Online Fraud new targets: domain control

The current situation related to the online fraud allows S21sec to detect and to prevent, very often, the fraud attacks when they are arising, sometimes even before they are launched. There are lots of articles and papers available in the Internet that detail all the different trojan features, focusing mainly on the method they use in order to steal credentials (BHO, process injection, man-in-the-middle, …)

The most common scenario that we usually face up is a three-element situation:

1. An exploit that triggers a vulnerability in a browser, usually included inside an iframe html element (the infection method).

2. Malicious code that is downloaded once the exploit has been successful (the trojan)

3. A web application where the stolen data is stored and where there is a C&C panel (the control panel).

Within this scenario, there are multiple combinations: several sites at the same time, different trojans, exploits targeting Internet Explorer, Firefox, Opera, … there are infinite possibilities.

In order to have as many infected computers as possible, the idea is that the more compromised web sites you have to inject you html code, the more zombie computers you’ll get. These web sites are often legitimate sites that have been compromised by exploiting any vulnerability in the site (SSI, SQL Injection, …). This method can become very successful due to insecure configurations or outdated software.

One the computer is infected, the malicious code has total control over it, and it starts grabbing all the information sent to the Internet (eg: users and passwords), and sometimes it forwards the user to phishing sites so that it can steal his credentials.

The above situation is nothing new, but nowadays there are new attack vectors, and these new vectors can threat the entire Internet: the Internet domains control.

One control panel example is the following picture (look at the number of infected computers, for instance, in EEEU and Spain):

Generally, the information (logs) gathered in the control panels is filtered looking for entities that could be related to financial aims: banks, online payments, online bids, … but is more and more common to find other filters: the authentication information for the Internet domain management control panels.

This information can be used in different malicious scenarios:

• Denial of Service forwarding the main domain ( to a non-existent ip address.

• Phishing attacks doing the same approach but forwarding all your web traffic to a malicious ip address.

• Domain sell/transfer without proper authorization.

• Domain contact details change

• They can change your MX record in order to forward all your mail traffic to a malicious SMTP host.

• Subdomain creation in order to host malicious code (remember the infection method)

During the last incidents, several domain management companies have been detected to be the attacker’s target, as you can see in the following picture:

Besides, in the last incident, there were detected more than 400 users and passwords for these domain control panels. Taking into account that these users very often manage lots of domains at the same time, we can guess that there are thousands of domains that could be compromised.

Example of a compromised user and password:


AutoCompletePasswords: usuario:password

In summary, the illegal activities related to the Internet fraud are getting smarter in order to commit the fraud. The Internet domain management is a task that is rarely considered to have major threats, but as it has been shown in this article, it can become the main gate for a big security incident in your organization. Among other tasks, it is recommended:

•The inclusion of these credentials in your security policy lifecycle

•Strong authentication

•Antifraud professional services

David Barroso Berrueta, R&D CTO at S21sec, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at