{"id":1611,"date":"2025-01-23T02:41:38","date_gmt":"2025-01-23T02:41:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1611"},"modified":"2025-01-23T02:41:38","modified_gmt":"2025-01-23T02:41:38","slug":"mastercards-multi-year-dns-cut-and-paste-nightmare","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1611","title":{"rendered":"Mastercard\u2019s multi-year DNS cut-and-paste nightmare"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Due to a Domain Name System (DNS) setting error, which the security researcher who discovered it said was almost certainly a cut-and-paste problem, Mastercard had a DNS record with a missing character for almost five years. That error would have allowed attackers to potentially take over the subdomain, create a bogus site that mimics the legitimate Mastercard site, and then trick customers into revealing sensitive details and credentials.\u00a0<\/p>\n<p>Mastercard confirmed the DNS glitch in a statement to KrebsOnSecurity. \u201cWe have looked into the matter and there was not a risk to our systems,\u201d <a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/mastercard-dns-error-went-unnoticed-for-years\/\">the MasterCard spokesperson wrote<\/a>. 
\u201cThis typo has now been corrected.\u201d<\/p>\n<p>But the security researcher who discovered the error said the nature of the glitch looks much more like a cut-and-paste error than a typo.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/caturegli?miniProfileUrn=urn%3Ali%3Afsd_profile%3AACoAAABykhcBr7tQ3lKTG2_PmD5OmxxpHyj16fM\">Philippe Caturegli<\/a>, who calls himself the chief hacking officer at security firm Seralys, said the issue was that a DNS record was pointing to an address ending in \u201c.ne\u201d when it was supposed to end in \u201c.net\u201d.<\/p>\n<p>Because of the nature and length of DNS strings, Caturegli said it is likely the technician used cut-and-paste to transfer the data. If the person moving the data is not very careful, cut-and-paste can often lose one character, either at the end or the beginning of the string. That is what apparently happened, he said.<\/p>\n<p>This mess gets even messier, thanks to a combination of factors that are known to cause many cybersecurity issues: third-party risk and subdomains that were not primarily Mastercard\u2019s. The problem misnamed one of five shared DNS servers at internet service provider Akamai, which directs traffic for portions of Mastercard\u2019s network, sending requests to the incorrect address.<\/p>\n<p>The keystrokes being cut and pasted, according to Caturegli, were being handled by yet another third party, a company called CSC that, ironically, <a href=\"https:\/\/www.cscdbs.com\/\">bills itself as<\/a> \u201cmanaging and mitigating cybersecurity risk\u201d related to \u201ccyber threats such as domain name and DNS hijacking.\u201d\u00a0<\/p>\n<p>Another security executive, CIP CEO Andy Jenkinson, reviewed the Mastercard problem and labeled it \u201cappalling.\u201d<\/p>\n<p>\u201cI am unsure what the security team at Mastercard does, but it\u2019s certainly not basic security,\u201d Jenkinson said. 
\u201cFor five years, this was not picked up, so quality control was not checking. I put this down to human error and oversight. Somebody didn\u2019t even think about checking.\u201d<\/p>\n<p>CSO reached out to Mastercard for comment, but the company did not reply by deadline.<\/p>\n<p>Caturegli announced his findings publicly <a href=\"https:\/\/www.linkedin.com\/posts\/caturegli_for-the-past-45-years-mastercard-had-a-activity-7285038365236682753-PWJu\/\">in a LinkedIn post<\/a> where he asked CISOs and IT leaders to \u201cplease double-check your DNS records (because) a single typo can open the door to man-in-the-middle attacks, phishing, data interception, and more. If you don\u2019t control the domain your NameServers are pointing to, attackers might.\u201d<\/p>\n<p>Caturegli told CSO that, due to the nature of the Mastercard DNS setup, a site visitor would have only gone to the bogus address once out of every five times. But given the massive volume of traffic that Mastercard attracts, that 20% still amounted to a lot of potential victims.<\/p>\n<p>\u201cTo be fair, it was only a subdomain. From what I have seen, there was no mail server on that subdomain, which was used for Azure services,\u201d Caturegli said. \u201c[But] as an end user, you have no idea of where you are going. You are simply trusting the DNS.\u201d<\/p>\n<p>The problem is that this kind of cut-and-paste error is very easy to make, and the nature of the character strings makes it difficult to detect the error. Even worse, if the error is <em>not <\/em>detected right away, it could remain in place for an extended period, as Mastercard has learned.\u00a0<\/p>\n<p>\u201cYou need to continually check your configurations for any obvious mistakes. But with DNS, once it is configured, it is not going to generate an error,\u201d Caturegli said. \u201cUnless you check your configuration, you are not going to know about this issue. You can\u2019t rely on tools. 
They wouldn\u2019t even have any logs (showing the error). They won\u2019t see it on any of their logs.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Due to a Domain Name System (DNS) setting error, which the security researcher who discovered it said was almost certainly a cut-and-paste problem, Mastercard had a DNS record with a missing character for almost five years. That error would have allowed attackers to potentially take over the subdomain, create a bogus site that mimics the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1612,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1611"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1611"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1612"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1611"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}