Attackers took control of Perl[.]com with social engineering

In early February, it became known that unknown attackers had taken control of the perl[.]com domain, which is owned by the Perl Foundation and Tom Christiansen, who has used it since 1997 to post news and articles about the Perl language.

At the time, John Berryhill, a lawyer specializing in intellectual property, reported that the domain had actually been stolen back in September 2020, while it was still registered with Network Solutions.

Because ICANN bars the transfer of a domain for 60 days after its contact information is updated, the domain was only moved to the Chinese registrar BizCN during the Christmas holidays. On January 27, 2021, it was moved again, to the registrar Key-Systems. After that, the IP address assigned to the domain was changed from 151.101.2.132 to the Google Cloud address 35.186.238[.]101.
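The sequence above (contact edit, a registrar transfer once the 60-day lock expired, a second transfer, then a new A record) is exactly what a domain-ownership monitor should catch early. The following is an added example, not code from the article or from the Perl Foundation: it diffs successive snapshots of a domain's registration and DNS state and raises an alert for each watched change. The registrars and IP addresses in the sample snapshots follow the article; the contact e-mail addresses, nameservers and all dates other than January 27, 2021 are constructed placeholders.

```python
"""Domain-ownership drift monitor (added example, not the article's code).

Diffs a time-ordered series of registration/DNS snapshots and alerts on the
changes that preceded the perl.com hijack.  In practice the snapshots would be
filled from daily RDAP/WHOIS and DNS polls; here they are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, List, Tuple


@dataclass(frozen=True)
class DomainSnapshot:
    """One observation of a domain's registration and DNS state."""
    observed: date
    registrar: str
    registrant_email: str
    nameservers: Tuple[str, ...]
    a_records: Tuple[str, ...]


@dataclass(frozen=True)
class Alert:
    observed: date
    severity: str
    field_name: str
    before: Any
    after: Any


# Watched fields and how serious a change in each is.  A contact edit is the
# earliest warning: ICANN's transfer lock means the domain cannot leave the
# registrar until 60 days after it, which is the gap between the September
# edit and the Christmas transfer in the perl.com case.
WATCHED_FIELDS = {
    "registrant_email": "high",
    "registrar": "critical",
    "nameservers": "critical",
    "a_records": "high",
}

TRANSFER_LOCK_DAYS = 60


def diff_snapshots(prev: DomainSnapshot, curr: DomainSnapshot) -> List[Alert]:
    """Return one Alert per watched field that differs between two snapshots."""
    alerts = []
    for field_name, severity in WATCHED_FIELDS.items():
        before, after = getattr(prev, field_name), getattr(curr, field_name)
        if before != after:
            alerts.append(Alert(curr.observed, severity, field_name, before, after))
    return alerts


def monitor(snapshots: List[DomainSnapshot]) -> List[Alert]:
    """Run the diff across consecutive pairs of a time-ordered snapshot list."""
    alerts: List[Alert] = []
    for prev, curr in zip(snapshots, snapshots[1:]):
        alerts.extend(diff_snapshots(prev, curr))
    return alerts


def earliest_transfer_date(contact_change: date) -> date:
    """First day a registrar transfer can succeed after a contact edit."""
    return contact_change + timedelta(days=TRANSFER_LOCK_DAYS)


def transfers_after_contact_change(alerts: List[Alert]) -> List[Alert]:
    """Registrar changes that follow an earlier contact edit's lock expiry.

    A transfer the owner did not request, preceded by a contact edit the owner
    did not make, is the hijack pattern; these deserve an immediate review.
    """
    contact_edits = [a.observed for a in alerts if a.field_name == "registrant_email"]
    return [
        a for a in alerts
        if a.field_name == "registrar"
        and any(a.observed >= earliest_transfer_date(c) for c in contact_edits)
    ]


# Constructed snapshots: registrars and IPs follow the article; e-mail
# addresses, nameservers and dates other than 2021-01-27 are placeholders.
_NS = ("ns1.example.invalid", "ns2.example.invalid")
SNAPSHOTS = [
    DomainSnapshot(date(2020, 9, 1), "Network Solutions", "owner@example.invalid", _NS, ("151.101.2.132",)),
    DomainSnapshot(date(2020, 9, 15), "Network Solutions", "hijacker@example.invalid", _NS, ("151.101.2.132",)),
    DomainSnapshot(date(2020, 12, 26), "BizCN", "hijacker@example.invalid", _NS, ("151.101.2.132",)),
    DomainSnapshot(date(2021, 1, 27), "Key-Systems", "hijacker@example.invalid", _NS, ("151.101.2.132",)),
    DomainSnapshot(date(2021, 1, 28), "Key-Systems", "hijacker@example.invalid", _NS, ("35.186.238.101",)),
]


if __name__ == "__main__":
    for a in monitor(SNAPSHOTS):
        print(f"{a.observed} [{a.severity}] {a.field_name}: {a.before} -> {a.after}")
    for a in transfers_after_contact_change(monitor(SNAPSHOTS)):
        print(f"review: transfer on {a.observed} follows an earlier contact edit")
```

On the constructed series the monitor raises four alerts (the contact edit, two registrar transfers and the A-record change), and the correlation step flags both transfers because each lands after the 60-day lock from the September edit expired. The point of the design is that the first alert fires in September, months before the domain actually moves, which is the window in which a registrar lock or a support ticket still stops the transfer.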

As brian d foy, editor of the affected site, now writes, the domain was compromised through social engineering. He spoke with other people hit by similar attacks, although Network Solutions has still not officially confirmed this version of events.

“We believe there was a social engineering attack on Network Solutions (including fake documents and so on). There is no reason for Network Solutions to tell me anything, but I talked to other affected domain owners and they described the exact same pattern [of attacks],” says brian d foy.

After the domain was transferred to Key-Systems, unknown persons tried to sell perl[.]com for $190,000 on Afternic, a marketplace owned by GoDaddy. The listing was quickly withdrawn once experts intervened.

Analysts at the Perl Network Operations Center have detailed the full chronology of events on their blog. Ultimately, the domain was returned to its rightful owner, Tom Christiansen, in early February 2021.

Returning to normal operation took longer, however: many security products had already blacklisted the domain, and the DNS servers that had been used to sinkhole the domain also caused problems. According to brian d foy, everything is now finally working as usual again.
