{"id":4460,"date":"2018-02-12T21:47:18","date_gmt":"2018-02-12T16:17:18","guid":{"rendered":"https:\/\/qadit.com\/blog\/?p=4460"},"modified":"2018-02-12T21:47:18","modified_gmt":"2018-02-12T16:17:18","slug":"domain-theft-strands-thousands-of-web-sites","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/domain-theft-strands-thousands-of-web-sites\/","title":{"rendered":"Domain Theft Strands Thousands of Web Sites"},"content":{"rendered":"<p><strong>Newtek Business Services Corp.<\/strong> [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business Web sites and some 40,000 managed technology accounts, had several of its core domain names stolen over the weekend. The theft shut off email and stranded Web sites for many of Newtek\u2019s customers.<\/p>\n<p>An email blast Newtek sent to customers late Saturday evening made no mention of a breach or incident, saying only that the company was changing domains due to \u201cincreased\u201d security. A copy of that message can be read <a rel=\"noopener\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/newtek1.pdf\" target=\"_blank\">here<\/a>\u00a0(PDF).<\/p>\n<p>In reality, three of their core domains were hijacked by a Vietnamese hacker, who replaced the login page many Newtek customers used to remotely manage their Web sites (<strong>webcontrolcenter[dot]com<\/strong>) with a live Web chat service. 
As a result, Newtek customers seeking answers to why their Web sites no longer resolved correctly ended up chatting with the hijacker instead.<\/p>\n<div class=\"wp-caption\"><a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/phpfreechat.png\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" width=\"597\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/phpfreechat.png\" class=\"wp-image-42518\" height=\"258\"><\/a><\/p>\n<p class=\"wp-caption-text\">The PHP Web chat client that the intruder installed on Webcontrolcenter[dot]com, a domain that many Newtek customers used to manage their Web sites with the company. The perpetrator can be seen in this chat using the name \u201cadmin.\u201d Click to enlarge.<\/p>\n<\/div>\n<p>In a follow-up email sent to customers <a rel=\"noopener\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/newtek2.pdf\" target=\"_blank\">10 hours later<\/a> (PDF), Newtek acknowledged the outage was the result of a \u201cdispute\u201d over three domains,\u00a0<b>webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com. <\/b><\/p>\n<p>\u201cWe strongly request that you eliminate these domain names from all your corporate or personal browsers, and avoid clicking on them,\u201d the company warned its customers. \u201cAt this hour, it has become apparent that as a result over the dispute for these three domain names, we do not currently have control over the domains or email coming from them.\u201d<\/p>\n<p>The warning continued: \u201cThere is an unidentified third party that is attempting to chat and may engage with clients when visiting the three domains.\u00a0It is imperative that you do not communicate or provide any sensitive data at these locations.\u201d<\/p>\n<p>Newtek did not respond to requests for comment.<\/p>\n<p>Domain hijacking is not a new problem, but it can be potentially devastating to the victim organization. 
In control of a hijacked domain, a malicious attacker could seamlessly conduct phishing attacks to steal personal information, or use the domain to foist malicious software on visitors.<\/p>\n<p>Newtek is not just a large Web hosting firm: It aims to be a one-stop shop for almost any online service a small business might need. As such, it\u2019s a mix of very different business units rolled up into one since its founding in 1998, including lending solutions, HR, payroll, managed cloud solutions, group health insurance and disaster recovery solutions.<\/p>\n<p>\u201cNEWT\u2019s tentacles go deep into their client\u2019s businesses through providing data security, human resources, employee benefits, payments technology, web design and hosting, a multitude of insurance solutions, and a suite of IT services,\u201d reads <a rel=\"noopener\" href=\"https:\/\/seekingalpha.com\/article\/4108064-newtek-business-services-corp-yielding-10-percent-afraid-get-hands-dirty\" target=\"_blank\">a Sept. 2017 profile<\/a> of the company at <strong>SeekingAlpha<\/strong>, a crowdsourced market analysis publication.<\/p>\n<div class=\"wp-caption\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" width=\"565\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/whoisnewtek.png\" class=\"wp-image-42526\" height=\"267\"><\/p>\n<p class=\"wp-caption-text\">Newtek\u2019s various business lines. 
Source: Newtek.<\/p>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" width=\"559\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/02\/whoisnewtek2.png\" class=\"wp-image-42525\" height=\"338\"><\/p>\n<p>Reached via the Web chat client he installed at webcontrolcenter[dot]com, the person who claimed responsibility for the hijack said he notified Newtek five days ago about a \u201cbug\u201d he found in the company\u2019s online operations, but that he received no reply.<\/p>\n<p>A Newtek customer who resells the company\u2019s products to his clients said he had to spend much of the weekend helping clients regain access to email accounts and domains as a result of the incident. The customer, who asked to remain anonymous, said he was shocked that Newtek made little effort to convey the gravity of the hijack to its customers \u2014 noting that the company\u2019s <a rel=\"noopener\" href=\"http:\/\/www.newtekone.com\" target=\"_blank\">home page<\/a> still makes no mention of the incident.<\/p>\n<p>\u201cThey also fail to make it clear that any data sent to any host under the domain could be recorded (email passwords, web credentials, etc.) by the attacker,\u201d he said. \u201cI\u2019m floored at how bad their communication was to their users. I\u2019m not surprised, but concerned, that they didn\u2019t publish the content in the emails directly on their website.\u201d<\/p>\n<p>The source said that at a minimum Newtek should have expired all passwords immediately and required resets through non-compromised hosts.<\/p>\n<p>\u201cAnd maybe put a notice about this on their home page instead of relying on email, because a lot of my customers can\u2019t get email right now as a result of this,\u201d the source said.<\/p>\n<p>There are a few clues that suggest the perpetrator of these domain hijacks is indeed being truthful about both his nationality and that he located a bug in Newtek\u2019s service. 
Two of the hijacked domains were moved to a Vietnamese domain registrar (inet.vn).<\/p>\n<p>This individual gave me an email address to contact him at \u2014 <strong>hd2416@gmail.com<\/strong> \u2014 although he has so far not responded to questions beyond promising to reply in Vietnamese. The email is tied to two different Vietnamese-language social networking profiles.<\/p>\n<p>A search at <a rel=\"noopener\" href=\"https:\/\/www.domaintools.com\" target=\"_blank\">Domaintools<\/a>\u00a0indicates that this address is linked to the registration records for four domains, including one (giakiemnew[dot]com) that was recently hosted on a dedicated server operated by Newtek\u2019s legacy business unit Crystaltech [full disclosure: Domaintools is an advertiser on this site]. Recall that crystaltech[dot]com was among the three hijacked domains.<\/p>\n<p>In addition, the domain giakiemnew[dot]com was registered through <strong>Newtek Technology Services<\/strong>, a domain registration service offered by Newtek. This suggests that the perpetrator was in fact a customer of Newtek, and perhaps did discover a vulnerability while using the service.<\/p>\n<p><b>Read the Full Article here: <a href=\"https:\/\/krebsonsecurity.com\">Krebs on Security<\/a><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Newtek Business Services Corp. [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business Web sites and some 40,000 managed technology accounts, had several of its core domain names stolen over the weekend. The theft shut off email and stranded Web sites for many of Newtek\u2019s customers. 
An email blast Newtek sent to customers &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/domain-theft-strands-thousands-of-web-sites\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Domain Theft Strands Thousands of Web Sites&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[293],"class_list":["post-4460","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-wonder-information"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-19W","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4460"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4460\/revisions"}],"predecessor-version":[{"id":4461,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4460\/revisions\/4461"}],"wp:attachment":[{"href":"https:\/\/qa
dit.com\/blog\/wp-json\/wp\/v2\/media?parent=4460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}