Gabor Szathmari discusses how expired domain names can be used to hack law firms. He explains how domain names expire in Australia and how to find expired domains that may be valuable. Szathmari then details how he registered expired domain names related to law firms and began receiving sensitive emails, documents, and access to password recovery portals. He concludes by providing tips for preventing this type of attack and how red and blue teams can use expired domains.

1. Hacking law firms
with abandoned
domain names
“You had better keep your expiring domain names alive”

2. gabor:~$ whoami
Gabor Szathmari@gszathmari
Cyber security expert @ Iron Bastion
Privacy advocate @ CryptoAUSTRALIA

3. Which one is real?
OptusGames.com.au
TheWestPacCentre.com.au
wmWoolworthsMoneyCreditCard.com.au

4. @gszathmari

5. Overview
•How domain names die?
•How to find good domain names?
•Hacking law firms – The examples
•Tips for individuals & red/blue
teams

6. Let’s go!

7. How domain names die?
.au domain lapsing:
1. Active
2. ‘Expired Hold’ (30 days)
3. ‘Expired Pending Purge’ (1 day)
4. Purged at 1.00pm (AEST)
5. Available for new registration

9. How to find
good
domain names?

10. The manual method 1.
$ cat RO_expired-domain-
names_au_daily_2018-09-08.csv | grep law
2018-09-04,04:13:42,joshlawelectrical.com.au
2018-09-04,04:30:04,comslaw.org.au
2018-09-04,05:37:05,lawyersforbusiness.net.au
[…]

11. Keywords
Backlinks Dmoz rating
The manual method 2.

12. Workflow
1. Identify good sounding names
2. How the website looked like?  web.archive.org
3. Look up domain reputation
(for proxy and spam filter bypass)
4. Backlinks (DMoz / Ahrefs)
5. Register domain
6. Profit!

13. Hacking law firms
with abandoned
domains

14. Reasons to target law firms
•Merge and get acquired frequently
•Low-security businesses
•Manage sensitive data and high-value
payments

15. Reasons to NOT target law firms
#1: Tendency to sue people

16. What we did
1. Identified valuable expired
domain names
2. Registered domain name
3. Added our MX hosts – ‘catch all’
4. Started receiving emails

17. Question 1.
What are the auDA
requirements to register
a .com.au domain?

18. Question 1.
1. Must be one of these:
•Registered business
•Sole trader
•Incorporated association
•Trade mark owner
2. Must provide ABN/ACN/ARBN/TM#
3. Be able to tick a box

20. Loot #1:
Statements and
notifications

26. Text-to-email
service

27. Loot #2:
Legal documents

28. Family legal matter

29. Family legal matter

30. Tax invoice

31. Client enquiry

32. Negotiation strategy

33. Negotiation strategy

34. Bank statements

35. Par-tay! 🎉

36. Loot #3:
Password
recovery

38. Question 2.
What are the domain
verification methods on
‘Havibeenpwned’?

39. Question 2.
•Email – e.g. postmaster@
•Website – Meta tag and file upload
•DNS – TXT record

42. SpyCloud.com

44. Casual observation
Lawyers are:
•guilty of using crappy passwords
•tend to reuse them across multiple
websites

45. Loot #4:
Password
resets

65. Loot #5:
Professional-
specific portals

73. What else we could’ve accessed?
•NSW Online Registry
•PayPal (accounts@mylawfirm.com.au)
•Google AdWords
•G Suite admin panel
•Office 365 admin portal

74. Recap
•Sensitive data in emails
•List of email accounts at
haveibeenpwned
•Passwords from SpyCloud
•Password reset emails

75. How to prevent pwnage? (1/2)
•Keep renewing the domain name indefinitely;
•Close user accounts that were registered with the
business email address
(e.g. Dropbox, Commonwealth Courts Portal, PayPal);
•Change or remove the business email address from
online user accounts (e.g. LinkedIn, Facebook);

76. How to prevent pwnage? (2/2)
•Unsubscribe from email notifications that usually features
sensitive data (Text-to-email services, mobile phone billing
notifications);
•Advise your clients to update their address book;
•Enable two-factor authentication where the feature is
supported for online services; and
•Use unique and complex passwords.

77. Red Teams
Blue Teams

78. Abandoned versus new domains
Better reputation:
•Backlinks/SEO on Google
•Proxy category
•Spam – Not flagged as a newly
registered domain

79. Blue Teams – Protect my organisation
•Phishing against my organisation
•Information leakage (via ‘catch all’ email service)
•Shadow IT takeover (e.g. rogue Dropbox accounts)
•www. or *.  Web traffic / API traffic / iframe/
embedded content hijacking
•Haveibeenpwned, SpyCloud

80. Red Teams – Security assessments
•Ideal for phishing campaigns
•Gather leaked credentials
•Provides access to 3rd party
online services

81. Question 3.
Can you name three
domain reputation
services?*
* Used by proxy servers

82. Question 3.
• Fortinet - http://url.fortinet.net/rate/submit.php
• McAfee - https://www.trustedsource.org/en/feedback/url
• Trend Micro - https://global.sitesafety.trendmicro.com/index.php
• Symantec WebPulse Site Review -
https://sitereview.bluecoat.com/
• Barracuda Central -
http://www.barracudacentral.org/report/website-category

83. Tooling
•Ubuntu + Postfix + Dovecot
•Domain registration:
•Manual
•API – Above.com
•Domain backorders
•‘Drop catch’ services
(e.g. www.dropcatch.com, www.drop.com.au)

84. Summary
•Expired domains are tied to your
personal/professional online presence in
unexpected ways
•Overlooked attack vector (Red Teams)
•Achilles’s Heel of your organisation (Blue Teams)
•ProTip™️: Keep your domain names registered

85. Fun facts
In this research, we:
•Registered six abandoned domain names
•Received approximately 25,000 emails in
total
•Won $250,000 from Mark Zuckerberg
himself (we are yet to claim the prize)

86. Questions?
https://blog.gaborszathmari.me/2018/08/22/ha
cking-law-firms-abandoned-domain-name-
attack/
@gszathmari