Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants' website

A forgotten subdomain on PricewaterhouseCoopers' dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records. Developer and security researcher Vitali Fedulov told The Register this week he has twice now found the pwc.com subdomain hosting a …

  1. SuperGeek

    PwC

    Porn with Compromise?

    1. sanmigueelbeer

      Re: PwC

      Porn, we come.

    2. Anonymous Coward

      Re: PwC

      Problems with Clients might be more apt for PwC, given how many they have lost in the past year.

      1. JimboSmith Silver badge

        Re: PwC

        E&Y were my accountants for years then they did something dumb and pissed me off. They invoiced me after the VAT rate had gone back up to 20% despite having completed all the work well before that. When I was looking for another firm to replace them a mate warned me off PWC. Subsequently owing to a change in circumstances I didn't need such a large firm and a much smaller one deals with everything now.

    3. razorfishsl

      Re: PwC

      Pen** With C**ts

    4. Francis Boyle Silver badge

      Re: PwC

      Probably will Cock-up!

    5. Anonymous Coward

      Re: PwC

      Damn. That was supposed to be an internal website for bored auditors.

  2. Dave 126 Silver badge

    In other news, theregister.co.uk served up ads for a scam company two days ago - one claiming that £800 iPhones are surplus stock and must be sold for £89.

    This isn't the Reg's usual policy, so assuming it slipped through the net at this time when people's minds may understandably be on other things.

    1. Joe Drunk

      El Reg most likely don't serve the ads themselves but, as is the case with practically every website that serves ads, relies on a third party and therefore have little to no control over what ads are shown on this site.

      As I block all content I deem of no use to me I never saw the £89 iPhones or any other exciting offers from anywhere else on the internet.

      1. quxinot

        And this, right here, is why adblock is an absolute requirement for any internet-displaying device.

        Advertisers say that they've cleaned their act up.... but if it's not every last one, with no bad actors, then they all get painted with the same brush--and for good reason.

  3. Franklin

    The domain amyca-dev-node.azurewebsites.net now has a Web page that says "Comming Soon." Not sure if it was placed there by the miscreants or by PwC, but somebody certainly can't spell!

    1. Jedit Silver badge

      "somebody certainly can't spell!"

      Indeed. It's supposed to be "cumming".

      (Mine's the dirty rainmac.)

  4. tiggity Silver badge

    Really?

    "something that will put a dent in a company's prestige and trust."

    In what universe do people regard PWC as trustworthy & prestigious?

    All the big bean counters have plenty of past history of being asleep at the wheel / turning a blind eye (depending if you regard it as a mistake or deliberate to keep the money rolling in) and missing major issues when auditing companies

    1. IGotOut Silver badge

      Re: Really?

      In what universe do people regard PWC as "trustworthy & prestigious?"

      The same one where Gartner's "Magic Quadrant" is seen as guide to who you should spend your money with.

    2. Fred Dibnah

      Re: Really?

      "...the company could see its reputation suffer from being associated with these shady pages..."

      I agree, if I ran a porn company I wouldn't want to have anything to do with PWC.

    3. Anonymous Coward

      Re: missing major issues when auditing companies

      "missing major issues" is a bit of an understatement. But hey, great tactic, applied across the financial sector: if major crime is uncovered (unlikely, but we're all humans, eh), this or that reputable business blames a "rogue employee", strikes a deal with a gov, denies liability, pays a nominal fine, carries on merrily. Quietly making sure new leaks are that much more likely.

      1. sitta_europea Silver badge

        Re: missing major issues when auditing companies

        "... blames a "rogue employee", strikes a deal with a gov, ..."

        The UK's National Enterprise Board funded my startup's expansion when it was four people in John's attic in Eynsham and ten thousand turnover, and wanted to take its profits now it was twenty-four people in a rented unit round the back of Tesco's on Cowley Road and a million turnover.

        In the heady days of 1981, people were saying that the riskier the project sounded, the more likely a public offering was to succeed on the Denver penny stock market. But I called out my fellow directors for trying to scam investors in our planned flotation. By now I was the only one left of the original four, and the new guys were going to claim in the prospectus that our company was projecting sales of more than twice (what I never tired of telling them was) our production capacity. It wasn't really about what we could make, it was about what components were available on the world market to make the products with. There just wasn't enough of one particular part to make what they were claiming we would make, and ramping up production at the (two) suppliers would take many months, if not a few years, because they were sensible and they weren't about to throw all their eggs in this particular upstart's basket.

        I refused to sign up to it. I was the only one who said "No, this isn't right, we can't do this".

        I was standing up against seasoned business types in their forties, fifties and sixties (some were flying around on Concorde doing what they called "due diligence", but in reality just racking up huge expense account bills) and one of the big five accounting firms you've all heard about - the one that surrendered its licenses in 2002, as it happens. I was twenty-eight, and living in a caravan while I was building a house in my spare time. It nearly cost me my sanity.

        Eventually, after a showdown, threats against my property, my resignation, and ultimately a front page headline in the Rocky Mountain News about an investigation by the SEC (incidentally that was the first fax that I ever saw), the public offering did not go ahead.

        It did cost me my dreams, and a small fortune, but I kept my integrity.

        Unrepentant, the guy representing NEB said to me later, "What if it had worked, Ged?"

        Nothing, as far as I can tell, has changed since 1981.

        1. Rich 11

          Re: missing major issues when auditing companies

          Greed, they want you to say, is good. Except it isn't.

          Good on you, Ged.

        2. Intractable Potsherd

          Re: missing major issues when auditing companies

          A fine and heartening example of ethics being applied to business. It is a shame that you were driven out of business by inveterate liars, though. Thanks for recounting the story!

  5. Anonymous Coward

    I don’t understand...

    ...how this was actually done. I’ve registered many domains and all the sub-domains belong to me, as far as I am aware.

    It’s up to me if I activate any sub-domains. How can any other entity go to a registrar and register one of my sub-domains, ergo at whatever.pwc.com ?

    Thanks for any enlightenment!

    1. JimboSmith Silver badge

      Re: I don’t understand...

      Thanks for any enlightenment!

      That answer is in the article

      The subdomain, when created by PwC, pointed to amyca-dev-node.azurewebsites.net, a custom Microsoft Azure subdomain created by the bean-counters to host some kind of API development system in the cloud. At some point, the accountancy goliath let its amyca-dev-node subdomain expire or lapse, allowing a miscreant to register it. When people, and search engine bots, visited amyca-devapi.pwc.com, they would be directed to the hacker-controlled amyca-dev-node.azurewebsites.net, which contained anything the miscreant wanted – in this case, a revolving set of risque ads.

      In other words, there was no intrusion of the PwC network itself, or any other part of the dot-com site, just some DNS trickery and a forgotten Azure subdomain that someone swooped in and re-registered for themselves.

      Hope that clears things up for you.

      1. Alister

        Re: I don’t understand...

        Hope that clears things up for you.

        Not really. You don't, as a rule, "register" subdomains in any way, and therefore they can't expire or lapse unless the root domain does.

        You register a domain with a Registrar, and then you create subdomains by adding A (or AAAA) records in the DNS.

        the accountancy goliath let its amyca-dev-node subdomain expire or lapse, allowing a miscreant to register it

        This bit is total bollocks.

        1. Victor Ludorum

          Re: I don’t understand...

          I think it's a bit ambiguous, but the way I read it is that PwC let their amyca-dev-node Azure subdomain lapse, but their amyca-dev PwC subdomain was still pointing to it. Someone worked this out and set up a new Azure subdomain.

          1. Tom 38

            Re: I don’t understand...

            1: PwC create an azure site foobar.azurewebsites.net

            2: PwC set up that site in their DNS: foobar.pwc.com. CNAME foobar.azurewebsites.net.

            3: PwC let the azure site lapse, but leave the DNS entry

            4: foobar.pwc.com now resolves to something that doesn't exist

            5: Attacker scans pwc's DNS zone for azure domains that no longer resolve

            6: Attacker registers foobar.azurewebsites.net for themselves and adds miscreant code - session jacking, etc

            7: Because they control the website, they can register letsencrypt certs

            8: Use high value, trusted domain as link farm

            As I outlined in a post below, this is entirely avoidable by MS, and not the first time this has happened. Even some MS sites got jacked (iirc some windows.com subdomains).

            (edit: https://www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/ )

            (and https://www.theregister.co.uk/2019/01/23/office_365_network_hole/ )

            It's like they don't know what they're doing...

            1. Rich 11

              Re: I don’t understand...

              7: Because they control the website, they can register letsencrypt certs

              Woah, hang on. I can understand Let's Encrypt issuing a cert for foobar.azurewebsites.net but can (and would) they do that for foobar.pwc.com in this situation?

              What I've read about LE in the last two years hasn't encouraged me to use them at all, but I didn't think there was a gaping hole that wide.

              1. Tom 38

                Re: I don’t understand...

                LE operates on the concept that if you can control what appears on https://foo.bar.com/, you can have a cert for foo.bar.com. Only if you want a wildcard cert do you have to be able to add a DNS record.

        2. JimboSmith Silver badge

          Re: I don’t understand...

          How I read it was that PWC had their subdomain directing visitors to another sub domain on the azurewebsites.net (AW.Net) which they don't own. That had originally had some PWC stuff on it but they hadn't kept up the payments/decided they didn't need it anymore. So some miscreant had taken over the AW.Net subdomain and the naughty stuff was on that site. However PWC didn't remove the redirect from their subdomain to the AW.Net subdomain.

          1. chuBb.

            Re: I don’t understand...

            CName record on the PWC domain pointing to azurewebsites.net

            https://en.wikipedia.org/wiki/CNAME_record

            https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

        3. Anonymous Coward

          Re: I don’t understand...

          It's not an A Record, he's effectively stumbled on what is most likely an errant CNAME.

          Embarrassing? Yes. But a security risk or breach, hell no!

          In what world does that constitute a bug bounty? To me, this just tarnishes the incredible and complex work that proper security researchers do, not to mention the fine line they walk!

          1. Tom 38

            Re: I don’t understand...

            Is it a security hole? You betcha, you can capture domain cookies, which could lead to privilege escalation on other pwc websites.

            1. Stuart Castle Silver badge

              Re: I don’t understand...

              Potentially a massive security hole. I don't know what client services PwC offer online, but it's entirely possible someone could have set up a fake website to find people's details. That website would appear to be part of the main website. Most people, in my experience, assuming they even look, would just see the company name, then .com on the end of the URL and assume they are dealing with the right people. It might also pass any security checks for https

              A simple mistake, on PwC's part, but one that should *not* have happened. At all.

        4. razorfishsl

          Re: I don’t understand...

          nope.. they had a shitty re-direct.....

          Which they failed to remove.....

      2. Pascal Monett Silver badge

        Right, so basically PwC created a sub-domain, decided not to keep it alive, and someone else took control. That's not hacking in any way, shape or form.

    2. Hawkeye Pierce

      Re: I don’t understand...

      My guess is you're all wrong (as is the article).

      If you go and host something on Azure (or AWS or...) you'll have some resource running on an IP address. When you've then finished with your Azure resource and you stop paying Azure for that resource, that IP address is now freed up and can be assigned to someone else.

      If you don't change/take down your DNS entry, then that entry is now pointing to an IP address that you now don't control. So when someone else spins up an Azure VM and it randomly gets assigned the IP address you were using, then that VM can now be referenced by your redundant-but-still-defined DNS entry. Simple enough for that person to then spin up a web server responding to your (sub) domain name or to redirect to another server.

      Unlikely to happen? Perhaps. But with free resources available from the cloud providers, easy enough to keep spinning up a VM and see if you "get lucky" with someone else's domain (although it's unlikely IMHO to actually gain you any real benefit other than for the lolz).

      So no, sub-domains don't get deregistered and they don't need to be "hijacked" for the circumstances described here to happen. And from the article I see no indication that it was anything more than the above - and sloppy administration on the part of PWC.
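      Both failure modes described in this thread (Tom 38's dangling CNAME to an azurewebsites.net name that no longer exists, and Hawkeye Pierce's stale A record pointing at a cloud IP the owner no longer holds) are things a zone owner can audit for before anyone else does. The script below is an added example, not code from the article or from PwC, Microsoft or any commenter. It parses a constructed BIND-style zone fragment, flags CNAMEs whose takeover-prone targets fail to resolve, and flags A records that sit inside a cloud range but are not in the owner's resource inventory. The zone name example-corp.com, the resolver results, the "cloud range" (a TEST-NET block standing in for a real provider range) and the owned-IP inventory are all constructed for the example.

```python
"""Audit a DNS zone for dangling records that invite subdomain takeover.

Added example: checks for (a) CNAMEs to takeover-prone hosting names that
return NXDOMAIN and (b) A records pointing into a cloud range at addresses the
zone owner no longer holds. All data below is constructed for illustration.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hosting suffixes where a freed name can be re-registered by anyone.
# azurewebsites.net is the case from the article; extend with others as needed.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net.",)

# name [ttl] IN (A|CNAME) target  -- deliberately minimal zone-line grammar
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|CNAME)\s+(\S+)\s*$")

Record = Tuple[str, str, str]  # (owner FQDN, type, target)


def parse_zone(text: str) -> List[Record]:
    """Extract A and CNAME records, fully qualifying names against $ORIGIN."""
    origin = "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, rtype, target = m.groups()
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        if rtype == "CNAME" and not target.endswith("."):
            target = f"{target}.{origin}"
        records.append((fqdn, rtype, target))
    return records


def audit_zone(
    records: List[Record],
    resolve: Callable[[str], Optional[str]],
    cloud_ranges: List[ipaddress.IPv4Network],
    owned_ips: set,
) -> List[Tuple[str, str, str]]:
    """Return (fqdn, finding, target) for every record that looks dangling."""
    findings = []
    for fqdn, rtype, target in records:
        if rtype == "CNAME":
            prone = any(target.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES)
            if prone and resolve(target) is None:
                findings.append((fqdn, "dangling CNAME", target))
        elif rtype == "A":
            ip = ipaddress.ip_address(target)
            in_cloud = any(ip in net for net in cloud_ranges)
            if in_cloud and target not in owned_ips:
                findings.append((fqdn, "unowned cloud IP", target))
    return findings


def live_resolve(name: str) -> Optional[str]:
    """Real resolver for production use: None on NXDOMAIN or other lookup failure."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


# ---- constructed sample data (not from any real zone) ----
SAMPLE_ZONE = """
$ORIGIN example-corp.com.
www      IN A     203.0.113.10
api      IN CNAME api-prod.azurewebsites.net.
devapi   IN CNAME amyca-dev-node.azurewebsites.net.   ; target lapsed
vm       IN A     198.51.100.5                          ; still ours
legacy   IN A     198.51.100.77                         ; VM deleted long ago
"""

FAKE_DNS: Dict[str, Optional[str]] = {
    "api-prod.azurewebsites.net.": "198.51.100.40",
    "amyca-dev-node.azurewebsites.net.": None,  # NXDOMAIN
}
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in provider range
OWNED_IPS = {"198.51.100.5"}  # from the (constructed) cloud resource inventory


def run_sample() -> List[Tuple[str, str, str]]:
    """Audit the constructed zone with the constructed resolver."""
    return audit_zone(parse_zone(SAMPLE_ZONE), FAKE_DNS.get, CLOUD_RANGES, OWNED_IPS)


if __name__ == "__main__":
    for fqdn, finding, target in run_sample():
        print(f"{fqdn}\t{finding}\t{target}")
```

      Swapping `FAKE_DNS.get` for `live_resolve` turns this into a real check against a zone export; the owned-IP inventory should come from the cloud provider's API rather than a hand-kept set. The CNAME check only catches targets that return NXDOMAIN, which is exactly the window in which a name under azurewebsites.net can be re-registered, so it should run on a schedule rather than once.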

      1. Tom 38

        Re: I don’t understand...

        @HawkEye Pierce: you're wrong. PwC's DNS didn't point at the IP address of an azure machine, it pointed at an alias. IE, it was a CNAME rather than an A record.

        a forgotten Azure subdomain that someone swooped in and re-registered for themselves.

        Azure allow you to request any name under azurewebsites.net as long as it isn't already taken. If you want to hijack a domain, and they use azure, you simply look for DNS names that are aliases for azurewebsites.net names that no longer themselves exist. You then register that name with azure, and domain is then captured.

        It's such an obvious and stupid security hole, and this isn't the first time that it has happened. Microsoft themselves have had websites captured in the same way. It's absolutely idiotic that MS haven't fixed it, by including something client specific in new domain names (either a name or a uuid), and refusing to generate new unadorned domain names under azurewebsites.net.

        1. chuBb.

          Re: I don’t understand...

          It's such an obvious money maker for azure as well, all that happened here is that they killed the dev app service (not even the service plan) which freed up the temp domain, and followed the official docs of setting a cname up to mask the azurewebsites subdomain. You should be able to retain service subdomains after you delete the service like you can with IP addresses to prevent exactly this, anything above the free plans should allow you to reserve your domains for a nominal surcharge without having to jump to the vastly more expensive app service environment

    3. Anonymous Coward

      Re: I don’t understand...

      Some excellent answers, thank you everyone!

  6. Anonymous Coward

    I've seen similar..

    With AWS buckets, got more fun as it was serving JavaScript files for an analytics company.. Including to login pages. Oh the fun to be had with that one. Small mercies that they just stuck with nefarious smut rather than more insidious scripting.

    Anon because I'm not saying "who's" website was compromised (fnar, fnar) like this...

  7. Anonymous Coward

    Pussy Boots!

    Interestingly, I found a YouTube link for a commercial promoting Pussy Boots fur slippers at Grace Bros.

    https://www.youtube.com/watch?v=DwA5xRN08jE
