The Chinese company in charge of handing out domain names ending in ".top" has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in ".com."
Image: Shutterstock.
On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD).
Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.
"Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse," the ICANN letter reads (PDF).
ICANN's warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. Representatives for the company have not responded to requests for comment.
Domains ending in .top were represented prominently in a new phishing report released today by the Interisle Consulting Group, which sources phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus.
Interisleβs newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.
Source: Interisle Consulting Group.
ICANN said its review was based on information collected and studied about .top domains over the past few weeks. But the fact that high volumes of phishing sites are being registered through Jiangsu Bangning Science & Technology Co Ltd. is hardly a new trend.
For example, more than 10 years ago the same Chinese registrar was the fourth most common source of phishing websites, as tracked by the APWG. Bear in mind that the APWG report excerpted below was published more than a year before Jiangsu Bangning received ICANN approval to introduce and administer the new .top registry.
Source: APWG phishing report from 2013, two years before .top came into being.
A fascinating new wrinkle in the phishing landscape is the growth in scam pages hosted via the InterPlanetary File System (IPFS), a decentralized data storage and delivery network that is based on peer-to-peer networking. According to Interisle, the use of IPFS to host and launch phishing attacks, which can make phishing sites more difficult to take down, increased a staggering 1,300 percent, to roughly 19,000 phishing sites reported in the last year.
Last year's report from Interisle found that domain names ending in ".us", the top-level domain for the United States, were among the most prevalent in phishing scams. While .us domains are not even on the Top 20 list of this year's study, ".com" maintained its perennial #1 spot as the largest source of phishing domains overall.
A year ago, the phishiest domain registrar by far was Freenom, a now-defunct registrar that handed out free domains in several country-code TLDs, including .tk, .ml, .ga and .cf. Freenom went out of business after being sued by Meta, which alleged Freenom ignored abuse complaints while monetizing traffic to abusive domains.
Following Freenom's demise, phishers quickly migrated to other new low-cost TLDs and to services that allow anonymous, free domain registrations, particularly subdomain services. For example, Interisle found phishing attacks involving websites created on Google's blogspot.com skyrocketed last year more than 230 percent. Other subdomain services that saw a substantial growth in domains registered by phishers include weebly.com, github.io, wix.com, and ChangeIP, the report notes.
Interisle Consulting partner Dave Piscitello said ICANN could easily send similar warning letters to at least a half-dozen other top-level domain registries, noting that spammers and phishers tend to cycle through the same TLDs periodically, including .xyz, .info, .support and .lol, all of which saw considerably more business from phishers after Freenom's implosion.
Piscitello said domain registrars and registries could significantly reduce the number of phishing sites registered through their services just by flagging customers who try to register huge volumes of domains at once. Their study found that at least 27% of the domains used for phishing were registered in bulk, i.e. the same registrant paid for hundreds or thousands of domains in quick succession.
The report includes a case study in which a phisher this year registered 17,562 domains over the course of an eight-hour period (roughly 38 domains per minute) using .lol domains that were all composed of random letters.
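The bulk-registration signal Piscitello describes is easy to compute from a registry's own transaction log: count registrations per registrant in a sliding time window, and note whether the labels look like random letters, as in the .lol case study. The following is an added example, not code from Interisle, ICANN or any registry; the log format, the registrant names, the one-hour window and the 50-domain threshold are all assumptions, and the random-letter heuristic (few vowels or a long consonant run) is a rough one of my own, not the report's method.

```python
import random
import string
from collections import defaultdict
from datetime import datetime, timedelta

VOWELS = set("aeiou")


def looks_random(label: str) -> bool:
    """Heuristic for machine-generated labels such as 'qzkxvrtwplm':
    very few vowels, or a long run of consonants. Hyphens split the label,
    only letters are counted, and labels under 8 letters are not judged."""
    parts = [p for p in label.lower().split("-") if p]
    letters = [c for p in parts for c in p if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = 0
    for part in parts:
        run = 0
        for c in part:
            if c.isalpha() and c not in VOWELS:
                run += 1
                longest_run = max(longest_run, run)
            else:
                run = 0
    return vowel_ratio < 0.2 or longest_run >= 4


def find_bulk_registrants(log, window=timedelta(hours=1), threshold=50):
    """Flag registrants who create at least `threshold` domains within any
    `window`. Returns per-registrant statistics that an abuse desk could use
    to hold the batch for review before the names go live."""
    by_registrant = defaultdict(list)
    for registrant, domain, ts in log:
        by_registrant[registrant].append((ts, domain))

    flagged = {}
    for registrant, events in by_registrant.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over sorted times
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        domains = [d for _, d in events]
        span_minutes = max((events[-1][0] - events[0][0]).total_seconds() / 60, 1.0)
        random_hits = sum(looks_random(d.split(".")[0]) for d in domains)
        flagged[registrant] = {
            "count": len(domains),
            "peak_in_window": peak,
            "per_minute": round(len(domains) / span_minutes, 1),
            "random_share": round(random_hits / len(domains), 2),
        }
    return flagged


# Constructed sample log (registrant, domain, timestamp): one ordinary
# registrant plus one bulk registrant creating 200 random-letter .lol domains
# two seconds apart. Every name and timestamp here is invented.
_rng = random.Random(7)
_t0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_LOG = [
    ("reg-normal", "example-shop.lol", _t0 - timedelta(days=10)),
    ("reg-normal", "secure-login.lol", _t0 - timedelta(days=3)),
    ("reg-normal", "family-photos.lol", _t0),
] + [
    ("reg-bulk", "".join(_rng.choices(string.ascii_lowercase, k=12)) + ".lol",
     _t0 + timedelta(seconds=2 * i))
    for i in range(200)
]

if __name__ == "__main__":
    for registrant, stats in find_bulk_registrants(SAMPLE_LOG).items():
        print(registrant, stats)
```

Only the bulk registrant is reported; the per-minute rate and the share of random-looking labels are what an analyst would look at next, since a legitimate brand-protection customer can also buy hundreds of names at once but rarely with labels like these.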
ICANN tries to resolve contract disputes privately with the registry and registrar community, and experts say the nonprofit organization usually only publishes enforcement letters when the recipient is ignoring its private notices. Indeed, ICANN's letter notes Jiangsu Bangning didn't even open its emailed notifications. It also cited the registry for falling behind in its ICANN membership fees.
With that in mind, a review of ICANN's public enforcement activity suggests two trends: One is that there have been far fewer public compliance and enforcement actions in recent years, even as the number of new TLDs has expanded dramatically.
The second is that in a majority of cases, the failure of a registry or registrar to pay its annual ICANN membership fees was cited as a reason for a warning letter. A review of nearly two dozen enforcement letters ICANN has sent to domain registrars since 2022 shows that failure to pay dues was cited as a reason (or the reason) for the violation at least 75 percent of the time.
Piscitello, a former vice president of security at ICANN, said nearly all breach notices sent out while he was at ICANN were because the registrar owed money.
"I think the rest is just lipstick to suggest that ICANN's on top of DNS Abuse," Piscitello said.
KrebsOnSecurity has sought comment from ICANN and will update this story if they respond.
ICANN said most of its investigations are resolved and closed through the initial informal resolution stage, and that hundreds of enforcement cases are initiated during this stage with the contracted parties who are required to demonstrate compliance, become compliant, and/or present and implement remediation plans to prevent the recurrence of those enforcement issues.
"It is important to take into account that, prior to issuing any notice of breach to a registrar or registry operator, ICANN Compliance conducts an overall contractual compliance 'health check' of the relevant contracted party," ICANN said in a written response to questions. "During this check, ICANN Compliance proactively reviews the contracted party's compliance with obligations across the agreements and policies. Any additional contractual violation found during these checks is added to the Notice of Breach. It is not uncommon for parties who failed to comply with contractual obligations (whether they are related to DNS Abuse, RDDS, or others) to also be in arrears with ICANN fees."
Update, 11:49 p.m. ET: Added statement from ICANN. Clarified Piscitello's former role at ICANN.
The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.
LastPass sent this notification to users earlier this week.
LastPass told customers this week they would be forced to update their master password if it was less than 12 characters. LastPass officially instituted this change back in 2018, but some undisclosed number of the company's earlier customers were never required to increase the length of their master passwords.
This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.
Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password, which was just eight characters. Nor was he ever forced to improve his master password.
That story cited research from Adblock Plus creator Wladimir Palant, who said LastPass failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.
For example, another important default setting in LastPass is the number of "iterations," or how many times your master password is run through the company's encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant said that for many older LastPass users, the initial default setting for iterations was anywhere from "1" to "500." By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000. Still, Palant and others impacted by the 2022 breach at LastPass say their account security settings were never forcibly upgraded.
Palant called this latest action by LastPass a PR stunt.
"They sent this message to everyone, whether they have a weak master password or not. This way they can again blame the users for not respecting their policies," Palant said. "But I just logged in with my weak password, and I am not forced to change it. Sending emails is cheap, but they once again didn't implement any technical measures to enforce this policy change."
Either way, Palant said, the changes won't help people affected by the 2022 breach.
"These people need to change all their passwords, something that LastPass still won't recommend," Palant said. "But it will somewhat help with the breaches to come."
LastPass CEO Karim Toubba said changing master password length (or even the master password itself) is not designed to address already stolen vaults that are offline.
"This is meant to better protect customers' online vaults and encourage them to bring their accounts up to the 2018 LastPass standard default setting of a 12-character minimum (but could opt out from)," Toubba said in an emailed statement. "We know that some customers may have chosen convenience over security and utilized less complex master passwords despite encouragement to use our (or others) password generator to do otherwise."
A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.
LastPass has always emphasized that if you lose this master password, that's too bad because they don't store it and their encryption is so strong that even they can't help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself, as opposed to having to interact with LastPass via its website. These so-called "offline" attacks allow the bad guys to conduct unlimited and unfettered "brute force" password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
A chart on Palant's blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone's master password. Palant said it would take a single high-powered graphics card about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
Image: palant.info
However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Meaning, LastPass users whose vaults were never upgraded to higher iterations and whose master passwords were weak (less than 12 characters) likely have been a primary target of distributed password-cracking attacks ever since the LastPass user vaults were stolen late last year.
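The iteration count works the way the preceding paragraphs describe: every extra round is one more hash computation per login for the user, but one more hash computation per guess for an offline attacker, so cracking cost grows linearly with the count and shrinks linearly with the number of GPUs thrown at it. The block below is an added illustration, not LastPass's code, and it assumes PBKDF2-HMAC-SHA256 as the stretching function (the article gives the iteration counts but not the algorithm); the one-GPU-year baseline at 500 iterations is the figure Palant is quoted with above, and the password policy check is a hypothetical helper of my own.

```python
import hashlib
import os
import time

# Default iteration counts as reported above for successive LastPass eras.
DEFAULT_ITERATIONS = {
    "early (low end)": 1,
    "early (high end)": 500,
    "2013": 5_000,
    "2018": 100_100,
    "2023": 600_000,
}
MIN_MASTER_LENGTH = 12  # the 2018 LastPass minimum cited above


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2
    (assumed algorithm). The same inputs always give the same key, which is
    exactly why a stolen vault can be attacked offline, guess by guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def account_weaknesses(master_password: str, iterations: int) -> list:
    """Hypothetical policy check: list the reasons an account is still on
    pre-2018 settings (short master password and/or low iteration count)."""
    issues = []
    if len(master_password) < MIN_MASTER_LENGTH:
        issues.append(f"master password shorter than {MIN_MASTER_LENGTH} characters")
    if iterations < DEFAULT_ITERATIONS["2018"]:
        issues.append(f"iteration count {iterations} below the 2018 default "
                      f"of {DEFAULT_ITERATIONS['2018']}")
    return issues


def relative_crack_time(iterations: int, gpus: int = 1,
                        baseline_iterations: int = 500,
                        baseline_years: float = 1.0) -> float:
    """Expected cracking time for the same password and hardware budget,
    scaled from the quoted baseline (about one GPU-year at 500 iterations).
    Cost is linear in iterations and divides evenly across parallel GPUs."""
    return baseline_years * iterations / baseline_iterations / gpus


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Time one derivation on this machine: a rough single-core proxy for
    what each attacker guess costs at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(repeats):
        derive_vault_key("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    for label, n in DEFAULT_ITERATIONS.items():
        print(f"{label:>18}: {n:>8} iterations, "
              f"~{relative_crack_time(n):>8.1f} GPU-years (1 GPU), "
              f"~{relative_crack_time(n, gpus=1000):>6.3f} years with 1,000 GPUs, "
              f"{seconds_per_guess(n) * 1000:7.2f} ms per guess here")
    print(account_weaknesses("hunter22", 500))
```

Running the main block shows the two effects side by side: the per-guess time climbs from microseconds at 500 iterations to hundreds of milliseconds at 600,000, and the 1,000-GPU column shows why the chart's single-card figures are an upper bound once an adversary can spread the work across a mining-scale fleet.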
Asked why some LastPass users were left behind on older security minimums, Toubba said a βsmall percentageβ of customers had corrupted items in their password vaults that prevented those accounts from properly upgrading to the new requirements and settings.
"We have been able to determine that a small percentage of customers have items in their vaults that are corrupt and when we previously utilized automated scripts designed to re-encrypt vaults when the master password or iteration count is changed, they did not complete," Toubba said. "These errors were not originally apparent as part of these efforts and, as we have discovered them, we have been working to be able to remedy this and finish the re-encryption."
Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis, said LastPass made a huge mistake years ago by not force-upgrading the iteration count for existing users.
"And now this is blaming the users ('you should have used a longer passphrase'), not them for having weak defaults that were never upgraded for existing users," Weaver said. "LastPass in my book is one step above snake-oil. I used to be, 'Pick whichever password manager you want,' but now I am very much, 'Pick any password manager but LastPass.'"
Asked why LastPass isn't recommending that users change all of the passwords secured by the encrypted master password that was stolen when the company got hacked last year, Toubba said it's because "the data demonstrates that the majority of our customers follow our recommendations (or greater), and the probability of successfully brute forcing vault encryption is greatly reduced accordingly."
"We've been telling customers since December of 2022 that they should be following recommended guidelines," Toubba continued. "And if they haven't followed the guidelines we recommended that they change their downstream passwords."
It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware, as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
The Barracuda Email Security Gateway (ESG) 900 appliance.
Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization's network and scan all incoming and outgoing email for malware.
On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).
In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.
But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace (not patch) affected appliances.
"Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned. "Barracuda's recommendation at this time is full replacement of the impacted ESG."
In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost, and that not all ESG appliances were compromised.
"No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability," the company said. "If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time."
Nevertheless, the statement says that "out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance."
"As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability," the statement continues. "Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device."
Rapid7's Caitlin Condon called this remarkable turn of events "fairly stunning," and said there appear to be roughly 11,000 vulnerable ESG devices still connected to the Internet worldwide.
"The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn't eradicate attacker access," Condon wrote.
Barracuda said the malware was identified on a subset of appliances that allowed the attackers persistent backdoor access to the devices, and that evidence of data exfiltration was identified on some systems.
Rapid7 said it has seen no evidence that attackers are using the flaw to move laterally within victim networks. But that may be small consolation for Barracuda customers now coming to terms with the notion that foreign cyberspies probably have been hoovering up all their email for months.
Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI), said it is likely that the malware was able to corrupt the underlying firmware that powers the ESG devices in some irreparable way.
"One of the goals of malware is to be hard to remove, and this suggests the malware compromised the firmware itself to make it really hard to remove and really stealthy," Weaver said. "That's not a ransomware actor, that's a state actor. Why? Because a ransomware actor doesn't care about that level of access. They don't need it. If they're going for data extortion, it's more like a smash-and-grab. If they're going for data ransoming, they're encrypting the data itself, not the machines."
In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.
Update, June 9, 11:55 a.m. ET: Barracuda has issued an updated statement about the incident, portions of which are now excerpted above.