Hijacked domains: Tucows and Njalla fall victim to a phishing attack

Njalla revealed today that Tucows was the victim of a phishing attack that affected some domains registered through Njalla as well as domains belonging to other resellers and registrants. Tucows received a fake court order (including a gag order) demanding that it hand over a set of domains, some of which were registered through Njalla (and others weren’t).

Njalla is a Tucows domain name reseller, as Njalla is not yet an accredited registrar for legacy and new gTLDs. ICANN has refused to give Njalla a registrar accreditation. (Read more here and here.)

Tucows receives a large number of court orders and was tricked by this one. Few details on exactly how the attack was carried out have been made available.

So this was a targeted attack against specific domains, using a gag order. Tucows believed it was not allowed to inform Njalla, and thus didn’t (and therefore Njalla couldn’t inform its registrants). No customer data was leaked, but the domains were hijacked. The domains were later updated with new content, which led to phishing attacks against their user base.

The domains were transferred internally at Tucows to its compliance department and then handed over to the attacker, who immediately transferred them to other registrars. In this case the receiving registrars were Epik and Namecheap. Epik handed back the domain that had been transferred to it as soon as it was informed about what had happened.
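The sequence above (registrar hands the domain over, the gaining registrar receives it, the content is swapped for a phishing page) leaves traces in the domain's public RDAP record: the registrar entity changes, the transfer lock disappears, and the nameservers move. As an added example, not code from the original post, Njalla or Tucows, the script below compares two RDAP-style snapshots of one domain and flags those changes. Both snapshots are constructed, and the registrar and nameserver names in them are placeholders. One caveat the incident itself illustrates: the check is detection, not prevention. Here the losing registrar cleared the lock and authorised the transfer, so the registrant could only have noticed after the fact.

```python
"""Flag the changes a transfer-based domain hijack leaves in RDAP data.

Added example, not code from the original post, Njalla or Tucows. Both
snapshots below are constructed RDAP-style documents with placeholder
registrar and nameserver names; in practice they would come from two
lookups of the same domain taken at different times.
"""
import json
from typing import Any, Dict, List, Optional, Set

# EPP/RDAP statuses that block an inter-registrar transfer. A transfer can
# only proceed once these are gone, so their removal is an early warning.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def registrar_name(rdap: Dict[str, Any]) -> Optional[str]:
    """Return the display name ('fn') of the entity carrying the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            _, properties = entity.get("vcardArray", ["vcard", []])
            for prop in properties:
                if prop[0] == "fn":
                    return prop[3]
    return None


def nameservers(rdap: Dict[str, Any]) -> Set[str]:
    """Normalised set of nameserver host names."""
    return {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}


def statuses(rdap: Dict[str, Any]) -> Set[str]:
    """Lower-cased set of RDAP status values."""
    return {s.lower() for s in rdap.get("status", [])}


def hijack_indicators(before: Dict[str, Any], after: Dict[str, Any]) -> List[str]:
    """Compare two snapshots of the same domain and return human-readable alerts."""
    if before.get("ldhName", "").lower() != after.get("ldhName", "").lower():
        raise ValueError("snapshots describe different domains")
    alerts: List[str] = []

    old_reg, new_reg = registrar_name(before), registrar_name(after)
    if old_reg != new_reg:
        alerts.append(f"registrar changed: {old_reg!r} -> {new_reg!r}")

    # Locks present before but missing now: someone unlocked the domain.
    lost_locks = TRANSFER_LOCKS & (statuses(before) - statuses(after))
    if lost_locks:
        alerts.append("transfer lock removed: " + ", ".join(sorted(lost_locks)))

    if "pending transfer" in statuses(after):
        alerts.append("transfer in progress (status 'pending transfer')")

    added = nameservers(after) - nameservers(before)
    removed = nameservers(before) - nameservers(after)
    if added or removed:
        alerts.append(f"nameservers changed: -{sorted(removed)} +{sorted(added)}")
    return alerts


# Constructed snapshot before the incident: locked, at the original registrar.
BEFORE = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "Original Registrar (placeholder)"]]]}],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.original.example"},
                  {"objectClassName": "nameserver", "ldhName": "ns2.original.example"}]
}""")

# Constructed snapshot after the transfer: new registrar, lock gone, and
# nameservers pointing at infrastructure the registrant does not control.
AFTER = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client delete prohibited"],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "Gaining Registrar (placeholder)"]]]}],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.attacker.example"}]
}""")


def demo() -> List[str]:
    """Run the comparison on the constructed snapshots."""
    return hijack_indicators(BEFORE, AFTER)


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

Run against the constructed snapshots, `demo()` returns three alerts: the registrar change, the removed `client transfer prohibited` lock, and the nameserver swap. Comparing a snapshot with itself returns no alerts. Against live data, a registrant would store the previous RDAP response and run the comparison on a schedule; the registrar-change alert is the one that matters most, because once the domain sits at a gaining registrar, getting it back depends on that registrar's cooperation, which is exactly the situation the article describes.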

Namecheap, on the other hand, one of the largest registrars in the world, has so far declined to return its domain. It has also decided not to disable the domain.

Njalla says that “the phishing attacks on the domain in question are still ongoing even though Namecheap has been informed multiple times, including the fact that the court order that they justify the transfer with was a faked one. We know that Namecheap and Tucows have some animosity between them after a previous feud but hope that they will not let third parties suffer because of it. It’s extremely concerning that a company like Namecheap does not take this situation more seriously and swiftly return the domain to the registrant (and meanwhile disable the domain’s usage).”

Tucows has not made an official comment yet.

Here is the complete blog post from Njalla:

A lot of people are public about their usage of Njalla. We however find that it’s their prerogative to decide if they want to acknowledge our relationship. We’re like that secret partner that’s ok with being a secret, maybe kept on the side or maybe just because real intimacy is the business of just the involved parties. That’s why we rarely openly talk about dealings with specific domain names that are registered through us.

However, the past few days there has been a quite unique attack that has affected some domains registered through us. The registrants of those have been vocal about their relationship with us, and we’ve worked together in trying to rectify the problem. For transparency and to learn from this situation we decided to write up a post about what actually happened and how we’re making sure this will not happen again.

In order to explain we need to explain a bit how Njalla works. The main difference between us and many other registrars is that we’re the legal owner of domains. Many other registrars offer a service of being a proxy in between, but the regulations mean that they will hand over the user data whenever there’s any sort of inquiry. Some registries (TLDs) even require this data to also be sent to them at registration. Taking the legal ownership means that we are also more liable than other registrars are — and want to be, which is why we’re quite unique in how we operate.

This is also a bit problematic though. First of all the end registrant needs to trust us that we will not run away with their domains. After this many years in operation and a flawless track record, the trust seems to be established (and we’re happy for that trust). It also means we’re harsher than other registrars against phishing, scams and we operate quickly to resolve cases like that. For us this is a win-win since we also want a cleaner internet – freedom of speech doesn’t mean the right to spread malware. We protect those that need it, not those that want to abuse it.

Another problem is that we often also need a go-between ourselves. The regulations of most TLDs (such as .com, .net, .org etc.) very often state that the registrar is not allowed to register end-registrant domains for themselves. So we have partnered up with other registrars to register domains through them, so we’re the end customer. This means that they only know our information as the registrant, and we work closely together to mitigate any potential issues that arise (such as the aforementioned phishing situations for instance).

A few days ago, one of our partners (Tucows) was however the victim of a phishing attack themselves. They received a court order (including a gag order) to hand over a set of domains, some of which were registered through Njalla (and others weren’t). Tucows receives quite a lot of these court orders and got tricked by it. We haven’t gotten all of the details from them on exactly how the full attack was done, but we’ve asked for clarifications. We have been promised that Tucows has strongly improved their operations for how to deal with future court orders.

So this was a directed attack against specific domains, through a specific partner, with a gag order. Tucows believed they were not allowed to inform us, and thus didn’t (and therefore we couldn’t inform our registrants). This means that no data was leaked, but it did lead to the domains being hijacked. These domains were later updated with new content which led to phishing attacks on their user base, which we are extremely upset about.

These situations are unfortunately more or less out of our hands. We have selected partners that agree on our values (like privacy and an open internet) and that can also handle the legal aspects of working with a unique niche operation like ours. A major problem with domains is however the centralised operations that they’re built upon. We have one single instance called ICANN that controls 90%+ of the TLDs that exist (essentially all TLDs that are not governed by a territory), and then the few registrars that have volume enough to make direct agreements with these TLDs. This is one of the things that we started Njalla to combat – long term we’re working against this centralisation and wanting to get volume enough to be a voice of reason within this industry. We believe that if more registrars operated the way we do – and would take the same effort to fight court orders as we do – this attack would not have been possible.

And speaking of this industry, and to continue with the story of the hijacked domains: the domains were transferred internally at Tucows to their compliance department and then handed over to the attacker, who then immediately transferred these domains to other registrars. In our case it was Epik and Namecheap. Epik is a registrar we do not like for political reasons but credit where credit is due, they handed back the domain that was transferred to them as soon as they were informed about what had happened.

Namecheap on the other hand, one of the largest registrars in the world, decided not to yet, even though the rules are quite clear in these cases. They have also decided to not disable the domain usage. This means the phishing attacks on the domain in question are still ongoing even though Namecheap has been informed multiple times, including the fact that the court order that they justify the transfer with was a faked one. We know that Namecheap and Tucows have some animosity between them after a previous feud but hope that they will not let third parties suffer because of it. It’s extremely concerning that a company like Namecheap does not take this situation more seriously and swiftly return the domain to the registrant (and meanwhile disable the domain’s usage).

After all of this is done, we’re going to have a debriefing with our partners to understand more about what exactly happened and we’ve already offered our expertise where it might be helpful.

About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

3 comments

  1. So who should we be more angry with?

    Of course Namecheap is mostly in Ukraine and has many Russian customers, draw your own conclusions.

    I think BOTH Tucows AND Namecheap should be deemed “not fit & proper” companies to manage registrations.

    Maybe one warning shot by ICANN and two years on probation with a one more strike and you are banned for 5 years then need to re-apply and satisfy ICANN that you are fit and proper.

    At the very least I would like to see the CEOs of both sacked IMMEDIATELY.

  2. Internet security is shit, ex-convicted hackers are given more premiums and a lot of money to work in the best data encryption software brands in the US and other countries.
    When something goes wrong or it is the Chinese and now the Russians, Dan.com is also attacked for being in the Netherlands.
    I care more about online security than politics wherever it comes from, no political party in the world feeds me.

  3. Jeff Schneider

    Hello Konstantinos,
    Domains are Strategic Assets, some of these assets are near priceless. When will registrars treat them as such.
    They don’t get it unless you leave them. JAS 5/3/2021

    Gratefully and Respectfully, Jeff Schneider (CONTACT GROUP) Metal Tiger, Former (Rockefeller I.B.E.C. Marketing Analyst/Strategist) (Licensed C.B.O.E. Commodity Hedge Strategist) (Domain Master) (UseBiz.com)
