Hello, welcome to the Thursday, March 5th, 2020 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Well, we got some abandoned subdomains in the news again.

This time it was security researchers, Newman Oudzdeemir and Odzan Akdibi, that found about 700 of these

or 800, depending on how you count linked to Microsoft. The tricky part here is that what

Microsoft is doing, and that's what a lot of companies are doing, that they're setting

up a new subdomain for some project, and then they're using a DNSC name to essentially

redirect that subdomain to a particular Asia host in the case of Microsoft, of course.

The same would probably work with most cloud providers.

After they're done with that particular subdomain, the project is discontinued.

They are removing the website, but the DNS entry remains.

So what can happen now is that someone is coming in, is setting up a website on that particular

cloud provider with the same name that the original company like here, Microsoft, choose

for the site.

Since the CName lookup still exists in Microsoft's DNS.

Visitors are now redirected, for example, for something like identityhelp.

Microsoft.com or myprouser.microsoft.com to the hacker's website.

And given that companies like Let's Encrypt will give you a TLS certificate, even if you are just able to put up a website with that host name.

So that could potentially here lead to a pretty good fishing website.

So what these researchers did was essentially write a script to look for abandoned websites,

abandoned subdomains.microsoft.com. Then next they looked up, hey, is there a C name that

...