Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

Crooks create subdomains on a dozen sites

By Iain Thomson in San Francisco


Updated Namecheap has admitted it accidentally let miscreants set up and control fraudulent subdomains on websites belonging to other customers.

These hijacked sites were subsequently used to host dodgy material. This caused them to be flagged up as malicious by Google's search engine, blocking netizens from visiting them, and piling further misery on webmasters.

Namecheap customer Kirk McElhearn found this out to his cost when he received an alert from Google that three subdomains on his website were serving out spammy content and/or malicious software. This was news to him since his hosting administration tool Cpanel was showing no such subdomains existed.

When McElhearn turned to ICANN-accredited registrar Namecheap for help, he got a rather disturbing response. The technical support staff at the US-based biz told him that the issue was down to a "misconfiguration on our nameservers."

Essentially, some scumbag with a Namecheap account had abused a vulnerability in Namecheap's DNS setup to tack extra subdomains onto McElhearn's website, point said subdomains at a web server, and use them to dish out naughty stuff.

"In short, it was another user that added the subdomains to their hosting account," he was told.

To make matters worse, the subdomains were outside his control. Also, while his legit site uses encrypted HTTPS by default, visitors to the new subdomain were redirected to standard HTTP pages. Ultimately, the subdomains were exploiting McElhearn's website's search rankings to lure in netizens.

"If you get a lot of traffic, the bogus pages set up on the sub-domain may inherit some of your website's prominence, allowing malicious users to serve spam or malware, or to make money by displaying Google ads," McElhearn explained.

"Interestingly, even though Google flagged these pages as 'hacked content' they were still serving Google ads; as if Google really doesn't care how they make their money."

After the subdomains were quickly removed, and McElhearn detailed his experiences in a report on Monday, noted infosec pundit Graham Cluley took the registrar to task on Twitter. Namecheap's response was not what you'd call reassuring:

"The issue should be completely resolved very soon," it said on Twitter. "Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe."

The biz said it is conducting an audit, and will contact any of its customers who have been affected by its security cockup. Judging from the language used, the issue potentially affected any number of Namecheap's customer base, it's just that miscreants only got round to targeting a select bunch, and the registrar is now scrambling to find out who got hit.

"They certainly haven't contacted me about it, outside of the tweet which isn't what you'd call official," McElhearn told The Register. "And teeny tiny is not a useful term."

Thankfully, the dodgy subdomains on his site turned out to just be categorized spammy links to news articles. But it could have been a lot worse.

So far Namecheap isn't responding to requests for comment, but if the company is hosting your website you may want to check that you're not hosting anything nasty. ®

Updated to add

Namecheap's CEO Richard Kirkendall has been in touch to assure us that the dodgy subdomains were removed on Monday, the same day they were spotted, and insisted only a "minimal" number of customers were hit.

"We are almost done with our scanning of possibly affected users," he told us. "So far we are currently estimating 100 to 200, more than likely less, domains may have been affected by this issue. We are getting close to fully completing our audit and will give a full report once it's done."

And it appears that full report can now be found here, which details an "unexpected gap in our security" that led to a dozen domains being hijacked.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

FYI: Drone maker DJI's 'Get it on Google Play' website button definitely does not get the app from Google Play...

Updated Quadcopter slinger rudely palms folk off to .apk download

Here you go, cloudy admins: Google emits NATty odds 'n' sods

Google Cloud Next Incremental titbits aimed at time-poor techies

Google's secret to a healthy phone? Remote-controlling your apps

Look Ma, no not much malware!

EU Android latest: Critics diss Google's money-spinning 'cure'

You shouldn't profit from punishment

Surprising no one, Google to appeal against European Commission's €4.34bn Android fine

We'll just take our time here

Google Project Zero zeroes in on Google project: Security hole spotted in gVisor sandbox fence

Horn flags up flaw that can be exploited to breakout out of software containers

Google now minus Google Plus: Social mini-network faces axe in data leak bug drama

Project Zero would have been all over this – yet it remained under wraps

Iron Mike Pence blasts Google for its censor-happy Dragonfly Chinese search engine

Wait until the Veep finds out what Apple is doing for them

Uncool: Google won't be setting up shop in disused Berlin electrical substation

Insists it wasn't chased off following protest and occupation by locals

Neil Young slams Google, after you log in to read his rant with Google or Facebook

Heart Of Gold meets Piece Of Crap