Governance & Risk Management , Incident & Breach Response , Security Operations

Google Leaked Whois Data

282,000 Domain Admins at Risk from Fraudsters, Spammers

Google has warned Google Apps administrators that private Whois records - which list administrative and technical contact information for their domain - have been exposed. The leak, which affects more than 282,000 domains, places contacts for those domains at greater risk of identity theft attacks and spam campaigns, according to Cisco.

See Also: Top 5 Log Sources You Should Be Ingesting but Probably Aren't

In a March 12 email to affected customers, Google blamed the data breach on "a software defect in the Google Apps domain renewal system," which deactivated related privacy settings.

The leak of private Whois data, which began in mid-2013, was discovered by Craig Williams of Cisco's Talos Security Intelligence and Research Group on Feb. 19. He says he immediately notified Google, which began investigating and reported on Feb. 25 that related updates had been put in place to fix the problem.

But unfortunately for the more than 282,000 domain owners, their private Whois information has now been cataloged and made publicly available, Cisco says. "The reality of this Whois information leak is that it exposed [details] of hundreds of thousands of registration records - [for domains] that had opted into privacy protection, without their knowledge or consent, to the entire Internet," Cisco says in a blog post. "This information will be available permanently as a number of services keep Whois information archived."

In confirming the breach, a Google spokeswoman notes: "A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps' integration with the eNom domain registration API. We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."

Google didn't respond to a request to confirm Cisco's count of more than 282,000 domains having been exposed, or how users might mitigate related threats. But Cisco says: "We arrived at the number domains affected by this information leak by taking the total number of domains which were public when the issue was discovered and subtracting the number that were public after the issue was resolved."

Whois Data Exposed



Cisco shows how it spotted a mid-2013 spike in proxy services being turned off, which Google resolved in late February 2015.

What is Whois?

Whois is an Internet record listing system used to catalog who owns a domain name, as well as administrative and technical contact information for the site. Such information is required by the Internet Corporation for Assigned Names and Numbers, which regulates domain names.

"At least annually, a registrar must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of their domain name registration," ICANN says. "Registrants must review their Whois data, and make any corrections."

Even so, those who register domain names have long used fake contact information. In some cases, that's to mask illegitimate activity. But in many cases, it's simply because the data provided is publicly available and could be abused by fraudsters or spammers. And the ICANN requirement to furnish only legitimate information rarely seems to be enforced, except when malicious activity gets detected.

Private Registration, With Caveats

In recent years, many registrars have begun offering private registration services - a.k.a. proxy services - that substitute the registrar's contact information for the site owner's. This allows accurate information to still be stored and made available for legitimate purposes, for example in response to law enforcement requests. At the same time, it screens an individual's real name, mailing address and email address from being broadcasted to the entire world. Cisco says it's akin to paying extra to have one's name and phone number not be included in a public phone book.

But the use of Whois proxy services carries caveats. "It is also important to note that even if domain privacy services are leveraged, it is not necessarily a guarantee of true anonymity. Registrars may be bound by law to release private information," says DomainTools, which tracks domain name registration and hosting data.

Likewise, registrars may inadvertently leak the real Whois information, which Cisco says is what happened with Google Apps. Google was offering a proxy service for its administrators via domain name registrar eNom, to which 94 percent of the domains registered with the search giant - in partnership with eNom - had subscribed. But starting in 2013, Cisco found that Google had deactivated that privacy feature, thus broadcasting all of the information that the administrators had instructed it to obscure.

Google notified customers about the problem in a March 12 email:





Source: Cisco.

Risks: Spam, ID Theft

The risks to users are highlighted by eNom's identity protection service, which warns that Whois data can be used by attackers to target their spam attacks or perpetrate identity theft. "In America alone, there are an estimated 9 million cases of identity theft each year and 3 trillion spam emails sent each year," says eNom's pitch for its privacy protection service. "Spammers and thieves can get your information through your domain name's public record."

Indeed, Cisco warns that criminals are likely already harvesting contact information from domain registration records, and that all Google Apps administrators should beware of related attacks, such as spear-phishing. "As eNom points out, identify theft is also a possibility," Cisco warns. "To best protect themselves users are urged to adopt safe browsing habits and make use of layered defenses like anti-virus and anti-spam technology."