Re: starwars.com subdomain hijacked?

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: starwars.com subdomain hijacked?

From: Rich Lafferty
Date: Tue Nov 30 10:28:00 2010

List-archive: <http://mailman.nanog.org/pipermail/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

Novator (Canadian web-shopping company, used to be FTD's big partner) is responsible for shop.starwars.com so I think all that's happened here is Novator forgot to renew a domain.

domainsatcost.ca is rebel.com is Momentous.ca and they own yourdomainhasexpired.com.

 -Rich


On 22 Nov 10, at 12:19 PM, Matt Disuko wrote:

> 
> I'm surprised by the sequence of events here..
> 
> domain "novator2.com" is registered with DomainsAtCost.ca.
> 
> domain "novator2.com" expires...
> 
> gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com?  1550507.ca?
> 
> ;; ANSWER SECTION:
> shop.starwars.com.      1655    IN      CNAME   shop.starwars.novator2.com.
> shop.starwars.novator2.com. 1655 IN     A       74.54.152.75
> 
> ;; AUTHORITY SECTION:
> novator2.com.           160201  IN      NS      dns2.yourdomainhasexpired.com.
> novator2.com.           160201  IN      NS      dns.yourdomainhasexpired.com.
> 
> Redir'd to a advert site, instead of a default "DomainsAtCost.ca" holding page or...nowhere.
> 
> Apparently quickly renewed and "given back" to the original owners.
> 
> Who's at play here?  Does DomainsAtCost have a deal with Rebel.com?  Or are they the same company?
> 
> It all seems fishy to me.  Is this normal practice?
> 
> 
> 
>> Date: Mon, 22 Nov 2010 12:05:21 -0500
>> From: ken@sizone.org
>> To: nanog@nanog.org
>> Subject: Re: starwars.com subdomain hijacked?
>> 
>> 
>> On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
>>> Appears that it's a CNAME for shop.starwars.novator2.com. 
>>> 
>>> The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.
>>> 
>>> -wil
>> 
>> Smartest attack is to put up a page that looks exactly the same as the
>> legit site, but with your own cheaper crappier knockoff starwars paraphenalia
>> ('duke', 'tewey', 'princess luba') that you sell instead and make the huge
>> profits.
>> 
>> Not to give anyone any ideas that werent obvious like 15 years ago.
>> 
>> How anyone can tell the internet is legit at a glance is beyond me. Need
>> to hookup firefox's security warning to my speakers to get a modicum of
>> alert that SSL is busted, to start, nevermind anything more creative.
>> 
>> That phishers manage to fake sites that look wrong is also beyond me, what's
>> so hard about 'save page as'?
>> 
>> /kc
>> -- 
>> Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
>> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
>> 
> 		 	   		  

-- 
Rich Lafferty
rich@lafferty.ca

References:
- starwars.com subdomain hijacked? Matt Disuko
- Re: starwars.com subdomain hijacked? Wil Schultz
- Re: starwars.com subdomain hijacked? Ken Chase
- RE: starwars.com subdomain hijacked? Matt Disuko

Prev by Date: Re: Level 3 Communications Issues Statement Concerning Comcast'sActions
Next by Date: Re: Ratios & peering [was: Level 3 Communications Issues StatementConcerning Comcast's Actions]
Date Index
Thread Index
Author Index
Historical