A business merger or restructure can leave existing Internet domains suddenly surplus to requirements. So what’s the harm in simply allowing them to expire? Recent research highlights the perils of letting old domains slip out of your control…
Domain registry and expiry: what’s the deal?
Technically, you never actually own a domain name outright; you only ever lease it. So if it doesn’t get renewed, a domain name eventually ends up back on a domain registry database. From here, it can be passed on to a reseller - and can ultimately end up in the hands of a completely new user.
For IT managers, renewal of active domains is a routine admin matter. And in fact, most resellers enable you to set up an auto-renew arrangement so there’s no action required at your end. Even after the expiry date has passed, all major registries give you plenty of prompts and a generous grace period to re-register.
So it’s practically impossible to let a domain name expire ‘by mistake’. For it to fall out of your control, there has to be a conscious decision on your part not to renew it.
The problems with domain abandonment laid bare…
Of course, for most businesses the domain hosts not only the Web pages but also the email services. But if you have closed down the old Website and those old email addresses are no longer in use, what is the harm in simply letting the domain expire?
Threat 1: The Resurrected Website
After expiry and beyond the grace period, your old domain becomes available for re-registration. A threat actor takes charge of the domain and uses it to host a series of pages to pass themselves off as your company (bearing in mind that not all your customers will be aware of your recent rebrand).
Savvy scammers could even go a step further here. Let’s say they take a guess that you were using a marketing automation platform on the old site (MailChimp, for instance). Using the platform’s email-based password reset, which now delivers to an address on the domain they control, they gain access to a contact list of former customers and send out some amazing special offers to encourage a flurry of payments.
Chances are, either you or someone else would pick up on this fraud attempt pretty quickly and notify your local law enforcement agency. But this was a smash-and-grab raid. The scammers fully expected to be shut down within a short period - but not before they managed to elicit a batch of fraudulent payments, damaging your reputation in the process.
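The password-reset takeover described above only works because some service still sends its reset mail to an address on the domain being given up. The following script, an added example that is not part of the original article, audits a constructed inventory of service accounts against a set of domains slated for retirement and lists the accounts whose reset mail would land with whoever re-registers the domain, least protected first. The account names, addresses and domains are all constructed.

```python
# Added example, not from the original article: find service accounts whose
# password-reset mail would be delivered to whoever re-registers a retired
# domain. All names, addresses and domains below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    service: str        # e.g. a marketing-automation platform
    login_email: str    # address the service uses for login and password reset
    mfa_enabled: bool   # a second factor blunts a reset-only takeover


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def is_under(domain: str, zone: str) -> bool:
    """True if domain equals zone or is a subdomain of it
    (mail.oldfirm.example is lost together with oldfirm.example)."""
    domain, zone = domain.lower().rstrip("."), zone.lower().rstrip(".")
    return domain == zone or domain.endswith("." + zone)


def reset_exposed_accounts(accounts, retired_domains):
    """Accounts whose reset mail goes to a retired domain, riskiest first
    (accounts without MFA before those with it, then by service name)."""
    exposed = [
        a for a in accounts
        if any(is_under(email_domain(a.login_email), z) for z in retired_domains)
    ]
    return sorted(exposed, key=lambda a: (a.mfa_enabled, a.service))


# Constructed inventory: the domain being let go and the accounts tied to it.
RETIRED_DOMAINS = {"oldfirm.example"}
ACCOUNTS = [
    Account("MailChimp", "marketing@oldfirm.example", mfa_enabled=False),
    Account("Payroll", "finance@mail.oldfirm.example", mfa_enabled=True),
    Account("CRM", "sales@newfirm.example", mfa_enabled=False),
    Account("DNS registrar", "it@OldFirm.Example", mfa_enabled=False),
]

if __name__ == "__main__":
    for acct in reset_exposed_accounts(ACCOUNTS, RETIRED_DOMAINS):
        mfa = "MFA on" if acct.mfa_enabled else "NO MFA"
        print(f"{acct.service:15} {acct.login_email:32} {mfa}"
              "  -> move to a retained domain before expiry")
```

Run this before a domain is allowed to lapse, not after: every account it lists needs its login or recovery address moved to a domain you are keeping, and the matching is deliberately case-insensitive and subdomain-aware because a single registration covers every host beneath it.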
Threat 2: The Email Treasure Trove
A team headed up by security researcher Gabor Szathmari recently carried out an experiment to see how much information they could glean simply by re-registering the domain names of businesses.
The team focused on law firms, because last year saw a record number of law firm mergers - and with a new business comes a rebrand and, inevitably, the need for a new domain.
The team re-registered six abandoned business domains. They then changed the MX records of each domain to point at a catch-all email service, so that they received every message sent to any address at that domain.
In total, the team got hold of about 25,000 messages. Along with lots of spam, this also included a treasure trove of sensitive information relating to the firms and their clients, communications to staff and valuable financial information.
What’s more, by registering the domains with breach notification websites, the researchers were also able to gain access to passwords used by staff at the former firms. Given that so many people are still guilty of reusing passwords, this raised the possibility of logging into currently used services with the same passwords.
Over-zealous asset management can sometimes cause you problems. With the likes of SaaS subscriptions, it’s good practice to keep an eye out for under-used subscriptions and remove them from your IT estate. But domains are a different story: just because they are no longer used doesn’t mean you should lose control of them.
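Keeping control of a domain means two things in practice: the registration must not lapse, and a domain kept only as a placeholder should not quietly collect mail the way the researchers’ catch-all did. The script below, an added example that is not from the original article, audits a constructed domain inventory for both. Expiry dates are read from RDAP-style domain objects (the `events` list with an `expiration` action, as defined in RFC 9083); the `auto_renew` and `parked` flags are assumed inventory fields kept alongside the RDAP data, not part of RDAP itself. For parked domains it checks for a null MX record (RFC 7505) and a `v=spf1 -all` SPF record, which make mail delivery to the domain fail explicitly instead of landing wherever the MX happens to point. All domains, dates and records are constructed.

```python
# Added example, not from the original article: audit a domain inventory for
# two risks the article describes, losing the registration and leaking mail.
# RDAP 'events' with eventAction "expiration" follow RFC 9083; the auto_renew
# and parked flags are assumed inventory fields, and all data is constructed.
from datetime import datetime, timezone

NULL_MX = [(0, ".")]          # RFC 7505: "this domain accepts no mail"
SPF_REJECT_ALL = "v=spf1 -all"


def expiry_from_rdap(rdap: dict):
    """Return the expiration timestamp from an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            # fromisoformat() before Python 3.11 does not accept a trailing 'Z'
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def audit_domain(entry: dict, now: datetime, warn_days: int = 60) -> list:
    """Findings for one inventory entry; an empty list means nothing to do."""
    findings = []
    expiry = expiry_from_rdap(entry["rdap"])
    if expiry is None:
        findings.append("no expiration event in RDAP data")
    else:
        days = (expiry - now).days
        if days < 0:
            findings.append(f"expired {-days} days ago; renew within the grace period")
        elif days <= warn_days:
            findings.append(f"expires in {days} days")
    if not entry.get("auto_renew", False):
        findings.append("auto-renew is off")
    # A domain kept only so nobody else can take it should not collect mail:
    # a null MX plus '-all' SPF makes delivery (and spoofing) fail explicitly.
    if entry.get("parked", False):
        dns = entry["dns"]
        if dns.get("mx", []) != NULL_MX:
            findings.append(f"parked domain still has live MX {dns.get('mx', [])}")
        if SPF_REJECT_ALL not in dns.get("txt", []):
            findings.append(f"parked domain lacks '{SPF_REJECT_ALL}'")
    return findings


def audit_inventory(inventory: dict, now: datetime) -> dict:
    """Map each domain name to its list of findings."""
    return {name: audit_domain(entry, now) for name, entry in inventory.items()}


# Constructed inventory (hypothetical domains); RDAP objects trimmed to the
# fields this audit reads.
INVENTORY = {
    "newfirm.example": {                  # the live post-merger domain
        "rdap": {"events": [{"eventAction": "expiration", "eventDate": "2025-06-01T00:00:00Z"}]},
        "auto_renew": True, "parked": False,
        "dns": {"mx": [(10, "mx1.newfirm.example")], "txt": ["v=spf1 mx -all"]},
    },
    "oldfirm.example": {                  # old brand, retained but badly parked
        "rdap": {"events": [{"eventAction": "expiration", "eventDate": "2024-06-20T00:00:00Z"}]},
        "auto_renew": False, "parked": True,
        "dns": {"mx": [(10, "mail.oldfirm.example")], "txt": []},
    },
    "legacy-brand.example": {             # past expiry, parked correctly
        "rdap": {"events": [{"eventAction": "expiration", "eventDate": "2024-05-15T00:00:00Z"}]},
        "auto_renew": False, "parked": True,
        "dns": {"mx": NULL_MX, "txt": [SPF_REJECT_ALL]},
    },
}

AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed so the run is reproducible

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AUDIT_TIME).items():
        print(name, "->", "; ".join(findings) or "OK")
```

In a real deployment the RDAP objects would come from the registry’s RDAP service and the DNS records from a resolver, with the script run on a schedule; the fixed audit time and inline data here only make the example reproducible offline.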