
Cyber attack on papaki.com! Personal data leak

The web registrar papaki.com, one of the most well-known in our country, appears to have been the victim of a large-scale, successful cyber attack. In the last few hours, Papaki customers have increasingly been reporting unauthorized access to its systems. Many have even received an informative email advising them to activate two-factor authentication immediately to protect themselves from a possible breach of their personal data. Let's see what exactly happened.

Cyber attack on papaki.com. Personal data leak!

Unknown (so far) hackers have broken into the systems of papaki.com, causing a complete leak of personal data. The size of the leak is unimaginable: billing information, domain information and passwords have fallen into the hands of the hackers. In a way that seems not to have been detected in time by the company's security systems (an SQL injection or phishing weakness, or a 0-day exploit), the hackers managed to penetrate papaki.com's defences, gaining access to all the sensitive information of the company's customers.

As we can see in the following screenshots of the informative emails sent to Papaki customers, the attack is confirmed.

[Screenshots: informative emails sent by Papaki to its customers]

It is worth emphasising that a leak of credit card and customer password data from a domain registrar is a particularly serious security issue that can have far-reaching consequences for consumers and businesses.


Domain registrars are often targets for cybercriminals as they hold large amounts of sensitive information. This information can include customer credit card details, passwords, personal data and other sensitive details.

When this data is leaked, customers are exposed to significant risks, including identity theft, credit card fraud and other forms of cybercrime. In addition, businesses providing these services may suffer significant financial losses and customer confidence may be undermined.

The details of the attack on PAPAKI/ENARTIA

So far the company has not released technical details regarding the attack. It has focused mainly on the data leaked by the hackers rather than on the technical way in which the attack was carried out. It is therefore risky to draw conclusions before the company's announcement. However, compared with similar attacks on domain registrars carried out in the past (in Greece and abroad), the methodology is almost identical. We therefore suspect that the malicious attackers:

  • either identified a weakness (SQL injection or some other zero-day) that was not detected by the company's security systems,
  • or gained internal access through phishing attacks on some of the employees of the company or group,
  • or identified a significant weakness in the company's perimeter (threat landscape) which they exploited to gain full unauthorized access.

Any one of the above, or all of them together, may have been used. What is certain is that these attacks achieve permanent internal access (attack persistence) in the infrastructure of the target companies, which is usually detected only after a long period of access, by which time a lot of data has already been leaked to the Darknet or elsewhere. An expert opinion and a thorough forensic analysis are therefore more than necessary!

Who is PAPAKI, a member of the ENARTIA Group

The company PAPAKI is a member of the ENARTIA group of brands, together with Top.host. Both are owned by the company team.blue, which provides similar services in many countries of the European Union.

PAPAKI, together with Top.host, has a huge number of customers, as we can see from what they report on their website: 320.000(!) domains are managed by the company, 120.000 of them with websites!

It is understandable that a company with the above customer numbers was an ideal target for cybercriminals, since the personal data that an attacker can extract from an attack on a domain registrar is a) up to date, b) reliable and c) completely personal and accurate.

With the data that can be obtained from attacks like the one carried out on PAPAKI, one can proceed to additional attacks against customers, such as personalised phishing attacks or even impersonation.

Relevance to Predator spyware?

The timing of the announcement of the cyber attack on PAPAKI, coinciding with the Personal Data Protection Authority's announcement about Predator's suspicious SMS messages, raises certain questions. More specifically:

In its investigation of the technical analysis of Predator, SecNews had, among other things, identified a malicious domain that had been used by Predator (specifically live24.com.gr).

The domain in question had been registered for use by the same Predator operators who had registered all the domains used. This domain, live24.com.gr, appears to have been registered with Tophost, a company belonging to the Enartia Group, which also owns Papaki, the company that was targeted. SecNews is aware that the judicial authorities have proceeded to obtain the relevant registrar data from top.host for the domain in question (credit cards, registrant name, registration IP, etc.) and have taken the investigation further in this direction.

In other words, at the same time that the DPAA announces the suspicious SMSs that used malicious domains of the Predator operators, an attack on Papaki is announced (or detected).

Reports that have NOT yet seen the light of day state that the Predator operators were also using the malware for their own benefit, targeting companies, organisations and institutions to obtain data without the knowledge of the services. They were then able to build databases of personal data in order to target their victims. Two cases of telecom carriers being targeted, which have been brought to the attention of the SecNews journalistic team, point in this direction.

Therefore, PAPAKI and the authority that takes over the investigation of the case (in conjunction with forensic analysis) should investigate whether, and to what extent, the suspected hackers are persons who, without the knowledge of PAPAKI/TOPHOST, targeted or used their infrastructure for malicious purposes, or whether they attempted to alter or delete data to cover possible traces, since the judicial investigation is ongoing.

Consequences of the cyber attack on Papaki.com customers

The hit that Papaki.com took is more powerful than we could have imagined. This is not just a typical attack, but a real threat to its customers.

Leakage of personal data: The personal data of Papaki's customers, such as names, email addresses, home addresses and telephone numbers, have been leaked. This is likely to cause great concern and exposes customers to further risks.

Password leakage: Passwords for customer accounts on Papaki.com have also been leaked. This means that the attackers are able to log in to customers' accounts and cause further damage.

Domain information leakage: Information about the domains registered by customers on Papaki.com has also been leaked. This can lead to abuse or loss of domains, or to the transfer of domains to third parties.

In this critical situation, it is necessary for Papaki.com customers to take immediate steps to protect their accounts and personal data.

Examples of domain registrars that have been attacked by hackers worldwide

The cyber attack on Papaki is not an isolated incident. Countless domain registrars worldwide have been targeted by hackers.

GoDaddy, one of the world's largest domain registrars, was attacked in 2020. The hackers had access to about 1.2 million customer records.


"Cybersecurity is a never-ending battle. No one is safe from the attacks of hackers."

Even Network Solutions, the first organisation to register domain names, was not spared. In 2019, millions of its customer accounts were exposed, revealing names, addresses and other sensitive data.

These incidents demonstrate the need for increased attention to cybersecurity, especially in the world of domain registrars. It is clear that the threat from hackers is present and that everyone, from small registrars to industry leaders, must be on the alert.

What other registrar service providers should be wary of after the Papaki cyberattack?

The Papaki cyber attack reminds us that no one is safe on the internet. It is important to understand that companies providing registrar services are not mere observers, but must be active participants in protecting their customers.

To address this problem, businesses need to implement security strategies that include protecting customer data, strengthening security systems and training staff on security issues. In addition, a response plan should be in place for the event of a data leak, which includes informing customers, tracing the source of the leak and restoring security.


What can you do to protect your data after a cyber attack?

There are steps you can take to minimise the risk and protect your data.

  • Change your passwords: The first and most important step is to change your passwords immediately. Make sure you use strong passwords, a mixture of letters, numbers and symbols.
  • Activate two-step verification: Two-step verification adds an extra layer of security by requiring a second form of authentication.
  • Check your banking transactions: Review your banking transactions for any suspicious activity. If you see something you don't recognise, contact your bank immediately.
  • Keep track of your mail: Monitor your mail for messages from services or accounts you don't recognise. This may be the first sign that someone is trying to use your data.

SecNews, in accordance with journalistic ethics, has sent questions to the relevant executives of team.blue and ENARTIA and will publish the company's response in this article as soon as it receives it. The company is fully cooperating with the authorities and journalists and will answer all questions raised by the editorial team.

SecNews (https://secnews.gr)