For a week we lost control of the Perl.com domain. Now that the incident has died down, we can explain some of what happened and how we handled it. This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers.
An interesting article was published on Perl.com last week. Although it reads as a post-mortem, it highlights how important Domain Names and their underlying DNS are to the core operations of every and any business online. Most importantly, it proves that choosing your supplier is one of, if not the most important factors when it comes to protecting these pivotal cornerstones of your operational network.
Imagine a well-known retail store like Sacks Fifth Avenue of New York having thieves move the entire storefront to a new city without anyone even realizing it. Then suddenly, months later, the doors close and the store is listed for sale with no one knowing who, or what happened, or having the slightest hint of how to fix it. That is what happened to Perl.com in a nutshell, and we truly feel for the difficulty and concern they must have went through as they attempted to piece together events and attempt to recover their stolen asset.
Now back to the action… here’s the basic series of events as best as they could put together.
- September 28th 2020: What looks like a social engineering attack was made against the Registrar at the time, Network Solutions. Fake documents were used to change ownership of the domain. There was no monitoring of the registration information, so the change wasn’t detected by anyone at Perl operations.
- December 2020: Perl.com was transferred away from Network Solution to the BizCN registrar. Nameservers were not changed so no operational impact was detected. The delay was due to the 60 day restrictions on transfers after a domain ownership change.
- January 2021: Perl.com was transferred again, but this time to the Key Systems, GmbH Registrar. This multi-transfer bounce is a common tactic by domain hijackers to further complicate any investigation or roll back the theft. Perl.com was listed by the hijacker on Afternic for the blowout sale price of $190k.
- January 27th 2020: The Perl NOC team noticed through normal monitoring there were some issues with the website resolving. Users were also reporting that the website was unreachable. This kicked off the week long effort to retrieve control.
Most of the article covers the confusing and difficult events during the recovery effort and is a great read to prepare yourself if you are currently with a Registrar where this is a high risk. And they admit themselves that if they had not been somewhat well known in the industry, it may have been impossible, or at least taken far longer than the week or so for them to recover the domain. Therefore it’s very important to avoid this scenario at all costs.
Here at Domainsure.com, a Secure Registration, Brand Protection, and Commercial DNS provider, we recognized early on just how important domain names and DNS are to the internet. And how competing Registrars were racing to undercut each other’s price point resulting in the commoditization of this critical aspect of the Internet.
When cost cutting, security, monitoring, and customer support are some of the first components to be affected. And we have seen many stories of how things can go wrong. Here at DomainSure, we took the opposite approach and have designed our business model around becoming the most security conscious Registrar in the industry.
The key features we provide that would have made the Perl.com scenario impossible on our platform are:
- Whois Privacy by default: Bad actors can’t create fake documents and ID for people they don’t know. If they can’t find out who is the actual registrant contact on file, they are operating in the dark and have to guess when putting together fake documentation.
- Ownership Changes: Requires access to the administration interfaces. We provide both 2FA and YubiKey support for ensuring only secure authorized access.
- Whois & DNS Monitoring: Any registrant changes result in immediate notifications to account holders. Even minor changes to the DNS settings are reported.
- Account Retrieval & Domain Unlock: Can only be done through a customer support request. And taking cues from the Crypto space where fraud is rampant, we require that the registrant provide not only a copy of their ID, but that they submit a picture of them holding it so we can ensure they are who they say they are.
Although we are in the early stages of launch, we already have prominent government and corporate clients who rely on and trust the next generation level of security, monitoring, and DNS that Domainsure provides.