Publications
Partners
The website domain belonging to the predecessor of the Companies and Intellectual Property Commission (CIPC) was scooped up by a man from Mexico late last week after its registration lapsed.
The CIPC is responsible for registering South African companies and co-operatives, as well as keeping a registry of their directors and contact details.
The transfer of the website's ownership gives the new owner the potential to distribute legitimate-looking phishing emails which could be crafted to steal the login details and personal information of legitimate business owners.
This is because the new owner, Miguel Antonio Gomez, gained access to the @cipro.co.za range of email addresses when he took over the site. As such, he has the ability to create any @cipro.co.za email address he chooses.
This could be used as a very convincing avenue for conducting phishing attacks.
From CIPRO to CIPC
The CIPC was established in terms of the 2008 Companies Act by amalgamating the Office of Companies and Intellectual Property Enforcement, and the Companies and Intellectual Property Registration Office, or CIPRO.
The change included new branding and a new website www.cipc.co.za.
"CIPRO ceased to exist in 2011", Andre Kritzinger, Executive Manager: Business Intelligence and Systems Group at the CIPC, told News24.
But while CIPRO ceased to exist, its websites remained.
Following the change to the CIPC, the www.cipro.gov.za and www.cipro.co.za websites did set up landing pages to refer users to the new CIPC website found at www.cipc.co.za.
But despite removing all links from these landing pages, a user could still access CIPRO’s company name search function by entering the website URL manually.
In layman’s terms, the website had closed its curtains, but hadn't removed any of its furniture.
After a successful query, the search function found on the website would provide a user with links back to the main www.cipro.co.za website, where the results would be displayed.
That was until Gomez obtained the ownership of www.cipro.co.za.
Links to suspicious website
On 17 August 2018 the www.cipro.co.za website was registered to Mr Miguel Gomez, a resident of Meoquoi in the northern Mexican state of Chihauhua.
Now, attempting to access www.cipro.co.za will redirect your browser to a Czech website, www.horux.cz. The website contains several adverts for forex trading, online MBAs, insurance, and the like. This site uses the same Google Adsense ID and Analytics code as other sites registered to Gomez.
The site was mentioned in a Facebook post from October 2017, in which the poster offered Russian email accounts for sale, along with what appears to be a price-list for hacking services.
Gomez has numerous websites registered to his name, spanning several geographical regions.
Using Google Adsense and Google Analytics codes, Gomez was traced to at least 16 other websites, ranging from Japanese, Czechoslovakian, Russian and Mexican websites. More than 100 websites have been registered to a "Miguel Gomez", although not all of them can conclusively be linked to the same Gomez that bought the www.cipro.co.za site.
But along with the transfer of the website domain name, an even more worrying consequence, according to security analysts, is that Gomez also obtained the @cipro.co.za email account, essentially allowing him to create, send and receive emails that could appear legitimate to unwary consumers.
Ettienne Burke-le Roux, a lead security analyst at cybersecurity consultants Sensepost, told News24 that this could expose South African business owners to a major security risk.
"This opens an effective avenue for phishing attacks against business owners. An apparently legitimate email from @cipro.co.za email address could easily contain a phishing link to a cloned website of the CIPC. If the user can be convinced to enter or update their account details, the new website owners will have access to all of that information. This poses a major security risk for these users."
Having access to the mail server also means that any account recovery and password reset emails sent to the @cipro.co.za address can be accessed by Gomez, and in turn used to reset those accounts.
Willem Mouton, an associate analyst at Sensepost said this information could also be used with information contained in other data breaches to provide attackers with targeted phishing campaigns, also called "spear phishing". He used the example of the leaked deeds property database leaked late in 2017, which contained 60 million records of both living and deceased South Africans.
"Any emails sent to a cipro.co.za address will be accessible to the new owners. They could use it to reset account passwords and gain access to social media and other email accounts. The emails accidentally sent to cipro.co.za could be cross-referenced with other data-breaches to create a highly convincing social engineering attack. Just last year a data-dump containing 60 million records was leaked, which included employment details, directorship and business ownership status."
CIPC responds
In response to question sent by News24, the CIPC’s Kritzinger indicated that the responsibility for maintaining .gov.za websites lies with the State Information Technology Agency (SITA).
"The domain names, cipro.co.za, cipro.com, cipro.net and cipro.org are no longer of interest to CIPC. Both CIPRO and consequently CIPC have never had any mail addresses linked to @cipro.co.za. We can confirm that no mails have reticulated through this manner. We can also confirm that cipro.co.za does not resolve to cipc.co.za. any longer. There were and are therefore no mail or transactional resolutions to the cipc.co.za site."
He also urged stakeholders to remain vigilant when engaging online.
"Phishing on websites, CIPC included, is a daily occurrence. We are confident that our systems are secure.
"Users and stakeholders of all systems still need to be aware of the dangers of phishing. We will continue to engage with stakeholders, including the potential blocking of domains such as cipro.co.za in South Africa, to obviate confusion in this regard."
At the time of publication, Gomez had not responded to questions sent to his email address, although News24 was sent a phishing link from an unknown address shortly after submitting the questions to Gomez.
* SUBSCRIBE FOR FREE UPDATE: Get Fin24's top morning business news and opinions in your inbox.
