751 domain names registered at Gandi were pointed to malware sites.
All of the affected domains were under country code TLDs (ccTLDs) for which Gandi uses a third-party technical provider to connect to the registry. Gandi, like most registrars, has direct connections to many of the registries, but for some ccTLDs it relies on a third party to provide the connection. That’s where the breach occurred.
According to Gandi, someone obtained its credentials for the web interface of the unnamed technical provider and used them to redirect the names. Gandi believes the credentials were intercepted because the technical provider allows access to that interface over plain http instead of https.
The domain names were redirected for up to 11 hours.
Although I understand the desire to not throw the technical provider under the bus, revealing its name could help other registrars prevent the same thing from happening. (Psst: if you know who the provider is that handles 34 of Gandi’s ccTLDs, drop me a line.)
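The incident above was a registry-level redirection that persisted for hours, so the practical defender question is how a registrar would notice that domains it manages no longer point where they should. The following is an added example, not Gandi's or any provider's code: a baseline-drift check that compares periodic observations of each domain's delegation records against the records the registrar expects, flags anything unexpected, and reports how long the divergence lasted. The domain names, nameserver hostnames and timestamps are constructed for the example; the `Observation` type and `find_hijacks` function are hypothetical names.

```python
"""Baseline drift detection for managed domains (added example, hypothetical code).

A registrar keeps a baseline of the records it expects for each domain it
manages (nameservers here, but A records work the same way) and compares
periodic observations against it. Any domain whose observed records contain
something outside the baseline is flagged, and the first and last observations
that diverge give a lower bound on the exposure window.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    domain: str
    seen_at: datetime
    records: frozenset  # nameserver hostnames (or addresses) seen at seen_at


# Constructed baseline: what the registrar expects each domain to delegate to.
BASELINE: dict[str, frozenset] = {
    "example.fr": frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
    "example.ch": frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
}


def find_hijacks(baseline: dict[str, frozenset],
                 observations: list[Observation]) -> dict[str, dict]:
    """Return, per flagged domain, the unexpected records and the exposure window.

    Result shape: {domain: {"unexpected": set, "first": datetime,
                            "last": datetime, "duration": timedelta}}.
    Only domains present in the baseline are checked; an observation is
    flagged when it contains any record that is not in the baseline.
    """
    flagged: dict[str, dict] = {}
    for obs in sorted(observations, key=lambda o: o.seen_at):
        expected = baseline.get(obs.domain)
        if expected is None:
            continue  # not a managed domain; nothing to compare against
        unexpected = obs.records - expected
        if not unexpected:
            continue  # everything observed is within the baseline
        entry = flagged.setdefault(
            obs.domain, {"unexpected": set(), "first": obs.seen_at, "last": obs.seen_at})
        entry["unexpected"] |= unexpected
        entry["last"] = obs.seen_at
    for entry in flagged.values():
        # Lower bound: the true window may start before the first divergent
        # observation and end after the last one, depending on polling interval.
        entry["duration"] = entry["last"] - entry["first"]
    return flagged


def build_sample_observations() -> list[Observation]:
    """Constructed hourly observations: example.fr is redirected to an
    attacker-controlled nameserver from hour 1 through hour 12, example.ch
    stays normal throughout."""
    start = datetime(2024, 1, 1, 0, 0)  # constructed timestamp, not from the incident
    observations: list[Observation] = []
    for hour in range(14):
        seen_at = start + timedelta(hours=hour)
        fr_records = (frozenset({"ns.attacker.example"}) if 1 <= hour <= 12
                      else BASELINE["example.fr"])
        observations.append(Observation("example.fr", seen_at, fr_records))
        observations.append(Observation("example.ch", seen_at, BASELINE["example.ch"]))
    return observations


if __name__ == "__main__":
    for domain, entry in find_hijacks(BASELINE, build_sample_observations()).items():
        print(domain, sorted(entry["unexpected"]),
              entry["first"], entry["last"], entry["duration"])
```

Fed real observations (for example, hourly NS lookups against the parent zone), this check alerts on the first divergent poll rather than after a user report, and the reported window tells the responder how long the redirection was live. Because it only compares against the registrar's own baseline, it also catches changes made through a provider's interface with valid credentials, which is exactly the case where the provider's own logs show nothing unusual.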
I’m fairly certain it was RRPproxy, a.k.a. Key Systems. They’re one of the only ones that supports all of these TLDs.
Nope, they are not with Key-Systems. I have an idea who it might be, but I am not going to speculate.