Culling domain names needs to be discussed. It is not an activity that should be taken lightly and requires a lot of due diligence and careful planning. This blog discusses the risks of culling domains and outlines the steps brands can take to protect themselves.
Corporate organisations often grow large domain name portfolios through the evolution of new brands, products and acquisitions. Generally, it is the responsibility of a System Administrator or IT Manager to ensure that these domain names do not expire.
After a domain name portfolio hits a certain size, it can perceived to be expensive and cumbersome to manage. It is normal for organisations to occasionally consider pairing back their domain name portfolios. “Culling” is a term used to describe the action of deliberately letting domain names expire.
The risks of culling domain names
The issue with culling domain names is that they are often targeted by criminal 3rd parties who can re-register an expired or deleted domain name with no ownership verification or checks needed.
Once a domain name is re-registered, the 3rd party has complete control. Cyber criminals can implement a simple catch-all email to receive any and all correspondence associated with the domain name. They can also use the email accounts to recover passwords to online services. A simple password reset can allow a cyber criminal to gain access to a myriad of services from email, social media accounts and hosting environments to government portals.
Research published by security researchers, Gabor Szathmari and Jeremiah Cruzof demonstrate that 3rd parties who re-registered domain names can:
- access confidential documents of former clients;
- access confidential email correspondence;
- access personal information of former clients;
- hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
- hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.
Merger & acquisition (M&A) events are particularly risky. It is quite normal for companies to retire brands after an M&A event and expire the associated domain names. Cyber criminals closely monitor M&A events for abandoned domains in order to steal possibly confidential intelligence.
Szathmari and Cruzof Case Study – Legal Firms
During a three month period, Szathmari and Cruzof researched the issue of legal firms culling domain names and how they could be potentially be used against firms. They re-registered six abandoned domain names, some of which formerly belonged to Australian legal practices. A summary of the information they were able to obtain was:
- approximately 25,000 emails in total;
- emails and documents of a sensitive nature;
- the recovery of actual passwords (previously exposed in public data breaches and were later published on Spycloud) of approximately thirty legal professionals; and
- successfully attempted password recovery of many popular online services and profession-specific portals
How do cyber criminals target Australian domain names?
Expired .au domain names are published on an official domain name drop list. the list shows the date and time that domain names are eligible to be purged. It is broken down into two separate spreadsheets – domain names that have “expired” and another for domain names that have been “deleted” either by the owner, the Registrar or AuDA.
As these lists are publicly available, basic scripts can pinpoint domain names that are live, have mail services or DNS records associated with them. Domain names can be prioritised based on different metrics, such as traffic, queries and DNS services so cyber criminals can target “the best” culled domain names available. They can also target specific industries and go for keywords, such as “law”, “legal” or “firm” etc.
Managing the Risk
Using a Red Amber Green (RAG) analysis we have outlined the severity of risk of expiring domain names, based on the domain names history and use:
- Red Domain names should under no circumstances be expired because in the wrong hands can cause significant damage to your business (competitors, cyber-criminals etc).
- Orange Domain names represent some repetitional risk if expired, but would not impact your core business.
- Green Domain name are unlikely to damage your business if expired, but caution is still recommended and consequences understood.
Domain Name Expiry Business Risks – RAG
|Domain Name Type||Expiry Operational Risks||Expiry Business Risks|
|core business domains||
|branded parked domains||
|product domain names||
|unbranded parked domains||
Steps to Cull Domain Names
Below are some steps to consider before culling domain names:
- Understand the domain name history and use. Talk to colleagues with good corporate knowledge of your business but if there is no such resource, review sites such as the Wayback Machine. This will provide historic snap shots of any live iterations of the domain name’s website.
- Conduct a Google search for any reference to the website. Searching site:www.yourdomain.com.au will provide any cached pages and simply searching “www.yourdomain.com.au” will find any 3rd party reference to your domain name and there are numerous backlink checkers that will source backlinks on the web.
- Conduct a DNS lookup and ensure that there are no services in the zone file. For example, if you find an MX record it could be that email services have been set up at some point and could be used for forms and actual email accounts etc. Any DNS record identified should be investigated before culling the domain name.
- Consult internally. Before making a decision to cull domain names, distribute the list internally. You’ll be surprised what your colleagues may know about domain names history and broader consultation shares the decision within the business.
Brandsec is a corporate domain name management and brand protection company that look after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.