Years of testing have shown that corp.com is perhaps one of the most dangerous domain names in the world. Why? Because whoever owns it has access to a stream of passwords, email, and other proprietary data belonging to major companies around the globe.
With an asking price of US $1.7 million, Mike O’Connor is selling the domain name for the first time since he purchased it in 1994 when he invested in a whole series of choice domains including bar.com, pub.com, and television.com. Through the years he has sold several of his other domains but has kept back the corp.com domain until now.
O’Connor has said that he hopes that Microsoft purchases the domain because almost all of the computers trying to share sensitive data with corp.com are Windows PCs that may be somewhat confused.
Early versions of Windows made this leakage more likely: their setup guidance steered administrators toward an insecure default naming choice that encourages exactly this kind of sharing.
The key problem is “namespace collision”, where domain names intended only for use inside internal networks overlap with domain names that exist on the public internet.
Internal corporate networks use a Microsoft technology called Active Directory to authenticate users and computers on the network. Active Directory is a broad label for a whole range of identity-related services in Windows-based environments. A key Windows feature called “DNS name devolution” is part of how machines find each other in these environments. It is a kind of shorthand that lets computers and servers locate one another without typing full, fully qualified domain names: the Windows DNS client appends the machine’s own DNS suffix to a short name and, if that fails, strips the suffix label by label and tries again. So if a company uses an internal network called “internalnetwork.example.com” and an employee wishes to open the “publicdrive” share on that network, they don’t need to type “publicdrive.internalnetwork.example.com” into Windows Explorer. Instead, they can type “\\publicdrive\” and Windows will take care of the rest.
But in early versions of Windows, when an internal Windows domain doesn’t map back to a second-level domain that the company actually owns and controls, things get tricky. For example, in Windows 2000 Server the default Active Directory domain name offered during setup was “corp”, and many companies used that setting without changing it to a domain they control.
What’s worse is that many companies have gone on to build vast networks on top of this insecure default.
So now, if a company laptop tries to reach a resource in the “corp” internal domain while it is on an external network, such as the Wi-Fi at a local Starbucks, it may instead seek to share internal resources with “corp.com”. That makes corp.com a potential portal for intercepting private communications. This is all according to Jeff Schmidt, who conducted a lengthy study on DNS namespace collisions funded, in part, by the U.S. Department of Homeland Security.
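To make the lookup behaviour described above concrete, here is an added Python model (not code from the original article, and a simplified model rather than Microsoft’s actual resolver code). It generates the fully qualified names a Windows DNS client would try for a short name like “publicdrive”: first the primary DNS suffix, then each devolved suffix, then any connection-specific suffix handed out by the current network. The devolution level (the number of labels at which devolution stops) is assumed to be 2, and all domain names (example.com, ad.corp.com, guest.wifi.example) and the owned-zone lists are constructed for illustration.

```python
"""Simplified model of Windows DNS suffix appending and name devolution.

Constructed example: models the lookup order a Windows DNS client follows
for an unqualified (single-label) name. It is not Microsoft's resolver code.
Assumptions: a primary DNS suffix, an optional connection-specific suffix
supplied by the current network (e.g. a coffee shop's DHCP server), and a
devolution level of 2 labels by default.
"""


def devolution_candidates(primary_suffix, devolution_level=2):
    """Return the suffixes tried when devolving `primary_suffix`.

    Devolution strips the leftmost label one at a time and stops once the
    suffix has `devolution_level` labels or fewer, so
    'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com'].
    A suffix that already has <= devolution_level labels is not devolved.
    """
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    out = []
    while labels:
        out.append(".".join(labels))
        if len(labels) <= devolution_level:
            break
        labels = labels[1:]
    return out


def lookup_order(short_name, primary_suffix, connection_suffix=None,
                 devolution_level=2):
    """FQDNs a client would try, in order, for an unqualified short name."""
    suffixes = devolution_candidates(primary_suffix, devolution_level)
    if connection_suffix:
        # Connection-specific suffix (assumed to come from the network's DHCP)
        # is appended after the primary and devolved suffixes.
        suffixes.append(connection_suffix.lower().strip("."))
    return [f"{short_name.lower()}.{s}" for s in suffixes]


def leaked_names(candidates, owned_zones):
    """Candidates that fall outside every DNS zone the organisation owns.

    Any such name is a query that will leave the organisation's own DNS and
    be answered by whoever controls the public domain it lands in.
    """
    def in_zone(fqdn, zone):
        return fqdn == zone or fqdn.endswith("." + zone)
    return [c for c in candidates if not any(in_zone(c, z) for z in owned_zones)]


if __name__ == "__main__":
    # Safe case: the internal domain sits under a public domain the company owns.
    safe = lookup_order("publicdrive", "internalnetwork.example.com")
    print("owned suffix:", safe, "leaked:", leaked_names(safe, ["example.com"]))

    # Risky case 1: internal domain sits under a public second-level domain the
    # company does not own; devolution walks straight to that public domain.
    risky = lookup_order("publicdrive", "ad.corp.com")
    print("unowned parent:", risky, "leaked:", leaked_names(risky, ["ad.corp.com"]))

    # Risky case 2: a single-label internal domain ("corp") on an outside
    # network; the network's own suffix gets appended to the short name.
    roaming = lookup_order("publicdrive", "corp", connection_suffix="guest.wifi.example")
    print("roaming laptop:", roaming, "leaked:", leaked_names(roaming, ["corp"]))
```

The `leaked_names` check is the part worth keeping: run it over every internal short name your clients rely on, with the zones you actually own as `owned_zones`, and any result is a lookup that will leave your network.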
Schmidt convinced O’Connor to hold off on selling corp.com while he studied this phenomenon. In 2019, when he conducted his study, Schmidt found almost 400,000 computers attempting to share information with this domain. During the experiment Schmidt configured corp.com to accept incoming email: “After about an hour we received in excess of 2 million emails and discontinued the experiment.” He further found that “Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise…. Want an instant foothold into about 30 of the world’s largest companies….. Control corp.com.”
O’Connor did a similar experiment back in the ’90s when he owned corporation.com. He found that Microsoft FrontPage, a website-building tool, actually suggested corporation.com as an example in its setup wizard. As a joke, O’Connor briefly redirected queries for this domain to a local adult sex toy shop, but he soon found himself receiving angry emails. O’Connor told KrebsOnSecurity in an interview that when he briefly enabled an email server on corp.com, “Right away I started getting sensitive emails, including pre-releases of corporate financial filings with the U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things.”
Although Microsoft has distributed several software updates to reduce the namespace collisions that cause these security problems, O’Connor and Schmidt both say that very few organizations have applied these fixes. That is because applying the fix means taking the entire internal directory down at once, and the Microsoft patches are likely to slow down or break a number of internal applications that organizations rely on day-to-day.
Microsoft actually offered to buy the domain several years ago for US $20,000, which O’Connor turned down because he believed the price didn’t reflect the true value of the domain.
O’Connor believes that it’s Microsoft’s duty to purchase the domain to take responsibility for their mistakes. But he confesses that “My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”
He ultimately fears that, if Microsoft doesn’t buy the domain, organized cybercriminals or state-sponsored hacking groups might purchase it instead.