Motherboard reports that a scammer used a phony court order to trick a domain registrar into transferring control of a domain that posted links to dark web drug markets. The scammer then replaced the links on the site with links to phishing replicas of those markets, built to steal users’ cryptocurrency.
“Each site looked real but instead shared all user activity with the attacker, including passwords and messages,” the site’s legitimate administrator said in a message. “Cryptocurrency addresses displayed on these sites were rewritten to addresses controlled by the phisher, intercepting many people's money.”
The incident is an example of how social engineering can bypass technical defenses: the attack targeted the registrar’s procedures rather than the domain owner’s account, so the owner’s own account protections never came into play. The administrator of the site told Motherboard, “I had 2FA and PGP enabled on that account. I am not an idiot when it comes to security.”
Tucows, the domain registrar that was tricked, received a realistic-looking court order that purported to come from a German court. The document was copied from a real court order that had been used to take over a domain, and it instructed the registrar that it was not permitted to inform the administrator or other registrars before making the change.
Madeleine Stoesser, PR and corporate communications lead at Tucows, acknowledged the attack and said the company is working to prevent these incidents in the future.
“Our findings show that Tucows was the victim of an intricate phishing scheme presented under the guise of a secret court order. This was a hyper-targeted phish designed with the direct intent of hijacking select domains,” Stoesser said. “We immediately began steps to successfully retrieve the domains and have implemented new processes to mitigate future issues. As the second-largest domain name registrar in the world by volume, Tucows is committed to the continued privacy and security of domains and our customers.”
New-school security awareness training can help your employees thwart targeted social engineering attacks.
Motherboard has the story.