Sometimes, website owners no longer want to own a domain name and they allow it to expire without attempting to renew it.
This happens all the time and is totally normal, but it’s important to remember that attackers regularly monitor domain expirations and may target certain domains that meet specific criteria.
Vendor domains can be an easy backdoor
For whatever reason, a vendor may allow their domain’s registration to expire, which means it becomes available for an attacker (or anyone else) to register.
We recently found this exact scenario with the now-defunct WordPress plugin visual-website-editor and its domain tidioelements[.]com, which was kindly reported to us by a website owner who encountered suspicious activity while using it.
The attacker’s strategy relies on the fact that some websites might still have the plugin installed and activated, and continue to load resources from the expired domain.
The project was abandoned and is no longer available for download in the WordPress repository. Nevertheless, attackers were able to take advantage of the expired domain to load arbitrary content, which highlights the importance of keeping all software updated and removing any old plugins that aren’t actively used in your environment. Another important tip to harden your website is to only use resources from official and reputable sources.
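One way to act on this advice is to inventory the third-party hosts a rendered page still loads from and compare them with an allowlist. The sketch below is an added example, not code from the original article; the hostnames, the sample HTML and the `audit`/`resolves` helper names are constructed placeholders.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every host below is a placeholder.
SAMPLE_HTML = """
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://cdn.approved.example/theme.css">
<script src="/wp-includes/js/jquery.js"></script>
<script src="//old-plugin-vendor.example/editor.js"></script>
<img src="https://gone-vendor.example/logo.png">
"""

class ResourceCollector(HTMLParser):
    """Collect (host, url) for tags that make the browser fetch a URL."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in ("script", "iframe", "img") else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        host = urlparse(url or "").hostname  # None for relative or missing URLs
        if host:
            self.found.append((host, url))

def resolves(host):
    """Live DNS lookup; a failure often means the registration lapsed."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def audit(html, site_host, approved, resolver=resolves):
    """Map each host outside the allowlist to a status and the URLs using it."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for host, url in collector.found:
        if host == site_host or host in approved:
            continue
        # A re-registered domain resolves again, so the allowlist is what catches it.
        status = "unapproved" if resolver(host) else "unresolvable"
        report.setdefault(host, {"status": status, "urls": []})["urls"].append(url)
    return report

if __name__ == "__main__":
    fake_dns = lambda h: h != "gone-vendor.example"  # offline stand-in resolver
    print(audit(SAMPLE_HTML, "shop.example", {"cdn.approved.example"}, fake_dns))
```

Any host reported as `unapproved` or `unresolvable` points to a plugin or theme that still references a vendor you no longer vet, which makes it a candidate for removal.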