The Orphaned Internet Domain Risk

I have clicked on company websites of social media acquaintances, and something is not right: Slight errors in formatting, encoding errors for special German characters.

Then I notice that some of the pages contain links to other websites that advertize products in a spammy way. However, the links to the spammy sites are embedded in this alleged company websites in a subtle way: Using the (nearly) correct layout, or  embedding the link in a ‘news article’ that also contains legit product information – content really related to the internet domain I am visiting.

Looking up whois information tells me that these internet domain are not owned by my friends anymore – consistent with what they actually say on the social media profiles. So how come that they ‘have given’ their former domains to spammers? They did not, and they didn’t need to: Spammers simply need to watch out for expired domains, seize them when they are available – and then reconstruct the former legit content from public archives, and interleave it with their spammy messages.

The former content of legitimate sites is often available on the web archive. Here is the timeline of one of the sites I checked:

Clicking on the details shows:

  • Last display of legit content in 2008.
  • In 2012 and 2013 a generic message from the hosting provider was displayed: This site has been registered by one of our clients
  • After that we see mainly 403 Forbidden errors – so the spammers don’t want their site to be archived – but at one time a screen capture of the spammy site had been taken.

The new site shows the name of the former owner at the bottom but an unobtrusive link had been added, indicating the new owner – a US-based marketing and SEO consultancy.

So my take away is: If you ever feel like decluttering your websites and free yourself of your useless digital possessions – and possibly also social media accounts, think twice: As soon as your domain or name is available, somebody might take it, and re-use and exploit your former content and possibly your former reputation for promoting their spammy stuff in a shady way.

This happened a while ago, but I know now it can get much worse: Why only distribute marketing spam if you can distribute malware through channels still considered trusted? In this blog post Malwarebytes raises the question if such practices are illegal or not – it seems that question is not straight-forward to answer.

Visitors do not even have to visit the abandoned domain explicitly to get hacked by malware served. I have seen some reports of abandoned embedded plug-ins turned into malicious zombies. Silly example: If you embed your latest tweets, Twitter goes out-of-business, and its domains are seized by spammers – you Follow Me icon might help to spread malware.

If a legit site runs third-party code, they need to trust the authors of this code. For example, Equifax’ website recently served spyware:

… the problem stemmed from a “third-party vendor that Equifax uses to collect website performance data,” and that “the vendor’s code running on an Equifax Web site was serving malicious content.”

So if you run any plug-ins, embedded widgets or the like – better check out regularly if the originating domain is still run by the expected owner – monitor your vendors often; and don’t run code you do not absolutely need in the first place. Don’t use embedded active badges if a simple link to your profile would do.

Do a painful boring inventory and assessment often – then you will notice how much work it is to manage these ‘partners’ and rather stay away from signing up and registering for too much services.

Update 2017-10-25: And as we speak, we learn about another example – snatching a domain used for a Dell backup software, preinstalled on PCs.

6 Comments Add yours

  1. Joseph Nebus says:

    I wouldn’t have thought of the plug-ins problem. Admittedly part of that is I haven’t got many plug-ins for my personal site (just the occasional embedded tweet). My work, though, that does depend on some external sites and while most of those are major open-source thingies like OpenLayers that doesn’t mean they won’t evaporate someday.

    1. elkement says:

      I started to look very closely at third-party embedded content when I checked if and how my sites and blogs will be compliant with upcoming changes in EU data protection law. I (… in fact anybody anywhere in the world ‘targeting’ EU visitors …) will be much more accountable for how users data are handled at ‘my’ site. If I outsource operations to WordPress I have to have a reasonable contract with them and understand how they handle data and what the risk is for visitors.
      That’s also the main reason I am paying now for an ad-free plan – so that at least those ads will not be able to siphon off visitors’ data via ‘third-party cookies’ and the like. I have also removed embedded tweets, and I am close to removing all social media sharing buttons which facilitate tracking, too.

      BTW – this might, again :-), impact your Austrian clicks – I am testing all kinds of cookie managers, privacy tools, different browsers and crank them up to the most paranoid level until websites are barely usable :-) I am particularly unhappy with the way handles third-party cookies – for commenting and liking I have turn off all my protections that work well with all other social media sites – so I consider to have one special browser only for visiting WordPress sites.

  2. Ed Davies says:

    Hmm, interesting. Short-lived keys verified by the likes of Let’s Encrypt are all very well for the domains themselves but perhaps this points towards an argument for tying them back to the owner’s longer-term keys somehow.

    1. elkement says:

      That’s a good point! The site I showed the timeline for does not enforce the redirect to HTTPS, but they are actually using a short-lived certificate issued by Comodo, and they use Cloudflare.
      I am using a similar reverse proxy solution based on Let’s Encrypt. As happy as I was about how easy the transition to HTTPS was, I also started thinking about how easy it would be for scammers to make their sites look more trustworthy …

  3. Very interesting observations. The abandoned plugins sounds particularly subtle.

    Now imagine someone abandoning a site and the site being picked up with extra and non-spammy content. In the meantime the original site owner makes a success of their brand, on a new site. And the new owner of the old site maintains the content in line with the new site – this could be completely and automatically mirrored. They would have some interesting options:
    – sell back the site on a ransom basis
    – sell advertising channels to the brands competitors
    – hijack the brand
    And all that for 12 bucks a year.

    1. elkement says:

      I would not be surprised if something like this has already happened somewhere – as my observations and articles I read later were just some random findings, not at all something I searched for in ‘investigative mode’. So such ‘domain capture’ might occur often.

      I also wonder if all this will be covered by possibly tighter regulation of ‘the internet’ – as eminent security experts discuss and demand now in relation to Internet of Things and recent malware epidemics.
      E.g. a very long ‘cool off’ grace period after a domain has expired or perhaps additional scrutiny of people who try to register a domain that had been owned by somebody else before would help.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.