Hijacking Unclaimed Google Apps Domain Services To Hijack Mail, or Assign a Domain Penalty

Jake Ludington stumbled on to a way to create  extra hoops for anyone who is going to sign up for a Google Apps Account.  Now the company that could benefit from Jake’s exploit the most is Microsoft since his attack just makes Google Apps a pain to sign up for.

Jake, being a nice guy isn’t as evil as I am, so let me give you some detail on how to actually do some evil through this exploit.

First you follow Jake’s directions and get the initial claim on the domain, which will give you a tag to add to a DNS record.

Then you do a who is for a the domain to see where it is hosted and the most likely email addresses to use as a login.

Registered through: Domains Priced Right
Created on: 04-May-03
Expires on: 04-May-20
Last Updated on: 30-Jun-10
Administrative Contact:
Ludington, Jacob REMOVED@ALSOREMOVED.com
1037 NE 65th Street #145
Seattle, Washington 98115
United States
Technical Contact:
JakeLudington.com, NA REMOVED@ALSOREMOVED.com
1037 NE 65th Street #145
Seattle, Washington 98115
United States
Domain servers in listed order:

Now you have all the information you need to go out to a list of email and passwords lists which you can acquire from any number of BlackHat Sites, or if you run a Twitter metrics tool that asks for a user/pass, or a PhotoSharing site, or an e-card site… and you look for the email address or people with the same name, and you log in to their domain registrar’s site with that User/Pass.

So you go out to https://www.dnsmadeeasy.com/servlet/login and you login with Jake’s information.  If like most people the password is the same as they have used elsewhere you don’t have to work to hard to get in.

Now you could hijack their whole domain but they’d notice that, so instead you just hijack a sub domain, like imail.JakeLudington.com you create an MX record for that, put your Google Tag in the DNS entry so that Google thinks you are an admin, and you can now send mail from a very official looking JakeLudington Account.   You can also set up websites to run spam from.  And because you hijacked a subdomain, Jake might take months, or even years to notice, and won’t really know how it happened.

You can avoid this happening by putting a few layers between you and your would be hijackers.  I have my own registrar service through a big reseller, which is $120-ish a year, but it means you have to log in to it, rather than through a big named registrar.  While that is security through Obscurity the way this trick works best is through automation, so you need only be one hop from normal to prevent most hijacks.

You should also use a unique password, and an email for your domain services you don’t use for anything else.  Jake did this. (he’s not dumb) which would make it harder to hijack his site.  Though it turns out he used the same password he uses for everything else… SO… When I went to change his DNS it didn’t take too long to figure out which password he uses…  Don’t worry Jake, I’m only planning to send mail from Jake@sales.jakeludington.com to sell ads you will never actually serve… It’s not like any of those ad buyers will be too mad at you.