Hacking law firms with abandoned domain names
How expired internet domains pose a significant cyber risk to the legal profession
Email is an essential service for all businesses, including legal practices. Email is not only a primary communication channel but is also required for registering with online services and profession-specific portals. When law firms merge or wind up, their internet domain names are often abandoned, allowing anyone to re-register and take ownership of the former firm’s domain name. The new owner can then, among other things, take control of the former firm’s email services. This research report demonstrates how domain name abandonment attacks pose a significant cyber threat to the legal profession and other businesses. It also recommends measures that legal practices and other businesses can take to stop this threat.
Update (18/09/2018): Read the high-level summary of this research on Iron Bastion’s security blog.
Update (12/09/2018): Our slides from SecTalks Sydney are available here.
Domain name abandonment allows cybercriminals to gain access to, or reset passwords for, online services and profession-specific portals. These online services store documents, emails and other information relating to a legal practice, including financial details, personal information, confidential information and client-legal privileged information.
The goal of this research is to raise awareness of a common practice in the legal profession, and in other businesses, of allowing domain names to expire after mergers and acquisitions. At the conclusion of this report we give practical tips on how legal practices and technology providers can defend legal practices and other businesses from domain name abandonment attacks.
A domain name is the foundation of every business
Email is an essential service in every business, and the effect of a company losing control over its email service is devastating, even if the company has merged or shut down. Sensitive information and documents are often exchanged over email between clients, colleagues, vendors and service providers because it is convenient. Consequently, if a bad actor takes control of an entire business’s email service, sensitive information can end up in the wrong hands.
Besides being used for communication, email is commonly required for signing up to online services. People often change jobs and end up with multiple user accounts on these services, and the old user accounts are often abandoned. Online services usually rely on a single factor to reset passwords, i.e. only an email address is required to regain access if the password is forgotten. Consequently, whoever controls the domain and is able to set up a basic email service can capture password reset emails.
In short, bad actors can re-register an abandoned domain of a business, take full control of its email services and configure them to:
- receive email correspondence sensitive in nature; and
- use the email accounts to reset passwords to online services.
What happens when a domain name expires
Once someone stops paying for an internet domain name, the registration status of the domain goes through various stages before it is deleted. Once the final grace period ends, the internet domain name is abandoned. In other words, the domain name of the former business becomes available for anyone to re-register, with no additional identity or ownership verification required. Re-registering abandoned domains is a well-known technique amongst SEO professionals and spam trap operators, but it is not so well known to cybersecurity professionals as a security risk.
On any given day, an average of about a thousand ‘.au’ domain names expire (‘.au’ is the country code Top Level Domain, or ccTLD, for Australia). The list of expiring internet domain names is public and published daily in a simple CSV file format. This list allows anyone to watch for valuable domain names due to expire and register them once the domain name registrar drops them.
All you need to do is monitor the public list for domain names featuring keywords you are interested in, such as ‘law’ or ‘legal’, and register them again with your preferred domain registrar.
Once the domain registration is complete, you can specify (by changing the MX records of the domain) how the incoming emails should be handled. Having ownership of the domain name means you have full control over the incoming email flow of the former business.
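The same daily drop list can be watched from the defender’s side: a firm, or a law society acting for closed practices, can check each day’s file against the domain names it is supposed to keep renewing, and against its former brand names, so that a lapse is caught before the registrar drops the name. The script below is an added example, not code from the original post. It assumes the list is a CSV with a header row containing `domain` and `expiry` columns (the real file’s column names may differ; adjust the two constants), and the inventory, brand tokens and sample file are all constructed for the demonstration.

```python
"""Watch a daily 'expiring domains' CSV for names a firm should still control.

Added example (not from the original post). The CSV column names, the domain
inventory, the brand tokens and the sample file below are all assumptions or
constructed sample data.
"""
import csv
import io
import re

COLUMN_DOMAIN = "domain"   # assumed header name in the daily list
COLUMN_EXPIRY = "expiry"   # assumed header name in the daily list

# Domains the firm (or a merged predecessor) should keep renewing indefinitely.
OWNED_DOMAINS = {
    "smithlegal.com.au",
    "smith-jones-lawyers.com.au",   # predecessor brand retained after the merger
}

# Brand tokens from former trading names. A match means a domain carrying an
# old brand is about to drop even though nobody put it in the inventory.
BRAND_TOKENS = {"smithjones", "smithlegal"}

# Constructed sample of one day's list (not real data).
SAMPLE_DROP_LIST = """domain,expiry
example-florist.com.au,2018-08-21
smith-jones-lawyers.com.au,2018-08-21
SMITHJONESLAW.COM.AU.,2018-08-22
another-business.net.au,2018-08-22
"""


def normalise(name: str) -> str:
    """Lower-case the name and strip whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def brand_key(name: str) -> str:
    """Keep only the first label without punctuation: 'smith-jones-law.com.au' -> 'smithjoneslaw'."""
    label = name.split(".")[0]
    return re.sub(r"[^a-z0-9]", "", label)


def scan_drop_list(csv_text: str, owned=OWNED_DOMAINS, brands=BRAND_TOKENS):
    """Return a list of (domain, expiry, reason) tuples that deserve an alert."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = normalise(row[COLUMN_DOMAIN])
        expiry = row.get(COLUMN_EXPIRY, "")
        if domain in owned:
            hits.append((domain, expiry, "inventory domain about to drop"))
            continue
        key = brand_key(domain)
        for token in brands:
            if token in key:
                hits.append((domain, expiry, f"carries former brand '{token}'"))
                break
    return hits


if __name__ == "__main__":
    for domain, expiry, reason in scan_drop_list(SAMPLE_DROP_LIST):
        print(f"ALERT {domain} (expires {expiry}): {reason}")
```

Run it once a day against the published file; an inventory hit means a renewal was missed, while a brand hit is worth a manual look because it may be a predecessor firm’s name that nobody recorded. Matching on brand tokens rather than exact names is what catches the merged-and-renamed case the report describes.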
By setting up a simple catch-all email service, you can:
- receive email correspondence addressed to former staff; and
- receive password reset emails from online services.
Having working access to an email address is powerful because a password reset allows you to regain access to a myriad of services originally belonging to the former business and its staff, including:
- email platforms — Office 365, G Suite;
- shadow IT accounts signed up by individual employees for business use — particularly for file sharing — Dropbox, OneDrive, Google Drive;
- practice management software — LEAP, SILQ, ActionStep;
- legal portal software — LawConnect, GlobalX, Infotrack, VOI providers;
- online court portals — NSW Online Registry, Commonwealth Courts Portal;
- government portals — Australian Taxation Office (ATO) Business Portal;
- social media accounts — LinkedIn, Twitter, Facebook; and
- online shopping services — eBay, PayPal, Amazon.
Legal practices merge and wind-up on a regular basis
Legal practices are established and wound up on a regular basis, just like any other business entity. What makes legal practices unique is that they frequently merge with each other or are acquired by another entity, and this often coincides with a name or brand change.
In the US, 2017 was a record year for top-tier law firm mergers with 102 mergers or acquisitions in the year. At the small legal practice level, the number is likely to be in the thousands.
After a merger or acquisition, one entity may drop its branding in favour of the other firm’s, or a new brand is created for the merged firm. Consequently, the internet domain names of the old businesses are often left to expire in the process.
On a broader scale, two out of three small businesses cease operating within the first three years of starting, according to the Australian Bureau of Statistics (ABS). This means that the domain names of many of these failed businesses are abandoned as well.
How we managed to get access to former law firms
Legal professionals rely on email to communicate with clients, and staff use their business email address to register for profession-specific legal services such as online court registries (e.g. the Commonwealth Courts Portal) and other online services like Dropbox.
As part of this research, we identified a handful of abandoned domain names formerly belonging to legal practices and re-registered those domains with the intention of reinstating the email service. We set up a catch-all email server and waited for the incoming emails.
By taking full control over previously abandoned domain names, we can demonstrate that we were able to:
- access confidential documents of the former clients;
- access confidential documents of the former practice;
- access confidential email correspondence; and
- access personal information of former clients.
Also, we could have:
- impersonated legal practitioners to defraud former clients and fellow practitioners;
- regained access to the former legal practice’s Office 365 and G Suite accounts, potentially gaining access to any emails and documents not deleted from the platforms; and
- hijacked personal user accounts (LinkedIn, Facebook, etc.) of the legal professionals practising in their new jobs.
Opening Pandora’s Box
For this research, we hand-picked and re-registered domain names formerly belonging to legal practices in Australia. Once these domains were registered, we set up our private email server to receive emails addressed to the former legal practices.
Once the email server was ready to go, we:
- sat back and waited for the emails to come in;
- registered the domain names with data breach notification websites to collect email addresses and passwords belonging to former staff; and
- attempted to reset passwords on third-party online services.
In the following sections, we detail what we managed to get access to and how we did it.
Emails with Sensitive Details
From the incoming emails we received, we noticed that many online services send their users newsletters, reports, statements and notifications containing confidential information.
We have found that NAB, Commonwealth Bank and Bankwest are popular banking services amongst legal practitioners in Australia:
Business debit cards often remain active even after the business has dissolved:
Travel arrangements are made on behalf of the former law firm:
Legal professionals usually add their work email addresses to their LinkedIn profile. Because people tend to forget to remove these abandoned email addresses from their profile, we keep receiving email notifications from LinkedIn:
Former firms keep getting BAS notifications either for former clients or their former businesses:
Invoices sent to the legal practice can reveal which suppliers it uses; the following invoice is for a legal archive storage service:
Accessing Sensitive Information
We received legal documents relating to family law matters:
Also, invoices from other law firms for work performed on behalf of the firm:
We received transcripts of court proceedings:
These incoming emails let us peek into the internal workings of a law practice:
We received emails from former clients seeking advice:
Legal practitioners on the opposing sides of matters often voluntarily exposed information to us by sending correspondence to the former law firm’s email address as an additional cc:
This other case involves a joint bank account closure:
This document details the negotiation strategy of a settlement:
Other Amusing and Fun Facts
Uber is the preferred choice of travel amongst legal practitioners:
They order things from Amazon:
Lawyers tend to use lots of mobile data (as a bonus, the emails reveal the active phone numbers of former staff):
Text-to-email services leak text messages of personal nature:
Ironically, they receive invitations to cybersecurity events:
Finally, lawyers know how to party:
Revealing Valid Passwords from Data Breaches
In addition to setting up a catch-all email address, we took proactive steps to get to know our new domains better by registering with data breach notification websites. In doing so, we were able to reveal passwords belonging to legal professionals and staff at the former firms.
According to a recent study, over 80% of people online are guilty of reusing their passwords on multiple cloud services. Passwords are often leaked to the internet when data breaches happen; there are over 1.7 billion hacked credentials from data breaches such as those at LinkedIn, Netflix and Adobe. If a legal practitioner reuses the same password across several websites (such as their work or personal mailbox) as the one in the breach data, a hacker could log into their email service with it.
On Haveibeenpwned and SpyCloud, email and domain name owners can check whether they have an account that has been compromised in a data breach. A match usually means that passwords from online services have ended up on the internet for everyone to see.
With the combination of the Haveibeenpwned Domain Search and the SpyCloud service, we were able to retrieve former legal practice email addresses and passwords leaked by past data breaches. Both of these services required us to verify domain ownership before they provided access to the breach data, but because we had full control over the domain names, we could easily pass this verification process.
At Haveibeenpwned, we simply requested the confirmation email to firstname.lastname@example.org to complete the verification process.
Once the verification was complete, we could retrieve the list of email addresses that were involved in any past data breaches.
The verification process at SpyCloud was similar: all we had to do was click on a link in a domain ownership verification email. Unlike Haveibeenpwned, however, this service exposes the actual passwords of the former employees, not just whether they were involved in a data breach.
Without publishing the actual passwords as part of this research, we can reveal that legal professionals (in our non-representative sample of thirty-something individuals):
- use weak passwords on online services; and
- tend to reuse them across multiple websites.
Because legal professionals tend to reuse their favourite passwords, it is likely that they chose the same favourite password on:
- their current business mailbox;
- their personal mailbox; or
- online services (e.g. Dropbox, OneDrive, Facebook).
Abusing Password Resets of Social Media Accounts
With the list of valid email addresses taken from Haveibeenpwned, we can demonstrate how we could have taken control of the current personal and work-related user accounts of former staff.
For example, practitioners tend to feature their former work email address on LinkedIn. It is perhaps a little-known fact that anyone can request password reset emails to any of the email addresses added to an account.
Resetting passwords on personal LinkedIn accounts
Because email addresses associated with the abandoned domain names rarely get removed from practitioners’ LinkedIn accounts, we can request password reset emails to the domain under our control. All we need to do is go through the LinkedIn password reset process and click on the link in the email to hijack the practitioner’s LinkedIn account.
The following legal practitioner with a very active LinkedIn account was a partner at the former legal firm:
The first step is to visit the ‘Forgot password?’ page linked from the login page:
Next, we enter the practitioner’s abandoned business email address:
Then we receive the password reset email:
Personal Facebook accounts
The same concept applies to Facebook. Certain practitioners also added their former work email address to their Facebook account and forgot to remove it. This allows us to reset the password on Facebook, too.
The following solicitor owns a quite active Facebook page:
Let’s find out if we can reset this solicitor’s password with the ‘Forgotten account?’ feature:
The password reset email arrives as expected:
We could then either use the embedded link or enter the six-digit reset code on the website to complete the account takeover:
Accessing Twitter accounts
Twitter is no exception. We found Twitter accounts registered under a former email address at the abandoned domain, making those accounts susceptible to password resets.
We use the forgotten password feature again:
The link in the email would allow us to reset the password of the Twitter account and let us in:
Personal Twitter accounts are not safe either, as certain practitioners used their work email address to register on Twitter and never changed it:
Abusing Profession-specific Services
Legal practitioners rely on free services like Dropbox for storing and sharing work-related files. This Dropbox account appears to be full, according to the notification email that landed in our mailbox:
Let’s see if we could reset the password on it! (Spoiler: yes, we could.)
Profession-specific web portals
The hijacked email addresses also allow us to reset passwords on the Commonwealth Courts Portal. The Commonwealth Courts Portal provides web-based registry services for legal professionals to file documents in litigation before the Federal Court. A user account here could give us access to sensitive documents and details of former clients.
Although the portal requires a username and password combination to log in, we can retrieve the username simply by entering our email address:
We can then use the forgotten password feature by keying in the username from the email and the very same email address.
The portal assigns us a temporary password, which would then let us log in:
We can also reset passwords on the NSW Online Registry portal. The Online Registry portal provides similar services to the Commonwealth Courts Portal, but for state courts such as the NSW Supreme, District and Local Courts.
We use the forgotten password feature again to get access:
Once we clicked on the password reset link from the email, we did not attempt to proceed past the security questions. However, as Google pointed out earlier, security questions are insecure. The adventurous may want to search for these details in public records. For example, we were able to track down this particular lawyer’s older brother on Facebook, whose birth date is probably available on the platform.
The LEAP Practice Management Platform is not safe either. LEAP is the most commonly used software for managing a legal practice. The platform contains online client files and legal documents, and has integrated trust accounting and time billing.
We click on the ‘Forgotten password?’ link again and enter one of the legal practitioners’ former work email addresses:
A few seconds later, we received the following email:
Although LEAP boasts about how secure its platform is, the password reset email features the cleartext password, meaning that the company is not storing its customers’ passwords in a secure hashed format.
Finally, Law Society accounts are not safe from password reset attacks, either:
Law firms also use PayPal
Certain firms had registered on PayPal with their work email as a method of receiving payments from clients:
This particular firm had an AdWords account at Google. If we wondered which keywords this firm was using on AdWords, we could have reset the password to find out.
Accessing Former Office 365 and G Suite Accounts
Based on our experience, the two most popular email platforms amongst law firms are Office 365, followed by Google G Suite. These cloud-based email services are often abandoned with their online data left intact, rather than the accounts being closed. To make things worse, legal professionals tend to retain their emails forever, making those mailboxes fairly valuable to potential fraudsters operating Business Email Compromise (BEC) fraud.
Based on historical DNS records, we found that one of the law firms had relied on Office 365 and G Suite for hosting its email services. This made us think: could we hijack the accounts and access the inboxes of the former practice?
First, we tried and failed to reset the password on Office 365 as two-factor authentication was enabled, which stopped us from completing the password reset.
We had more luck with G Suite. First, we tried and failed to reset the password with the former G Suite administrator’s email account:
Then we tried to reset the G Suite administrator’s account by using the internal email address that Google assigns to every subscriber.
We stopped at this last step and decided to not complete the password reset process on G Suite:
As for all other services, we did not complete the final step of the password resets for privacy reasons, meaning that we did not log into or take over the user accounts, or access any information stored in online services, although we could have.
Businesses, and especially legal practices, leave themselves exposed to cyber attacks by allowing their former domain names to expire. Bad actors can acquire these abandoned domain names and reinstate the former business’s email service.
This research demonstrates that abandoned domain names allow new domain owners to access financial, personal, confidential and privileged information of the former owner. In addition, attackers can gain access to email addresses and passwords from past data breaches and take over online services. If we were bad actors, we could have used the domain to commit fraud by numerous methods, as well as reinstating the former website of the law firm and posing as former staff.
To prevent this from happening to your business, we recommend you:
- keep renewing the former firm’s domain name indefinitely;
- close user accounts that were registered with the business email address (e.g. Dropbox, Commonwealth Courts Portal, PayPal);
- change or remove the business email address from online user accounts (e.g. LinkedIn, Facebook);
- unsubscribe from email notifications that usually feature sensitive data (text-to-email services, mobile phone billing notifications);
- advise your clients to update their address book;
- enable two-factor authentication (2FA or MFA) where the feature is supported for online services; and
- use unique and complex passwords.
We recommend that LEAP review the password storage practices of its practice management software and apply current password hashing best practices. Online court portals and other profession-specific websites should implement two-factor authentication for logins and strict controls for password resets.
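The two recommendations above, together with the LEAP reset email that carried a cleartext password, come down to a small amount of careful code on the service side: passwords stored only as salted hashes (so no reset email can ever contain one), reset tokens that are random, single-use, short-lived and themselves stored hashed, and a reset request that behaves identically whether or not the email address is known. The class below is an added example written for this report and is not LEAP’s, the court portals’ or any vendor’s code; it uses only the Python standard library, and the user, email address and passwords in the usage block are constructed.

```python
"""Hashed password storage and a token-based reset flow.

Added example (not code from the original post or from any vendor named in it).
Shows the practices the report recommends for profession-specific portals:
- passwords kept only as salted PBKDF2 hashes, so a reset email cannot contain one;
- reset tokens that are random, single-use, expire quickly and are stored hashed,
  so a copy of the database does not yield usable tokens;
- a reset request that takes the same path for known and unknown addresses.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000       # raise as hardware allows; argon2/scrypt are equally suitable
TOKEN_TTL_SECONDS = 15 * 60   # reset links should die quickly


class UserStore:
    def __init__(self):
        self.users = {}         # username -> {"salt": bytes, "hash": bytes, "email": str}
        self.reset_tokens = {}  # sha256(token) -> {"user": str, "expires": float}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_user(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "email": email}

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            self._hash(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(self._hash(password, user["salt"]), user["hash"])

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a one-time token for the account holding `email`.

        Returns the token to put in the email (the store keeps only its hash),
        or None when no account matches. The caller should show the same
        "if that address exists, we've emailed it" message in both cases so the
        reset form cannot be used to discover usernames.
        """
        now = time.time() if now is None else now
        for username, user in self.users.items():
            if user["email"].lower() == email.lower():
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                self.reset_tokens[digest] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
                return token
        return None

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # single use: consumed on first attempt
        if entry is None or entry["expires"] < now:
            return False
        salt = secrets.token_bytes(16)                # fresh salt on every password change
        self.users[entry["user"]].update(salt=salt, hash=self._hash(new_password, salt))
        # Any other outstanding tokens for this user are now stale; drop them.
        self.reset_tokens = {d: e for d, e in self.reset_tokens.items() if e["user"] != entry["user"]}
        return True


if __name__ == "__main__":
    # Constructed walkthrough: the reset email would carry `token`, never a password.
    store = UserStore()
    store.create_user("jsmith", "j.smith@former-firm.example", "correct horse battery")
    token = store.request_reset("j.smith@former-firm.example")
    print("token for the reset email:", token)
    print("reset accepted:", store.complete_reset(token, "new passphrase"))
    print("old password still works:", store.verify_password("jsmith", "correct horse battery"))
```

A reset token is still only as strong as the mailbox that receives it, which is the whole point of the report; a second factor on the reset itself (SMS or authenticator code, or re-authentication of a known device) is what the recommendation on strict reset controls adds on top of this.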
We also suggest that the Australian law societies consider taking over domain names when a legal practice is wound up. As far as we know, law societies in Australia have the power to appoint an administrator to take over a legal practice when it closes, to take care of client files and distribute any funds left in the trust account. Law societies could take over the domain names and hold onto them for an extended period rather than letting them expire. The law societies should set up a website with a simple notice (like the FBI does on seized domain names) advising visitors that the law firm is closed, and reply to emails with an automated message.
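The automated reply suggested above needs one piece of care: a responder on a retained domain will receive bounces, newsletters and other machines’ auto-replies, and must not answer those or it will loop. The following is an added example of such a responder, not part of the original post and not a description of how any law society operates. It takes a raw incoming message, applies the suppression rules from RFC 3834 (null sender, `Auto-Submitted`, bulk and list mail) and builds a closed-practice notice that deliberately never reads or stores the incoming body. The sender address, notice text and sample messages are all constructed.

```python
"""Closed-practice notice responder with loop protection.

Added example (not from the original post). Decides whether an incoming
message to a retained domain should get an automatic "this practice has
closed" notice, and builds that notice. The incoming body is never read or
stored: retaining the domain is about stopping mail going astray, not
collecting it. Suppression rules follow RFC 3834.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

NOTICE_FROM = "noreply@former-firm.example"   # constructed placeholder address
NOTICE_TEXT = (
    "The legal practice that used this domain has closed and this mailbox is "
    "no longer monitored. Please contact the relevant law society for the "
    "administrator handling the practice's former matters."
)

# Constructed sample messages (headers only matter; bodies are placeholders).
SAMPLE_CLIENT = """From: Client <client@example.org>
To: partner@former-firm.example
Subject: Question about my matter
Message-ID: <abc@example.org>

Hello, I have a question.
"""
SAMPLE_BOUNCE = """Return-Path: <>
From: Mail Delivery System <mailer-daemon@example.net>
To: partner@former-firm.example
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

This is the mail system.
"""
SAMPLE_LIST = """From: news@example.com
To: staff@former-firm.example
Subject: Weekly newsletter
List-Unsubscribe: <mailto:unsub@example.com>
Precedence: bulk

Newsletter content.
"""


def should_auto_reply(raw_message: str):
    """Return (True, sender_address) if a notice is safe to send, else (False, reason)."""
    msg = message_from_string(raw_message, policy=policy.default)
    # Return-Path is the envelope sender; "<>" marks a bounce and must never be answered.
    sender = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    if not sender:
        return False, "null or missing sender (bounce)"
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"   # another machine's reply; answering loops
    if msg.get("Precedence", "").lower() in {"bulk", "list", "junk"}:
        return False, "bulk or list mail"
    if any(h.lower().startswith("list-") for h in msg.keys()):
        return False, "mailing list traffic"
    return True, sender


def build_notice(raw_message: str):
    """Build the notice message for an incoming message, or None if it must be suppressed."""
    ok, detail = should_auto_reply(raw_message)
    if not ok:
        return None
    incoming = message_from_string(raw_message, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = NOTICE_FROM
    reply["To"] = detail
    reply["Subject"] = "Auto-reply: this legal practice has closed"
    reply["Auto-Submitted"] = "auto-replied"   # tells other responders not to answer us
    reply["Precedence"] = "bulk"
    if incoming.get("Message-ID"):
        reply["In-Reply-To"] = str(incoming["Message-ID"])
    reply.set_content(NOTICE_TEXT)              # original body intentionally not quoted
    return reply


if __name__ == "__main__":
    for name, sample in [("client", SAMPLE_CLIENT), ("bounce", SAMPLE_BOUNCE), ("list", SAMPLE_LIST)]:
        print(name, "->", should_auto_reply(sample))
```

Hand the returned `EmailMessage` to your MTA (for example via `smtplib`) only from an address that itself discards replies; rate limiting per sender is the one further protection a production responder would add.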
During the three-month period of this research, we:
- re-registered six abandoned domain names, some of which formerly belonged to Australian legal practices;
- received approximately 25,000 emails in total;
- received emails and documents of a sensitive nature;
- recovered the actual passwords (previously exposed in public data breaches and later published on SpyCloud) of approximately thirty legal professionals;
- successfully attempted password recovery on many popular online services and profession-specific portals; and
- won $250,000 from Mark Zuckerberg himself (we are yet to claim the prize).
About the Authors
Gabor Szathmari is a cybersecurity expert with over ten years’ experience, having worked in both the private and public sectors. He has helped numerous big-name clients with data breach investigations and security incident management. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion, Australia’s anti-phishing experts.
Jeremiah Cruz is a Networking Associate and UTS Graduate. He helps kids learn to code and communicates complex ideas through stories and practical lessons building what he most loves: Games.
Originally published at blog.gaborszathmari.me on August 21, 2018.