Unregistered Domain

Caleb Boma | March 17th, 2021

 

In November 2020, security researcher Abraham Vegh notified KrebsOnSecurity about an unusually named domain in an email sent to him by his bank. Fiserv, a banking software and tech solutions company, had sent some of its customers emails containing an unclaimed domain, defaultinstitution.com. A simple search showed Vegh that the domain was not registered.

Why Are Unregistered Domains A Problem?

Anyone could have paid for this domain and claimed it as their own. If someone with malicious intent had come across this email, the ensuing phishing scam could have been catastrophic.

Vegh set up an email account for the domain and watched as emails poured into it. Emails relating to CashEdge, a service acquired by Fiserv, had been sent and bounced back to senders because they could not reach an active account. The users were trying to send emails to a client solutions director at Fiserv, but the reply address was “donotreply@defaultinstitution.com”.

The CashEdge emails initially sent to customers contained information such as plan ID, send date, the amount being transferred, names, the last four digits of account numbers, and recipient email addresses. At the bottom of emails announcing CashEdge’s switch from its Popmoney service to Zelle, the support email was listed as “customersupport@defaultinstitution.com”.

Active customers became increasingly frustrated with the situation: they were being signed up for accounts they never intended to open, and when they replied, their emails weren’t reaching the right people. They were going to Vegh. After Vegh notified Fiserv, the company announced that it had made a mistake by not changing the default address and contacted the affected customers to explain what had happened.
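A pre-send check can catch a leftover default address like this one before a message goes out. The following is an added example, not code from Fiserv or from the original article: it parses an outgoing message and reports every reply address or link whose domain is not on a list of domains the sender controls. The owned-domain list (`bank.example`) and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the domains the organization has registered and controls.
OWNED_DOMAINS = {"bank.example"}

# Constructed sample message modelled on the notices described above.
SAMPLE = """\
From: Alerts <alerts@bank.example>
Reply-To: donotreply@defaultinstitution.com
To: customer@mail.example
Subject: Your transfer service is changing

Your transfer plan is moving to a new service.
Questions? Write to customersupport@defaultinstitution.com
or visit https://www.bank.example/help
"""

ADDR_RE = re.compile(r"[\w.+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
URL_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)
# Headers that tell the recipient (or their mail client) where to reply.
SENDER_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")


def is_owned(domain, owned):
    """True if domain equals an owned domain or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in owned)


def unowned_domains(raw_message, owned=OWNED_DOMAINS):
    """Return sorted (location, domain) pairs for every domain the message
    tells the recipient to reply to or visit that is not on the owned list."""
    msg = message_from_string(raw_message)
    found = set()
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                found.add((header, addr.rsplit("@", 1)[1].lower()))
    body = msg.get_payload()
    if isinstance(body, str):  # single-part text only in this example
        for rx in (ADDR_RE, URL_RE):
            found.update(("body", d.lower()) for d in rx.findall(body))
    return sorted(f for f in found if not is_owned(f[1], owned))


if __name__ == "__main__":
    for location, domain in unowned_domains(SAMPLE):
        print(f"{location}: {domain} is not a domain we control")
```

The check compares against an allowlist rather than querying DNS, so it also flags domains that are registered but belong to someone else.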

In conclusion, had it not been for an intelligent researcher like Vegh, this mistake could have created a storm of phishing scams, and all the blame would have fallen on Fiserv. It’s crucial for organizations to have a team monitoring emails and searching for malicious activity.

Engage with a security firm like SpearTip which has dedicated and certified engineers working around the clock to protect partners. Our Security Operations Center’s value comes from collaboration and knowledge that can’t be replicated by general security tools.

If any of the CashEdge customers were replying from company emails, a malicious actor likely would have been successful in getting a user to bite on a phishing email. The employee’s company would then be at risk of compromise depending on the actions of the theoretical threat actors.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.
