Embarrassing domain mishap for the international payment service provider Mastercard: because they accidentally forgot a “t” in a domain, the door was open to cyber criminals for years. As things stand at present, no damage has been done.
As security expert Brian Krebs reports, Mastercard relies on five so-called “shared Domain Name System (DNS) servers” from internet service provider Akamai to process its data traffic. Between June 30, 2020 and January 14, 2025, one of these central servers, which Mastercard uses to route traffic for parts of the mastercard.com network, was misconfigured. The misconfiguration was due to a typo: all Akamai DNS server names used by Mastercard were supposed to end in the domain akam.net; however, a single server had the entry akam.ne, or more precisely a22-65.akam.ne. Mastercard's downfall was that .ne is a functioning top-level domain, namely that of the state of Niger. There are similar problems with .com domains; here the Colombian country code .co repeatedly benefits from incorrect .com domain entries.
In the case of akam.ne, the critical typo was discovered by Philippe Caturegli, founder of the security consultancy firm Seralys. According to Caturegli, it took him US$300 and almost three months of waiting to register the domain akam.ne with the registry Sonitel in Niger. Sonitel's website, intnet.ne, is currently unavailable.
If cyber criminals had exploited this loophole, the potential damage would have been enormous. Caturegli reports that hundreds of thousands of DNS requests from all over the world were received on his server every day. While Mastercard was not the only organization that had inadvertently created a DNS record with akam.ne, it was by far the largest. Had he activated an email server on his akam.ne domain, Caturegli would likely have received unwanted emails directed to mastercard.com or other affected domains.
However, he did not do this, but instead informed Mastercard and offered to transfer the domain. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure,” said Caturegli. A few hours later, Mastercard acknowledged the mistake. “We have looked into the matter and there was not a risk to our systems,” said a spokesperson. “This typo has now been corrected.”
As Brian Krebs further reports, Caturegli was not the first owner of the akam.ne domain. In December 2016, it was registered to a person who was or is reachable by email via the Russian search engine provider Yandex at um-i-delo@yandex.ru. According to passive DNS records from domaintools.com, the domain was connected to a server in Germany between 2016 and 2018 and had expired by 2018.
For anyone who sends and receives sensitive data on a large scale, the Mastercard case is a renewed wake-up call, not least in light of the GDPR and NIS-2, to pay attention to the effective management of their own domain portfolio. Such easily avoidable mistakes can quickly lead to serious risks for a company, not to mention damage and fines. And they show once again that your own .brand offers opportunities to obtain and retain control over sensitive data.
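One way to catch a delegation typo like akam.ne during routine domain-portfolio checks is to compare every nameserver in a zone's NS set against the parent domain the others share. The following is an added example, not code from Mastercard, Akamai or the Krebs article; the function names, the two-label parent-zone heuristic and every hostname except a22-65.akam.ne are assumptions constructed for illustration.

```python
from collections import Counter

def parent_zone(host, labels=2):
    """Last `labels` labels of a hostname (simplification: no public suffix list)."""
    parts = host.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_ns(ns_hosts, max_distance=2):
    """Return (expected_zone, findings) for one zone's NS set.

    The expected zone is the parent domain most nameservers share. Any
    nameserver outside it is reported; if its parent domain is within
    `max_distance` edits of the expected one it is labelled a likely typo.
    """
    zones = Counter(parent_zone(h) for h in ns_hosts)
    expected, _ = zones.most_common(1)[0]
    findings = []
    for host in ns_hosts:
        zone = parent_zone(host)
        if zone != expected:
            near = edit_distance(zone, expected) <= max_distance
            findings.append((host, zone, "likely typo" if near else "different provider"))
    return expected, findings

# Constructed NS set: four placeholder names under akam.net plus the
# misspelled entry quoted in the article. In practice the list would come
# from the NS records actually published for the zone.
SAMPLE_NS = [
    "example-ns1.akam.net.", "example-ns2.akam.net.",
    "example-ns3.akam.net.", "example-ns4.akam.net.",
    "a22-65.akam.ne.",
]

if __name__ == "__main__":
    expected, findings = audit_ns(SAMPLE_NS)
    print("expected parent zone:", expected)
    for host, zone, verdict in findings:
        print(f"{host} -> {zone}: {verdict}")
```

A nameserver flagged as "different provider" is not necessarily wrong, since zones can legitimately use more than one DNS provider, but a "likely typo" finding warrants checking who controls the flagged domain.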
You can find the article by Brian Krebs at:
https://krebsonsecurity.com/2025/01/mas ... for-years/