Practice Names and Security – is there really a link?

It appears to be a feature of modern life – brand names change, it sometimes seems, as quickly as the seasons! And in our industry it’s more common than most, with corporates and chains buying up independents, and independents rebranding through mergers, partnership changes, or even just to carve out a niche. However, once you factor in websites and email, there’s a very real security risk in rebranding that is often forgotten by web devs, marketing agencies and even security professionals. In this blog, we’re going to be talking about some truly frightening research reported this week by the UK’s National Cyber Security Centre.


What’s the issue?

Fundamentally, the problem is that to compete in the modern world, pretty much any business – and that certainly includes vets – needs to have a website. To have a website, you need a web domain, which is your site’s unique identity: for this website, for example, it’s vetsdigital.com. Now, for that to be useful to your actual and – vitally – prospective clients, the domain you choose has to be related to your business’s actual name. We’re VetHelpDirect.com, which is the domain of our client-facing site, and this site (for vets and other professionals) has a related name. If we were to change our name for any reason, we’d need to get a new domain reflecting our new identity.

Of course, increasingly we’re all doing business online, and almost everyone now uses email as their main method of written communication. If you want your business to look professional, you tie your email addresses to your domain name – “info@vethelpdirect.com”, for example. Then your website and emails both reflect your business identity, because they both use the same domain.


OK, that’s straightforward. If you change your business name, you need to get a new domain too, which changes your website and email addresses. Why is this a problem?

The problem is what happens to the old domain name. Most businesses will keep it running for a few months, redirecting traffic to the new website. However, it costs money to keep renewing the domain name each year; and if it’s not one you’re using, you might not remember to do so – even if you wanted to. So, sooner or later that domain will expire.

That’s where cybercriminals come in. Lists of domains that haven’t been renewed and are expiring that day are published every day. The criminals can then – perfectly legally – buy your expired domain. This is where it gets clever. Although you’ve doubtless migrated and closed all the email accounts attached to that domain, an attacker can set up a “catch-all” email server that will route ANY email addressed to “@mydomain.co.uk”, or whatever the old domain was, to the attacker’s own mailbox. They can then sift through what they receive, using the emails to work out which addresses used to exist when it was a legitimate business domain. They may even find themselves receiving sensitive information from your suppliers, contractors, labs or referral centres, perhaps even from members of staff or clients who haven’t updated their contacts to the new email addresses yet.

Even if there’s nothing they can use directly in the emails, the attacker can usually glean enough information from them (the email address itself, and the name of the person it’s addressed to) to recreate mailboxes under those same old addresses. They can then use the password reset options of a wide range of personal and professional services, which still have the old address on file, to gain access to the data.
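The practical defender’s question raised by the two paragraphs above is “who is still emailing the old domain?” – every such sender is a contact who needs to be told the new address before the old domain is ever allowed to lapse. The following Python script is an added example, not part of the original post or of the NCSC research: it scans mail-server logs for messages still delivered to a retired domain and reports, per sender, which old mailboxes they are using. The log lines, the domain names and the Postfix-style log format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a Postfix-like format (not real logs).
# "oldvets.example.co.uk" stands for the retired practice domain and
# "newvets.example.co.uk" for the current one.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx1 postfix/qmgr[1122]: 4A1B2C: from=<results@lab.example.net>, size=2048
Mar  3 09:12:02 mx1 postfix/smtp[1130]: 4A1B2C: to=<reception@oldvets.example.co.uk>, status=sent (250 OK)
Mar  3 09:15:40 mx1 postfix/qmgr[1122]: 5B2C3D: from=<accounts@supplier.example.com>, size=5120
Mar  3 09:15:41 mx1 postfix/smtp[1130]: 5B2C3D: to=<finance@oldvets.example.co.uk>, status=sent (250 OK)
Mar  3 10:02:11 mx1 postfix/qmgr[1122]: 6C3D4E: from=<client@example.org>, size=900
Mar  3 10:02:12 mx1 postfix/smtp[1130]: 6C3D4E: to=<info@newvets.example.co.uk>, status=sent (250 OK)
Mar  3 11:30:00 mx1 postfix/qmgr[1122]: 7D4E5F: from=<results@lab.example.net>, size=3000
Mar  3 11:30:01 mx1 postfix/smtp[1130]: 7D4E5F: to=<reception@oldvets.example.co.uk>, status=sent (250 OK)
"""

# A queue id ties the "from=" line of a message to its later "to=" line.
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]+)>, status=sent")


def legacy_mail_report(log_text, legacy_domain):
    """Map each external sender to the old-domain mailboxes it still writes to.

    Returns {sender: {local_part: message_count}} for deliveries whose
    recipient is on legacy_domain; other traffic is ignored.
    """
    senders = {}                                   # queue id -> sender address
    report = defaultdict(lambda: defaultdict(int))  # sender -> mailbox -> count
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("addr").lower()
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        local, _, domain = m.group("addr").lower().partition("@")
        if domain != legacy_domain.lower():
            continue
        sender = senders.get(m.group("qid"), "<unknown sender>")
        report[sender][local] += 1
    return {sender: dict(boxes) for sender, boxes in report.items()}


def mailboxes_still_in_use(log_text, legacy_domain):
    """The set of old-domain mailboxes that still receive mail at all."""
    used = set()
    for boxes in legacy_mail_report(log_text, legacy_domain).values():
        used.update(boxes)
    return used


if __name__ == "__main__":
    legacy = "oldvets.example.co.uk"
    for sender, boxes in legacy_mail_report(SAMPLE_LOG, legacy).items():
        detail = ", ".join(f"{box}@{legacy} x{n}" for box, n in boxes.items())
        print(f"{sender} still writes to: {detail}")
    print("mailboxes to keep forwarding:", sorted(mailboxes_still_in_use(SAMPLE_LOG, legacy)))
```

Run against a real log export the report becomes a to-do list: each sender gets a “please update your records” message, and each mailbox that is still in use must keep a forward to the new domain for as long as the old one is kept.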

For example, the researchers were able to access:

  • Confidential emails

  • Banking information

  • Tax information

  • Personal details of members of staff

  • Business and personal social media accounts, including LinkedIn, Facebook and Twitter

  • File sharing systems including Dropbox

  • Professional web portals (in the researchers’ case the Commonwealth Courts portal; for us, potentially the RCVS PDP or CPD sites, or the VDS portal).

  • Practice management software through the built-in remote access capability (which is really scary)

  • G-Suite accounts and Office 365 (if two-factor authentication isn’t turned on).

In addition, because the researchers had access to both the email addresses and the domains, they could use data-breach lookup websites to retrieve lists of leaked or breached passwords and tie them to specific members of staff. As most people reuse passwords across multiple sites, this could potentially allow them to hack into the new email address, or the personal accounts, of the relevant staff members.

Overall, if this happens to you it is a disaster for your clients, your staff, and ultimately your business. It could lead to serious data breaches (and potentially a £17 million fine for that, not counting the harm to your staff and clients), financial fraud, blackmail, spam and malware distribution under your name, and more.


How can it be blocked?!

It’s actually really easy – the only reason this breach is possible is that people don’t renew their old domain names. We strongly recommend that you set your old domain names to auto-renew indefinitely, and if possible lock them to prevent transfers to other owners without your express permission. While this means accepting the cost (perhaps £10 per annum per domain), doing so might avert a nightmare.
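Because the fix is simply “never let the old domain lapse”, the useful control is a register of retired domains that is checked on a schedule. Below is an added Python example, not code from the original post: it audits such a register for the three things the paragraph above recommends (renewal date not approaching, auto-renew on, transfer lock on) and orders the findings by urgency. The domain names, dates and the `LegacyDomain` record are constructed for the example; a real registrar exposes these settings under its own names, which are not assumed here.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class LegacyDomain:
    name: str
    expires: date        # expiry date as shown by the registrar
    auto_renew: bool     # registrar auto-renew switch
    transfer_lock: bool  # registrar transfer lock switch


# Constructed register of a practice's old and current domains.
SAMPLE_REGISTER = [
    LegacyDomain("oldvets.example.co.uk", date(2024, 4, 10), False, False),
    LegacyDomain("merged-practice.example.com", date(2024, 2, 1), False, True),
    LegacyDomain("newvets.example.co.uk", date(2025, 1, 15), True, True),
]
AUDIT_DATE = date(2024, 3, 3)  # constructed "today" so the output is reproducible


def audit_legacy_domains(register, today, warn_days=60):
    """Return (name, days_left, issues) tuples, most urgent first.

    issues is empty for a domain that is renewed well ahead, auto-renews
    and is locked against transfer; an already-expired domain is flagged
    "EXPIRED" (it may be in the registrar's grace period or already gone).
    """
    rows = []
    for d in register:
        days_left = (d.expires - today).days
        issues = []
        if days_left < 0:
            issues.append("EXPIRED")
        elif days_left <= warn_days:
            issues.append(f"expires in {days_left} days")
        if not d.auto_renew:
            issues.append("auto-renew off")
        if not d.transfer_lock:
            issues.append("transfer lock off")
        rows.append((d.name, days_left, issues))

    def urgency(row):
        _, days_left, issues = row
        # expired first, then anything with findings, then clean; soonest expiry first
        return (0 if days_left < 0 else 1 if issues else 2, days_left)

    return sorted(rows, key=urgency)


if __name__ == "__main__":
    for name, days_left, issues in audit_legacy_domains(SAMPLE_REGISTER, AUDIT_DATE):
        status = "; ".join(issues) if issues else "OK"
        print(f"{name:32} {days_left:5d} days  {status}")
```

Run monthly (or from a calendar reminder), an empty issues list for every retired domain is the evidence that the practice’s old identity cannot be picked up by someone else; anything else is an action for whoever holds the registrar login.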


Where can I find out more?

You can read the report on the researcher’s blog here.

The NCSC report is here (about half-way down), and they have published advice on multi-factor authentication here.

Need advice on websites or emails? Contact us and see if we can help!