nanog mailing list archives

Re: starwars.com subdomain hijacked?


From: Rich Lafferty <rich () lafferty ca>
Date: Tue, 30 Nov 2010 10:14:04 -0500

Novator (Canadian web-shopping company, used to be FTD's big partner) is responsible for shop.starwars.com so I think all that's happened here is Novator forgot to renew a domain.

domainsatcost.ca is rebel.com is Momentous.ca and they own yourdomainhasexpired.com.

 -Rich


On 22 Nov 10, at 12:19 PM, Matt Disuko wrote:


I'm surprised by the sequence of events here.

domain "novator2.com" is registered with DomainsAtCost.ca.

domain "novator2.com" expires...

gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com?  1550507.ca?

;; ANSWER SECTION:
shop.starwars.com.      1655    IN      CNAME   shop.starwars.novator2.com.
shop.starwars.novator2.com. 1655 IN     A       74.54.152.75

;; AUTHORITY SECTION:
novator2.com.           160201  IN      NS      dns2.yourdomainhasexpired.com.
novator2.com.           160201  IN      NS      dns.yourdomainhasexpired.com.

Redir'd to an advert site, instead of a default "DomainsAtCost.ca" holding page or... nowhere.

Apparently quickly renewed and "given back" to the original owners.

Who's at play here?  Does DomainsAtCost have a deal with Rebel.com?  Or are they the same company?

It all seems fishy to me.  Is this normal practice?



Date: Mon, 22 Nov 2010 12:05:21 -0500
From: ken () sizone org
To: nanog () nanog org
Subject: Re: starwars.com subdomain hijacked?


On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
Appears that it's a CNAME for shop.starwars.novator2.com.

The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.

-wil

Smartest attack is to put up a page that looks exactly the same as the
legit site, but with your own cheaper crappier knockoff starwars paraphernalia
('duke', 'tewey', 'princess luba') that you sell instead and make the huge
profits.

Not to give anyone any ideas that weren't obvious like 15 years ago.

How anyone can tell the internet is legit at a glance is beyond me. Need
to hook up firefox's security warning to my speakers to get a modicum of
alert that SSL is busted, to start, never mind anything more creative.

That phishers manage to fake sites that look wrong is also beyond me, what's
so hard about 'save page as'?

/kc
-- 
Ken Chase - ken () heavycomputing ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.


-- 
Rich Lafferty
rich () lafferty ca
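The failure mode in this thread (a CNAME from your own zone pointing into a vendor's domain that lapses and gets delegated to an expiry-parking service) is something a zone owner can check for routinely. The script below is an added example, not code from anyone in the thread: it walks CNAME chains for a list of monitored hostnames, works out which registrable domain each chain ends in, and flags chains that leave the owner's domains, that no longer resolve at all, or whose apex is delegated to a known expiry/parking nameserver. The record set is a constructed in-memory snapshot shaped like the dig output quoted above (plus a few invented hosts under example.com/example.net and a retired-vendor placeholder); in real use you would feed it live answers from your resolver. `registrable_domain` is deliberately naive (last two labels, no public-suffix list), which is an assumption that would need fixing for names under suffixes like co.uk.

```python
"""Dangling / third-party CNAME audit (constructed example)."""
from dataclasses import dataclass, field

# Constructed zone snapshot. The starwars/novator2 entries mirror the dig
# output quoted in the thread; the example.* and retired-vendor entries are
# invented to exercise the other code paths.
RECORDS = {
    ("shop.starwars.com.", "CNAME"): ["shop.starwars.novator2.com."],
    ("shop.starwars.novator2.com.", "A"): ["74.54.152.75"],
    ("novator2.com.", "NS"): ["dns2.yourdomainhasexpired.com.",
                               "dns.yourdomainhasexpired.com."],
    ("www.starwars.com.", "A"): ["192.0.2.10"],
    ("static.example.com.", "CNAME"): ["cdn.example.net."],
    ("cdn.example.net.", "A"): ["198.51.100.5"],
    ("example.net.", "NS"): ["ns1.example.net."],
    # CNAME into a vendor domain that has no records at all any more
    ("old.starwars.com.", "CNAME"): ["shop.starwars.retired-vendor.example."],
    # deliberate loop, to show the hop limit / loop guard
    ("loop-a.example.com.", "CNAME"): ["loop-b.example.com."],
    ("loop-b.example.com.", "CNAME"): ["loop-a.example.com."],
}

# Nameserver suffixes that mean "this apex is currently held by an
# expiry/parking service". The one entry is the NS domain from the thread.
PARKING_NS_SUFFIXES = ("yourdomainhasexpired.com.",)


def lookup(name, rtype):
    """Stand-in for a resolver query against the snapshot above."""
    return RECORDS.get((name.lower(), rtype), [])


def registrable_domain(name):
    """Last two labels of a name (assumption: no public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def follow_cname(name, max_hops=8):
    """Return the CNAME chain starting at name (name itself excluded)."""
    chain, seen, cur = [], {name}, name
    for _ in range(max_hops):
        targets = lookup(cur, "CNAME")
        if not targets:
            break
        cur = targets[0]
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        chain.append(cur)
    return chain


@dataclass
class Finding:
    host: str
    chain: list = field(default_factory=list)
    apex: str = ""             # registrable domain the chain ends in
    third_party: bool = False  # apex not in the owner's domain set
    unresolved: bool = False   # final target has no A/AAAA (dangling)
    parked_ns: list = field(default_factory=list)

    @property
    def risky(self):
        return self.unresolved or bool(self.parked_ns)


def audit(host, owned_domains):
    """Audit one hostname against the set of domains the owner controls."""
    f = Finding(host=host)
    f.chain = follow_cname(host)
    final = f.chain[-1] if f.chain else host
    f.apex = registrable_domain(final)
    f.third_party = f.apex not in owned_domains
    f.unresolved = not lookup(final, "A") and not lookup(final, "AAAA")
    f.parked_ns = [ns for ns in lookup(f.apex, "NS")
                   if ns.endswith(PARKING_NS_SUFFIXES)]
    return f


if __name__ == "__main__":
    owned = {"starwars.com."}
    for h in ("shop.starwars.com.", "www.starwars.com.", "old.starwars.com."):
        r = audit(h, owned)
        flag = "RISK" if r.risky else "ok"
        print(f"{flag:4} {h} -> {r.apex} third_party={r.third_party} "
              f"unresolved={r.unresolved} parked_ns={r.parked_ns}")
```

Running this flags shop.starwars.com because its chain leaves starwars.com and novator2.com's NS records sit under yourdomainhasexpired.com, and flags old.starwars.com because the target no longer resolves; www.starwars.com stays in-zone and is reported as ok. A third-party apex with normal delegation (static.example.com above) is reported but not marked risky, which is the right place to hang a reminder about vendor domain expiry dates.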