ICANN warning against registrar impersonation phishing attacks


How realistic is an attack that hijacks a domain by social engineering the domain's registrar? Pretty realistic, according to the recently released advisory from ICANN's Security and Stability Advisory Committee (SSAC) on preventing Registrar Impersonation Phishing Attacks:

In this Advisory, SSAC describes generic forms of this type of attack. We consider types and formats of information included in legitimate email messages that various registrars use when corresponding with customers. We discuss how phishers manipulate these information types and formats to create a bogus correspondence that is designed to socially engineer the registrar's customer into visiting an impersonated registrar web site. The attacker designs the impersonated web site to dupe the customer into disclosing domain management account names and credentials. We discuss some of the current recommended practices to minimize or prevent phishing attacks employed by common phishing targets such as financial institutions and large corporations. We recommend measures that registrars can take to make their correspondences with registrants less "phishable" and identify ways for registrants to detect and avoid falling victim to this form of phishing.

Some of the most notable cases of domain hijacking, in which the attacker impersonated the real owner in order to socially engineer the registrar into giving up the domain, are the Panix.com incident (2005) and the Hushmail.com incident (2005); Sex.com, Nike.com and Ebay.de have also been victims of domain hijacking, the details of which you can find in a detailed retrospective of Domain Hijacking.

The attacks rely on basic social engineering tactics: visual spoofing of the registrar's login page, and personalization of the phishing email sent to the registrant using data obtained from the domain's public WHOIS record. What follows is a targeted mailing of the phishing email, carrying a URL in the following format. Note that the registrar's name (godaddy.com) appears only as subdomain labels; the domain that actually resolves is the attacker-controlled one at the end of the hostname (nextid.li, filxcii.tv, and so on):

myaccount.session-83040251 .godaddy.com. nextid.li/AccountConfirmation/account.aspx
myaccount.session-8787227 .godaddy.com. filxcii.tv/AccountConfirmation/account.aspx
myaccount.session-10677 .godaddy.com. userport.li/AccountConfirmation/account.aspx
myaccount.session-6104002 .godaddy.com. iriikfrt.ch/AccountConfirmation/account.aspx
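The check a registrant (or a mail gateway) can apply to URLs of this shape is to look at the registrable domain at the end of the hostname rather than at the brand name buried in the subdomain labels. The following is an added example written for this post, not code from the SSAC advisory or from any registrar: it strips the defanging spaces from the sample URLs above, extracts the registrable domain, and flags any hostname where a trusted registrar's domain appears somewhere other than as that registrable domain. The TRUSTED_REGISTRARS set and the tiny MULTI_LABEL_SUFFIXES stand-in for the Public Suffix List are assumptions for the example.

```python
"""Flag registrar-impersonating hostnames of the kind quoted above.

The trick being detected: the trusted name ("godaddy.com") is embedded as
leading subdomain labels, but the part that actually resolves under the
attacker's control is the registrable domain at the END of the hostname
("nextid.li").
"""
from urllib.parse import urlsplit

# Registrar domains we expect to see in legitimate correspondence.
# Assumed for this example; populate with the registrar(s) you use.
TRUSTED_REGISTRARS = {"godaddy.com"}

# A tiny stand-in for the Public Suffix List, constructed for the example.
# Production code should use the real list (e.g. the publicsuffix2 package)
# so that "evil.co.uk" is not mistaken for "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

# The four hostnames shown in the post, kept in their defanged form.
SAMPLE_PHISHING_URLS = [
    "myaccount.session-83040251 .godaddy.com. nextid.li/AccountConfirmation/account.aspx",
    "myaccount.session-8787227 .godaddy.com. filxcii.tv/AccountConfirmation/account.aspx",
    "myaccount.session-10677 .godaddy.com. userport.li/AccountConfirmation/account.aspx",
    "myaccount.session-6104002 .godaddy.com. iriikfrt.ch/AccountConfirmation/account.aspx",
]


def normalize_host(raw: str) -> str:
    """Remove defanging whitespace / [.] and return the lower-cased hostname."""
    cleaned = raw.strip().replace(" ", "").replace("[.]", ".")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned  # urlsplit needs a scheme to find the host
    return (urlsplit(cleaned).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Return the domain a registrar would actually have sold: the last label
    plus the one before it, or one more when the suffix itself has two labels."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(raw_url: str) -> dict:
    """Classify one URL: suspicious when a trusted registrar's domain occurs as
    a run of labels inside the hostname but is NOT the registrable domain."""
    host = normalize_host(raw_url)
    reg = registrable_domain(host)
    padded = "." + host + "."  # so label boundaries can be matched exactly
    impersonates = sorted(
        r for r in TRUSTED_REGISTRARS if r != reg and ("." + r + ".") in padded
    )
    return {
        "host": host,
        "registrable": reg,
        "impersonates": impersonates,
        "suspicious": bool(impersonates),
    }


def scan(urls) -> list:
    """Return the classification of every suspicious URL in the input."""
    return [c for c in (classify(u) for u in urls) if c["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PHISHING_URLS):
        print(f"{hit['host']}: real domain is {hit['registrable']}, "
              f"impersonates {', '.join(hit['impersonates'])}")
```

The boundary check on ".godaddy.com." is deliberate: it matches the registrar name only as whole labels, so a legitimate myaccount.godaddy.com passes, while godaddy.com.nextid.li and godaddy.com.evil.co.uk are both flagged. Lookalike registrable domains such as notgodaddy.com or g0daddy.com are a different problem and are not caught by this check; that is where checking the registrar's real domain against a bookmark, rather than the link in the mail, still matters.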

The advisory contains practical tips for both registrars and registrants on protecting against such social engineering attempts, so it is worth going through.


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
