Linkedin NXDOMAINs - Purchased Pwnage

I recently asked a friend if I could have just a list of the domains in the LinkedIn dump: no passwords, no full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There were a total of 9,436,804 unique domain names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.

When I looked at the logs I noticed that a very large percentage of the domains were coming up with NXDOMAIN. Most of the time this means the domain isn’t registered, but it can also mean that the domain is registered with no name servers delegated to it (this usually happens when a corporation doesn’t want to maintain the domain but still wants to hold onto it for brand management).

I let the resolution keep going and just parsed out all of the NXDOMAINs, but when I saw the list of NXDOMAINs go over 90,000 and I wasn’t even out of the ‘A’s yet, I took a different approach. I sorted the list by count to find the most used domains (using of course my favorite sort | uniq -c | sort -n that I think everyone who’s ever done text parsing on Linux knows).

It led to a few surprises. First, people still use AOL and EarthLink?

Second… well just look for yourself:

32952409 gmail.com
24071552 hotmail.com
20421035 yahoo.com
4283225 aol.com
1983431 comcast.net
1431727 yahoo.co.in
1337019 msn.com
1041953 sbcglobal.net
1039635 rediffmail.com
995709 yahoo.fr
916458 yahoo.co.uk
845570 live.com
841415 yahoo.com.br
750175 hotmail.co.uk
742597 verizon.net
575381 hotmail.fr
530308 ymail.com
529548 cox.net
510463 bellsouth.net
504339 libero.it
480006 att.net
429760 yahoo.es
407687 btinternet.com
396313 mail.ru
376970 googlemail.com
307292 earthlink.net
304012 mac.com
266076 yahoo.in
262010 yahoo.ca

I’ve never heard of rediffmail, you?

Anyways, I pushed the list in this order into a simple script:

# each line of domains_count.txt is "<count> <domain>", so -n 2 hands the pair to the script as $1 $2; -P 100 runs 100 lookups in parallel
cat domains_count.txt | xargs -P 100 -n 2 sh -c './findnx2.sh $1 $2' argv0 | tee nxdomains.txt

This is what is in findnx2.sh:

#!/bin/bash
# Called as: findnx2.sh <count> <domain>
# Counts how many lines of nslookup's output mention NXDOMAIN; exactly one
# means the resolver reported that the name does not exist.
lines=$(nslookup "$2" | grep -c NXDOMAIN)
if [ "$lines" -eq 1 ]
then
	echo "$2 is open with count $1"
fi

And out popped a pretty interesting list (top 50; the lines are only roughly in count order because xargs -P prints results as each lookup finishes):

domain -> number of email accounts registered under that domain (based on number of occurrences of the domain in the unfiltered list):

XXXXXXXXXXX is open with count 7606
hotmail.con is open with count 4367
c2i.net is open with count 3966
yahoo.con is open with count 3487
gmail.con is open with count 3249
90wewhelp.ru is open with count 3218
csupomona.edu is open with count 2844
us.ing.com is open with count 2622
test.linkedin.com is open with count 2583
wowhackgold.com is open with count 2515
yahoo.om is open with count 2461
alltel.net is open with count 6565
w.cn is open with count 2451
uolsinectis.com.ar is open with count 2315
gmail.fr is open with count 2830
gmail.om is open with count 2122
hotmail.cm is open with count 2044
alltel.com is open with count 2046
hotmail.om is open with count 1901
memo.ikea.com is open with count 1809
chicagogsb.edu is open with count 1758
gawab.com is open with count 2141
mscd.edu is open with count 1740
mayalasr.com is open with count 1626
yavvaram.com is open with count 1424
twtelecom.com is open with count 1448
asbada5m.com is open with count 1371
eunet.yu is open with count 1272
camerabuy.info is open with count 1156
mywdo.com is open with count 1275
g.mail.com is open with count 1089
nortelnetworks.com is open with count 1815
infotechsw.com is open with count 1040
saugov.sa.gov.au is open with count 1033
hoyllmail.com is open with count 1028
mn.rr.com is open with count 1029
apollogrp.edu is open with count 980
gemail.com is open with count 1086
v4q.info is open with count 928
hoylmail.com is open with count 915
yahoo.coom is open with count 890
ifrance.com is open with count 917
justafou.com is open with count 886
2008radiochat.info is open with count 879
myclearwave.net is open with count 967
tconl.com is open with count 939
gmail.cim is open with count 849
flykingfisher.com is open with count 866
lycos.co.uk is open with count 1092
pichosti.info is open with count 813

Basic analysis of this list:

  1. I thought that LinkedIn validated sign-ups with an email; that’s kind of hard to do with all these domains that are obviously mistyped, unless of course they just keep the database record around indefinitely.
  2. XXXXXXXXX is an ISP that went out of business in 2011. Their domain is available to register and would probably mean 7606 accounts up for grabs, if not more; that’s why I redacted it, but I wanted to mention it just to demonstrate how powerful this type of analysis of a hacked site’s dump can be. $10 to purchase a domain is much cheaper, and goes much further, than spending cracking time on passwords just for LinkedIn (well, one can dream that everyone uses unique passwords).
  3. WoWHackGold was also up for grabs. I picked it up just to see what kind of traffic is still going to it; these guys sold hacked WoW accounts, so I don’t particularly feel inclined to protect their info.
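To sort the NXDOMAIN list into what is actually buyable, here is an added example (my own script, not the findnx2.sh from the post). It redoes the counting step and the lookup, but keys on the DNS RCODE instead of grepping nslookup output, and it checks two things the raw list does not: whether the TLD exists at all (hotmail.con can never be registered, since .con is not a TLD) and whether the registrable parent is still live (test.linkedin.com and memo.ikea.com are dead hostnames inside zones that somebody still owns). Only a name whose registrable domain itself returns NXDOMAIN, under a TLD that exists (yahoo.om, .om being Oman’s ccTLD), is a candidate, and even then the registry has to be checked, because a registered domain with no delegation also answers NXDOMAIN. The dig call, the RCODE_TABLE file format and the built-in two-label suffix list are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not the post's own findnx2.sh. Reproduces the pipeline
# (emails -> domain counts -> NXDOMAIN check) and then triages each NXDOMAIN:
#   exists            the name resolves (NOERROR)
#   unregistrable-tld the TLD itself does not exist (hotmail.con), nobody can buy it
#   dead-subdomain    the registrable parent is live (test.linkedin.com), not for sale
#   candidate         the registrable domain is gone; confirm with whois/RDAP, since a
#                     registered domain with no delegation also answers NXDOMAIN
#   unknown(...)      SERVFAIL, REFUSED, empty: retry, do not conclude anything
# Assumes `dig` (bind-utils) for live lookups. If RCODE_TABLE names a file of
# "name RCODE" lines (my own format), lookups are answered from that file instead.

# rcode NAME: print the RCODE of an SOA query for NAME.
rcode() {
    if [ -n "${RCODE_TABLE:-}" ]; then
        # offline mode: names absent from the table count as NXDOMAIN
        awk -v n="$1" '$1 == n { print $2; found = 1; exit }
                       END { if (!found) print "NXDOMAIN" }' "$RCODE_TABLE"
    else
        dig +noall +comments SOA "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
    fi
}

# registrable NAME: the part of NAME someone could actually register.
# Assumption: a tiny built-in list of two-label public suffixes stands in for
# the full Public Suffix List.
registrable() {
    printf '%s\n' "$1" | awk -F. '{
        n = NF
        if (n < 2) { print $0; next }
        suf = $(n-1) "." $n
        if (n >= 3 && suf ~ /^(co\.uk|org\.uk|ac\.uk|co\.in|com\.br|com\.ar|gov\.au)$/)
            print $(n-2) "." suf
        else
            print suf
    }'
}

# classify NAME: print one of the categories listed at the top.
classify() {
    r=$(rcode "$1")
    case "$r" in
        NOERROR)  echo exists; return ;;
        NXDOMAIN) ;;
        *)        echo "unknown($r)"; return ;;
    esac
    tld=${1##*.}
    if [ "$(rcode "$tld")" = NXDOMAIN ]; then
        echo unregistrable-tld; return
    fi
    reg=$(registrable "$1")
    if [ "$reg" != "$1" ] && [ "$(rcode "$reg")" = NOERROR ]; then
        echo dead-subdomain; return
    fi
    echo candidate
}

# count_domains < emails: lower-cased domain part of each address, most common first
# (the post's sort | uniq -c | sort -n, reversed so the big ones come first).
count_domains() {
    awk -F@ 'NF == 2 { print tolower($2) }' | sort | uniq -c | sort -rn
}

# triage < "count domain" lines: print "domain class count" for every line.
triage() {
    while read -r count domain; do
        [ -n "$domain" ] || continue
        printf '%s %s %s\n' "$domain" "$(classify "$domain")" "$count"
    done
}

# Run as a script:  sh triage.sh --run < emails.txt
# or, with the counts already made:  sh triage.sh --run-counts < domains_count.txt
case "${1:-}" in
    --run)        count_domains | triage ;;
    --run-counts) triage ;;
esac
```

Querying SOA rather than A matters: a live domain whose apex has no A record answers NOERROR with an empty answer, which the original grep-for-NXDOMAIN check already handled correctly, but a SERVFAIL or a timeout produces no NXDOMAIN line either and silently drops a domain from the list, so the script reports those separately instead of treating them as “registered”.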

What can someone do with this knowledge? Well, all they have to do to reset any of the accounts registered with one of these domains is purchase it, set up a catch-all email address and watch the account information roll in. The “accounts” they would have access to aren’t limited to LinkedIn either; it could be anything that people use email addresses to sign up for.

/mubix

P.S. I have seen account take-overs of GMail accounts using “backup” accounts in this way. I assume Google has too, since they ask me every so often now to make sure my backup email is correct.