[132714] in North American Network Operators' Group


Re: starwars.com subdomain hijacked?

daemon@ATHENA.MIT.EDU (Rich Lafferty)
Tue Nov 30 10:27:56 2010

From: Rich Lafferty <rich@lafferty.ca>
Resent-From: Rich Lafferty <rich@lafferty.ca>
In-Reply-To: <BLU156-w41C3A86C0380684EA01A12C93D0@phx.gbl>
Date: Tue, 30 Nov 2010 10:14:04 -0500
Resent-To: NANOG <nanog@nanog.org>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Novator (Canadian web-shopping company, used to be FTD's big partner) is responsible for shop.starwars.com so I think all that's happened here is Novator forgot to renew a domain.

domainsatcost.ca is rebel.com is Momentous.ca and they own yourdomainhasexpired.com.

 -Rich


On 22 Nov 10, at 12:19 PM, Matt Disuko wrote:

>
> I'm surprised by the sequence of events here..
>
> domain "novator2.com" is registered with DomainsAtCost.ca.
>
> domain "novator2.com" expires...
>
> gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com?  1550507.ca?
>
> ;; ANSWER SECTION:
> shop.starwars.com.      1655    IN      CNAME   shop.starwars.novator2.com.
> shop.starwars.novator2.com. 1655 IN     A       74.54.152.75
>
> ;; AUTHORITY SECTION:
> novator2.com.           160201  IN      NS      dns2.yourdomainhasexpired.com.
> novator2.com.           160201  IN      NS      dns.yourdomainhasexpired.com.
>
> Redir'd to an advert site, instead of a default "DomainsAtCost.ca" holding page or...nowhere.
>
> Apparently quickly renewed and "given back" to the original owners.
>
> Who's at play here?  Does DomainsAtCost have a deal with Rebel.com?  Or are they the same company?
>
> It all seems fishy to me.  Is this normal practice?
>
>
>
>> Date: Mon, 22 Nov 2010 12:05:21 -0500
>> From: ken@sizone.org
>> To: nanog@nanog.org
>> Subject: Re: starwars.com subdomain hijacked?
>>
>>
>> On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
>>> Appears that it's a CNAME for shop.starwars.novator2.com.
>>>
>>> The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.
>>>
>>> -wil
>>
>> Smartest attack is to put up a page that looks exactly the same as the
>> legit site, but with your own cheaper crappier knockoff starwars paraphernalia
>> ('duke', 'tewey', 'princess luba') that you sell instead and make the huge
>> profits.
>>
>> Not to give anyone any ideas that weren't obvious like 15 years ago.
>>
>> How anyone can tell the internet is legit at a glance is beyond me. Need
>> to hook up firefox's security warning to my speakers to get a modicum of
>> alert that SSL is busted, to start, nevermind anything more creative.
>>
>> That phishers manage to fake sites that look wrong is also beyond me, what's
>> so hard about 'save page as'?
>>
>> /kc
>> --
>> Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
>> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
>>

--
Rich Lafferty
rich@lafferty.ca
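The dig output quoted in the thread shows the pattern worth checking for in your own zones: a CNAME whose final target sits in a registrable domain you do not control, and whose delegation (the NS set) has changed hands. The script below is an added example, not code from the thread or from any of the companies named in it. It walks CNAME chains against a constructed, in-memory record snapshot modelled on the quoted dig answer; the example.org and example.net names, the 192.0.2.10 address and the list of parking NS suffixes (seeded only with the one seen in the thread) are assumptions for illustration. It runs offline; to use it live you would replace the RECORDS dict with real answers from a resolver.

```python
"""Added example: walk CNAME chains offline and flag targets whose zone is
now served by someone else (the expired third-party CNAME seen in the
thread), or that no longer resolve at all.

The resolver data is a constructed snapshot modelled on the dig output
quoted above plus two hypothetical names for contrast; nothing is queried
live."""

# NS suffixes that indicate an expired-domain parking service. Only the one
# observed in the thread is listed; extend from your own observations.
PARKING_NS_SUFFIXES = ("yourdomainhasexpired.com.",)

# Constructed zone snapshot: owner name -> list of (type, rdata).
RECORDS = {
    # Modelled on the thread's dig output.
    "shop.starwars.com.": [("CNAME", "shop.starwars.novator2.com.")],
    "shop.starwars.novator2.com.": [("A", "74.54.152.75")],
    "novator2.com.": [("NS", "dns2.yourdomainhasexpired.com."),
                      ("NS", "dns.yourdomainhasexpired.com.")],
    # Hypothetical healthy in-house CNAME.
    "www.example.org.": [("CNAME", "cdn.example.org.")],
    "cdn.example.org.": [("A", "192.0.2.10")],
    "example.org.": [("NS", "ns1.example.org.")],
    # Hypothetical CNAME whose target no longer resolves at all.
    "blog.example.net.": [("CNAME", "blog.gone-host.example.")],
    "example.net.": [("NS", "ns1.example.net.")],
}


def lookup(records, name, rtype):
    """Return rdata values of the given type at an owner name (empty if none)."""
    return [rdata for rtype_, rdata in records.get(name, []) if rtype_ == rtype]


def registrable_domain(name):
    """Last two labels of a name. Simplification: a production check should
    use the Public Suffix List so that names like foo.co.uk are handled."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def walk_cname(records, name, max_hops=8):
    """Follow CNAMEs from name; return the chain [name, ..., final target].
    A loop or an over-long chain raises instead of spinning."""
    chain = [name]
    for _ in range(max_hops):
        targets = lookup(records, chain[-1], "CNAME")
        if not targets:
            return chain
        chain.append(targets[0])
    raise ValueError("CNAME chain too long or looping: %s" % " -> ".join(chain))


def zone_ns(records, name):
    """Climb from name toward the root and return the first NS set found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        ns = lookup(records, ".".join(labels[i:]) + ".", "NS")
        if ns:
            return ns
    return []


def assess(records, name):
    """Classify one owner name: no-cname, ok, dangling (target has no
    address) or hijacked (target zone delegated to a parking service)."""
    chain = walk_cname(records, name)
    result = {"name": name, "chain": chain, "findings": []}
    if len(chain) == 1:
        result["verdict"] = "no-cname"
        return result
    target = chain[-1]
    if registrable_domain(target) != registrable_domain(name):
        result["findings"].append("third-party")
    if any(ns.endswith(PARKING_NS_SUFFIXES) for ns in zone_ns(records, target)):
        result["findings"].append("parked-ns")
    if not lookup(records, target, "A") and not lookup(records, target, "AAAA"):
        result["findings"].append("no-address")
    if "parked-ns" in result["findings"]:
        result["verdict"] = "hijacked"
    elif "no-address" in result["findings"]:
        result["verdict"] = "dangling"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    owners = sorted(n for n, rrs in RECORDS.items()
                    if any(t == "CNAME" for t, _ in rrs))
    for owner in owners:
        r = assess(RECORDS, owner)
        print("%-20s %-9s %s  [%s]" % (owner, r["verdict"],
                                        " -> ".join(r["chain"]),
                                        ", ".join(r["findings"])))
```

The "third-party" finding is the one to act on before anything goes wrong: every CNAME in your zone that lands in a registrable domain someone else pays for is a dependency on that party's renewals, and a snapshot like this only catches the problem after the delegation has already moved. Tracking the expiry of those target domains, rather than waiting for the NS set to change, is the check the thread's incident calls for.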