If you sell web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here is the story of one such blunder committed by Fiserv [NASDAQ:FISV], a $15 billion company that provides online banking software and other technology solutions to thousands of financial institutions.
In November 2020, KrebsOnSecurity heard from security researcher Abraham Vegh, who noticed something strange while inspecting an email from his financial institution.
Vegh could see that the message from his bank referenced a curious domain: defaultinstitution.com. A quick search of WHOIS registration records showed that the domain was not registered. Wondering whether he could receive email communications at that address if he registered the domain himself, Vegh grabbed it for a few dollars, set up a catch-all email account for it, and waited.
“It appears the domain is provided by default, and IT departments at client banks assume they don’t need to change it, or don’t know they could/should,” Vegh said, noting that an attacker who had stumbled upon the domain earlier could have had a powerful and trusted domain from which to launch email phishing attacks.
At first, only a trickle of misdirected emails arrived. Ironically, one was from a Fiserv “quality assurance” manager. The automated reply indicated that the employee was out of the office “on R&R” and would be back at work on December 14th.
A great many more emails poured in, including numerous “bounced” messages delivered in reply to missives from Cashedge.com, a money transfer service that Fiserv acquired in 2011.
Emails get bounced – or returned to the sender – when they are sent to an address that doesn’t exist or is no longer active. The messages had been sent to the email address of a former director of client solutions at Fiserv; the “reply-to:” address in those missives was “[email protected]”.
The messages informed customers of CashEdge’s core service, Popmoney – which lets users send, request, and receive money directly from bank accounts – that Popmoney was being replaced by Zelle, a more modern money transfer service.
Each CashEdge missive included information about recurring transfers that were being canceled, such as the plan ID, send date, amount to be transferred, the name and last four digits of the account number the money was coming from, and the email address of the recipient account.
Incredibly, at the bottom of every message to CashEdge/Popmoney customers was a boilerplate text: “This email was sent to [recipient name here]. If you have received this email in error, please send an email to [email protected].”
Other services that directed customer email to the researcher’s domain included Fiserv client Netspend.com, one of the largest providers of prepaid debit cards that require no minimum balance or credit check. Netspend’s messages were all about confirming the email address tied to a new account, and concerned “me-to-me transfers” set up through its service.
Each message included a one-time code that recipients were asked to enter on the company’s website. But judging from the many replies to these missives, Netspend did not make it clear where users were supposed to enter this code. Here is one of the crudest examples of a customer response:
Countless other replies to Netspend emails expressed mystification as to why the recipients were receiving such messages, stating that they had never signed up for the service. The gist of these messages was that the respondents were victims of identity theft.
“My accounts have been hacked and if funds are lost, your [sic] sued against me and the Federal Trade Commission,” wrote one. “I didn’t create the account. Please shut down this account and let me know what’s going on,” replied another. “I have never subscribed to this service. Someone else is using my information,” wrote a third.
These messages also concerned me-to-me transfers. Other emails came from Detroit-based TCF National Bank.
New York-based Union Bank also sent customer information to the researcher’s domain. Both of these messages were intended to confirm that the recipient had linked their accounts to those at another bank, and in both cases the recipients replied that they had not authorized the linkage.
In response to questions from KrebsOnSecurity, Fiserv acknowledged that it inadvertently included references to defaultinstitution.com as a placeholder in software solutions used by some partners.
“We identified 5 clients for whom auto-generated emails to their clients included the domain name ‘defaultinstitution.com’ in the ‘reply’ address,” Fiserv said in a written statement. “This placeholder URL was inadvertently left unchanged during the implementation of these solutions. After being made aware of the situation, we immediately conducted a scan to locate and replace instances of the fictitious domain name. We have also notified customers whose customers have received these emails.”
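The scan Fiserv describes, locating every instance of a fictitious domain in shipped software, is a check a defender can run before templates and configuration ever reach production. The following Python script is an added example and is not Fiserv's tooling or code from the article. It assumes a hypothetical allowlist, OWNED_DOMAINS, of domains the organisation actually controls (a constructed list below), extracts every domain used in email addresses and URLs found in template or config text, and flags two things: known placeholder names (the article's defaultinstitution.com plus the RFC 2606 reserved example domains) and any domain outside the allowlist. A live DNS/WHOIS registration check for the flagged domains is deliberately left out so that the script runs offline; in a real pipeline that would be the next step for every "unowned" hit.

```python
"""Audit outgoing-mail templates and configuration for domains the organisation does not control.

Added example, not Fiserv's code. OWNED_DOMAINS and SAMPLE_TEMPLATE are constructed,
hypothetical values; nothing here talks to the network.
"""
import re
import sys
from pathlib import Path

# Constructed allowlist (hypothetical): domains the organisation owns. Subdomains count as owned.
OWNED_DOMAINS = {"examplebank.test"}

# Placeholder names that must never appear in production templates: the domain from the
# article plus the example domains reserved by RFC 2606. Subdomains of these count too.
KNOWN_PLACEHOLDERS = {"defaultinstitution.com", "example.com", "example.net", "example.org"}

# Only domains that appear in an email address or a URL are collected, so that file names
# such as "config.yaml" are not mistaken for host names.
EMAIL_RE = re.compile(r"[\w.+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

# File types worth scanning in a typical template/config tree.
SCAN_SUFFIXES = {".html", ".htm", ".txt", ".xml", ".yaml", ".yml", ".properties", ".json", ".ini"}

# Constructed sample template (not a real Fiserv message) used for the stand-alone run.
SAMPLE_TEMPLATE = """\
Reply-To: noreply@defaultinstitution.com
From: alerts@mail.examplebank.test
Your one-time code is {code}. Enter it at https://www.examplebank.test/verify
If you received this in error, email support@example.com
Statement archive: https://statements.thirdpartyvendor.test/
"""


def _under(domain, roots):
    """True if domain equals one of roots or is a subdomain of one of them."""
    return any(domain == r or domain.endswith("." + r) for r in roots)


def extract_domains(text):
    """Return the lower-cased set of domains used in email addresses and URLs in text."""
    found = set()
    for pattern in (EMAIL_RE, URL_RE):
        for match in pattern.finditer(text):
            found.add(match.group(1).lower())
    return found


def audit_text(text, owned=OWNED_DOMAINS):
    """Classify every domain in text as 'placeholder', 'unowned' or 'ok'.

    Placeholder wins over the allowlist check, so a placeholder accidentally added to
    OWNED_DOMAINS is still reported.
    """
    verdicts = {}
    for domain in extract_domains(text):
        if _under(domain, KNOWN_PLACEHOLDERS):
            verdicts[domain] = "placeholder"
        elif not _under(domain, owned):
            verdicts[domain] = "unowned"
        else:
            verdicts[domain] = "ok"
    return verdicts


def report(text, owned=OWNED_DOMAINS):
    """Return only the problems, as a sorted list of (domain, status) tuples."""
    return sorted((d, s) for d, s in audit_text(text, owned).items() if s != "ok")


def audit_tree(root, owned=OWNED_DOMAINS):
    """Walk a directory and return {relative_path: [(domain, status), ...]} for files with problems."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            problems = report(path.read_text(encoding="utf-8", errors="ignore"), owned)
            if problems:
                findings[str(path.relative_to(root))] = problems
    return findings


if __name__ == "__main__":
    # With a directory argument, audit that tree; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        for rel, problems in audit_tree(sys.argv[1]).items():
            for domain, status in problems:
                print(f"{rel}: {status}: {domain}")
    else:
        for domain, status in report(SAMPLE_TEMPLATE):
            print(f"{status}: {domain}")
```

Run without arguments the script audits the constructed sample and reports defaultinstitution.com and example.com as placeholders and statements.thirdpartyvendor.test as unowned, while both examplebank.test hosts pass. Keeping the allowlist explicit is the point: a domain that is neither a known placeholder nor on the list is exactly the kind of name that, as the article shows, anyone can register for a few dollars.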
Indeed, the last email to land in Vegh’s inbox arrived on February 26.
This is not the first time that Fiserv’s oversight has put the security and privacy of its customers at risk. In 2018, KrebsOnSecurity revealed how a programming weakness in a software platform sold to hundreds of banks exposed the personal and financial data of countless customers. Fiserv was subsequently sued by a credit union customer; that lawsuit is still ongoing.
Vegh said he found a similar domain while working as a contractor at the Federal Reserve Bank of Philadelphia in 2015. In that case, he discovered an unregistered domain invoked by AirWatch, a mobile device management product since acquired by VMware.
“After I registered this domain, I started receiving traffic from all over the world from Fortune 500 company devices that pinged the domain,” said Vegh.
Vegh said he plans to give Fiserv control of defaultinstitution.com and deliver intercepted messages to his inbox. He doesn’t ask for much in return.
“I was then promised a t-shirt and a case of beer for my efforts, but alas, I never received one,” he said of his interaction with AirWatch. “This time, I hope to receive a t-shirt!”
Update, 12:44 p.m. ET: The first paragraph has been updated to reflect Fiserv’s 2020 revenue, which was close to $15 billion.