751 domain names registered at Gandi were pointed to malware sites.
Hackers managed to redirect 751 domain names at domain name registrar Gandi.net to servers spreading malware, the company detailed this week.
All of the domain names were on country code domain names for which Gandi uses a third-party technical provider to connect to the registry. Gandi, like most registrars, has direct connections to many of the registries. But for some ccTLDs, it uses a third party to provide the connection. That’s where the breach occurred.
According to Gandi, someone was able to get its credentials to log in to the web interface of the unnamed technical provider to redirect the names. Gandi believes that the credentials were intercepted because the technical provider allows access via http instead of https.
The domain names were redirected for up to 11 hours.
Although I understand the desire to not throw the technical provider under the bus, revealing its name could help other registrars prevent the same thing from happening. (Psst: if you know who the provider is that handles 34 of Gandi’s ccTLDs, drop me a line.)
I’m fairly certain it was RRPproxy, a.k.a. Key Systems. They’re one of the only ones that supports all of these TLDs.
Volker Greimann says
Nope, they are not with Key-Systems. I have an idea who it might be, but I am not going to speculate.