[132399] in North American Network Operators' Group
RE: starwars.com subdomain hijacked?
daemon@ATHENA.MIT.EDU (Matt Disuko)
Mon Nov 22 12:19:45 2010
From: Matt Disuko <gourmetcisco@hotmail.com>
To: <ken@sizone.org>, NANOG <nanog@nanog.org>
Date: Mon, 22 Nov 2010 12:19:38 -0500
In-Reply-To: <20101122170521.GL20665@sizone.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I'm surprised by the sequence of events here..
domain "novator2.com" is registered with DomainsAtCost.ca.
domain "novator2.com" expires...
gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com? 1550507.ca?
;; ANSWER SECTION:
shop.starwars.com. 1655 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 1655 IN A 74.54.152.75
;; AUTHORITY SECTION:
novator2.com. 160201 IN NS dns2.yourdomainhasexpired.com.
novator2.com. 160201 IN NS dns.yourdomainhasexpired.com.
Redir'd to an advert site, instead of a default "DomainsAtCost.ca" holding page or...nowhere.
Apparently quickly renewed and "given back" to the original owners.
Who's at play here? Does DomainsAtCost have a deal with Rebel.com? Or are they the same company?
It all seems fishy to me. Is this normal practice?
> Date: Mon, 22 Nov 2010 12:05:21 -0500
> From: ken@sizone.org
> To: nanog@nanog.org
> Subject: Re: starwars.com subdomain hijacked?
>
>
> On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
> >Appears that it's a CNAME for shop.starwars.novator2.com.
> >
> >The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.
> >
> >-wil
>
> Smartest attack is to put up a page that looks exactly the same as the
> legit site, but with your own cheaper crappier knockoff starwars paraphernalia
> ('duke', 'tewey', 'princess luba') that you sell instead and make the huge
> profits.
>
> Not to give anyone any ideas that weren't obvious like 15 years ago.
>
> How anyone can tell the internet is legit at a glance is beyond me. Need
> to hook up firefox's security warning to my speakers to get a modicum of
> alert that SSL is busted, to start, never mind anything more creative.
>
> That phishers manage to fake sites that look wrong is also beyond me, what's
> so hard about 'save page as'?
>
> /kc
> --
> Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
>
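The chain in the dig output at the top of this message (shop.starwars.com CNAME to a name under novator2.com, whose nameservers sit under yourdomainhasexpired.com) is the pattern a zone owner wants to catch before the third-party domain lapses. The following audit script is an added example for this thread, not code from any of the posters or from NANOG. It walks CNAME chains over a constructed in-memory record set (no live DNS queries), so the record list, the own-domain list, the TEST-NET addresses and the example.net target are all constructed for illustration; only the starwars.com, novator2.com and yourdomainhasexpired.com names come from the thread. It flags every CNAME whose chain ends under a registrable domain the operator does not own, ends on a name with no address record (dangling), or loops, and reports which domain operates the external target's nameservers so the record can be reviewed against the registrar's expiry date.

```python
"""Audit CNAME records for delegation to domains outside the zones you control.

Added example for this thread; not code from the original posts. Operates on
a constructed record set, so it runs offline.
"""
from collections import defaultdict

# Constructed sample records, modelled on the dig output quoted in the thread.
# Addresses other than the one from the thread use 192.0.2.0/24 (TEST-NET-1).
RECORDS = [
    ("shop.starwars.com.", "CNAME", "shop.starwars.novator2.com."),
    ("shop.starwars.novator2.com.", "A", "74.54.152.75"),
    ("novator2.com.", "NS", "dns2.yourdomainhasexpired.com."),
    ("novator2.com.", "NS", "dns.yourdomainhasexpired.com."),
    ("www.starwars.com.", "CNAME", "web.starwars.com."),      # constructed: internal alias
    ("web.starwars.com.", "A", "192.0.2.10"),                  # constructed
    ("loop.starwars.com.", "CNAME", "loop.starwars.com."),    # constructed: self-referencing CNAME
    ("cdn.starwars.com.", "CNAME", "assets.cdn.example.net."),  # constructed: target has no records
]


def registrable_domain(name: str) -> str:
    """Approximate the apex a registrar sells as the last two labels.

    Assumption for this example: two-label apexes only. Real tooling should
    consult the Public Suffix List so that names like example.co.uk work.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def index_records(records):
    """Group rdata by (owner, type) so chain walking is a dict lookup."""
    idx = defaultdict(list)
    for owner, rtype, rdata in records:
        key = (owner.rstrip(".").lower(), rtype.upper())
        idx[key].append(rdata.rstrip(".").lower())
    return idx


def follow_cname(name, idx, max_hops=8):
    """Walk CNAME records from `name`; return (chain, status).

    status is one of "resolved", "dangling" (final name has no A/AAAA),
    "loop" (a name repeats) or "too-long" (more than max_hops aliases).
    """
    chain = [name.rstrip(".").lower()]
    seen = {chain[0]}
    while True:
        targets = idx.get((chain[-1], "CNAME"))
        if not targets:
            break
        nxt = targets[0]  # a name may legally carry only one CNAME
        if nxt in seen:
            return chain, "loop"
        if len(chain) >= max_hops:
            return chain, "too-long"
        chain.append(nxt)
        seen.add(nxt)
    final = chain[-1]
    has_address = bool(idx.get((final, "A")) or idx.get((final, "AAAA")))
    return chain, "resolved" if has_address else "dangling"


def audit_cnames(records, own_domains):
    """Report CNAMEs that end outside own_domains, dangle, or loop."""
    idx = index_records(records)
    own = {d.rstrip(".").lower() for d in own_domains}
    findings = []
    for owner, rtype, _ in records:
        if rtype.upper() != "CNAME":
            continue
        chain, status = follow_cname(owner, idx)
        apex = registrable_domain(chain[-1])
        if apex in own and status == "resolved":
            continue  # internal alias that resolves: nothing to review
        # Who serves the external apex? A nameserver operator unrelated to the
        # target's own domain (as with novator2.com above) deserves a look.
        ns_hosts = idx.get((apex, "NS"), [])
        findings.append({
            "name": chain[0],
            "final_target": chain[-1],
            "target_apex": apex,
            "status": status,
            "ns_operators": sorted({registrable_domain(h) for h in ns_hosts}),
        })
    return findings


if __name__ == "__main__":
    for f in audit_cnames(RECORDS, ["starwars.com"]):
        print(f"{f['name']} -> {f['final_target']} [{f['status']}] "
              f"apex={f['target_apex']} ns_operators={f['ns_operators']}")
```

Run against the constructed set, the script reports shop.starwars.com as resolving but under a foreign apex served by nameservers at yourdomainhasexpired.com, the loop record as a loop, and cdn.starwars.com as dangling; www.starwars.com stays quiet because it aliases a name inside the operator's own zone. Feeding it a real zone export and pairing each flagged apex with its registrar expiry date is the check that would have surfaced the novator2.com dependency before the domain lapsed.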