Email is an essential service for all businesses, including legal practices. Email is not only a primary communication channel but is also required for registering with online services and profession-specific portals. When law firms merge or wind up, their internet domain names are often abandoned, allowing anyone to re-register and take ownership of the former firm’s domain name. The new owner can then, among other things, take control of the former firm’s email service. This research report demonstrates how domain name abandonment attacks pose a significant cyber threat to the legal profession and other businesses, and recommends measures that legal practices and other businesses can take to stop this threat.

Update (18/09/2018): Read the high-level summary of this research on Iron Bastion’s security blog.

Update (12/09/2018): Our slides from SecTalks Sydney are available here.

Domain name abandonment allows cybercriminals to gain access to, or reset passwords for, online services and profession-specific portals. These online services store documents, emails and other information relating to a legal practice, including financial details, personal information, confidential information and client-legal privileged information.

The goal of this research is to raise awareness of a common practice in the legal profession, and in other businesses, of allowing domain names to expire after mergers and acquisitions. We give practical tips at the conclusion of this report on how legal practices and technology providers can defend legal practices and other businesses against domain name abandonment attacks.

A domain name is the foundation of every business

Email is an essential service in every business, and the effect of a company losing control over its email service is devastating, even if the company has merged or shut down. Sensitive information and documents are routinely exchanged over email between clients, colleagues, vendors and service providers for convenience. Consequently, if a bad actor takes control of an entire business’s email service, that sensitive information can end up in the wrong hands.

The value of a hacked email account (Source: krebsonsecurity.com)

Besides being used for communication, an email address is commonly required for signing up to online services. People often change jobs and end up with multiple user accounts on these services, and the old accounts are usually abandoned rather than closed. Online services typically rely on a single factor to reset passwords: access to the registered email address alone is enough to regain access if the password is forgotten. Consequently, whoever controls the domain and is able to set up a basic email service can capture password reset emails for every account ever registered with an address on that domain.

In short, bad actors can re-register the abandoned domain of a business and take full control of its email service, configuring it to:

receive email correspondence sensitive in nature; and

use the email accounts to reset passwords to online services.

What happens when a domain name expires

Once someone stops paying for an internet domain name, the registration status of the domain goes through various stages before it is deleted. Once the final grace period ends, the domain name is abandoned. In other words, the domain name of the former business becomes available for anyone to re-register, with no check that the new registrant has any connection to the former owner. Re-registering abandoned domains is a well-known technique amongst SEO professionals and spam trap operators, but it is not well known to cybersecurity professionals as a security risk.

On any given day, an average of about a thousand ‘.au’ domain names expire (‘.au’ being the country code top-level domain, or ccTLD, for Australia). The list of expiring domain names is public and is published daily as a simple CSV file. This list allows you to watch for valuable domain names that are due to expire and register them as soon as they are dropped and become available.

The list of expiring domains is public

All you need to do is monitor the public list for domain names featuring keywords you are interested in, such as ‘law’ or ‘legal’, and re-register them with your preferred domain registrar.
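As an added example (not code from the original report or from Iron Bastion), the following Python script shows how such a keyword watch can be automated over a daily CSV drop list. The column names, the sample rows and the business’s own former-domain inventory are constructed assumptions; the real list’s layout should be checked before use. Beyond plain keyword matching, it also flags any domain from a business’s own inventory of retired names, which is the same check a defender would want to run against the same public list.

```python
"""Keyword monitor for a daily 'expiring domains' CSV list.

Added illustration, not the report's own tooling. The CSV layout
(columns 'domain' and 'drop_date') and the rows are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample in the assumed layout; not a real drop list.
SAMPLE_DROP_LIST = """domain,drop_date
smithlegal.com.au,2018-09-20
harbourlawyers.com.au,2018-09-20
bobsplumbing.com.au,2018-09-20
flawlessbakery.com.au,2018-09-21
jonesandcolegal.net.au,2018-09-21
"""

# Words that suggest a legal practice. Longer keywords first so the
# strongest match wins before a shorter one is tried.
KEYWORDS = ("lawyers", "legal", "solicitors", "conveyancing", "law")


def parse_drop_list(text):
    """Parse CSV text into (domain, drop_date) tuples, earliest drop first."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        domain = row["domain"].strip().lower()
        drop = date.fromisoformat(row["drop_date"].strip())
        rows.append((domain, drop))
    return sorted(rows, key=lambda r: (r[1], r[0]))


def second_level_label(domain):
    """'smithlegal.com.au' -> 'smithlegal'.

    Simplification: the registrant's label is taken to be the leftmost one,
    which holds for the 'name.com.au'-style names in the sample."""
    return domain.split(".")[0]


def keyword_score(label, keywords=KEYWORDS):
    """2 if the label starts or ends with a keyword, 1 if a keyword only
    appears inside it (e.g. 'flawlessbakery' contains 'law'), 0 if none
    match. An edge-anchored match is the stronger signal; a mid-label hit
    is kept but ranked lower because it is often a false positive."""
    best = 0
    for kw in keywords:
        if label.startswith(kw) or label.endswith(kw):
            return 2
        if kw in label:
            best = 1
    return best


def find_candidates(text, keywords=KEYWORDS, own_domains=frozenset()):
    """Return drop-list entries worth watching: those matching a keyword and,
    regardless of keywords, any domain in own_domains (names the business
    itself once held). Sorted by drop date, then strongest match."""
    own = {d.lower() for d in own_domains}
    hits = []
    for domain, drop in parse_drop_list(text):
        score = keyword_score(second_level_label(domain), keywords)
        is_own = domain in own
        if score == 0 and not is_own:
            continue
        hits.append({"domain": domain, "drop_date": drop,
                     "score": score, "own": is_own})
    return sorted(hits, key=lambda h: (h["drop_date"], -h["score"], h["domain"]))


if __name__ == "__main__":
    # The own-domain inventory is a constructed example.
    for hit in find_candidates(SAMPLE_DROP_LIST, own_domains={"bobsplumbing.com.au"}):
        flag = "OWN " if hit["own"] else "    "
        print(f"{hit['drop_date']} {flag}score={hit['score']} {hit['domain']}")
```

Running the script daily against the real list and alerting on any `own` hit turns the same public data the attacker uses into an early warning that one of your retired domains is about to become available.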

Once the domain registration is complete, you control the domain’s DNS and can specify, by setting its MX records, which mail server receives the domain’s incoming email. Ownership of the domain name therefore means full control over the incoming email flow of the former business.

By setting up a simple catch-all email service, you can:

receive email correspondence addressed to former staff; and

receive password reset emails from online services.
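As an added example that is not part of the original report, the Python below models what such a catch-all does with the mail it receives. The alias lookup order follows the full-address-then-‘@domain’ order used by Postfix virtual_alias_maps (simplified: the intermediate bare-user lookup is omitted), and the triage step parses the captured messages to show which former addresses are still wired to which services. The domain, mailbox names and messages are all constructed for illustration.

```python
"""What a catch-all mailbox on a re-registered domain collects.

Added illustration, not the report's own code. Models (1) the alias lookup
order of a typical MTA and (2) a triage of captured mail. All names and
messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical re-registered domain.
DOMAIN = "oldfirm-lawyers.example"

# Alias table in the style of a Postfix virtual_alias_maps file: exact
# addresses first, then the '@domain' catch-all entry.
ALIAS_MAP = {
    "accounts@" + DOMAIN: "finance-capture@research-mailbox.example",
    "@" + DOMAIN: "catchall@research-mailbox.example",
}

# Phrases marking password-reset or account-verification mail. Constructed
# heuristics; extend for the services actually observed.
RESET_MARKERS = ("reset your password", "password reset", "verify your email",
                 "sign-in", "security code", "confirm your account")

# Constructed sample messages, not real captured mail.
SAMPLE_MAIL = [
    "From: no-reply@filesharing.example\n"
    "To: j.smith@oldfirm-lawyers.example\n"
    "Subject: Reset your password\n\n"
    "Click the link below to reset your password.\n",
    "From: statements@bank.example\n"
    "To: accounts@oldfirm-lawyers.example\n"
    "Subject: Your monthly statement\n\n"
    "Your statement for the trust account is attached.\n",
    "From: security@court-portal.example\n"
    "To: a.jones@oldfirm-lawyers.example\n"
    "Subject: Sign-in security code\n\n"
    "Your one-time code is 482913.\n",
    "From: promo@shop.example\n"
    "To: someone@unrelated.example\n"
    "Subject: Reset your password\n\n"
    "Not our domain; an MTA would reject this at SMTP time.\n",
]


def route(rcpt, alias_map=ALIAS_MAP):
    """Delivery address for an envelope recipient, or None to reject.

    Lookup order mirrors Postfix virtual_alias_maps: the full address, then
    the '@domain' catch-all. Any former staff address, known or not, thus
    resolves to the catch-all mailbox."""
    rcpt = rcpt.lower()
    if rcpt in alias_map:
        return alias_map[rcpt]
    domain = rcpt.rpartition("@")[2]
    return alias_map.get("@" + domain)


def classify(raw):
    """Parse one RFC 5322 message; label it 'reset' when the subject or body
    carries a reset/verification marker, otherwise 'other'."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    kind = "reset" if any(m in subject + "\n" + body for m in RESET_MARKERS) else "other"
    return {
        "to": parseaddr(msg["To"] or "")[1].lower(),
        "from_domain": parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower(),
        "kind": kind,
    }


def triage(raw_messages, alias_map=ALIAS_MAP):
    """Group captured mail by recipient: which former addresses are still
    registered with which sender domains, and how many reset-type mails
    each has drawn. Mail for other domains is skipped, as the MTA would
    have rejected it."""
    report = {}
    for raw in raw_messages:
        info = classify(raw)
        if route(info["to"], alias_map) is None:
            continue
        entry = report.setdefault(info["to"], {"services": set(), "reset": 0})
        entry["services"].add(info["from_domain"])
        if info["kind"] == "reset":
            entry["reset"] += 1
    return report


if __name__ == "__main__":
    for addr, entry in sorted(triage(SAMPLE_MAIL).items()):
        print(f"{addr}: delivered to {route(addr)}; "
              f"{entry['reset']} reset-type mail(s) from {sorted(entry['services'])}")
```

The point the model makes is that nothing about the former staff list needs to be known in advance: the ‘@domain’ entry accepts every address, and the triage output is effectively an inventory of the accounts that can now be reset.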

Having working access to the former business’s email addresses is powerful because password resets let you regain access to a myriad of services originally belonging to the former business and its staff.

For example:

email platforms — Office 365, G Suite;

shadow IT accounts signed up by individual employees for business use — particularly for file sharing — Dropbox, OneDrive, Google Drive;

practice management software — LEAP, SILQ, ActionStep;

legal portal software — LawConnect, GlobalX, Infotrack, VOI (verification of identity) providers;

online court portals — NSW Online Registry, Commonwealth Courts Portal;

government portals — Australian Taxation Office (ATO) Business Portal;

social media accounts — LinkedIn, Twitter, Facebook; and

online shopping services — eBay, PayPal, Amazon.

Legal practices merge and wind-up on a regular basis

Legal practices are established and wound up on a regular basis, just like any other business entity. What makes legal practices unique is that they frequently merge with each other or are acquired by another entity, and this often coincides with a name or brand change.

In the US, 2017 was a record year for top-tier law firm mergers with 102 mergers or acquisitions in the year. At the small legal practice level, the number is likely to be in the thousands.

Mergers and acquisitions are also frequent in Australia

After a merger or acquisition, one entity may drop its branding in favour of the other firm’s, or a new brand is created for the combined firm. Consequently, the internet domain names of the old businesses are often left to expire in the process.

On a broader scale, two out of three small businesses cease operating within the first three years of starting, according to the Australian Bureau of Statistics (ABS). This means that the domain names of many of these failed businesses are abandoned as well.

How we managed to get access to former law firms

Legal professionals rely on email to communicate with clients, and staff use their business email addresses to register for profession-specific legal services such as online court registries (e.g. the Commonwealth Courts Portal) as well as general online services like Dropbox.

As part of this research, we identified a handful of abandoned domain names formerly belonging to legal practices and re-registered them with the intention of reinstating their email service. We set up a catch-all email server and waited for incoming emails.

By taking full control of previously abandoned domain names, we were able to:

access confidential documents of the former clients;

access confidential documents of the former practice;

access confidential email correspondence; and

access personal information of former clients.

Also, we could have:

impersonated legal practitioners to defraud former clients and fellow practitioners;

regained access to the former legal practices’ Office 365 and G Suite accounts, potentially gaining access to any email and documents not deleted from those platforms; and

hijacked personal user accounts (LinkedIn, Facebook, etc.) of the legal professionals practising in their new jobs.

Opening Pandora’s Box

For this research, we hand-picked and re-registered domain names formerly belonging to legal practices in Australia. Once these domains were registered, we set up our private email server to receive emails addressed to the former legal practices.

Once the email server was ready to go, we:

sat back and waited for the emails to come in;

registered the domain name with data breach notification websites to collect email addresses and passwords belonging to former staff that had appeared in breaches; and

attempted to reset passwords on third-party online services.

In the following sections, we detail what we managed to gain access to and how we did it.

Emails with Sensitive Details

From the incoming emails we received, we noticed that many online services send their users newsletters, reports, statements and notifications containing confidential information.

We found that NAB, Commonwealth Bank and Bankwest are popular banks amongst legal practitioners in Australia: