Email holds the keys to the kingdom. All your password resets go through email, and abandoning an old domain name makes it easy for attackers to re-register the old domain and get your stuff.
The problem is especially grave for law firms where partnerships form, dissolve, and merge often, security researcher Gabor Szathmari points out. A merger or acquisition typically involves either new branding for the new firm, with a new domain name to match, or the acquired firm dropping their old branding and domain name. Letting those old domains expire is dangerous.
"In the US, 2017 was a record year for top-tier law firm mergers with 102 mergers or acquisitions in the year," Szathmari writes, "At the small legal practice level, the number is likely to be in the thousands."
To test just how bad the problem is, Szathmari re-registered old domain names for several law firms that had merged, set up an email server, and without hacking anything, he says he received a steady stream of confidential information, including bank correspondence, invoices from other law firms, sensitive legal documents from clients, and updates from LinkedIn. (Szathmari is working to return the affected domain names to their original owners.)
Using abandoned domain names to commit fraud
The same technique, he says, could easily be used to commit fraud. "By reinstating an online web shop formerly running on an abandoned domain name," he writes in an email to CSO, "Bad actors could download the original web pages from archive.org, then take new orders and payments by posing as a fully functioning web shop."
"If the former web shop had a CRM system or MailChimp running marketing campaigns," he adds, "criminals could access the list of the former customers by taking over those accounts with an email-based password reset. They could offer them a special discount code to encourage them to submit orders which would never be delivered. The sky is the limit."
Expiring domain names are published daily by domain name registries in the form of domain name drop lists. It doesn't take a criminal mastermind to download those lists daily and cross-reference them against news of mergers and acquisitions in the relevant trade pubs, or just re-register any domain name that catches their fancy.
Szathmari was also able to use the re-registered domain names to access third-party breach passwords using HaveIBeenPwned.com and SpyCloud.com. Both services require domain name verification, an easily bypassed defense once you own the domain in question. Because password re-use remains rampant, Szathmari writes that he could easily have used those third-party passwords to compromise affected employees, including their business and personal lives.
How long should you hang onto those old domains for?
Better safe than sorry. Domain names aren't expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you'll ever purchase.
Szathmari recommends setting up a catch-all email service that redirects all incoming email to a trusted administrator, someone who can review correspondence addressed former and current staff, and password reset emails for online services.