Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

Crooks create subdomains on a dozen sites

By Iain Thomson in San Francisco

Posted in Security, 7th February 2018 07:08 GMT

Updated Namecheap has admitted it accidentally let miscreants set up and control fraudulent subdomains on websites belonging to other customers.

These hijacked sites were subsequently used to host dodgy material. This caused them to be flagged up as malicious by Google's search engine, blocking netizens from visiting them, and piling further misery on webmasters.

Namecheap customer Kirk McElhearn found this out to his cost when he received an alert from Google that three subdomains on his website were serving out spammy content and/or malicious software. This was news to him since his hosting administration tool Cpanel was showing no such subdomains existed.

When McElhearn turned to ICANN-accredited registrar Namecheap for help, he got a rather disturbing response. The technical support staff at the US-based biz told him that the issue was down to a "misconfiguration on our nameservers."

Essentially, some scumbag with a Namecheap account had abused a vulnerability in Namecheap's DNS setup to tack extra subdomains onto McElhearn's website, point said subdomains at a web server, and use them to dish out naughty stuff.

"In short, it was another user that added the subdomains to their hosting account," he was told.

To make matters worse, the subdomains were outside his control. Also, while his legit site uses encrypted HTTPS by default, visitors to the new subdomain were redirected to standard HTTP pages. Ultimately, the subdomains were exploiting McElhearn's website's search rankings to lure in netizens.

"If you get a lot of traffic, the bogus pages set up on the sub-domain may inherit some of your website's prominence, allowing malicious users to serve spam or malware, or to make money by displaying Google ads," McElhearn explained.

"Interestingly, even though Google flagged these pages as 'hacked content' they were still serving Google ads; as if Google really doesn't care how they make their money."

After the subdomains were quickly removed, and McElhearn detailed his experiences in a report on Monday, noted infosec pundit Graham Cluley took the registrar to task on Twitter. Namecheap's response was not what you'd call reassuring:

"The issue should be completely resolved very soon," it said on Twitter. "Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe."

The biz said it is conducting an audit, and will contact any of its customers who have been affected by its security cockup. Judging from the language used, the issue potentially affected any number of Namecheap's customer base, it's just that miscreants only got round to targeting a select bunch, and the registrar is now scrambling to find out who got hit.

"They certainly haven't contacted me about it, outside of the tweet which isn't what you'd call official," McElhearn told The Register. "And teeny tiny is not a useful term."

Thankfully, the dodgy subdomains on his site turned out to just be categorized spammy links to news articles. But it could have been a lot worse.

So far Namecheap isn't responding to requests for comment, but if the company is hosting your website you may want to check that you're not hosting anything nasty. ®

Updated to add

Namecheap's CEO Richard Kirkendall has been in touch to assure us that the dodgy subdomains were removed on Monday, the same day they were spotted, and insisted only a "minimal" number of customers were hit.

"We are almost done with our scanning of possibly affected users," he told us. "So far we are currently estimating 100 to 200, more than likely less, domains may have been affected by this issue. We are getting close to fully completing our audit and will give a full report once it's done."

And it appears that full report can now be found here, which details an "unexpected gap in our security" that led to a dozen domains being hijacked.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Neil Young slams Google, after you log in to read his rant with Google or Facebook

Heart Of Gold meets Piece Of Crap

Scammers use Google Maps to skirt link-shortener crackdown

Chocolate Factory's map service cuts commute times, URL lengths

Google borg gobbles Israeli cloud migration startup

Alas poor Velostrata! You knew those AWS and Azure workloads well

'Don't Google Google, Googling Google is wrong', says Google

Chocolate Factory unwraps developer style guide, squibs the thorny ISO date debate

Android devs prepare to hit pause on ads amid Google GDPR chaos

Hey Google. How will we eat?

Dropbox to let Google reach inside it and rummage about

Create and store GDocs in Dropbox, with admin policies preserved

Google listens to New Zealand just long enough to ignore it

'We can't delete court cases, and you can't make us'

US judges say you can Google Google, but you can't google Google

The Chocolate Factory is spared the aspirin treatment by the 9th Circuit Court

Twitter signs for Google cloud at list price of about $10m a month

Shifts Hadoop clusters and their 300PB of data, not the stuff that lets you tweet

Apple: Er, yes. Your iCloud stuff is now on Google's servers, too

You can't escape The Circle