Skip to content
Naked Security Naked Security

Perl.com gets its domain back – normal service restored!

All's well that ends well.

Good news, everybody!

Two weeks ago, we wrote that the well-known and widely-used domain perl.com had been taken over by persons unknown.

Perl, now more than 30 years young, is amongst the most popular and prevalent programming languages out there, and websites that serve the world of Perl are therefore popular, too.

So, even though the official home of the language itself is perl.org, the perl.com website has been a well-known companion in the Perl community for many years.

You can imagine why, if the original owner had allowed their registration of the domain to lapse, either by mistake or because they felt they no longer needed it, a new owner might be keen to snap it up.

(Indeed, four-letter dot-COM domains are rare and expensive these days if they don’t spell out a well-known word, and even if they can’t be pronounced as a word at all.)

In this case, however, the domain’s takeover was as unlikely as it was unexpected.

That’s because perl.com had been registered for years to widely respected US-based Perl guru Tom Christiansen, and it hadn’t expired.

So it was difficult to figure out how any domain registrar would have been inclined to believe that Christiansen, or tchrist as he is widely known, would voluntarily have relinquished the domain…

…especially to someone who immediately redirected the domain to pretty much nothing at all:

Redirected perl.com site visited directly (and insecurely) on 2021-01-29.

Yet that is what happened at the end of January 2021, when the domain registration suddenly switched to a privacy-protected registrant based in Moldova:

[WHOIS data for PERL.COM, retrieved 2021-01-29]

Domain Name: perl.com
Registry Domain ID: 432086_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: http://www.key-systems.net
Updated Date: 2021-01-27T12:43:15Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-01-26T15:26:42Z
Registrar: Key-Systems GmbH
[...]
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY  
Registrant Organization: REDACTED FOR PRIVACY
[...]
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Chisinau
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: MD [Moldova]
[...]
Admin Name: REDACTED FOR PRIVACY  
Admin Organization: REDACTED FOR PRIVACY
[...]]
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY

For a short while after the domain takeover, according to reporters at IT news site The Register, domain name reseller Afternic was offering the suddenly blanked-out perl.com domain for sale for the impressive sum of $190,000.

(By the time we looked, on the day after The Register published its report, the domain was still out of tchrist‘s control but no longer up for sale on any publicly visibly domain broker’s site we could find.)

The good news

We don’t know exactly how this takeover was achieved, and what collateral was used to convince the relevant domain registrars to authorise the transfer, but we are pleased to report that normal service has been resumed.

The perl.com domain is now back under tchrist‘s control, and the registration details are no longer hidden behind a privacy shield, so you can check them out for yourself:

[WHOIS data for PERL.COM, retrieved 2021-02-07]

Domain Name: PERL.COM
Registry Domain ID: 
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2021-02-05T19:59:16Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-02-05T16:54:08Z
Registrar: Network Solutions, LLC
[...]
Registry Registrant ID: 
Registrant Name: Tom Christiansen Perl Consultancy
Registrant Organization: Tom Christiansen Perl Consultancy
[...]
Registrant City: BOULDER
Registrant State/Province: CO
Registrant Postal Code: 80304-1022
Registrant Country: US
[...]
Admin Name: Tom Christiansen Perl Consultancy
Admin Organization: Tom Christiansen Perl Consultancy
[...]
Admin City: BOULDER
Admin State/Province: CO
Admin Postal Code: 80304-1022
Admin Country: US

And, of course, the site is back to normal:

Main page of perl.com visited directly on 2021-02-07.

During the domain takeover, the perl.org site leapt to the rescue by serving the content of perl.com via perldotcom.perl.org (try reading that sentence out aloud quickly!), and that “emergency” URL still works, but it is once again safe to visit perl.com directly.

Result!


10 Comments

The bad news: “We don’t know exactly how this takeover was achieved, and what collateral was used to convince the relevant domain registrars to authorise the transfer”, so it is impossible to tell how to prevent this type of domain stealing.

Ahhh, watch this space! *We* (meaning me in this case :-) don’t know because it wasn’t our domain name, and we don’t want to guess how this happened in case we point our finger in the wrong direction.

But we are hoping to bring you a special episode of the Naked Security Podcast soon in which we will be talking to the person who co-ordinated the “fetchback” (is that the inverse of a takeover?) in this particular case, so we can not only give a real-world example of how this sort of thing happens, but also explain how to react if it does.

Thanks for clarifying the “we” Paul! I too was interested if this domain take over was a practice event for other well known sites — that wouldn’t necessarily completely redirect to a blank page, rather an expected page w/malicious code added in. Does the podcast & this blog share topics? I don’t follow the podcast (who has time to listen!?), but would jump over to the podcast in the event the aftermath on this topic isn’t covered here.

Thanks!
Ed

I don’t know the details of how the Perlers lost and regained the domain and I don’t want to guess so I am waiting until they have finished their fact-finding and write-up stages.

Having said that, the answer to “what could crooks do with a domain like this” is pretty much “whatever they liked”, e.g. shut it down and sell it on, host malware under a trusted banner, use it for trapping traffic and harvesting visitor data (including passwords) for a while, or any combination of those.

I was surprised at the blank page site that took its place – sites up for sale usually redirect to a “make an offer” or “this is the price” page. Why that didn’t happen here is something I can only guess at so far. The fact that the domain was up for sale so briefly suggests that the prompt reaction of the Perlers trying to get the domain back may have helped.

But we (which includes me!) had better wait to hear a real answer..

FWIW the minipodcasts we do are generally about 20 mins long so they only take 10 mins if you listen at 2x speed, which any decent podcast player will support. We usually, but not always, cover topics that we have already handled in a written article, so they are meant to be an additional and alternative source of info on various topics, not a replacement for written articles.

HtH

Not knowing how it was done is very worrisome. Suppose someone managed the same trick and took over Google.com? Yikes!

I think we can all guess at four or five ways this kind of thing could happen, e.g. phished password, turncoat colleague, corrupt registrar, lucky guess, software vulnerability, SIM swap, at gunpoint, expiration mistake, forged ID documents… OK, that’s nine ways already!

Let’s wait for the Perlers themselves to tell the story their way, as soon as they can do so without jeopardising any followup activities, e.g. with law enforcement…

…after all, they did admit to the problem right away, take steps to limit the damage, come up with a workaround and get busy fixing the issue, which they managed to do pretty quickly

My guess would be a SIM swap or forged ID.

Also as a perl contributor, I have an @cpan.org email address that has been getting a lot of spam for the past few months, with a higher than average number of phishing emails telling me that there are security issues with my domain or website.

I would think that it is unlikely that Tom Christiansen fell for a phish and leaked his email password, but perhaps he got a real notification from his domain registrar alerting him to a pending transfer, and he ignored it because he assumed that it was spam.

After a bit of umming-and-ahhhing about this comment, I decided to let you speculate :-) But we’re going to wait until we can bring you a report from the camel’s mouth…

I’m glad to hear you are hoping to do a follow up to this. However, I would request that you provide some written content as well – I never listen to the podcasts as it is just impractical for me, but I read most of the typed content you produce.

I agree; I find it MUCH easier to read the information rather than listen to it. Even listening at double speed is too slow for me. I read swiftly, and can easily read a ten minute script in just a minute or two. And if I like, I can print out the article, but I can’t easily do that with a podcast. Also, I find that I retain the information much better if I read the materiel rather than listen to it. But the podcasts are excellent. Thanks for continuing to bring us the latest and greatest security information.

Stay safe.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?