How to track down your expired domain names before hackers do

What happens when your organization’s domain name expires or changes? Expired domains don’t simply disappear, and they can even become attack routes into your organization. Recent news out of Belgium has highlighted the potential danger, with hundreds of expired domain names and email addresses of government services being found available for purchase online.

An ethical hacker, Inti De Ceukelaire, conducted a large-scale privacy investigation and came away with some unsettling results. He managed to buy 107 expired domain names for the small sum of €8 each. These domain names had belonged to police zones, hospitals, and social and legal government services. They in turn gave him access to 848 professional email addresses and hundreds of associated cloud storage accounts.

The risk from expired domains is relevant to organizations in Belgium and beyond. We’ll explore why all organizations should be paying attention to their expired domains and how they can keep track of the issue going forward.

Why should organizations be concerned?

Domain names identify organizations or individuals online. For example, outpost24.com is the primary (registered) domain name we use for our website. However, domain names don’t last forever. Organizations essentially rent the use of these names from a registrar and need to renew them at regular intervals. Sometimes entirely new domain names are needed, for example when an organization changes its name after a re-brand or merger, or ceases to exist entirely after a bankruptcy or closure.

So, what happens to the old domain name in these cases? It doesn’t cease to exist: it goes back on the market, and anyone can buy it. This brings risk, which is the point Inti De Ceukelaire proved by gaining access to personal data within the hundreds of email accounts connected to the 107 expired domains he purchased. Because he now controlled the domain’s mail, he was also able to trigger password reset emails and access the associated cloud storage services, such as Dropbox, Google Drive, and OneDrive, via those email addresses. These accounts contained lots of sensitive information.

Expired domains offer a relatively simple attack route for hackers. First, they look for organizations that have changed names (not hard to find online) and search for the old domains. They can purchase a domain for a small price, set up mail for it, and then investigate further to see whether email addresses and associated cloud storage accounts are still linked to it. At a price point of around €8 per domain, it’s well worth some trial and error for the hacker when the reward is potentially a treasure trove of data.

This attack route highlights the importance of being able to keep track of your expired and expiring domain names.

How can Outpost24’s Sweepatic help?

Sweepatic is our external attack surface management (EASM) solution, which can help you figure out if you have expired domains that could be available to purchase. We can also give you an overview of domains that are about to expire and help you figure out which domains are vulnerable for a takeover. This gives your organization the visibility you need and the time to act in order to close off attack routes.

All primary domains (the registrable apex domains, such as example.com) within an organization’s Sweepatic scope are enriched with WHOIS data. This lets us offer two ways to track your domain name status, including (but not limited to) domain name expirations. We’ll run through how both work below. If you’re an existing customer, you can start using these features right away (if you’re not already).

Not with us but interested to learn how EASM could fit in with your organization? Speak to an Outpost24 expert today.

1. EPP status

A new subcategory named ‘EPP status’ is now available within the Sweepatic platform. EPP (Extensible Provisioning Protocol) domain status codes indicate the status of a domain name registration. These codes show the domain’s working status, which operations are locked, and where the domain sits in its lifecycle (for example, a renewal grace period or a redemption period after expiry). They can be set by either the registrar (client status codes) or the registry (server status codes).

Examples of these codes include “addPeriod” (a grace period after initial registration), “autoRenewPeriod” (a grace period after a domain name registration period expires), “ok” (standard status with no holds or restrictions), and “serverTransferProhibited” (prevents transfer of the domain to another registrar).

Highlighted area shows where ‘EPP status’ can be found in the Sweepatic tracker

The generated observations use the following categories for the findings:

  • Unknown: EPP status of domain is unknown.
  • No EPP status entries: EPP status of domain is empty.
  • Pending delete w/ redemption period: EPP status indicates domain is pending deletion after a redemption period.
  • Pending delete: EPP status indicates domain is pending deletion.
  • Pending create: EPP status indicates domain is pending creation.
  • Pending restore: EPP status indicates domain is pending restore.
  • Pending renew: EPP status indicates domain is pending renewal.
  • Pending transfer: EPP status indicates domain is pending transfer.
  • All actions prohibited: EPP status prohibits all client actions. This is best practice.
  • No client actions prohibited: EPP status prohibits no client actions. Consider at least prohibiting client transfer.
  • Client transfer prohibited: EPP status prohibits client transfer. This is good practice. Ideally, prohibit client update, client delete and client transfer actions.
  • Some client actions prohibited: EPP status prohibits some client actions. Consider also prohibiting client transfer.
  • Client renew prohibited: EPP status prohibits client renew. Make sure this is desired.

Please note that an empty status generates a “?” score and doesn’t contribute to your scope score. All of the other observations have scores assigned to them. The most important EPP status to have is “clientTransferProhibited”: if at least this one is present, your observation will have a B score. If all recommended EPP status entries are present (clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited and clientUpdateProhibited), the score will be an A. The metadata tab of your observation shows which EPP status entries are present and which of the four recommended entries we consider to be missing.

In addition, please note that your score for the dimension of configuration may be affected due to this new observation.

2. WHOIS summary export

All primary domains (registrable apex domains) within your Sweepatic scope are now enriched with WHOIS data, and this information is dynamically refreshed. Next to enabling notifications about domain name expirations, you can now also download a CSV file to help you stay up to date with your domain status. The exported file includes the following information:

– Primary domains
– Domain expiration timestamp
– Platform refresh timestamp
– EPP status code

To export the CSV file, navigate to Assets > Domains > Export WHOIS summary.

Where the ‘Export WHOIS summary’ can be found in the Sweepatic UI
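To show how the EPP categories above and the exported WHOIS summary fit together in practice, here is an added example (not Sweepatic code and not from the original post) that reads a CSV in the shape of the export, normalises each row’s status field into bare EPP codes, maps the codes onto the observation categories and A/B scores described above, and flags domains that are weakly locked or that expire within a window. The column names, the 30-day warning window, the “C” score for the states whose score the post does not specify, and the sample rows are all assumptions constructed for the example.

```python
"""Review a WHOIS summary CSV: classify EPP status codes and flag expiring domains.

Added example for this post; it is not Sweepatic code. The CSV columns mirror the
export described above, the lock categories and A/B scores follow the post, and the
30-day warning window and the 'C' score for weaker states are assumptions.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Registrar-set locks the post recommends: all four give an 'A', the transfer lock alone a 'B'.
RECOMMENDED_LOCKS = {
    "clientDeleteProhibited",
    "clientRenewProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}
PENDING = ["pendingDelete", "pendingCreate", "pendingRestore", "pendingRenew", "pendingTransfer"]
CANONICAL = {c.lower(): c for c in RECOMMENDED_LOCKS | set(PENDING) | {"ok", "redemptionPeriod"}}


def parse_epp_codes(raw):
    """Turn a WHOIS/RDAP status field into a set of bare EPP codes.

    WHOIS prints 'clientTransferProhibited https://icann.org/epp#clientTransferProhibited'
    per entry, while RDAP prints 'client transfer prohibited'; both collapse to the code.
    """
    codes = set()
    for entry in re.split(r"[,;\n]", raw or ""):
        words = [w for w in entry.split() if not w.lower().startswith("http")]
        if not words:
            continue
        code = words[0] + "".join(w.capitalize() for w in words[1:])
        codes.add(CANONICAL.get(code.lower(), code))
    return codes


def classify_epp(codes):
    """Map a code set onto the post's observation categories; returns (category, score)."""
    if not codes:
        return "No EPP status entries", "?"
    if "pendingDelete" in codes and "redemptionPeriod" in codes:
        return "Pending delete w/ redemption period", "C"
    for code in PENDING:
        if code in codes:
            return "Pending " + code[len("pending"):].lower(), "C"
    locks = codes & RECOMMENDED_LOCKS
    if locks == RECOMMENDED_LOCKS:
        return "All actions prohibited", "A"
    if "clientTransferProhibited" in locks:
        return "Client transfer prohibited", "B"
    if locks == {"clientRenewProhibited"}:
        return "Client renew prohibited", "C"
    if locks:
        return "Some client actions prohibited", "C"
    return "No client actions prohibited", "C"


def days_to_expiry(timestamp, now):
    """Whole days until the registration expires (negative if already past); None if unparsable."""
    try:
        expires = datetime.fromisoformat(timestamp.strip().replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).days


def review_export(csv_text, now, warn_days=30):
    """One finding per CSV row; needs_action is set for weak locks or near/past/unknown expiry."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        category, score = classify_epp(parse_epp_codes(row.get("EPP status code")))
        days = days_to_expiry(row.get("Domain expiration timestamp"), now)
        expiring = days is None or days <= warn_days
        findings.append({
            "domain": row["Primary domains"],
            "category": category,
            "score": score,
            "days_to_expiry": days,
            "needs_action": expiring or score not in ("A", "B"),
        })
    return findings


# Constructed sample in the shape of the export; the real header names may differ.
SAMPLE_CSV = """Primary domains,Domain expiration timestamp,Platform refresh timestamp,EPP status code
example.com,2025-12-10T00:00:00Z,2025-01-20T08:00:00Z,"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited; clientRenewProhibited https://icann.org/epp#clientRenewProhibited; clientTransferProhibited https://icann.org/epp#clientTransferProhibited; clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited"
example.net,2025-01-25T00:00:00Z,2025-01-20T08:00:00Z,clientTransferProhibited https://icann.org/epp#clientTransferProhibited
example.org,2026-06-01T00:00:00Z,2025-01-20T08:00:00Z,ok https://icann.org/epp#ok
old-brand.example,2024-12-01T00:00:00Z,2025-01-20T08:00:00Z,"pendingDelete https://icann.org/epp#pendingDelete; redemptionPeriod https://icann.org/epp#redemptionPeriod"
legacy.example,2025-09-01T00:00:00Z,2025-01-20T08:00:00Z,
"""
NOW = datetime(2025, 1, 20, 12, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    for f in review_export(SAMPLE_CSV, NOW):
        flag = "ACTION" if f["needs_action"] else "ok"
        print(f"{flag:6} {f['domain']:18} {f['score']:2} {f['category']:36} expires in {f['days_to_expiry']} days")
```

Note how a domain whose status is simply “ok” (example.org in the sample) is flagged even though nothing is wrong with the registration itself: no registrar lock is set, so a compromised registrar account could transfer or delete it, which is exactly the condition the “No client actions prohibited” observation warns about.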

Get visibility over expiring domains

If you’re already a customer, get started with the above steps to gain visibility against expiring domains and close off potential attack routes. New to EASM? See Outpost24’s Sweepatic solution in action with a free attack surface analysis.

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.