On 16 October, Web.com—the world’s oldest domain name provider and owner of Network Solutions, NameSecure, and Register.com—disclosed a major breach resulting in the leakage of its customers’ personally identifiable information (PII). This represents a victim pool of 22 million. Here is a summary of the attack based on the registrar’s advisory:
The advisory, however, did not say which system was actually compromised or what exploit was used. Reports also revealed that some customers have yet to receive notifications. It is also interesting to note that Network Solutions had already been breached in 2009, before its acquisition by Web.com.
Our Investigative Tools: Domain Reputation Lookup and Others
Based on recent news coverage, we know that Web.com’s woes began when an unknown third party gained unauthorized entry into one of its Internet-connected systems. While we may not exactly know what that system was and how the access was granted, such incidents often occur as a result of phishing, human error, and/or cybersquatting attacks.
Indeed, scammers often reach out to their victims using typo versions of well-known domains that users would generally trust—making them likely to divulge sensitive information or grant access to strangers with malicious intent.
For example, say an employee of Web.com receives an email from someone claiming to be a colleague, and that person requests login details for one of its systems. Nothing out of the ordinary at first glance. What that employee doesn’t notice, however, is the typo in the recipient’s email address.
This is a hypothetical case, of course, even though a quick search on Brand Monitor for brand name variations of web.com shows that web.co (missing the “m” in “com”), among other variants, is currently registered and could be used for committing fraud.
Note that we’re not claiming that this domain is necessarily malicious. It might well belong to a legitimate owner, though we’d recommend not to visit or share it, at least without utter caution.
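The typo-variant scenario above can be turned into a simple inbound-mail check. The following is an added example, not code from the article or from WhoisXML API: it generates common typo forms of a trusted domain (a dropped, inserted, substituted or transposed character, which covers web.com becoming web.co) and labels the domain part of a sender address as trusted, a look-alike of a trusted domain, or unknown. The trusted-domain list and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that are typo variants of domains an organization trusts.

Added example. TRUSTED_DOMAINS and the sample addresses below are constructed;
the only real-world relationship used is the article's web.com -> web.co case.
"""
import string

# Constructed list of domains whose mail the organization would normally trust.
TRUSTED_DOMAINS = ["web.com", "networksolutions.com"]

_ALPHABET = string.ascii_lowercase + string.digits + "-"


def typo_variants(domain):
    """Return the set of single-edit typo forms of `domain`.

    Covers: one character deleted anywhere (web.com -> web.co, wb.com),
    two adjacent characters transposed, and one character substituted or
    inserted inside the registrable label. Forms that are no longer a
    plausible domain (no dot, leading/trailing dot) are dropped.
    """
    label, _, tld = domain.rpartition(".")
    variants = set()

    # Deletions over the whole string, so a shortened TLD is caught too.
    for i in range(len(domain)):
        variants.add(domain[:i] + domain[i + 1:])

    # Adjacent transpositions (wbe.com, we.bcom is later filtered as implausible).
    for i in range(len(domain) - 1):
        variants.add(domain[:i] + domain[i + 1] + domain[i] + domain[i + 2:])

    # Substitutions and insertions, restricted to the label to keep the set small.
    for i in range(len(label) + 1):
        for c in _ALPHABET:
            variants.add(label[:i] + c + label[i:] + "." + tld)          # insertion
            if i < len(label):
                variants.add(label[:i] + c + label[i + 1:] + "." + tld)  # substitution

    variants.discard(domain)
    return {
        v for v in variants
        if "." in v and not v.startswith(".") and not v.endswith(".") and ".." not in v
    }


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Classify the domain part of an email address.

    Returns 'trusted', 'lookalike:<trusted domain>' or 'unknown'.
    Comparison is case-insensitive, as domain names are.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain in typo_variants(t):
            return "lookalike:" + t
    return "unknown"


if __name__ == "__main__":
    # Constructed sample addresses; web.co is the variant the article discusses.
    for addr in ["alice@web.com", "bob@web.co", "eve@networksolution.com", "x@example.org"]:
        print(addr, "->", classify_sender(addr))
```

A mail gateway or helpdesk ticketing system would run `classify_sender` on the From address and route anything labelled `lookalike:` for review before a credential or access request is acted on; the look-alike set is computed per trusted domain, so for a long trusted list it is worth caching the result of `typo_variants`.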
A quick query for web[.]co on Domain Reputation Lookup revealed these warnings:
These malware-related warnings should alert Web.com’s IT administrator that an unauthorized user is claiming to be an employee of the organization. It may be a good idea to block that sender, or any address from the web.co domain, from accessing the company’s network.
Considering the bigger picture in today’s nest of malicious domains, organizations can integrate Domain Reputation Lookup or Domain Reputation API into their systems. Automatic checks can be made with said capabilities to validate the legitimacy of domains or IP addresses trying to gain entry into their networks. More specifically, domains and IP addresses that have ties to malicious activity can be denied access immediately, thus ensuring the network’s security.
What’s more, organizations that want to make sure their domain is safe from threats and does not put their customers at risk of redirection to malicious sites and other attacks can also use a reverse IP/DNS API. The tool lists all domains hosted on a company’s IP address. So, if any domain turns out not to be on the expected list, its connection can be immediately severed to prevent unauthorized access.
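The two checks described in the preceding paragraphs, a reputation gate on domains or IP addresses trying to reach the network and a comparison of what a reverse IP/DNS listing shows against the domains the organization expects on its address, are shown together below as an added example. It is not code from the article or from WhoisXML API and it calls no real service: the reputation table and the reverse-IP listings are constructed stand-ins for what a lookup would return, the 70-point threshold is an assumed policy value, and the IP addresses come from the documentation ranges (TEST-NET) so they match nothing real.

```python
"""Reputation-gated access decisions and a reverse-IP baseline check.

Added example. REPUTATION, EXPECTED_HOSTED and THRESHOLD are constructed
policy data standing in for the output of a reputation lookup and a reverse
IP/DNS listing; no API is called and no vendor API signature is assumed.
"""
import ipaddress

# Constructed reputation data keyed by domain or IP address.
REPUTATION = {
    "web.co": {"score": 20, "warnings": ["malware"]},
    "partner.example": {"score": 95, "warnings": []},
    "203.0.113.7": {"score": 10, "warnings": ["botnet c2"]},  # TEST-NET-3 address
}
THRESHOLD = 70  # assumed minimum score for unconditional access


def normalize(identifier):
    """Lower-case a domain, or canonicalize an IP address, so lookups are stable."""
    key = identifier.strip().lower()
    try:
        return str(ipaddress.ip_address(key))  # collapses e.g. IPv6 spellings
    except ValueError:
        return key  # not an IP address, treat as a domain name


def access_decision(identifier, reputation=REPUTATION, threshold=THRESHOLD):
    """Return (allow, reason) for a domain or IP trying to reach the network.

    Anything carrying a malicious-activity warning or scoring below the
    threshold is denied. An identifier with no reputation data is allowed
    but the reason marks it for review, so the log shows the gap in coverage.
    """
    rep = reputation.get(normalize(identifier))
    if rep is None:
        return True, "no reputation data; allowed and logged for review"
    if rep["warnings"]:
        return False, "denied: " + ", ".join(rep["warnings"])
    if rep["score"] < threshold:
        return False, f"denied: score {rep['score']} below threshold {threshold}"
    return True, f"allowed: score {rep['score']}"


# Constructed baseline: the domains the organization expects on its own IP.
EXPECTED_HOSTED = {"198.51.100.10": {"web.com", "www.web.com"}}  # TEST-NET-2 address


def unexpected_domains(ip, observed, expected=EXPECTED_HOSTED):
    """Return domains a reverse IP/DNS listing shows on `ip` that are not expected.

    `observed` is the list of domains the listing reported; anything outside
    the baseline is a candidate for investigation and for severing its connection.
    """
    baseline = expected.get(normalize(ip), set())
    return sorted({normalize(d) for d in observed} - baseline)


if __name__ == "__main__":
    for ident in ["web.co", "partner.example", "203.0.113.7", "unknown.example"]:
        print(ident, "->", access_decision(ident))
    # Constructed reverse-IP listing containing one domain not in the baseline.
    print(unexpected_domains("198.51.100.10", ["web.com", "www.web.com", "rogue.example"]))
```

In a real integration the `REPUTATION` and `EXPECTED_HOSTED` tables would be refreshed from the lookup and reverse IP/DNS services on a schedule, and the deny decisions fed to the firewall or proxy; keeping the decision logic separate from the data fetch, as here, makes the policy easy to test offline.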
* * *
As our brief analysis showed, solutions such as Domain Reputation Lookup or Domain Reputation API and others can provide useful information to organizations willing to secure their network from unauthorized access.