Customers have to make quick switch to avoid security risk and potential outages.

I frequently write about domain name theft. Usually, the only loss in the theft is the domain name. But it can be much worse.

Three domain names belonging to Newtek Business Services Corp. (NASDAQ:NEWT) were recently stolen, as Brian Krebs explains in a post today. Unfortunately, customers used these domain names to access and point to their web services, potentially leading to outages and leaked information.

Krebs details Newtek’s bungled response in his post, but let’s dig a bit deeper into the domain theft.

The three stolen domains were webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com.

Looking at historical Whois records at DomainTools brings up many interesting points.

First, Newtek is a Tucows reseller and managed all of these domains through its reseller account. I wonder if it also helped customers register domains through its reseller account and if any customer domains were also susceptible to the hack.

Second, the thief or thieves moved the domain names to three different registrars: P.A. Viet Nam Company Limited, INET Corporation and GMO Internet, respectively. There are a few possible reasons for this:

  • There were multiple thieves
  • The domains were moved to multiple registrars to make it more difficult to recover them quickly
  • Three different registrars were used to reduce the chances of detection during the theft

Third, the theft of at least one domain occurred a couple of weeks ago and went undetected. DomainTools has a historical record for CrystalTech[dot]com dated January 31, 2018 that shows the domain had already been transferred to GMO.

Companies (especially web service providers) should always track their registrations through a service such as DomainTools or DomainIQ to be alerted if their domains change.
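A minimal sketch of that kind of change alert, added here as an example and not taken from DomainTools, DomainIQ or anyone named in this post: it diffs two WHOIS snapshots of a domain and rates the change. The example.com snapshots, the dates and the severity tiers are constructed assumptions, and fetching the records is left to whatever monitoring job you run.

```python
import re

# Watched WHOIS fields (standard "Key: value" output). Assumption: your
# monitoring job stores one snapshot per day and passes two of them in here.
WATCHED = ("Registrar", "Registrant Email", "Name Server", "Updated Date")
HIGH = {"Registrar", "Registrant Email"}   # control of the registration moved
MEDIUM = {"Name Server"}                   # traffic can be redirected

def parse_whois(text):
    """Return {field: sorted lowercase values} for the watched fields."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m and m.group(1) in WATCHED:
            record.setdefault(m.group(1), set()).add(m.group(2).lower())
    return {k: sorted(v) for k, v in record.items()}

def diff_records(baseline, current):
    """Return {field: (old_values, new_values)} for each field that changed."""
    return {f: (baseline.get(f, []), current.get(f, []))
            for f in WATCHED if baseline.get(f, []) != current.get(f, [])}

def severity(changes):
    """Rate a change set: None, 'low' (e.g. a renewal), 'medium' or 'high'."""
    if not changes:
        return None
    if HIGH & changes.keys():
        return "high"
    return "medium" if MEDIUM & changes.keys() else "low"

# Constructed sample snapshots (not real WHOIS data).
BASELINE = """Domain Name: EXAMPLE.COM
Registrar: Tucows
Updated Date: 2017-06-01T00:00:00Z
Registrant Email: hostmaster@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM"""
CURRENT = BASELINE.replace("Registrar: Tucows", "Registrar: GMO Internet") \
                  .replace("2017-06-01", "2018-01-20")

if __name__ == "__main__":
    changes = diff_records(parse_whois(BASELINE), parse_whois(CURRENT))
    print(severity(changes), changes)
```

A registrar change with untouched name servers and registrant email still rates as high here, which is the situation the CrystalTech record describes: the transfer had already happened before anything visibly broke.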

Fourth, all three domains had the same registrant contact email. This could have been a source of the hack, although NewtekOne.com, the company’s main domain name, was not stolen and used the same address.

Amazingly, Newtek’s stock opened up to begin the day. The company has been relatively quiet about the domain theft, but it’s something investors should dig into to understand its impact.
