A bomb threat hoax that mobilized police departments across the country last month took advantage of an obscure security weakness at web hosting and domain registry services like GoDaddy.com, researchers say.
The weakness allowed spammers to obscure the origins of thousands of extortion emails they sent out as part of the hoax campaign, said Ronald F. Guilmette, a veteran spam researcher based near Sacramento.
GoDaddy acknowledged in a statement sent to McClatchy that hackers had “abused” its service, and said employees had “identified a fix and are taking corrective action immediately.”
Other computer experts backed up Guilmette’s findings and noted that GoDaddy was an unintentional conduit for the bomb hoax campaign, which appears to have originated in Russia, and that a couple of other small companies also were abused by spammers.
The security weakness allowed spammers to hijack dormant domain names of Fortune 500 companies, institutions, universities and other entities hosted by companies like GoDaddy.com and send their spam using those domains, passing through spam filters that give a green light to email from trusted owners, Guilmette found.
He tracked the bomb hoax spam emails and found the vast majority moved through 3,971 websites — or domains — primarily at GoDaddy, a Scottsdale, Arizona, company that is also the world’s largest registrar of domain names, with more than 40 million such names under management.
The extortionists sent out thousands of emails Dec. 13 demanding $20,000 in bitcoin in order to deactivate what they said were bombs placed in the premises of the recipients.
In dozens of cities – including San Francisco, Chicago, Miami, St. Louis and Boston – emergency personnel swarmed in response to the bomb threats, ordering building closures and lockdowns. Police swept buildings at Penn State and the University of Washington, and executives evacuated newsrooms, including at The News and Observer in Raleigh, North Carolina.
The threats cascaded to other areas, including Canada, New Zealand, Australia and Hong Kong.
Guilmette said he began tracking the path of the spam emails after learning of them Dec. 13, and immediately saw that the extortionists had gained control of dormant web addresses originally obtained by recognizable entities, like Massachusetts Institute of Technology and Yale University, Expedia, US Steel, Mastercard, Warner Brothers Entertainment and even the Church of Scientology.
“None of these companies is guilty of anything but leaving these old domain names dangling,” Guilmette said, adding that in nearly all cases the domains had been registered years earlier but never used.
Through a vulnerability in the authentication and verification process used in domain controls, the hackers were able to commandeer unused domains and point them wherever they chose, redirecting anyone who relied on those names.
“They were pointed at IP addresses located on various Russian networks,” Guilmette said, referring to the internet protocol system for routing internet traffic. The vast majority pointed at sites registered by reg.ru, the largest Russian domain registrar.
Given the Russian angle, Guilmette nicknamed the extortion group Spammy Bear, echoing the names Cozy Bear and Fancy Bear given to two major hacking teams linked to Russian security services or military units that interfered in the 2016 U.S. presidential campaign.
GoDaddy spokesman Dan Race didn’t say precisely how hackers took advantage of the company’s dormant domains, only that no customer information was exposed.
According to Guilmette, a tiny percentage of the spam emails moved through domains hosted by two smaller U.S. domain name providers, Cincinnati-based NetDorm Inc., and Reprise Hosting, which lists a post office box in Las Vegas.
Fellow experts on domain registry said Guilmette’s research was solid.
“He checks out, actually, as a legitimate researcher who knows what he’s talking about,” said Mike Simon, chief technology officer at Critical Informatics, a Seattle-area cybersecurity firm.
Those who purchase domains and set up websites sometimes choose to move them from one web host to another.
“You just assume that all you have to do is turn off the account over here and light up over there,” Simon said, but further steps must be taken to zero out an unused account. “I would not have expected anyone, even a very security conscious person, to have taken those steps.”
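The "dangling" condition Guilmette and Simon describe is auditable from the defender's side: a domain whose registrar-level delegation still points at a third-party DNS host, while no zone for that domain exists in any account the owner controls at that host, is a name someone else can claim. The script below is an added example written for this article, not code from Guilmette, GoDaddy or McClatchy. The registrar export, the hosted-zone inventory and the provider nameserver suffixes (`dns-host.example`, `other-host.example`) are all constructed placeholders; in practice the export comes from the registrar's account and the zone inventory from each DNS host's API or control panel.

```python
"""Audit registrar delegations for dangling third-party DNS hosting.

A domain is 'dangling' when its NS records point at a shared DNS provider
but the domain is not present as a zone in any account we control there.
All inputs below are constructed sample data for illustration.
"""
from dataclasses import dataclass

# Constructed registrar export: "<domain> <ns1>,<ns2>" per line.
REGISTRAR_EXPORT = """\
# domain                 nameservers
shop-legacy.example      ns1.dns-host.example,ns2.dns-host.example
promo2011.example        ns1.dns-host.example,ns2.dns-host.example
www-corp.example         ns1.corp-dns.example,ns2.corp-dns.example
old-campaign.example     ns1.other-host.example,ns2.other-host.example
"""

# Constructed inventory: zones that really exist in the DNS-hosting accounts
# we control, keyed by the provider's nameserver suffix.
OUR_HOSTED_ZONES = {
    "dns-host.example": {"shop-legacy.example"},
}

# Placeholder suffixes for shared DNS providers where any account holder can
# add a zone for a name that is delegated there but not yet configured.
THIRD_PARTY_DNS_SUFFIXES = ("dns-host.example", "other-host.example")


@dataclass(frozen=True)
class Finding:
    domain: str
    provider: str
    reason: str
    remediation: str


def parse_registrar_export(text):
    """Return {domain: [nameserver, ...]} from the constructed export format."""
    delegations = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ns_field = line.split()
        delegations[domain.lower().rstrip(".")] = [
            ns.lower().rstrip(".") for ns in ns_field.split(",")
        ]
    return delegations


def provider_of(nameserver):
    """Map a nameserver to a known shared-provider suffix, or None if self-hosted/unknown."""
    for suffix in THIRD_PARTY_DNS_SUFFIXES:
        if nameserver == suffix or nameserver.endswith("." + suffix):
            return suffix
    return None


def audit_delegations(delegations, hosted_zones):
    """Flag domains delegated to a shared provider with no zone of ours there."""
    findings = []
    for domain, nameservers in delegations.items():
        providers = {provider_of(ns) for ns in nameservers}
        providers.discard(None)  # self-hosted nameservers cannot be claimed by outsiders
        for provider in sorted(providers):
            zones = hosted_zones.get(provider)
            if zones is None:
                reason = "delegated to a provider where we hold no account"
            elif domain not in zones:
                reason = "delegated to our provider but zone is missing from our account"
            else:
                continue  # delegation is backed by a zone we own: not dangling
            findings.append(Finding(
                domain, provider, reason,
                "re-delegate to registrar-controlled nameservers or add the zone to our account",
            ))
    return findings


if __name__ == "__main__":
    for f in audit_delegations(parse_registrar_export(REGISTRAR_EXPORT), OUR_HOSTED_ZONES):
        print(f"{f.domain}: {f.reason} ({f.provider}) -> {f.remediation}")
```

Run against the sample data, `www-corp.example` is ignored because its nameservers are not a shared provider, `shop-legacy.example` passes because its zone exists in our account, and the two forgotten marketing names are reported. The same reconciliation should be repeated whenever a hosting account is closed, which is the step Simon notes nobody expects to take.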
Those who make their living from spam – pretending to be long-lost Nigerian princes or vendors of miracle cures – seek to send out the email from multiple domains, rather than one sketchy internet address, to avoid getting trapped in spam filters.
The technique is known as “snowshoe spamming” because it spreads the weight of the bulk email across a wide area.
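Snowshoe spamming leaves a recognizable footprint in a mail gateway's logs: one message fingerprint arriving from many sending domains, each used only a few times, often from a small cluster of source networks. The detector below is an added example, not code from the article or any of the people it quotes. The log format, the `fp=` content fingerprint field and the log lines themselves are constructed for illustration (source addresses use the TEST-NET ranges); the thresholds are assumptions a deployment would tune.

```python
"""Flag snowshoe-style campaigns in constructed mail-gateway logs.

For each content fingerprint, count distinct sender domains and distinct
source /24 networks. Many domains with few messages each, concentrated in
a few networks, is the snowshoe pattern.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log lines (not from any real gateway). The 9f1c campaign uses a
# different dormant-looking domain for nearly every message; 44aa is an ordinary
# newsletter from one domain and one host.
LOG_LINES = """\
2018-12-13T14:01:02Z accept ip=203.0.113.10 from=threat@promo2011.example fp=9f1c
2018-12-13T14:01:03Z accept ip=203.0.113.11 from=threat@shop-legacy.example fp=9f1c
2018-12-13T14:01:05Z accept ip=203.0.113.12 from=alert@old-campaign.example fp=9f1c
2018-12-13T14:01:06Z accept ip=203.0.113.13 from=info@unused-brand.example fp=9f1c
2018-12-13T14:01:07Z accept ip=203.0.113.14 from=info@dormant-site.example fp=9f1c
2018-12-13T14:01:09Z accept ip=203.0.113.15 from=sec@forgotten.example fp=9f1c
2018-12-13T14:01:10Z accept ip=203.0.113.15 from=sec@forgotten.example fp=9f1c
2018-12-13T14:05:00Z accept ip=198.51.100.7 from=newsletter@corp.example fp=44aa
2018-12-13T14:05:01Z accept ip=198.51.100.7 from=newsletter@corp.example fp=44aa
2018-12-13T14:05:02Z accept ip=198.51.100.7 from=newsletter@corp.example fp=44aa
""".splitlines()

LINE_RE = re.compile(r"ip=(?P<ip>\S+) from=\S+@(?P<domain>\S+) fp=(?P<fp>\S+)")

# Assumed thresholds: at least this many domains, at most this many messages per domain.
MIN_DOMAINS = 5
MAX_MSGS_PER_DOMAIN = 2.0


def parse_line(line):
    """Return (fingerprint, domain, /24 network) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    network = ipaddress.ip_network(f"{m['ip']}/24", strict=False)
    return m["fp"], m["domain"].lower(), network


def summarize(lines):
    """Group parsed lines by fingerprint and collect per-campaign statistics."""
    groups = defaultdict(lambda: {"messages": 0, "domains": set(), "networks": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fp, domain, network = parsed
        g = groups[fp]
        g["messages"] += 1
        g["domains"].add(domain)
        g["networks"].add(network)
    return groups


def detect_snowshoe(lines):
    """Return one summary dict per fingerprint that matches the snowshoe pattern."""
    flagged = []
    for fp, g in summarize(lines).items():
        n_domains = len(g["domains"])
        per_domain = g["messages"] / n_domains
        if n_domains >= MIN_DOMAINS and per_domain <= MAX_MSGS_PER_DOMAIN:
            flagged.append({
                "fingerprint": fp,
                "messages": g["messages"],
                "domains": n_domains,
                "networks": len(g["networks"]),
                # Ratio of domains to source networks: high means many names, few senders.
                "domains_per_network": n_domains / len(g["networks"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in detect_snowshoe(LOG_LINES):
        print(f"fp={hit['fingerprint']}: {hit['messages']} msgs from {hit['domains']} domains "
              f"in {hit['networks']} /24 network(s)")
```

The fingerprint is whatever the gateway already computes for near-duplicate content; the point is that grouping on content rather than on sender defeats the spread that snowshoe spamming relies on, and the domains in a flagged group are exactly the ones whose owners should be asked whether they still control them.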
Guilmette said the spammers in the bomb hoax campaign launched a sextortion campaign last July, alleging that they had compromising material and demanding payments from recipients of up to $5,000.