{"id":1482,"date":"2025-01-23T03:05:16","date_gmt":"2025-01-23T03:05:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/01\/23\/mastercard-dns-error-went-unnoticed-for-years\/"},"modified":"2025-01-23T03:05:16","modified_gmt":"2025-01-23T03:05:16","slug":"mastercard-dns-error-went-unnoticed-for-years","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/01\/23\/mastercard-dns-error-went-unnoticed-for-years\/","title":{"rendered":"MasterCard DNS Error Went Unnoticed for Years"},"content":{"rendered":"<div>\n<p>The payment card giant <strong>MasterCard<\/strong> just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.<\/p>\n<div id=\"attachment_70128\" style=\"width: 677px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-70128\" decoding=\"async\" class=\"size-full wp-image-70128\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/akamne.png?resize=667%2C478&#038;ssl=1\" alt=\"\" width=\"667\" height=\"478\"><\/p>\n<p id=\"caption-attachment-70128\" class=\"wp-caption-text\">A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.<\/p>\n<\/div>\n<p>From June 30, 2020 until January 14, 2025, one of the authoritative name servers that MasterCard\u2019s DNS records listed for part of the mastercard.com network was misspelled. 
MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider <strong>Akamai<\/strong> [DNS acts as a kind of Internet phone book, translating website names into the numeric Internet addresses that computers actually use].<\/p>\n<p>All of the Akamai DNS server names that MasterCard uses are supposed to end in \u201cakam.net,\u201d but one of them was entered as a host under the domain \u201c<strong>akam.ne<\/strong>\u201d instead.<\/p>\n<p>This tiny but potentially critical typo was discovered recently by <strong>Philippe Caturegli<\/strong>,\u00a0founder of the security consultancy <a href=\"https:\/\/www.seralys.com\/\" target=\"_blank\" rel=\"noopener\">Seralys<\/a>. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which falls under the top-level domain authority for the West African nation of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Niger\" target=\"_blank\" rel=\"noopener\">Niger<\/a>.<\/p>\n<p>Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn\u2019t the only organization that had fat-fingered a DNS entry to include \u201cakam.ne,\u201d but it was by far the largest.<\/p>\n<p>Had he enabled an email server on his new domain akam.ne and pointed the MX answers his name server gave at it, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he\u2019d abused his position, he probably could have <a href=\"https:\/\/krebsonsecurity.com\/2024\/08\/local-networks-go-global-when-domain-names-collide\/\" target=\"_blank\" rel=\"noopener\">obtained TLS certificates<\/a> for affected hostnames, because certificate authorities verify domain control with DNS lookups that his name server could have answered, and those certificates would have let a server he controlled pose as the affected websites. 
He may even have been able to <a href=\"https:\/\/krebsonsecurity.com\/2020\/02\/dangerous-domain-corp-com-goes-up-for-sale\/\" target=\"_blank\" rel=\"noopener\">passively receive Microsoft Windows authentication credentials<\/a> from employee computers at affected companies.<\/p>\n<p>But the researcher said he didn\u2019t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.<\/p>\n<p>\u201cWe have looked into the matter and there was not a risk to our systems,\u201d a MasterCard spokesperson wrote. \u201cThis typo has now been corrected.\u201d<\/p>\n<p>Meanwhile, Caturegli received a request submitted through <strong>Bugcrowd<\/strong>, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7285038365236682753\/\" target=\"_blank\" rel=\"noopener\">a post on LinkedIn<\/a> (after he\u2019d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.<\/p>\n<div id=\"attachment_70126\" style=\"width: 718px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70126\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-70126\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-response.png?resize=708%2C855&#038;ssl=1\" alt=\"\" width=\"708\" height=\"855\"><\/p>\n<p id=\"caption-attachment-70126\" class=\"wp-caption-text\">MasterCard\u2019s request to Caturegli, a.k.a. 
\u201cTiton\u201d on infosec.exchange.<\/p>\n<\/div>\n<p>Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.<\/p>\n<p>\u201cI did not disclose this issue through Bugcrowd,\u201d Caturegli wrote in reply. \u201cBefore making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.\u201d<\/p>\n<p>Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they spread the load over additional name servers. In MasterCard\u2019s case, that number is five, so one might expect that an attacker who seized control of just one of those five would see only about one-fifth of the overall DNS requests coming in.<\/p>\n<p>But Caturegli said the reality is that many Internet users rely at least to some degree on large public recursive resolvers like <strong>Cloudflare<\/strong> and <strong>Google<\/strong>, which query an authoritative server once and then serve the cached answer to everyone behind them.<\/p>\n<p>\u201cSo all we need is for one of these resolvers to query our name server and cache the result,\u201d Caturegli said. 
By answering with records that carry a long TTL, or \u201cTime To Live\u201d (the number of seconds a resolver may keep an answer in its cache before asking the authoritative servers again), an attacker makes sure that once a large shared resolver has cached the bogus answer, it keeps handing that answer to every client behind it for the whole TTL, no matter which of the five name servers it would otherwise have asked. Resolvers impose their own ceiling on how long they honor a TTL, but that ceiling is far longer than a single query.<\/p>\n<p>\u201cWith a long TTL, we may reroute a LOT more than just 1\/5 of the traffic,\u201d he said.<\/p>\n<p>The researcher said he\u2019d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.<\/p>\n<p>\u201cWe obviously disagree with this assessment,\u201d Caturegli wrote in <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7285038365236682753?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7285038365236682753%2C7285289297706909697%29&amp;dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287285289297706909697%2Curn%3Ali%3Aactivity%3A7285038365236682753%29\" target=\"_blank\" rel=\"noopener\">a follow-up post<\/a> on LinkedIn regarding MasterCard\u2019s public statement. 
\u201cBut we\u2019ll let you judge \u2014 here are some of the DNS lookups we recorded before reporting the issue.\u201d<\/p>\n<div id=\"attachment_70125\" style=\"width: 800px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70125\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-70125\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-domains.png?resize=790%2C561&#038;ssl=1\" alt=\"\" width=\"790\" height=\"561\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-domains.png 790w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-domains-768x545.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-domains-782x555.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/mastercard-domains-100x70.png 100w\" sizes=\"(max-width: 790px) 100vw, 790px\"><\/p>\n<p id=\"caption-attachment-70125\" class=\"wp-caption-text\">Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.<\/p>\n<\/div>\n<p>As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain <strong>az.mastercard.com<\/strong>. It is not clear exactly how this subdomain is used by MasterCard, but the naming convention suggests the hostnames correspond to production servers in Microsoft\u2019s <strong>Azure<\/strong> cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.<\/p>\n<p>\u201cDon\u2019t be like Mastercard,\u201d Caturegli concluded in his LinkedIn post. \u201cDon\u2019t dismiss risk, and don\u2019t let your marketing team handle security disclosures.\u201d<\/p>\n<p>One final note: The domain akam.ne had been registered before, in December 2016, by someone using the email address um-i-delo@yandex.ru. 
The Russian search giant Yandex reports this user account belongs to an \u201cIvan I.\u201d from Moscow. Passive DNS records from <a href=\"https:\/\/www.domaintools.com\/\" target=\"_blank\" rel=\"noopener\">DomainTools.com<\/a> show that between 2016 and 2018 the domain resolved to an Internet server in Germany, and that the domain was left to expire in 2018.<\/p>\n<p>This is interesting given <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7285038365236682753?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7285038365236682753%2C7285221445796835329%29&amp;replyUrn=urn%3Ali%3Acomment%3A%28activity%3A7285038365236682753%2C7285223757982363648%29&amp;dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287285221445796835329%2Curn%3Ali%3Aactivity%3A7285038365236682753%29&amp;dashReplyUrn=urn%3Ali%3Afsd_comment%3A%287285223757982363648%2Curn%3Ali%3Aactivity%3A7285038365236682753%29\" target=\"_blank\" rel=\"noopener\">a comment on Caturegli\u2019s LinkedIn post from an ex-Cloudflare employee<\/a> who linked to a report he co-authored on a similar typo domain, apparently registered in 2017 to catch traffic from organizations that may have mistyped their AWS DNS server as \u201c<strong>awsdns-06.ne<\/strong>\u201d instead of \u201c<strong>awsdns-06.net<\/strong>.\u201d DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru) and was hosted at the same German ISP, Team Internet (AS61969).<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/mastercard-dns-error-went-unnoticed-for-years\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MasterCard DNS Error Went Unnoticed for Years The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the 
company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,615,616,617,618,619,147,620,146,163,614,55,621,622,623],"tags":[72],"class_list":["post-1482","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-akam-ne","category-akam-net","category-akamai","category-awsdns-06-ne","category-az-mastercard-com","category-azure","category-bugcrowd","category-cloudflare","category-google","category-how-to-break-into-security","category-krebsonsecurity","category-mastercard","category-philippe-caturegli","category-seralys","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1482"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1482"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1482\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
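The delegation typo described in the article above (an NS record naming a22-65.akam.ne instead of a host under akam.net, and the awsdns-06.ne variant mentioned at the end) is something a zone owner can catch mechanically rather than waiting for a researcher to buy the domain. The Python audit below is an added example written for this page; it is not code from the article, from Seralys or from Akamai. It parses dig-style NS answers, checks each name server's domain against an allowlist of the DNS providers you actually use, and flags everything outside it, noting when the stray domain is within two edits of an expected one. The allowlist, the zone name example-zone.test and every sample hostname other than a22-65.akam.ne are assumptions constructed for illustration.

```python
# Added example for this page (not code from the article, Seralys or Akamai):
# audit a zone's NS delegation for name-server hostnames outside the DNS
# providers you actually use, and flag the ones that look like a typo of an
# expected provider domain (akam.ne for akam.net, awsdns-06.ne for awsdns-06.net).
import re
import socket

# Assumed allowlist of provider domains your NS records should live under.
EXPECTED_PROVIDER_DOMAINS = {
    'akam.net',
    'awsdns-06.net', 'awsdns-06.org', 'awsdns-06.com', 'awsdns-06.co.uk',
}

# Constructed dig-style NS answers. a22-65.akam.ne is the record the article
# shows for az.mastercard.com; every other hostname and zone here is made up.
SAMPLE_NS_ANSWERS = """
az.mastercard.com.   86400   IN  NS  a1-11.akam.net.
az.mastercard.com.   86400   IN  NS  a9-66.akam.net.
az.mastercard.com.   86400   IN  NS  a22-65.akam.ne.
example-zone.test.   172800  IN  NS  ns-1.awsdns-06.net.
example-zone.test.   172800  IN  NS  ns-2.awsdns-06.ne.
example-zone.test.   172800  IN  NS  ns1.oldprovider.example.
"""

NS_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$', re.IGNORECASE)


def parse_ns_answers(text):
    """Return (zone, ttl, ns_host) tuples from dig-style NS answer lines."""
    records = []
    for line in text.splitlines():
        match = NS_LINE.match(line.strip())
        if match:
            zone, ttl, host = match.groups()
            records.append((zone.rstrip('.').lower(), int(ttl), host.rstrip('.').lower()))
    return records


def provider_domain(ns_host):
    """Peel host labels off the left until what remains is an expected provider
    domain. If nothing matches, fall back to the last two labels; this is a
    heuristic, not a public-suffix lookup, so review what it reports."""
    labels = ns_host.split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in EXPECTED_PROVIDER_DOMAINS:
            return candidate
    return '.'.join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a dropped or swapped character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_delegations(text, max_typo_distance=2):
    """Return one finding per NS host whose provider domain is not allowlisted,
    naming the closest expected domain when the stray one is within a couple of edits."""
    findings = []
    for zone, ttl, host in parse_ns_answers(text):
        domain = provider_domain(host)
        if domain in EXPECTED_PROVIDER_DOMAINS:
            continue
        closest = min(EXPECTED_PROVIDER_DOMAINS, key=lambda d: edit_distance(domain, d))
        distance = edit_distance(domain, closest)
        findings.append({
            'zone': zone,
            'ttl': ttl,
            'ns_host': host,
            'unexpected_domain': domain,
            'probable_typo_of': closest if distance <= max_typo_distance else None,
        })
    return findings


def ns_host_resolves(host, timeout=3.0):
    """Live check, not exercised by the sample: does the NS host have an address?
    False means a lame delegation anyone could make live by registering the name;
    True is not a pass by itself, because akam.ne resolved fine once Caturegli owned it."""
    socket.setdefaulttimeout(timeout)
    try:
        socket.getaddrinfo(host, 53)
        return True
    except socket.gaierror:
        return False


if __name__ == '__main__':
    for finding in audit_delegations(SAMPLE_NS_ANSWERS):
        hint = ''
        if finding['probable_typo_of']:
            hint = ' (probable typo of ' + finding['probable_typo_of'] + ')'
        print(finding['zone'] + ': NS ' + finding['ns_host']
              + ' is under ' + finding['unexpected_domain'] + hint)
```

Feed it the output of `dig +noall +answer NS <zone>` for every zone and delegated subzone you own, and treat any finding as a ticket, whether or not the stray name currently resolves: the two-label fallback in provider_domain is only a heuristic, and the lesson of akam.ne is that an unregistered typo domain stays harmless exactly until somebody else registers it.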