
Abandoned domains may pose threat

A research group headed by Gabor Szathmari demonstrated the risks associated with domain names that their owners have abandoned for some reason. If the registration of a domain name is not renewed, the registrar sets a grace period (usually 30 days) during which the previous owner can still reclaim it. If that does not happen, the domain becomes available for purchase. Many services publish lists of such domains divided into groups, for example by business sector.

To carry out their experiment, the researchers purchased several domains that previously belonged to Australian legal companies. Together with the domain names, they gained access to the corresponding email. They set up a catch-all function, which collects email sent to any address on the domain (even addresses that no longer exist) in a single inbox. According to Bleeping Computer, a month later the researchers had about 25,000 emails containing, in addition to spam, notifications, reports, requests and other important information from the previous owners’ clients and partners.

The risks go further than that. As a rule, the corporate email address is used for password resets in various online services. The researchers successfully went through all the steps leading up to resetting the password of the G Suite account tied to their email address. They decided not to reset the password on ethical grounds. In addition, it is widely known that employees often use their corporate email to register on social networks such as Twitter, Facebook and LinkedIn. The researchers managed to receive all the information needed to reset the passwords of former staff of the company that previously owned the domain, so they were able to steal their personal data.

Gabor Szathmari and his colleagues strongly recommend that domain owners, businesses and organizations above all, consider the results of their research. The best way to avoid the problems they described is, of course, to renew the domain registration on time. If a company ceases to exist or does not want to continue using its domain for some reason, it must take preventive measures. At the very least, it should notify its clients and partners that it is no longer using the domain and the corresponding email addresses, unsubscribe from all notifications that contain sensitive details, and delete the corporate email accounts. Current and former employees should also change the email addresses associated with their social network accounts. Finally, the researchers add that two-factor authentication will protect against account hijacking in most cases.
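The recommendations above can be turned into a routine inventory check. The following is an added example, not code from the article or the researchers: it flags accounts whose recovery address sits on a domain that is expiring, in its grace period, or already lapsed, and lists accounts without two-factor authentication first. The domain names, dates, account list and the 60-day warning window are constructed assumptions.

```python
from datetime import date

GRACE_DAYS = 30   # "usually 30 days" per the article; registrars differ
WARN_DAYS = 60    # assumed renewal warning window

def domain_state(expiry, today):
    """Classify a registration by its expiry date."""
    days_left = (expiry - today).days
    if days_left > WARN_DAYS:
        return "active"
    if days_left >= 0:
        return "expiring"
    if -days_left <= GRACE_DAYS:
        return "grace"      # previous owner can still reclaim it
    return "lapsed"         # anyone may register it and receive its mail

SEVERITY = {"lapsed": 0, "grace": 1, "unknown": 2, "expiring": 3}

def audit(accounts, domains, today):
    """Return accounts whose recovery address sits on an at-risk domain."""
    findings = []
    for service, email, has_2fa in accounts:
        domain = email.rsplit("@", 1)[-1].lower()
        expiry = domains.get(domain)
        state = domain_state(expiry, today) if expiry else "unknown"
        if state == "active":
            continue
        findings.append({"service": service, "email": email,
                         "state": state, "has_2fa": has_2fa})
    # Worst first: lapsed domains, then accounts without 2FA
    findings.sort(key=lambda f: (SEVERITY[f["state"]], f["has_2fa"]))
    return findings

# Constructed sample inventory (reserved .example names, invented dates)
DOMAINS = {
    "oldfirm.example": date(2018, 6, 1),
    "mergedfirm.example": date(2018, 8, 20),
    "newfirm.example": date(2019, 9, 1),
}
ACCOUNTS = [
    ("g-suite-admin", "admin@newfirm.example", True),
    ("linkedin", "j.doe@oldfirm.example", False),
    ("twitter", "press@OldFirm.example", True),
    ("facebook", "office@mergedfirm.example", False),
    ("billing-portal", "accounts@partner.example", False),
]

if __name__ == "__main__":
    for f in audit(ACCOUNTS, DOMAINS, today=date(2018, 9, 5)):
        print(f"{f['state']:9} 2fa={f['has_2fa']!s:5} {f['service']:15} {f['email']}")
```

An "unknown" finding means the recovery address is on a domain missing from the inventory, which is worth resolving before the account can be considered safe.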
