Analysis of the incident involving the loss of control over the perl.com domain has been published

brian d foy, founder of Perl Mongers, has posted a detailed analysis of the incident in which the perl.com domain was taken over by unauthorized persons. The seizure of the domain did not affect the project's server infrastructure; it was carried out purely at the registrar level, by changing the domain's ownership records and its DNS server settings. The computers of those responsible for the domain are also believed not to have been compromised: the attackers used social engineering to deceive the registrar, Network Solutions, into changing the owner's details, presenting forged documents as proof of ownership of the domain.

Two further factors that contributed to the attack are mentioned: two-factor authentication had been disabled in the registrar's interface, and the contact email address on file pointed to the same domain (so once the domain was hijacked, the attackers also controlled the recovery channel). The domain was taken over in September 2020; in December it was transferred to the Chinese registrar BizCN, and in January, to obscure the trail, it was transferred again to the German registrar Key-Systems GmbH.

Until December the domain remained at Network Solutions, in accordance with the ICANN rule that prohibits transferring a domain to another registrar within 60 days of a change of contact information. Had the seizure been discovered before December, recovering the domain would have been considerably simpler, so the attackers deliberately left the DNS servers unchanged for a long time: the domain kept working normally and aroused no suspicion, which prevented timely detection of the attack. The problem only surfaced at the end of January, when the scammers redirected traffic to their own server and put the domain up for sale on the Afternic marketplace for $190,000.

Among other Perl-related news, the CPAN module archive is moving away from its network of mirrors in favour of a content delivery network that takes the load off the main server. In June the list of mirrors is planned to be cleared completely, leaving only a single entry, www.cpan.org. It will still be possible to manually configure the CPAN client to work through an explicitly specified mirror.

/Media reports.