NSI Spam leads to easily guessed webmail logins.

attrition advisory #001

September 16, 1999 - "NSI are morons" 99.09.16-001.nsi_stupidity_and_blackmail by: jericho@attrition.org

Vulnerability: Due to Network Solutions (NSI) unsolicited email, practical monopoly on domain registration, and their own stupidity, all NSI "customers" are at risk. Two vulnerabilities have been identified at this time, "stupidity" and "blackmail" respectively.

Vendor Status: NSI was contacted and made aware of this issue on Wed, 15 Sep. Due to past lack of correspondance, no reply is expected.

Impact: Any NSI customer is vulnerable to a wide variety of social engineering attacks stemming from a "service" being forced upon them by NSI. NSI customers must continue to receive unsolicited spam at the threat of losing service from NSI.

Details >-------------------------------------------------------------------

Stupidity: ----------

Beginning mid September, NSI began spamming their 'customers' with the mail regarding "Important information about your domain name account". For anyone who has registered a domain via NSI, you are likely to be targeted and potentially affected by this security threat.

NSI's mail goes on to offer all domain holders a free "dot com" email service. This web based email is akin to Hotmail or any of the other free mail services out there. Unfortunately, NSI makes two mistakes.

1. As a domain holder, you are not given a choice in receiving this account. Further, NSI sends you the login name and password, via email, with no encryption or other means of protection or verification. Here is a sample from the mail I received. (Yes, my password was changed).

"3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account: >>>>>>>>>>>>Login name: jericho

>>>>>>>>>>>>Password: jerichonsi"

2. As you can probably guess, the login name and password are quite easily guessed. Examining my domain:

Forced Attrition (ATTRITION2-DOM)

Administrative Contact, Technical Contact, Zone Contact: Jericho, T (TJ2573) jericho@DIMENSIONAL.COM 602.347.0028 (FAX) private

By using the last name as the "login name", and "last name+nsi" as the password, it is trivial to log into the 'dot com' mail service and pose as the legitimate owner of the domain.

Blackmail: ----------

The last paragraph of the unsolicted mail reads:

"If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account."

This is a clear case of blackmail on NSI's part. By clicking on the link, they inform you that no further updates will reach you regarding your domain. This means that you must suffer under their unethical ways and receive their spam if you wish to receive mail about your registered domain that you paid for.

Reference >-----------------------------------------------------------------

Here is the full text of the mail for reference. Use this to alert others and watch for blatant spam by NSI.

Date: Wed, 15 Sep 1999 21:00:29 -0400 From: Network Solutions To: "T Jericho" Reply-To: Network Solutions Subject: Important information about your domain name account

Dear T Jericho,

As a customer of Network Solutions or one of our Premier Program members, we'd like to update you on three important items:

1. On September 18, 1999, Network Solutions plans to move to a new Web-based prepayment process for registering domain names. At that point, we will no longer accept NEW registrations without payment in full at time of registration. This new online payment method gives customers the convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART.

If you register ten or more domain names per month, you could be eligible for Network Solutions' Affiliates or Business Account Programs. Under these programs, you may qualify to continue receiving invoices for domain name registrations. To be eligible, you must apply at http://www.netsol.com/affiliates or http://www.netsol.com/business_account.

2. Because you registered your domain name with us, your company has received a FREE listing in the NEW dot com directory. We believe the dot com directory gives you a unique competitive advantage, enabling potential customers to find and do business with you. Search the directory for your own business to see how easy it is! Go to http://www.netsol.com/directory to find your business. You can also click on "Update Your Listing" to search for and verify your company information.

3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account: >>>>>>>>>>>>Login name: jericho

>>>>>>>>>>>>Password: jerichonsi

Please visit http://www.netsol.com/dotcomnowmail to review all the features of dot com now mail and set up your account.

Thank you for choosing Network Solutions to launch and develop your Internet identity. We look forward to serving you for many years to come.

Network Solutions, Inc. the dot com people

Copyright 1999 Network Solutions, Inc. Network Solutions is a registered trademark. The following are trademarks of Network Solutions, Inc.: the dot com people; dot com directory; dot com now mail. All rights reserved.

If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

(c)opyright 1999, Brian Martin. Permission granted to reprint this advisory in full for any non-profit purpose.