Sucuri Blog
Labs Note

Hackers Love Expired Domains

November 26, 2020, by Luke Leal


Sometimes, website owners no longer want to own a domain name and they allow it to expire without attempting to renew it.

This happens all the time and is totally normal, but it’s important to remember that attackers regularly monitor domain expirations and may target certain domains that meet specific criteria.

Vendor domains can be an easy backdoor

A vendor (supplier) domain is defined as a website that is used to host and load third-party JavaScript resources — for example, something like a live chat widget or an advertising script. This also includes domains used to load JavaScript sources for specific WordPress plugins.

For whatever reason, a vendor may allow their domain’s registration to expire, which means it can become available for an attacker (or anyone else) to register it.

Attackers typically perform reconnaissance to ascertain whether or not a domain is valuable to them. For example, if the expired domain is used within a plugin to load a JavaScript resource, it becomes a perfect target.

We recently found this exact scenario with the now defunct WordPress plugin visual-website-editor and its domain tidioelements[.]com, which was kindly reported to us by a website owner who encountered suspicious activity while using it.

[Figure: Expired domain landing page for the plugin]
The landing page for tidioelements[.]com in 2015, back when it was still an active plugin website.

The attacker’s strategy relies on the fact that some websites might still have the plugin installed and activated, and continue to load resources from the expired domain.

Once the attacker has registered the domain, they can then “assume” control by replacing any legitimate JavaScript resources with something malicious.

The plugin won’t know that the domain has expired or that the JavaScript resource is now loading from an attacker’s server — the only information it has is the URL of the JavaScript resource, which it tries to include wherever the plugin is loaded.

[Figure: Expired plugin JavaScript domain swapped for attacker-controlled content]

The project was abandoned and is no longer available for download in the WordPress repository. Nevertheless, attackers were able to take advantage of the expired domain to load arbitrary content, which highlights the importance of keeping all software updated and removing any old plugins that aren’t actively used in your environment. Another important tip to harden your website is to only use resources from official and reputable sources.


Categories: Sucuri Labs, Website Security, WordPress SecurityTags: Black Hat Tactics, Labs Note, Malware, WordPress Plugins and Themes

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
