Comcast.net domain name hijacked
Near midnight on May 28, two hackers gained control of Comcast's domain
management account at Network Solutions. The account controlled over
200 domains, including comcast.net, which hosts Comcast's consumer
portal and handles e-mail for many of its 14 million subscribers. The
hackers kept control of the domain for over five hours. They claim to
have used a combination of social engineering and a technical hack to
gain access to the account. By Internet Identity's reckoning, the
hackers made educated guesses about the password (social engineering)
and used a brute-force assault on Network Solutions' login page
(technical hack) to find the right password. At the time, Network
Solutions did not lock out an account after a high volume of failed
login attempts. For a first-person account from the hackers of the
takeover, please read
http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html
The implications of this domain name hijacking are scary. The hackers
that took over Comcast.net did not have truly nefarious intentions, but
they did make public a vulnerability that Internet Identity first
alerted the registrar community about in September 2007. ICANN
partially addressed this vulnerability with its SSAC Advisory on
Registrar Impersonation Phishing Attacks (26 May 2008)
http://icann.org/committees/security/sac028.pdf
The key takeaway is that a criminal can, with moderate effort, take
over the legitimate domain of a financial institution to operate
man-in-the-middle attacks or to replace the institution's legitimate
site entirely. DNS and e-mail flow can also be hijacked.
The domain name is the weakest point in the security for financial
institutions' websites. The attack against Comcast put a spotlight on
this serious problem that has so far been ignored by industry and
regulators alike. Over 94% of financial institutions use consumer
registrars that secure access to domain names with weak
username/password systems that are often vulnerable to a brute force
attack. No consumer registrars even offer two-factor authentication.
To make matters worse, many institutions do not closely control who has
access to their domain name accounts, so they do not even know where
their vulnerabilities are.
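The defect named above (a login page with no lockout after repeated failures) and the later point that most registrar accounts rest on a username/password that can be brute-forced both come down to the same missing control. The following is an added example, not code from Internet Identity, Network Solutions or Comcast: a minimal lockout guard of the kind a registrar login would need, with a constructed account, a constructed guess list and a manual clock so it runs offline and deterministically. The account name, password, thresholds and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """N failed logins within window_seconds lock the account for lockout_seconds.
    The numbers are assumptions for the example, not a registrar's real policy."""

    def __init__(self, max_failures=5, window_seconds=900.0, lockout_seconds=1800.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds


class ManualClock:
    """Injectable clock so the example and its checks are deterministic."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_password_record(password):
    """Salted PBKDF2 record; iteration count is an assumption for the example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(record, candidate):
    salt, digest = record
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)  # constant-time comparison


class LoginGuard:
    OK, BAD_PASSWORD, LOCKED = "ok", "bad_password", "locked"

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def _prune(self, account):
        # Drop failures that fell out of the sliding window.
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account, candidate, records):
        # A locked account is refused before the password is even checked,
        # so repeated guessing stops yielding information once the threshold is hit.
        if self.is_locked(account):
            return self.LOCKED
        record = records.get(account)
        # Unknown accounts get the same bookkeeping as real ones, so the
        # response does not reveal which usernames exist.
        if record is not None and verify_password(record, candidate):
            self._failures[account].clear()
            return self.OK
        self._prune(account)
        self._failures[account].append(self.clock())
        if len(self._failures[account]) >= self.policy.max_failures:
            self._locked_until[account] = self.clock() + self.policy.lockout_seconds
        return self.BAD_PASSWORD


def run_guess_list(guard, account, guesses, records):
    """Feed a constructed guess list through the guard; returns one outcome per guess."""
    return [guard.attempt(account, g, records) for g in guesses]


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=600, lockout_seconds=1800), clock)
    # Constructed account and guess list for the demonstration.
    records = {"dns-admin": make_password_record("example-passphrase-not-real")}
    print(run_guess_list(guard, "dns-admin",
                         ["guess1", "guess2", "guess3", "example-passphrase-not-real"], records))
```

Run stand-alone, the fourth entry is reported as locked even though it is the correct password: once the threshold is reached the guard stops consulting the credential store until the lock expires. A sliding window rather than a lifetime counter keeps an occasional mistyped password from locking the legitimate administrator out, while the lockout itself is what denies a guessing campaign the unlimited attempts the page describes. Per-account lockout also needs an accompanying alert to the account owner, since a burst of lockouts on a domain management account is exactly the signal that would have exposed the attack on Network Solutions earlier.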
If you wish to discuss this very serious vulnerability in greater depth, please contact us.