Attackers took over the Perl.com domain in September 2020

The Perl.com domain was hijacked in January, but a senior editor at the site revealed that the hackers took control of the domain in September 2020.

The Perl.com domain was hijacked in January 2021, but according to Brian Foy, senior editor of Perl.com, the attack took place months before, in September 2020.

Attackers have taken over the official domain name of The Perl Foundation perl.com and pointed it to an IP address associated with malware campaigns.

The domain Perl.com was created in 1994 and was the official website for the Perl programming language, it is registered with the registrar key-systems(.)net.

“The perl.com domain was hijacked this morning, and is currently pointing to a parking site.  Work is ongoing to attempt to recover it.” reads the announcement published on the Perl NOC in January.

“We encourage you NOT to visit the domain, as there are some signals that it may be related to sites that have distributed malware in the past.”

The attackers changed the IP address from 151.101.2.132 to 35.186.238[.]101.

After the hackers took over the site, it was displaying a blank page whose HTML contains Godaddy parked domain scripts.

Shortly after the domain hijacking, perl.com was offered for sale for $190k on afternic.com.

“John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed.” wrote Foy. “The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder.”

The hijack took place in September, the domain was transferred in December to another registrar but the nameservers were not changed to avoid detection of the malicious activity. In January the domain was transferred again, at the end of January it was pointing to an IP address that was involved in past malware campaigns, including the distribution of Locky ransomware. Shortly after the second transfer, perl.com was offered for sale for $190k on afternic.com.

According to Foy, the attack might have resulted in the hack of several other domains.

“This part veers into some speculation, and Perl.com wasn’t the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on.” added Foy. “There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.”

The legitimate owner Tom Christiansen obtained back full control over the domain in early February.

The domain was back in the hands of Tom Christiansen, the rightful owner, in early February.

“The Perl.com domain is back in the hands of Tom Christiansen and we’re working on the various security updates so this doesn’t happen again. The website is back to how it was and slightly shinier for the help we received.” concludes Foy.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Perl.com)

[adrotate banner=”5″]

[adrotate banner=”13″]