A security researcher commandeered a country’s expired top-level domain to save it from hackers
In mid-October, a little-known but critically important domain name for one country’s internet space began to expire.
The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.
Clearly, a domain of such importance wasn’t supposed to expire; someone in the Congolese government probably forgot to pay for its renewal. Luckily, expired domains don’t disappear immediately. Instead, the clock started on a grace period for its government owners to buy back the domain before it was sold to someone else.
By chance, Fredrik Almroth, a security researcher and co-founder of cybersecurity startup Detectify, was already looking at nameservers of country code top-level domains (or ccTLDs), the two-letter suffixes at the end of regional web addresses, like .fr for France or .uk for the United Kingdom. When he found this critical domain name was about to expire, Almroth began to monitor it, assuming someone in the Congolese government would pay to reclaim the domain.
But nobody ever did.
By the end of December, the clock was almost up and the domain was about to fall off the internet. Within minutes of the domain becoming available, Almroth quickly snapped it up to prevent anyone else from taking it over — because, as he told TechCrunch, “the implications are kind of huge.”
It’s rare but not unheard of for a top-level domain to expire.
In 2017, security researcher Matthew Bryant took over the nameservers of the .io top-level domain, assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains hack into companies and governments that use the same country-based domain suffix.
Read more on TechCrunch
Taking over a nameserver is not supposed to be an easy task because they are a vital part of how the internet works.
Every time you visit a website your device relies on a nameserver to convert a web address in your browser to the machine-readable address that tells your device where on the internet to find the site you’re looking for. Some liken nameservers to the phone directory of the internet. Sometimes your browser looks no further than its own cache for the answer, and sometimes it has to ask the nearest nameserver for the answer. But the nameservers that control top-level domains are considered authoritative and know where to look without having to ask another nameserver.
With control of an authoritative nameserver, malicious hackers could run man-in-the-middle attacks to silently intercept and redirect internet users going to legitimate sites to malicious webpages.
These kinds of attacks have been used in sophisticated espionage campaigns aimed at cloning websites to trick victims into handing over their passwords, which hackers use to get access to company networks to steal information.
Worse, Almroth said with control of the nameserver it was possible to obtain valid SSL (HTTPS) certificates, allowing for an attacker to intercept encrypted web traffic or any email mailbox for any .cd domain, he said. To the untrained eye, a successful attacker could redirect victims to a spoofed website and they would be none the wiser.
“If you can abuse the validation schemes used to issue certificates, you can undermine the SSL of any domain under .cd as well,” Almroth said. “The capabilities of being in such a privileged position is scary.”
Almroth ended up sitting on the domain for about a week as he tried to figure out a way to hand it back. By this point the domain had been inactive for two months already and nothing had catastrophically broken. At most, websites with a .cd domain might have taken slightly longer to load.
Since the remaining nameserver was running normally, Almroth kept the domain offline so that whenever an internet user tried to access a domain that relied on the nameserver under his control, it would automatically timeout and pass the request to the remaining nameserver.
In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.
We reached out to the Congolese authorities for comment but did not hear back.
ICANN, the international non-profit organization responsible for internet address allocation, said country code top-level domains are operated by their respective countries and its role is “very limited,” a spokesperson said.
For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a cryptographically more secure technology that makes it nearly impossible to serve up spoofed websites. One network security engineer who asked not to be named as they were not authorized to speak to the media questioned whether DNSSEC would be effective at all against a top-level domain hijack.
At least in this case, it’s nothing a calendar reminder can’t solve.
In mid-October, a little-known but critically important domain name for one country’s internet space began to expire. The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker…
