Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

Updated Namecheap has admitted it accidentally let miscreants set up and control fraudulent subdomains on websites belonging to other customers.

These hijacked sites were subsequently used to host dodgy material. This caused them to be flagged up as malicious by Google's search engine, blocking netizens from visiting them, and piling further misery on webmasters.

Namecheap customer Kirk McElhearn found this out to his cost when he received an alert from Google that three subdomains on his website were serving out spammy content and/or malicious software. This was news to him since his hosting administration tool Cpanel was showing no such subdomains existed.

When McElhearn turned to ICANN-accredited registrar Namecheap for help, he got a rather disturbing response. The technical support staff at the US-based biz told him that the issue was down to a "misconfiguration on our nameservers."

Essentially, some scumbag with a Namecheap account had abused a vulnerability in Namecheap's DNS setup to tack extra subdomains onto McElhearn's kirkville.com website, point said subdomains at a web server, and use them to dish out naughty stuff.

"In short, it was another user that added the subdomains to their hosting account," he was told.

To make matters worse, the subdomains were outside his control. Also, while his legit site uses encrypted HTTPS by default, visitors to the new subdomain were redirected to standard HTTP pages. Ultimately, the subdomains were exploiting McElhearn's website's search rankings to lure in netizens.

"If you get a lot of traffic, the bogus pages set up on the sub-domain may inherit some of your website's prominence, allowing malicious users to serve spam or malware, or to make money by displaying Google ads," McElhearn explained.

"Interestingly, even though Google flagged these pages as 'hacked content' they were still serving Google ads; as if Google really doesn't care how they make their money."

After the subdomains were quickly removed, and McElhearn detailed his experiences in a report on Monday, noted infosec pundit Graham Cluley took the registrar to task on Twitter. Namecheap's response was not what you'd call reassuring:

The issue should be completely resolved very soon. Just an update: https://t.co/K72Dz8mAfI - Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe.

— Namecheap.com (@Namecheap) February 5, 2018

"The issue should be completely resolved very soon," it said on Twitter. "Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe."

The biz said it is conducting an audit, and will contact any of its customers who have been affected by its security cockup. Judging from the language used, the issue potentially affected any number of Namecheap's customer base, it's just that miscreants only got round to targeting a select bunch, and the registrar is now scrambling to find out who got hit.

"They certainly haven't contacted me about it, outside of the tweet which isn't what you'd call official," McElhearn told The Register. "And teeny tiny is not a useful term."

Thankfully, the dodgy subdomains on his site turned out to just be categorized spammy links to news articles. But it could have been a lot worse.

So far Namecheap isn't responding to requests for comment, but if the company is hosting your website you may want to check that you're not hosting anything nasty. ®

Updated to add

Namecheap's CEO Richard Kirkendall has been in touch to assure us that the dodgy subdomains were removed on Monday, the same day they were spotted, and insisted only a "minimal" number of customers were hit.

"We are almost done with our scanning of possibly affected users," he told us. "So far we are currently estimating 100 to 200, more than likely less, domains may have been affected by this issue. We are getting close to fully completing our audit and will give a full report once it's done."

And it appears that full report can now be found here, which details an "unexpected gap in our security" that led to a dozen domains being hijacked.