Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

Namecheap has admitted it accidentally let miscreants set up and control fraudulent subdomains on websites belonging to other customers. These hijacked sites were subsequently used to host dodgy material. This caused them to be flagged up as malicious by Google's search engine, blocking netizens from visiting them, and piling …

  1. teknopaul Silver badge

    company to is a dns service

    I think the problem is with DNS, not hosted websites. I have my names registered there, not a lot I can do to see if I'm a victim other than googling my domains looking for stuff that is not mine.

    Namecheap are the only ones that can fix this mess.

  2. Terry 6 Silver badge

    Namecheap

    Could be a clue.

    1. phuzz Silver badge

      Re: Namecheap

      What they paid for, they got.

      1. JassMan Silver badge
        FAIL

        Re: Namecheap @phuzz

        The problem is that the owners of kirkville.com are not registered on Namecheap but Tucows, yet Namecheap allowed a bunch of shysters to register a subdomain on a domain to which they had no rights. This isn't even a technical problem but an admin one. Namecheap had no rights to allow abuse of the original domain.

    2. Anonymous Coward

      Re: Namecheap

      > Could be a clue.

      Cheaper than Netsol, not "too-good-to-believe" cheap.

      I like Namecheap, unless they've changed recently. It looks like a site run by tech guys, not the usual get-rich-quick shysters. It's just a bloody registrar with a boring UI that's actually usable. They don't waste money developing shiny bullshit and marketing useless extras to you.

      I'll give them the benefit of the doubt that it was just an innocent mistake, and that they tried to hush it up because it could take DAYS for the DNS to update if the bad guys were smart enough to set huge TTLs on those subdomains. That Graham guy made an irresponsible disclosure.

      1. Graham Cluley

        Re: Namecheap

        > That Graham guy made an irresponsible disclosure.

        I didn't disclose anything.

        Kirk McElhearn wrote the blog post (I merely retweeted it, much to Namecheap's annoyance).

        And Kirk didn't irresponsibly disclose anything either. He just reported that an unauthorised party had created subdomains for his domain via Namecheap, but he *didn't* (because both he and I simply don't know) explain how it was done.

        As far as I can see Namecheap still hasn't informed affected customers.

        1. Anonymous Coward

          Re: Namecheap

          I see. Innocent mistakes all around.

          Shit happens.

  3. Anonymous South African Coward Silver badge

    Penny wise....

    1. I ain't Spartacus Gold badge
      IT Angle

      Yes! I've got lovely balloons down here Georgey!

  4. MiguelC Silver badge

    "as if Google really doesn't care how they make their money."

    as if...

  5. PyLETS

    DNS is insecure

    What's needed is for the reputable registrars to provide customers with more useful help in setting up DNSSEC in ways such that the customer retains the zone signing private key and this never exists on the DNS servers which serve the public key and signed records. The DNSSEC standard also probably needs a signed assertion available to the effect that unsigned subdomains of a zone do not exist, but if it currently has this capability I'm unaware of it.
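
On the "signed assertion that a name does not exist" point in the comment above: DNSSEC's NSEC records (RFC 4034) are the mechanism for this, and the sketch below shows how a validator decides whether an NSEC chain covers a queried name. It is an added example, not part of the original comment; the zone data is constructed, and RRSIG verification, wildcards and NSEC3 are assumed to be handled elsewhere.

```python
# Constructed sample zone; each NSEC is assumed to have passed RRSIG validation already.
APEX = "example.com"
NSEC_CHAIN = [
    # (owner, next name in canonical order, record types present at owner)
    ("example.com", "x.blog.example.com", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("x.blog.example.com", "mail.example.com", {"A", "NSEC", "RRSIG"}),
    ("mail.example.com", "www.example.com", {"A", "MX", "NSEC", "RRSIG"}),
    ("www.example.com", "example.com", {"A", "NSEC", "RRSIG"}),  # last record wraps to apex
]

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels right to left, lowercased, compared as octets."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def classify(qname, qtype, chain=NSEC_CHAIN, apex=APEX):
    """Return 'exists', 'nodata', 'nxdomain', 'out-of-zone' or 'unproven' for a query."""
    q, a = canonical_key(qname), canonical_key(apex)
    if q[:len(a)] != a:
        return "out-of-zone"          # this chain says nothing about other zones
    for owner, nxt, types in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            # Name exists; the type bitmap proves whether this record type does.
            return "exists" if qtype in types else "nodata"
        # Normal record covers the open interval (owner, next);
        # the last record covers everything after its owner.
        covered = (o < q < n) if o < n else (q > o)
        if covered:
            # An ancestor of the next owner is an empty non-terminal: it exists, with no data.
            return "nodata" if n[:len(q)] == q else "nxdomain"
    return "unproven"                 # no NSEC covers the name: treat the answer as bogus

if __name__ == "__main__":
    for name, rtype in [("spam.example.com", "A"), ("www.example.com", "AAAA"),
                        ("blog.example.com", "A"), ("zz.example.com", "A")]:
        print(name, rtype, classify(name, rtype))
```

A forged subdomain answer for a signed zone would fail validation at a validating resolver, because the signed chain proves the name is absent; it does not help if the unwanted records are added at the party that signs the zone.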

    1. Tom 38 Silver badge

      Re: DNS is insecure

      Given how bad us wizards are with PKI, what makes you think a muggle can manage their own keys?

      1. PyLETS

        Re: DNS is insecure - muggle key mismanagement

        It's a question of whether it's better for a muggle to learn to be more like a wizard by risking key management mistakes or to risk getting screwed by an incompetent or untrustworthy registrar which holds the keys for them. I guess if the muggle who wants looking after has the sense to pay for the less cheap registrar who relies on income from customers to not want to screw them over, that's their choice.

  6. adam payne Silver badge

    "Interestingly, even though Google flagged these pages as 'hacked content' they were still serving Google ads; as if Google really doesn't care how they make their money."

    Of course Google doesn't care how they make their money.

    1. Anonymous Coward

      "Of course Google doesn't care how they make their money."

      Don't Be Evil was the slogan, but the banner was printed in the Wrong font and got cropped.

      It was supposed to say "Don't Be Evil, Just Profit off Evil People"

  7. Alan J. Wylie

    There was a very similar issue recently with one of the methods of validating TLS certificates on shared hosting infrastructures

    https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

    At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge type. We quickly confirmed the issue and mitigated it by entirely disabling TLS-SNI-01 validation in Let’s Encrypt. We’re grateful to Frans for finding this issue and reporting it to us.

  8. anthonyrossbach

    I guess you did not see the tweets they deleted...

    Ya they did a lot worse by telling people to delete any mention of it including posts by Graham Cluley. The CEO account was also attacking people posting links to it saying that it is fixed and they let users know and they never posted publicly or on their own blog.

    You can see the tweets deleted at techrundown.com/thats-not-how-security-works-security-is-not-obscurity/

  9. anthonyrossbach

    Ya your site breaks Canada laws also

    I had to make an account to post here, one problem: your signup breaks Canadian anti spam laws. If you are allowing users in Canada to register you must NOT have any email marketing or update options on by default and must be deselected by default!

    1. JWLong

      Re: Ya your site breaks Canada laws also

      Canada has laws, who let that happen?

      I mean, if they can't handle some tick boxes what are they going to do with Laws

      I'm only kidding, don't get all butt hurt now!

      (but it is funny)

    2. Tom 38 Silver badge

      Re: Ya your site breaks Canada laws also

      You're not registering in Canada, you're registering in the UK, so that's alright then.

  10. allan wallace

    Re: Ya your site breaks Canada laws also

    If this is true then this probably already breaks PECR, and will certainly break GDPR compliance (when the registrant is an E.U. citizen)

    1. Anonymous Coward

      Re: Ya your site breaks Canada laws also

      "If this is true then this probably already breaks PECR, and will certainly break GDPR compliance (when the registrant is an E.U. citizen)"

      But NONE of this matters to the NSA.

      All your data..

  11. oah

    Still some sort of issue

    I use outlook and it does a great job of filtering out spam, except for excellently crafted spam.

    A couple months back, I noticed that all of a sudden, spam was starting to come through to my inbox, they were from legit random .com websites.

    The one main thing they all had in common is Namecheap being the registrar.

    The links they wanted me to click on were not subdomains, but normal .com's.

    Most links pointed to a subfolder off the root that was the name of a color.

    I found this post this morning and I noticed that the websites linked from before this week are no longer up, indicating that they were found to be compromised I guess.

    I wish there was a place I could discuss my findings with someone who could help find any pattern or something.

  12. tkrozen

    Credit Card info stolen (last purchase: Namecheap)

    My last purchase was a DNS certificate through NameCheap. 24 hours later: $1,000 of fraud coming through on that card. Anyone else here having any issues?
