starwars.com subdomain hijacked?

Matt Disuko gourmetcisco at hotmail.com
Mon Nov 22 17:19:38 UTC 2010


I'm surprised by the sequence of events here..

domain "novator2.com" is registered with DomainsAtCost.ca.

domain "novator2.com" expires...

gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com?  1550507.ca?

;; ANSWER SECTION:
shop.starwars.com.      1655    IN      CNAME   shop.starwars.novator2.com.
shop.starwars.novator2.com. 1655 IN     A       74.54.152.75

;; AUTHORITY SECTION:
novator2.com.           160201  IN      NS      dns2.yourdomainhasexpired.com.
novator2.com.           160201  IN      NS      dns.yourdomainhasexpired.com.

Redir'd to a advert site, instead of a default "DomainsAtCost.ca" holding page or...nowhere.

Apparently quickly renewed and "given back" to the original owners.

Who's at play here?  Does DomainsAtCost have a deal with Rebel.com?  Or are they the same company?

It all seems fishy to me.  Is this normal practice?



> Date: Mon, 22 Nov 2010 12:05:21 -0500
> From: ken at sizone.org
> To: nanog at nanog.org
> Subject: Re: starwars.com subdomain hijacked?
> 
> 
> On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
>   >Appears that it's a CNAME for shop.starwars.novator2.com. 
>   >
>   >The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.
>   >
>   >-wil
> 
> Smartest attack is to put up a page that looks exactly the same as the
> legit site, but with your own cheaper crappier knockoff starwars paraphenalia
> ('duke', 'tewey', 'princess luba') that you sell instead and make the huge
> profits.
> 
> Not to give anyone any ideas that werent obvious like 15 years ago.
> 
> How anyone can tell the internet is legit at a glance is beyond me. Need
> to hookup firefox's security warning to my speakers to get a modicum of
> alert that SSL is busted, to start, nevermind anything more creative.
> 
> That phishers manage to fake sites that look wrong is also beyond me, what's
> so hard about 'save page as'?
> 
> /kc
> -- 
> Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
> 
 		 	   		  


More information about the NANOG mailing list