A New Tactics Playbook Has Emerged - Expired Domain Scarfing

Over the last several weeks we have been investigating an issue that we have only seen a handful of times before. The attack itself is not new, but we are starting to see it used against popular domains, including domains used by campaigns for public office, corporate domains, Government IT and technology contractors, and security-related companies.

The attack is simple to execute and is giving attackers access to third-party systems through the ordinary password reset features on websites. Here's how it works.

How the attack is being carried out

1. A company or organization fails to renew a domain name that it has effectively abandoned

2. Threat actors register the domain and set up mail servers that accept messages to any address at it (wildcard / catch-all acceptance)

3. Threat actors then look through previous data dumps for information relevant to the domain, such as accounts registered with an email address at the domain

4. Threat actors then try those addresses against the password reset features of popular websites, such as hosting providers, official Government sites and other sites

5. If a successful response is seen, the original company's third-party account password is reset (the reset email is delivered to the attacker's catch-all mailbox) and the threat actor now has access to the original domain owner's account on that third-party website

We also believe that this method has been used to collect sensitive information on business operations. The only way to really prevent this is to ensure that you never let any domain expire. We started receiving reports of two-factor authentication tripping on accounts, and when we researched it we determined that these threat actors were attempting to reset a password and log in to a very specific account.
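A service operator can catch step 5 before the reset completes by comparing the age of the mailbox domain with the age of the account being reset: a domain registered after the account was created is the signature of a lapsed-and-retaken domain. The Python below is an added example and not Jigsaw's code; the registration dates and reset requests are constructed, and a real deployment would obtain the current registration's creation date from a WHOIS/RDAP lookup (assumed here, not shown).

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed WHOIS-style creation dates for each domain's current registration
# (in practice from an RDAP/WHOIS lookup, which is assumed rather than shown).
DOMAIN_REGISTERED: Dict[str, date] = {
    "example-campaign.org": date(2018, 3, 2),   # lapsed, then re-registered
    "example.com": date(2005, 1, 10),           # continuously held
}

# Constructed password-reset requests, as a third-party service might log them.
RESET_REQUESTS: List[dict] = [
    {"account": "treasurer", "email": "Treasurer@Example-Campaign.org",
     "created": date(2014, 6, 1), "requested": date(2018, 3, 9)},
    {"account": "ops", "email": "ops@example.com",
     "created": date(2016, 2, 1), "requested": date(2018, 3, 9)},
    {"account": "billing", "email": "billing@mail.example.com",
     "created": date(2017, 9, 1), "requested": date(2018, 3, 9)},
    {"account": "intern", "email": "intern@unknown-host.test",
     "created": date(2017, 9, 1), "requested": date(2018, 3, 9)},
]

def lookup_registration(email: str, registry: Dict[str, date]) -> Optional[Tuple[str, date]]:
    """Map a mailbox to the registered domain it falls under (walks parent labels)."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return candidate, registry[candidate]
    return None

def assess_reset(req: dict, registry: Dict[str, date], young_days: int = 90) -> Optional[str]:
    """Return a reason to hold the reset for manual review, or None if it looks normal."""
    hit = lookup_registration(req["email"], registry)
    if hit is None:
        return "domain-not-in-registry"
    _, registered = hit
    if registered > req["created"]:
        # Domain registered after the account existed: the original owner likely let it lapse.
        return "domain-registered-after-account"
    if (req["requested"] - registered).days < young_days:
        return "domain-younger-than-%d-days" % young_days
    return None

def flag_resets(requests: List[dict], registry: Dict[str, date]) -> List[Tuple[str, str]]:
    """Collect (account, reason) pairs for every request that should not auto-complete."""
    return [(r["account"], why) for r in requests if (why := assess_reset(r, registry))]
```

Flagged resets should be routed to a second factor or an out-of-band contact rather than emailed, since the mailbox is exactly what the attacker controls.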

Don't forget third-party phone and fax services

One additional note here: services like eFax or virtual PBX systems may also be vulnerable to the same attack using a phone or fax number previously assigned to a company, since those numbers are often used for account verification in the same way an email address is.


© 2017-2018 Jigsaw Security Enterprise Inc.
