Linkedin NXDOMAINs - Purchased Pwnage
I recently asked a friend if I could have just a list of the domains in the LinkedIn dump, no passwords, not full emails, just domains. I run a program that I lovingly call “DeepMagic” and I feed it domains whenever I can. Well, this time when I tossed the list of domains into the engine it started spitting out tons of errors. There was a total of 9,436,804 unique domains names in the list, and for anyone who works with DNS that isn’t a very big number, so I didn’t think very much of it and didn’t know why it would choke on a list that small.
When I looked at the logs I noticed that there was a very large percentage of the domains that were coming up with NXDOMAIN. Most of the time this means that the domain isn’t registered, but can also mean that no name servers are registered for the domain (this usually happens when a corporation doesn’t want to maintain the domain but still wants to hold onto it for brand management).
I let the resolution keep going and just parsed out all of the NXDOMAINs, but when I saw the list of NXDOMAINs go over 90,000 and I wasn’t even out of the ‘A’s yet, I took a different approach. I sorted the list by count to find the most used domains (using of course my favorite
sort | uniq -c | sort -n that I think everyone who’s ever done text parsing on Linux knows).
It lead to a few surprises, first, people still use AOL and earthlink?
Second… well just look for yourself:
I’ve never heard of rediffmail, you?
Anyways, I pushed the list in this order into a simple script:
This is what is in
And out popped a pretty interesting list (top 50):
domain -> number of email accounts registered under that domain (based on number of occurrences of the domain in the unfiltered list):
Basic analysis of this list:
- I thought that LinkedIn validated sign ups with an email, kinda hard to do with all these domains that are obviously mistyped, unless of course they just keep the database record around indefinitely
- XXXXXXXXX is an ISP that went out of business in 2011, their domain is available for register and would probably mean 7606 accounts up for grabs, if not more that’s why I redacted it, but I wanted to mention it just to demonstrate how powerful this type of analysis of a hacked site’s dump can be. $10 to purchase a domain is much cheaper and more wide spread than cracking time passwords just for LinkedIn (well, one can dream that everyone uses unique passwords).
- WoWHackGold was also up for grabs, I picked it up just to see what kind of traffic is still going to it, these guys sold hacked WoW accounts so I don’t particularly feel inclined protect their info.
What can someone do with this knowledge? Well, all they have to do to reset any of the accounts registered with one of these domains is simply purchase it, set up a catch-all email address and watch the account information roll in. The “accounts” they would have access to isn’t limited to LinkedIn either, could be anything that people use email addresses to sign up for.
P.S. I have seen account take-overs of GMail accounts using “backup” accounts in this way. I assume Google has too since they ask me every so often now to make sure my backup email is correct.