An Australian company that manages internet domain name registrations acknowledged that it was partially responsible for a web domain hijacking that left Public Access Networks (Panix), a New York internet hosting company, without an internet address last weekend.
An error by Melbourne IT allowed fraudsters using stolen credit cards to take control of Panix.com, Public Access Networks internet domain, early last Saturday, US Eastern Standard Time, according to Ed Ravin, a Panix system administrator. The hijacking deprived some Panix customers of email access for two days, and shone a light on what some contend are holes in the system for managing internet domain transfers, according to Ravin and others.
Panix regained control of its internet domain on Monday, after Melbourne IT reversed the registration change that transferred ownership of Panix.com to an unknown party Saturday night. However, some customers were still experiencing problems on Tuesday as the transfer changes worked their way through the worldwide network of domain name servers that manage requests for internet addresses, Ravin says.
The hijackers somehow exploited a "loophole" in the process used to verify requests for domain transfers with the party that owns a web domain, according to an email message sent to Panix's founder and president Alexis Rosen from Bruce Tonkin, chief technology officer at Melbourne IT. About 5,000 customers were affected and some of them may have lost 100 or more email messages over the weekend, Rosen said in an interview.
According to a recently updated policy from the Internet Corporation for Assigned Names and Numbers (ICANN), requests to transfer domains between two domain registrars require the registrar who will be taking over control of an internet domain to receive approval for the transfer from an administrator at the "losing" registrar - the organisation that will be ceding control of a domain. ICANN also requires an email to be sent to both registrars involved in the transfer and allows five days for the losing registrar to cancel the transfer.
However, an error at Melbourne IT allowed an individual or individuals to use an account at Melbourne IT reseller Fibranet Services to gain control of the Panix.com domain without the permission of Panix staff or Panix.com's domain registrar, Dotster, in Washington, Tonkin wrote.
The administrative contact for the Panix domain at Dotster, the company's registrar, was not contacted before the transfer went through, as required by ICANN. Panix also was left in the dark about the transfer and only realised what was going on when it lost control of its domain on Saturday, Ravin said.
An investigation by Fibranet revealed that the account to which ownership of the Panix.com domain was transferred was fraudulent and set up with stolen credit cards, Tonkin said.
The loophole that led to the unauthorised transfer has been closed and Australian authorities are investigating the fraudulent account. Some security features do exist to prevent hijacking, including a domain registration locking feature that automatically denies transfer requests. However, such a feature was not used for the Panix domain, he wrote.
There is no evidence that misdirected email and web traffic were being harvested for information. The hijacking is probably an instance of internet "vandalism" that was intended to make a point, rather than siphon off sensitive information, Ravin said.