Abandoned Domain Takeover

Hanno Böck

What happens when a web service dies?

Equifax’s Latest Security Foil: A Defunct Web Service

Wall Street Journal, 2017-10-13

What happened?

Equifax had used a service called Fireclick, referencing the domain netflame.cc

Fireclick was shut down in 2015, domain expired

2017: Fireclick domain delivers fake Flash installer malware

Abandoned Domain Takeover

Hanno's blog, 2017-09-05

Idea: Scan web pages, check if domains from src references resolve
Yahoo Web Analytics
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
Nonexisting Azure subdomain
Azure free account
Code included by dozens of web pages, mostly local US newspapers
Vast majority on two IP addresses by same company, contacted their abuse department
No answer, but code was removed within days
Biggest user of that script: Saline Courier
Tried to contact them via mail, no answer, code remained
Saline Courier
Saline Courier
Saline Courier
Saline Courier
We could not just look for abandoned domains, but domains that may be abandoned in the future
How long will they keep their domain? And who will get it afterwards?
In the Equifax case they included code that apparently nobody was using for years and nobody was aware of. This is utterly irresponsible.
Ask yourself who's allowed to execute code on your webpage. Make sure you know and trust them.
If you include code from a service that no longer exists it's quite obvious you don't know what code is running on your webpage.

Thirdparty Javascript Takeaways

  • Know your thirdparty code
  • Avoid thirdparty code if possible
  • Remove unused or obsolete thirdpary code