Over the last several weeks we have been investigating an issue that we had only seen a handful of times before. The attack itself is not new, but we are starting to see it used against popular domains, including domains used by campaigns for public office, corporate domains, Government IT and technology contractors, and security-related companies.
The attack is simple to execute and gives the attacker access to third-party systems through the ordinary password reset features found on most websites. Here's how it works.
How the attack is being carried out
1. A company or organization lets a domain name it has effectively abandoned lapse instead of keeping it registered
2. Threat actors register the expired domain and set up mail servers that accept messages for any address at that domain (wildcard acceptance)
3. Threat actors then search previous data dumps for information tied to the domain, such as an account registered with an address at that domain
4. Threat actors then submit those addresses to the password reset features of popular websites, such as hosting providers, official Government sites and other services
5. If the reset succeeds, the password on the original company's third-party account is changed and the threat actor now has access to that account at the third-party website in place of the original domain owner
We also believe that this method has been used to collect sensitive information on business operations. The only way to really prevent this is to ensure that you never let any domain expire. We started receiving reports of two-factor authentication challenges tripping on accounts, and when we researched them we determined that these threat actors were attempting to reset a password and log in to very specific accounts.
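The two-factor authentication signal described above is something a defender can look for directly: a completed password reset on an account followed shortly by failed MFA challenges for the same account, which then points at the email domain that should be checked for still being under the organization's control. The following Python is an added example, not code from the original post. The key=value log format, the event names (password_reset_completed, mfa_challenge_failed) and the sample lines are all constructed for illustration and would need to be mapped to the real identity provider's fields.

```python
"""Correlate completed password resets with failed MFA challenges.

Added example, not from the original post. The log format, event names and
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed key=value format, not a real product's).
# alice's account is reset and then fails MFA twice; bob resets and passes MFA;
# carol only fails MFA with no preceding reset.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z event=password_reset_requested user=alice@example-old.test src=203.0.113.10
2024-03-01T10:03:40Z event=password_reset_completed user=alice@example-old.test src=203.0.113.10
2024-03-01T10:04:02Z event=mfa_challenge_failed user=alice@example-old.test src=203.0.113.10
2024-03-01T10:04:30Z event=mfa_challenge_failed user=alice@example-old.test src=203.0.113.10
2024-03-01T11:15:00Z event=password_reset_requested user=bob@example.test src=198.51.100.7
2024-03-01T11:15:45Z event=password_reset_completed user=bob@example.test src=198.51.100.7
2024-03-01T11:16:10Z event=mfa_challenge_succeeded user=bob@example.test src=198.51.100.7
2024-03-02T09:00:00Z event=mfa_challenge_failed user=carol@example.test src=192.0.2.5
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_reset_then_mfa_failure(lines, window=timedelta(minutes=30)):
    """Return {user: [(reset_ts, fail_ts), ...]} for every account where a
    password reset completed and an MFA challenge failed within `window`.

    A reset that was completed but then cannot pass MFA is the pattern
    described in the post: someone received the reset email (possibly via a
    re-registered domain) but does not hold the second factor.
    """
    resets = defaultdict(list)    # user -> timestamps of completed resets
    failures = defaultdict(list)  # user -> timestamps of failed MFA challenges
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec.get("user")
        if rec.get("event") == "password_reset_completed":
            resets[user].append(rec["ts"])
        elif rec.get("event") == "mfa_challenge_failed":
            failures[user].append(rec["ts"])

    alerts = {}
    for user, reset_times in resets.items():
        hits = [
            (reset_ts, fail_ts)
            for reset_ts in reset_times
            for fail_ts in failures.get(user, [])
            if reset_ts <= fail_ts <= reset_ts + window
        ]
        if hits:
            alerts[user] = hits
    return alerts


def domains_to_review(alerts):
    """Email domains behind alerted accounts: these are the registrations to
    verify (still owned? still pointing at the organization's mail servers?)."""
    return sorted({user.rsplit("@", 1)[1] for user in alerts})


if __name__ == "__main__":
    found = find_reset_then_mfa_failure(SAMPLE_LOG.splitlines())
    for user, hits in found.items():
        for reset_ts, fail_ts in hits:
            print(f"ALERT {user}: reset {reset_ts:%H:%M:%S} -> MFA failure {fail_ts:%H:%M:%S}")
    print("domains to review:", ", ".join(domains_to_review(found)))
```

The window and the requirement that MFA actually fail are the two knobs that keep this from firing on ordinary users who reset a forgotten password and then sign in normally; bob above is excluded for exactly that reason. In practice the output domains are compared against the organization's domain inventory, and any domain that is no longer registered to the organization is the one the post is warning about.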
Don't forget third-party phone and fax services
One additional note: services like eFax or virtual PBX systems may also be vulnerable to the same kind of attack, using a phone or fax number that was previously assigned to a company and has since been reassigned to someone else.