MasterCard DNS Error Went Unnoticed for Years
The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.
From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].
All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.”
This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West African nation of Niger.
Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.
Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.
But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.
“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”
Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.
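One defensive check that follows from this story is to audit a zone's own NS delegation for name servers whose apex domain is not an expected provider domain, and to call out those that sit a single edit away from one (akam.ne versus akam.net). This is an added example, not the researcher's or MasterCard's code; the Akamai-only allowlist and the four well-formed server names are assumptions, and the input is constructed around the a22-65.akam.ne record shown above.

```python
"""Audit a zone's NS delegation for typo'd name-server hostnames."""
from dataclasses import dataclass

# Provider domains the zone owner expects its name servers to live under
# (assumption for this example: Akamai's akam.net is the only one).
EXPECTED_NS_DOMAINS = {"akam.net"}

# Constructed sample delegation modelled on the article: four well-formed
# Akamai servers (labels made up) plus the a22-65.akam.ne record it shows.
SAMPLE_NS = [
    "a1-23.akam.net.",
    "a9-64.akam.net.",
    "a11-67.akam.net.",
    "a13-66.akam.net.",
    "a22-65.akam.ne.",
]

@dataclass
class Finding:
    nameserver: str        # NS hostname as delegated
    registrable: str       # its apex domain, e.g. akam.ne
    closest_expected: str  # nearest allowlisted provider domain
    distance: int          # edits between the two; 1 means a likely typo

def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname; enough for provider domains like
    akam.net (a real public-suffix list would be needed for co.uk etc.)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_delegation(ns_records, expected=EXPECTED_NS_DOMAINS):
    """Return a Finding for every NS whose apex domain is not allowlisted."""
    findings = []
    for ns in ns_records:
        reg = registrable_domain(ns)
        if reg in expected:
            continue
        closest = min(expected, key=lambda e: edit_distance(reg, e))
        findings.append(Finding(ns, reg, closest, edit_distance(reg, closest)))
    return findings
```

Running `audit_delegation(SAMPLE_NS)` yields a single finding for a22-65.akam.ne, one edit from akam.net; feeding it the NS set returned by a live lookup of your own zones turns it into a periodic delegation check.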

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.
Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.
“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”
Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.
But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like Cloudflare and Google.
“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By setting their DNS server records with a long TTL or “Time To Live” — a setting that controls how long resolvers may keep a DNS record in their cache — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers.
“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.
The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.
“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge — here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.
As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain az.mastercard.com. It is not clear exactly how this subdomain is used by MasterCard; however, their naming conventions suggest the domains correspond to production servers at Microsoft’s Azure cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.
“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”
One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.
This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “awsdns-06.ne” instead of “awsdns-06.net.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).
Microsoft: Happy 2025. Hereβs 161 Security Updates
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7’s Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it, CVE-2025-21335. These are sequential because all reside in Windows Hyper-V, a component that is heavily embedded in modern Windows 11 operating systems and used for security features including Device Guard and Credential Guard.
Tenable’s Satnam Narang says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all “privilege escalation” vulnerabilities. Narang said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit.
“As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system,” he said. “It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.”
Several bugs addressed today earned CVSS (threat rating) scores of 9.8 out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, documents typically opened on Office applications like Microsoft Word. Microsoft has rated this flaw “exploitation more likely.”
Ben Hopkins at Immersive Labs called attention to CVE-2025-21311, a 9.8 “critical” bug in Windows NTLMv1 (NT LAN Manager version 1), an older Microsoft authentication protocol that is still used by many organizations.
“What makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the internet, and the attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component,” Hopkins wrote.
Kev Breen at Immersive points to an interesting flaw (CVE-2025-21210) that Microsoft fixed in its full disk encryption suite Bitlocker that the software giant has dubbed “exploitation more likely.” Specifically, this bug holds out the possibility that in some situations the hibernation image created when one closes the laptop lid on an open Windows session may not be fully encrypted and could be recovered in plain text.
“Hibernation images are used when a laptop goes to sleep and contains the contents that were stored in RAM at the moment the device powered down,” Breen noted. “This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files.”
Tenableβs Narang also highlighted a trio of vulnerabilities in Microsoft Access fixed this month and credited to Unpatched.ai, a security research effort that is aided by artificial intelligence looking for vulnerabilities in code. Tracked as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395, these are remote code execution bugs that are exploitable if an attacker convinces a target to download and run a malicious file through social engineering. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142).
“Automated vulnerability detection using AI has garnered a lot of attention recently, so it’s noteworthy to see this service being credited with finding bugs in Microsoft products,” Narang observed. “It may be the first of many in 2025.”
If you’re a Windows user who has automatic updates turned off and haven’t updated in a while, it’s probably time to play catch up. Please consider backing up important files and/or the entire hard drive before updating. And if you run into any problems installing this month’s patch batch, drop a line in the comments below, please.
Further reading on today’s patches from Microsoft: