Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.
Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.
In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.
Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.
Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.
However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 
That’s according to Ron Guilmette, a dogged anti-spam researcher who has made a living suing spammers and helping law enforcement officials apprehend online scammers. Researching the history and reputation of more than 5,000 Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz.-based domain name registrar and hosting provider.
Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.
But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.
EARLY WARNING SIGNS
In August 2016, security researcher Matthew Bryant wrote about spammers hijacking some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.
Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into the numeric Internet addresses that computers actually connect to.
When someone registers a domain at a registrar like GoDaddy, the registrar typically hands the customer the names of two of its nameservers (GoDaddy’s are named nsNN.domaincontrol.com), and the domain is delegated to them: the registry publishes those two names as the domain’s NS records. That delegation is crucial, because it tells the rest of the Internet which servers to ask for the domain’s records, including the Internet address of the hosting provider that serves its Web site. Like many other registrars, GoDaddy lets new customers use its managed DNS service free for a period of time (in GoDaddy’s case 30 days), after which customers must pay for it.
The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:
“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”
SAY WHAT?
For a more concrete example of what’s going on here, we’ll look at just one of the 5,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.
The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.
GoDaddy is a massive hosting provider, and it runs more than 100 such nameservers for its clients, handing each new account a pair of them. To hijack this domain, the attackers in the December 2018 spam campaign needed only a free GoDaddy account that happened to be assigned the same pair handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). The domain’s delegation at the .com registry still named those two servers, but no zone for virtualfirefox.com was configured on them any longer, so whoever added the name to an account on that pair got to publish its records. The attackers did exactly that, claiming the domain as their own and telling GoDaddy to point it at an Internet address they controlled, all without touching Mozilla’s registrar account or the delegation itself.
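The condition the attackers exploited is observable from outside: a nameserver that a domain’s delegation still names, but that no longer holds a zone for it, answers a direct query non-authoritatively (managed-DNS servers normally return REFUSED). The script below is an added example, not code from the article or from GoDaddy or Mozilla. It builds a raw DNS SOA query with the standard library, sends it to each delegated nameserver over UDP, and classifies the reply from the header alone. The nameserver hostnames and the REFUSED-means-no-zone rule are assumptions taken from the article and from common provider behaviour; the `fake_*` reply functions are constructed so the logic can run offline.

```python
"""Dangling-delegation probe for a domain parked on managed DNS.

Added example (not from the article). It sends a raw DNS SOA query over UDP
to each nameserver in a domain's delegation and classifies the reply from
the header alone. A server that the delegation names but that answers
REFUSED (or otherwise non-authoritatively) has no zone for the domain: the
state virtualfirefox.com sat in, and the state an attacker with an account
on the same servers can fill.
"""
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int, qtype: int = QTYPE_SOA) -> bytes:
    """Single-question query with RD=0, so the server must answer from its own
    zones rather than recurse; a server with no zone for the name cannot
    answer authoritatively."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # response bit
        "aa": bool(flags & 0x0400),  # Authoritative Answer
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(hdr: dict) -> str:
    """'configured': authoritative NOERROR, a zone for the name exists here.
    'dangling'  : REFUSED, or a NOERROR/NXDOMAIN reply without AA, i.e. the
                  server is delegated the name but holds no zone for it.
    'error'     : SERVFAIL and everything else; re-check by hand.
    Assumption: managed-DNS nameservers answer REFUSED for names they do not
    host; confirm this against the provider you are auditing."""
    if hdr["rcode"] == 0 and hdr["aa"]:
        return "configured"
    if hdr["rcode"] == RCODE_REFUSED or (hdr["rcode"] in (0, 3) and not hdr["aa"]):
        return "dangling"
    return "error"


def udp_query(server: str, packet: bytes, timeout: float = 3.0) -> bytes:
    """Send one UDP/53 query; `server` may be a hostname (resolved by sendto)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recv(4096)


def audit_delegation(domain: str, nameservers, send=udp_query) -> dict:
    """Probe every delegated nameserver; `send` is injectable so the logic
    can run offline against constructed replies."""
    verdicts = {}
    for ns in nameservers:
        qid = random.randrange(1, 0xFFFF)
        try:
            hdr = parse_header(send(ns, build_query(domain, qid)))
        except (OSError, ValueError):
            verdicts[ns] = "error"
            continue
        # A reply with the wrong ID or without QR is not an answer to our question.
        verdicts[ns] = classify(hdr) if (hdr["qr"] and hdr["id"] == qid) else "error"
    return verdicts


# Constructed replies (header only, question section echoed) for offline use.
def fake_refused(server: str, packet: bytes) -> bytes:
    qid = struct.unpack("!H", packet[:2])[0]
    return struct.pack("!6H", qid, 0x8000 | RCODE_REFUSED, 1, 0, 0, 0) + packet[12:]


def fake_authoritative(server: str, packet: bytes) -> bytes:
    qid = struct.unpack("!H", packet[:2])[0]
    return struct.pack("!6H", qid, 0x8400, 1, 1, 0, 0) + packet[12:]


if __name__ == "__main__":
    servers = ["ns17.domaincontrol.com", "ns18.domaincontrol.com"]
    print(audit_delegation("virtualfirefox.com", servers, send=fake_refused))
    # Live probe against the real delegation (network required):
    # print(audit_delegation("virtualfirefox.com", servers))
```

Run it against every domain in an inventory, feeding `audit_delegation` the NS set the registry publishes for each one. Any `dangling` verdict is a name that is delegated to a provider where no zone exists: either re-create the zone under an account you control or move the delegation, as Mozilla eventually did.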
Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.
“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”
According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.
“During this entire time, and continuing to the present moment, the same bad actor(s) who were responsible for the massive wave of bomb threat bitcoin extortion spams that were emailed to five countries on December 13th, 2018 have been in a position to add, delete, or modify any DNS record associated with any domain name that uses the GoDaddy DNS service,” Guilmette said.
Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.
“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.
“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”
SPAMMY BEAR
Guilmette has dubbed the criminals responsible “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.
In the case of Mozilla’s Virtualfirefox.com domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy was changed to 194.58.58[.]70, a server in the Russian Federation belonging to a hosting company there called Reg.ru.
[Passive DNS record indexed by Farsight Security, showing that the Internet address for virtualfirefox.com was changed to an ISP in Russia on Dec. 13, 2018, the same day spammers used this domain and more than 5,000 others for a mass emailed bomb threat.]
In fact, Guilmette found that at least 3,500 of the commandeered domains traced back to Reg.ru and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet addresses is available here.
Guilmette’s sleuthing on the 5,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who registered domains at GoDaddy, including but not limited to:
Abbott Laboratories; Ancestry.com; Autodesk; Capital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton International; ING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Oath, Inc (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; US Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.
In an interview with KrebsOnSecurity, Bryant said the domain hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.
“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”
WHAT CAN BE DONE?
Guilmette said managed DNS providers can add an extra layer of validation to requests to add a domain: before processing the request, check whether the domain is already delegated to the provider’s own nameservers. If it is, the provider can nullify the threat by simply assigning the new account a different pair of nameservers, so that any zone the account creates never becomes authoritative for the domain. The same check would work at any other managed DNS provider.
“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull off this hack. All GoDaddy has to do is see if this particularly odd set of circumstances applies in each request.”
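The check Guilmette describes is small enough to show in full. The following is an added example, not GoDaddy’s code: a provider-side onboarding function that compares the domain’s live NS delegation (the lookup against the registry is left to the caller) with the provider’s own nameserver pool. If they overlap, the account is handed a pair disjoint from the delegation and flagged for proof of control; if not, any pair will do, because the registry will not send traffic to the provider until the registrant changes the delegation. The `POOL` hostnames are hypothetical, modelled on the nsNN.domaincontrol.com names in the article.

```python
"""Provider-side guard for the managed-DNS onboarding step.

Added example, not GoDaddy's code. Rule (Guilmette's fix): if a domain being
added is already delegated to servers in our pool, never give the requesting
account those same servers; assign a disjoint pair and require proof of
control at the registrar before the original pair may be reused.
"""
from dataclasses import dataclass
import random

# Hypothetical pool modelled on the hostnames in the article.
POOL = [f"ns{n:02d}.domaincontrol.com" for n in range(1, 21)]


@dataclass(frozen=True)
class Assignment:
    nameservers: tuple
    requires_verification: bool
    reason: str


def _norm(names) -> set:
    """Case-fold and strip the trailing dot so 'NS17.DOMAINCONTROL.COM.' matches."""
    return {n.lower().rstrip(".") for n in names}


def assign_nameservers(domain: str, current_delegation, pool=POOL,
                       choose=random.sample) -> Assignment:
    """Pick the nameserver pair to give an account that is adding `domain`.

    current_delegation: NS hostnames the registry currently publishes for the
    domain (empty if it is unregistered or the lookup failed).
    choose(seq, k): selection strategy; real providers load-balance here.
    """
    ours = _norm(pool)
    live = _norm(current_delegation)
    overlap = ours & live
    if not overlap:
        # Not delegated to us: the registry will not route queries to our
        # servers until the registrant changes the delegation, which only the
        # registrar account can do, so any pair is safe to hand out.
        return Assignment(tuple(choose(sorted(ours), 2)), False,
                          f"{domain} is not delegated to this provider")
    # Delegated to us already (the dormant-domain case). A zone created on the
    # same servers would become authoritative immediately, so exclude them.
    candidates = sorted(ours - live)
    if len(candidates) < 2:
        raise RuntimeError(f"no pair disjoint from the live delegation for {domain}")
    return Assignment(tuple(choose(candidates, 2)), True,
                      f"{domain} already delegated to {sorted(overlap)}; "
                      "proof of control at the registrar required to reuse them")


if __name__ == "__main__":
    # The virtualfirefox.com shape: the delegation still names ns17/ns18.
    print(assign_nameservers("virtualfirefox.com",
                             ["ns17.domaincontrol.com", "ns18.domaincontrol.com"]))
    # A domain parked elsewhere gets a pair with no strings attached.
    print(assign_nameservers("example.com",
                             ["ns1.elsewhere.example", "ns2.elsewhere.example"]))
```

The `RuntimeError` branch is deliberate: a provider whose whole pool is already in the live delegation has no safe pair to offer and must fall back to ownership verification rather than silently reuse the servers.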
Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness among hosting providers and registrars, many of which simply aren’t convinced of the need to add this extra precaution.
“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”
from Technology News https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
0 notes
amberdscott2 · 5 years
Text
Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.
Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.
In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.
Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.
Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.
However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 
That’s according to Ron Guilmette, a dogged anti-spam researcher who has made a living suing spammers and helping law enforcement officials apprehend online scammers. Researching the history and reputation of more than 5,000 Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.
Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.
But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.
EARLY WARNING SIGNS
In August 2016, security researcher Matthew Bryant wrote about spammers hijacking some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.
Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.
When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.
The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:
“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”
SAY WHAT?
For a more concrete example of what’s going on here, we’ll look at just one of the 5,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.
The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.
GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to route all traffic for that domain to an Internet address they control.
Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.
“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”
According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.
“During this entire time, and continuing to the present moment, the same bad actor(s) who were responsible for the massive wave of bomb threat bitcoin extortion spams that were emailed to five countries on December 13th, 2018 have been in a position to add, delete, or modify any DNS record associated with any domain name that uses the GoDaddy DNS service,” Guilmette said.
Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.
“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.
“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”
SPAMMY BEAR
Guilmette has dubbed the criminals responsible as “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.
In the case of Mozilla’s Virtualfirefox.com domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy were changed to 194.58.58[.]70, a server in the Russian Federation owned by a hosting company there called Reg.ru.
The record above, indexed by Farsight Security, shows that the Internet address for virtualfirefox.com was changed to an ISP in Russia on Dec. 13, 2018, the same day spammers used this domain and more than 5,000 others for a mass emailed bomb threat.
In fact, Guilmette found that that at least 3,500 of the commandeered domains traced back to Reg.ru and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet addresses is available here.
Guilmette’s sleuthing on the 5,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who registered domains at GoDaddy, including but not limited to:
Abbott Laboratories; Ancestry.com; Autodesk; Capital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton Interntional; ING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Oath, Inc (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; US Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.
In an interview with KrebsOnSecurity, Bryant said the domain hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.
“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”
WHAT CAN BE DONE?
Guilmette said managed DNS providers can add an extra layer of validation to DNS change requests, checking to see if a given domain already has internal DNS servers assigned to the domain before processing the request. Providers could nullify the threat by simply choosing a different pair of DNS servers to assign to the request. The same validation process would work similarly at other managed DNS providers.
“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull of this hack. All GoDaddy has to do is see if this particularly odd set of circumstances apply in each request.”
Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness and hosting providers and registrars, and many providers simply aren’t convinced of the need to add this extra precaution.
“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”
from Amber Scott Technology News https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
0 notes
jennifersnyderca90 · 5 years
Text
Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.
Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.
In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.
Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.
Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.
However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 
That’s according to Ron Guilmette, a dogged anti-spam researcher who has made a living suing spammers and helping law enforcement officials apprehend online scammers. Researching the history and reputation of more than 5,000 Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.
Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.
But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.
EARLY WARNING SIGNS
In August 2016, security researcher Matthew Bryant wrote about spammers hijacking some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.
Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.
When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.
The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:
“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”
SAY WHAT?
For a more concrete example of what’s going on here, we’ll look at just one of the 5,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.
The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.
GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to route all traffic for that domain to an Internet address they control.
Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.
“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”
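The portfolio review Mozilla describes can be automated. The following is an added example, not Mozilla’s or GoDaddy’s tooling: it walks a list of owned domains, picks out the ones whose registrar delegation points at a shared managed-DNS provider’s nameservers, and flags any that have no matching zone in the organization’s own account with that provider, since such a domain can be served by whichever stranger is handed the same nameserver pair. The domaincontrol.com pattern matches the GoDaddy servers named in the article; every domain, nameserver, account and zone listed below is constructed sample data, and the second provider entry is invented.

```python
"""Portfolio audit for dangling managed-DNS delegations (added example).

A domain is 'dangling' here when its public NS delegation points at a
provider whose nameservers are shared between customers, but our own
account at that provider holds no zone for it.  All sample data is
constructed; nothing below queries the network.
"""
import re
from dataclasses import dataclass

# Nameserver naming patterns of providers whose servers are shared between
# customers.  The first matches the ns17/ns18.domaincontrol.com servers
# discussed in the article; the second is an invented placeholder provider.
SHARED_DNS_PROVIDERS = {
    "godaddy-managed-dns": re.compile(r"^ns\d+\.domaincontrol\.com\.?$", re.I),
    "other-dns-provider": re.compile(r"^ns\d+\.dns-provider\.example\.?$", re.I),
}


@dataclass(frozen=True)
class Finding:
    domain: str
    provider: str
    nameservers: tuple
    reason: str


def provider_for(nameservers):
    """Return the shared-DNS provider a delegation points at, or None when the
    nameservers are self-hosted, registrar parking, or otherwise unknown."""
    for name, pattern in SHARED_DNS_PROVIDERS.items():
        if nameservers and all(pattern.match(ns) for ns in nameservers):
            return name
    return None


def audit_portfolio(delegations, hosted_zones):
    """delegations: domain -> tuple of NS names as published at the registry.
    hosted_zones:  provider name -> set of zones present in OUR account there.
    Returns one Finding per domain a stranger's zone could capture."""
    findings = []
    for domain, nameservers in sorted(delegations.items()):
        provider = provider_for(nameservers)
        if provider is None:
            continue  # not delegated to a shared provider: out of scope here
        ours = {z.lower() for z in hosted_zones.get(provider, set())}
        if domain.lower() not in ours:
            findings.append(Finding(
                domain, provider, tuple(nameservers),
                "delegated to shared provider but no zone in our account"))
    return findings


# Constructed sample portfolio (not real records).
SAMPLE_DELEGATIONS = {
    "dormant-brand.example": ("ns17.domaincontrol.com", "ns18.domaincontrol.com"),
    "www-brand.example": ("ns17.domaincontrol.com", "ns18.domaincontrol.com"),
    "corp.example": ("ns1.corp.example", "ns2.corp.example"),
    "old-campaign.example": ("ns21.dns-provider.example", "ns22.dns-provider.example"),
}
SAMPLE_HOSTED_ZONES = {
    "godaddy-managed-dns": {"www-brand.example"},  # the only zone we actually host
    "other-dns-provider": set(),
}

if __name__ == "__main__":
    for f in audit_portfolio(SAMPLE_DELEGATIONS, SAMPLE_HOSTED_ZONES):
        print(f"{f.domain}: {f.reason} "
              f"[{f.provider}: {', '.join(f.nameservers)}]")
```

In a real audit the two inputs would come from live NS lookups for each owned domain and from the provider’s zone listing for the organization’s account; the decision logic stays the same. The fix for each finding is either to create the zone in the organization’s own account or to move the delegation off the shared servers.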
According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.
“During this entire time, and continuing to the present moment, the same bad actor(s) who were responsible for the massive wave of bomb threat bitcoin extortion spams that were emailed to five countries on December 13th, 2018 have been in a position to add, delete, or modify any DNS record associated with any domain name that uses the GoDaddy DNS service,” Guilmette said.
Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.
“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.
“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”
SPAMMY BEAR
Guilmette has dubbed the criminals responsible as “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.
In the case of Mozilla’s Virtualfirefox.com domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy was changed to 194.58.58[.]70, a server in the Russian Federation owned by a hosting company there called Reg.ru.
The record above, indexed by Farsight Security, shows that the Internet address for virtualfirefox.com was changed to an ISP in Russia on Dec. 13, 2018, the same day spammers used this domain and more than 5,000 others for a mass emailed bomb threat.
In fact, Guilmette found that at least 3,500 of the commandeered domains traced back to Reg.ru and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet addresses is available here.
Guilmette’s sleuthing on the 5,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who registered domains at GoDaddy, including but not limited to:
Abbott Laboratories; Ancestry.com; Autodesk; Capital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton International; ING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Oath, Inc (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; US Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.
In an interview with KrebsOnSecurity, Bryant said the domain hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.
“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”
WHAT CAN BE DONE?
Guilmette said managed DNS providers can add an extra layer of validation to DNS change requests, checking to see if a given domain already has internal DNS servers assigned to the domain before processing the request. Providers could nullify the threat by simply choosing a different pair of DNS servers to assign to the request. The same validation process would work similarly at other managed DNS providers.
“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull off this hack. All GoDaddy has to do is see if this particularly odd set of circumstances apply in each request.”
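What Guilmette proposes is a one-line check at the point where a managed-DNS provider hands a nameserver pair to a newly added domain. The following added example (not GoDaddy’s code) puts the weak assignment logic described earlier in the article beside the checked version: `assign_legacy` hands out the first pair in the pool without looking at the domain, so for a dormant domain already delegated to that pair the new zone becomes authoritative; `assign_checked` looks up the domain’s live delegation first and skips any pair sharing a server with it. The nameserver pool, the public delegation table, the account names and the domain names are all constructed.

```python
"""Nameserver assignment with and without the live-delegation check (added example).

The public registry's NS records are stood in for by PUBLIC_DELEGATION, a
constructed table; a real provider would query them.  Pool entries, domains
and account ids are invented for illustration.
"""

# Pairs the provider hands out to customers.  ns17/ns18 are listed first so the
# weak path below picks them, mirroring the collision described in the article.
NS_POOL = [
    ("ns17.dns.example", "ns18.dns.example"),
    ("ns01.dns.example", "ns02.dns.example"),
    ("ns33.dns.example", "ns34.dns.example"),
]

# Constructed stand-in for an NS query at the public registry.
PUBLIC_DELEGATION = {
    # dormant domain still delegated to the provider's shared pair, no zone anywhere
    "dormant-brand.example": ("ns17.dns.example", "ns18.dns.example"),
    # freshly registered domain still on the registrar's parking servers
    "brand-new.example": ("ns1.parking.example", "ns2.parking.example"),
}


def lookup_delegation(domain):
    """Live NS delegation of `domain`, or None if it does not resolve."""
    return PUBLIC_DELEGATION.get(domain.lower())


def _refuse_if_hosted_elsewhere(domain, account, hosted_zones):
    """hosted_zones: domain -> account id of the zone already in the provider's system.
    Note that a dormant domain typically has NO zone anywhere, so this check alone
    does nothing against the hijack; only the delegation check below does."""
    owner = hosted_zones.get(domain.lower())
    if owner is not None and owner != account:
        raise PermissionError(f"{domain} is already hosted by account {owner}")


def assign_legacy(domain, account, hosted_zones):
    """Weak behaviour: first free pair, no look at the domain's live delegation."""
    _refuse_if_hosted_elsewhere(domain, account, hosted_zones)
    return NS_POOL[0]


def assign_checked(domain, account, hosted_zones):
    """Hardened behaviour: never hand out a pair that overlaps the pair the
    domain is already delegated to, so the new zone cannot become authoritative."""
    _refuse_if_hosted_elsewhere(domain, account, hosted_zones)
    live = set(lookup_delegation(domain) or ())
    for pair in NS_POOL:
        if not (live & set(pair)):
            return pair
    raise RuntimeError(f"no pair in the pool avoids {sorted(live)} for {domain}")


def zone_would_be_authoritative(domain, assigned_pair):
    """True when the assigned pair equals the live delegation: the resolver
    would hit the provider's servers and find the newly created zone."""
    return lookup_delegation(domain) == tuple(assigned_pair)


if __name__ == "__main__":
    for fn in (assign_legacy, assign_checked):
        pair = fn("dormant-brand.example", "acct-stranger", {})
        print(f"{fn.__name__}: {pair} -> authoritative: "
              f"{zone_would_be_authoritative('dormant-brand.example', pair)}")
```

The pool still has to be large enough that an alternative pair always exists, and the check has to run on every add, not only at first signup, since the article notes the same weakness lets an existing account add, delete or modify records for any domain delegated to the provider.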
Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness among hosting providers and registrars, and many providers simply aren’t convinced of the need to add this extra precaution.
“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”
from https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
starsteinmetz-blog · 6 years
Oversight (Arrangement Law).
Mistake from Simple fact: Where both the gatherings enter into an agreement are under an oversight regarding a matter of fact necessary to the agreement, the agreement is gap. A guy taking a look at a hippopotamus might in some cases be lured to pertain to a hippopotamus as a massive blunder; but he is actually also expecteded to admit that a lucky inadequacy stops him personally off creating such blunders. It is actually therefore necessary that you first off are familiar with concerning the typical membership website errors just before you set about the whole procedure. The third typical vehicle repair work mistake cars and truck managers make is not being actually available for discussion along with the technician regarding the repair process. Poor choices or even flawed processes can at times lead to errors, however that does not mean that every poor outcome is an oversight. As opposed to wallowing on the error you have actually created, concentrate on just what you can do to fix the concern. This is very important and need to be actually very carefully thought about when creating an instruction system especially made for you, and as your body system and also physical problem modifications so should your system. This was actually stated that Cullinan helped make the mistake after obtaining sidetracked when he tweeted a photo, which has given that been erased, from Emma Rock after she succeeded Absolute best Actress at 9:05 pm - simply mins before the greatest Picture goof. The most effective type of blunder is actually where the expenses are reduced however the knowing is actually high," Schoemaker says. There are actually disastrous errors that ruin a theory; but there are likewise dependent ones, which work in examining the security of an idea. When you have actually made your apologies to the others involved, your next action is actually to find what you need to carry out in order to patch factors up as well as fix your inaccuracy. 
This is actually the very main reason why oversights harm, to make sure that our team perform profit from all of them and don't make them repetitively. Both Gergen and Schoemaker stress that many companies seek folks that happened and brought in mistakes out in advance. Understanding being to become had merely from visible and specific truth, mistake is actually not a mistake of our expertise, yet a blunder from our opinion, providing assent to that which is actually certainly not accurate. Every terrific mistake possesses a halfway moment, a split second when it can be recalled and also probably corrected. All that takes is for one blunder to occur as well as every little thing you've operated so difficult to perform can be reduced in the blink of an eye. The one point they all have in common is the readiness to have a threat even if they may make blunders en route. From document masking, using redaction device plans and also redaction software application and lawful redaction, below are some of the standard oversights folks help make. And we all perform. Possibly our experts produce the very same blunder three times, however with any luck not four or even 5. Next opportunity you feel that you have actually slipped up, simply smile and also enjoy that you just created a large deposit into you experience account. This is actually far less complicated in an understanding culture compared to in a performance-focused society, in which mistakes are typically looked at much more harshly. Many individuals make the oversight from not securing the pre-approved finances prior to seeking properties. The longer you wait to address the error as well as your part in that, the even more time your customer, or your competition, needs to make their own narrative around just what took place and also what may happen in the future. 
Many individuals additionally discussed video recording footage from the minute, accentuating the expression that crossed Pharrell's skin when Jenna created the inaccuracy. You state that someone does one thing by mistake or even, in additional professional English, in error. Turning to the Middle East, he punished the 2003 infiltration from Iraq as possibly awful selection ever before created in the history from the country, and said risk-free areas ought to have been made within Syria and also purchased due to the USA' Gulf allies. You drop concentration when you live in the past times, when you keep the baggage of all the breakdowns you have actually made in your lifestyle. The second mistake lots of providers produce is to overlook and in some way miss out on the education from the vital significance from marketing. The particular errors our company will definitely consider within this short article are: They don't appropriately established their Gig, They say they'll cover anything, They over pledge and also under deliver, They don't compose the best they can, and also They just presume they're making money $4. Recognize that everyone which effectively journeys a worthwhile occupation road makes oversights at once or even an additional. Although our company have all heard the horror tales of people acquiring made use of by auto mechanics that have actually made ideas for fixings or even services that were not important, you don't want to run the risk of the chance that your auto mechanic is actually being actually honest with you, just because you are actually being affordable or . You can easily consistently request quotes as well as compare this along with four to five asks for as well as decide on the very best. Merryll Manning: Entraped On Puzzle Isle through John Howard Reid was actually published greater than twenty years ago in Australia. 
It is very important for you to avoid this oversight as well as be planned for other expenses like inspection prices, appraisal expenses, loan processing costs, etc There truly are actually indisputable, just selections you made accordinged to the viewpoints you had at the time. That was declared that Cullinan made the error after acquiring sidetracked when he twittered update an image, which has considering that been deleted, of Emma Rock after she won Best Starlet at 9:05 pm - just moments before the most effective Photo blunder. The best type of error is actually where the prices are actually low but the knowing is higher," Schoemaker states. Michael Keaton created the same blunder as Jenna - and on a considerably bigger phase - yet he failed to lose any type of rips for the blunder. In my THIRTEEN years as a Rhode Island Youngster Safekeeping Legal representative, I have actually observed lots of papas and mommies produce inane and also stupid decisions in the course of the training program of Rhode Isle Youngster Protection Proceedings. Make a checklist of the events coming from your life that you continuously emphasize and also can not seem to be to let go of. For every activity, write down exactly what your error was, exactly what you picked up from this blunder, and also something favorable you possess today due to the scenario. By staying clear of these common errors you will swiftly start becoming an effective communicator and also folks are going to begin respecting as well as admiring you even more. Some might be challenged by either determining one's personal, or others, for mistakes, or even by certainly not having the ability to have ownership of one's personal blunders. The issue with pointing the finger at other people for our blunder is actually that our experts will definitely suffer the discomfort and also outcomes from our error, however will not profit from that, and so bingo! 
Detailing in a non-defensive technique what resulted in the blunder may aid folks much better know why it occurred as well as how to avoid it down the road. If you loved this information and you would such as to obtain more information concerning yellow pages advert - simply click the up coming post - kindly see the page. Oversight # 4)) No Dating Funnel: A guy approaches a girl, individuals a smart opener, obtain's her telephone number, phones her a pair times later on, he sets up a first date and then they walk out. View that you perform not deliver a harsh consequence for a mistake that was actually provided beneficial effort. . V. USA, 66 C.C.P.A. 113, 118, C.A.D. 1231, 603 F. 2d 850, 853 (1979) (An oversight of truth is any blunder except an oversight of law." I.d.. at 855) Hynix, 414 F. Supp. Any kind of army leader that is sincere along with herself, or with those he's contacting, will accept that he has created errors in the request of armed forces energy. You as a human being actually can not prevent bring in mistakes as long as you function as well as handle along with folks.
jonboudposts · 7 years
What We Never Talk About When We Talk About Race
On 17 August 2017, Communities Secretary Sajid Javid said we need to have a talk in this country about sexual abuse, in the wake of Rotherham Labour MP Sarah Champion standing down from the Shadow Cabinet after her comments that Pakistani men only rape and abuse white girls.
This was in reference to the criminal case in which a group of eighteen men and one woman were jailed for grooming and sexually assaulting young girls in Newcastle.  The routine follows a well-worn structure; vulnerable young ladies not fully on the radar of social services or police, often coming from homes with problems that prevent the functioning of everyday life proceeding easily, are targeted by sexual offenders.
The response has, as ever, been extraordinary for the wrong reasons and equally followed a structure. The routine was to forget any action or circumstance carried out by anyone who is not one of the South Asian men who committed the crimes.  Almost like we were trying to promote racial intolerance and hide the terrible extent that child abuse runs in British society.
Sarah Champion does not want to discuss all this though.  During an interview on BBC Radio 4 Today programme on 10 August, she merely wanted to use this opportunity to bash the left and scream that we have a ‘problem with Pakistani men raping and abusing white girls’ in this country - apparently she is also concerned about increases in Islamophobia when she discusses this issue.  She went on to whine about a politically-correct conspiracy by management in social services to deny the ethnicity of perpetrators.
Here we go again.
Champion later went on to publish an article saying the same thing in the national hate rag The Sun; all while she was SC Minister for Women and Equalities.
Today the press are trying to make a big thing of her departure but frankly she got off lightly. The only criticism I have for the Labour leadership in this case is they did not fire Champion; instead letting her resign from her Shadow Cabinet position.  She is no better than a hate preacher and has no place in public life.
On the same edition of the Today programme, Lord Ken MacDonald made his now-oft-quoted point that this was ‘a profoundly racist crime’.  This is wrong from the off (prejudiced it might be but not racist) but also plays into the narrative.
Later on in the day we got some sense and balance, courtesy of Woman’s Hour, where Jenny Murray interviewed Laura Seebohm from an organisation called Changing Lives; plus Detective Inspector Claire Wheatley who worked on Operation Sanctuary. Changing Lives has been involved in helping out women with traumatic and abusive lives for ten years.
Laura spoke of the victims sharing treats like previous abuse, poor mental health and sexual violence in their lives; being groomed sometimes from childhood.  Girls and women in these situations often fail to come forward for fear they will not be believed.
DI Wheatley spoke of concerns that had existed over the victims’ behaviour and ‘certain lifestyle characteristics’, helping to create for many the feeling they were not victims and making it difficult to identify where abuse was taking place.  It was ‘absolutely the case’ some victims thought these criminals were their boyfriends according to Laura.
So by engaging with victims and support groups, a better understanding for all is achieved, sex offenders stopped and jailed and vulnerable people better empowered. Meanwhile, the media shouts about the criminal’s ethnicity and achieves nothing.
One result of this is to make victim services stronger and more bespoke; including knocking the police into line to take this shit seriously.  DI Wheatley talked of the ‘massive cultural change’ taken place within the police force in understanding sexual exploitation and moves to improve prevention. Funding cuts also made the job more difficult.
Both speakers agreed the case in Newcastle was extreme, not any kind of norm. Ongoing investigations involving white offenders have so far failed to catch media attention in the same way (though no doubt if some perpetrators turn out to be Eastern European they will be all over it).
Woman’s Hour made an effort along with their guests to look at the complex narrative going on, the details of the victims’ lives and what put them in harm’s way, the ‘reality of life’ as Laura put it of girls and young women known to social services for some time, perhaps through the criminal justice system or homelessness, with the sadly common drug and alcohol dependency thrown in too. In partnership with the police, Changing Lives were able to engage with the girls directly and help bring this case against their abusers, gaining a full understanding of the level of grooming.
It is a terrible judgement of the supposedly flagship news programme Today that they spit out their venomous shite; while Jenny Murray and co show them how it is done an hour later, but that is for another article.
But still, we need to talk about race.  Not avoid it and duck the important questions right?
The biggest problem with any discussion about race in Britain is we never talk about white people. White people are not a race it seems; we are just ‘normal’, average (well most of you are certainly that) and when we commit any crime, our race goes unmentioned.  In the case of child abuse, this is a particularly problematic oversight.
White people have fucked kids for years.  They like fucking their own kids; pre-teens in particular.  Within the institutions: the family; the scouts, sports clubs and public schools. The Catholic Church have fucked many unwanted, vulnerable children, they have taken away children birthed by vulnerable young girls who suffered moral judgement and then for many years taken into a form of slavery.
None of us talk about these crimes in the same way.  The Catholic Church is not seen as some humanity-hating outside force that has come into ‘our’ society from outside to pollute and destroy it.  Nobody tries to pull the crosses from around the necks of any woman walking down the street (thankfully).
Here’s another thing to discuss; the girls who were victimised here had something in common. ‘They were all white’ I hear you cry. They were all vulnerable too.  Why were they vulnerable?  
Lord MacDonald repeatedly referred to the idea of how these girls are seen as ‘trash’ who can be exploited easily. As other abuse scandals have shown, social services and the police were often directly involved in letting down the victims of these terrible crimes, either through lack of resources or on purpose.  We know police were often informed about inappropriate relationships between grown men and teenage girls and just as often this was dismissed.  Parents of victims were told their daughter had made a lifestyle choice; no investigation necessary.  Some were even suggested to be actively working as prostitutes (another group of people treated like worthless shit in Britain).  One officer in Newcastle was eventually fired because he refused to investigate one of the now-jailed perpetrators.  
Then the terrible news breaks and we hear from many quarters (such as known far right extremists) that we ‘knew’ this was happening all along.  Really?  Then why didn’t you do something about it big man?  Where have been the patrols of concerned white men and women in these towns and cities looking out for vulnerable white girls being pulled off the streets and into the clutches of Muslim sex beasts?  
British society sees these victims as trash.  Infamous polls have been taken where alarmingly high amounts of people respond that the way a woman dresses in public can lead to rape.  We pass groups of youths in the streets every day and do not give a rusty fuck what they are doing and who with.  The police are too busy to care.  The social services are fighting for dear life on skeletal budgets cut for political reasons.
I have heard it said that Muslim girls are never treated like this.  Well, some of them are and they suffer as much as anyone, but they also get ignored because they are not politically useful.  ‘Ah but what about the cultural aspect’ I hear some cry.
Let us talk about a cultural aspect here.  Young Muslim girls, as part of cultural practices, can be subjected to scrutiny in ways many (myself included) find invasive, with parents making decisions for them, etc. Again they are not the only group who live like this but it does happen.  One perhaps positive aspect though is parents have more potential to know where their kids are, certainly in the evening or later.
Young people are often vulnerable and like other groups, they are often this way because wider society and its institutions do not care about them or fail them in some way. There is no judgment from me towards parents or social workers or anyone else that does a job so hard it makes my head ache thinking about it; but where these failures take place, it produces vulnerability and it is not like the rest of society take up the slack on protection and care.
No doubt the perpetrators of all this vileness look down on their victims, but which sexual predators do not? In fact if you go to many places in the world including countries closer to home, there is often an assumption that English women and girls are ‘easy’.
Most of the people who claim to be worried about this are not.  It does not matter to them, just like everything else they complain about. Most live very materially-easy lives. You only really care about yourselves and the suffering of others is immaterial.  In order to justify this, certain narratives must be told, invented and firmly believed in to make you feel less horrible.
There is no South Asian Muslim sex conspiracy at work here; there are no councils who do not want to face the issue of ‘Muslim rape’ in their local areas and there is no concern for the victims among the far right scum who look to make political capital from these terrible situations.
So, another group of young girls were subjected to systematic sexual abuse at the hands of an organised gang of sexual predators, able to do so in part due to the low status the victims had in British society; a society where some of the most well known people and highest institutions have been directly involved in terrible acts of sexual abuse too and never been punished.  
Yes Mr Javid, let’s have a good, long talk about sexual abuse in Britain.
‘How long will this go on?’ screams the ever calm and balanced Daily Mail.  As long as Britain does not give a fuck about its most vulnerable.