order to provide a better experience for people who don't.

        1. Paul Hovnanian Silver badge

          Re: A social engineering attack

          "Whatever changes the person on the other end of the call wants to make will simply have to wait. That's far better than the consequences of domain theft."

          That's up to each customer. For some, the security of a domain name is paramount. For others, immediate restoration is critical (business lost far exceeds the damage done by a temporarily wayward domain). The problem seems to be that the criticality is only determined at the time the customer's site has failed. Then, the car has broken down, the dog died, there are six children crying and unfed in soiled diapers. And the landlord is pounding on the door with a past-due rent bill. And now my web site is broken. At least that's how the scammers make it sound.

          Perhaps there could be some pre-negotiated process, selected by the user at the time of domain purchase to set a level of identity verification. At least it will make the customer think carefully about how well to secure that password. And if it was a legitimate emergency, well .... shame about the dog.

  5. fronty
    WTF?

    How is stuff like this still happening, it's 2021 for God's sake.

    1. cd

      NetSol is still living in 1999.

      1. a_yank_lurker Silver badge

        Or is it 1899?

  6. Sitaram Chamarty

    a few years ago...

    maybe 2014, or 2015, or thereabouts, TCS (my employer, Tata Consultancy Services) was "hacked" (1) the same way.

    I'm really too lazy to look it up but I think that was also NetSol when that happened.

    Looks like they haven't learnt any lessons or modified any of their processes to cover this!

    ----

    (1) "hacked", in quotes because everyone said we got hacked and we had to go around explaining that it was actually the DNS provider that was "hacked"

  7. cawfee
    Thumb Up

    Props to whoever chose the thumbnail for this article. 10/10

  8. Morten Bjoernsvik

    whois

    So nobody did monitor the `whois perl.com`

    1. Anonymous Coward
      Anonymous Coward

      Re: whois

      I see what you are saying, but with some whois fields redacted for privacy reasons more recently, it's become more difficult.

      My money would be on an element of impersonation - and yes I have had to do that on behalf of clients before (one died & one was incommunicado for hours).

  9. Lost in Cyberspace

    Inadvertently assisted the theft of a domain

    I once found myself inadvertently helping someone steal a domain.

    I visited a shop to help the owner/manager recover his domain from an ex-employee that set it up.

    The website was definitely for the shop I was actually sat in, everything checked out... shop name, address, phone number was the same as above the door. The manager had access to the sales/admin emails so we were able to reset passwords and transfer domain ownership. The manager was a key holder, the shop was open and staff / customers were milling about.

    Couldn't really get much more proof of ownership than that. Did the job, got paid, emailed a receipt.

    Turns out that the 'manager' and some of the team were actually staff that were about to leave and set up on their own. He was sabotaging the website and social network accounts on the way out.

    My email receipt reached the 'real' boss, who aggressively threatened all sorts of things. I tactfully reminded him that I'd done what the manager in the shop had asked me to do, and that I didn't know this person on the phone. If he could provide proof of business ownership (not a ltd company) I'd gladly switch it back and he could claim the cost from the rogue employees. I didn't hear anything else.

    Who do you trust?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021