
Cybersecurity Experts PwC Get One of Their Subdomains Hijacked By Porn Spam

It feels like it’s been months since I’ve been able to write about something that has nothing to do with coronavirus. Kind of a nice feeling, actually, I’ve forgotten what that’s like. Anyhoo, when my esteemed colleague Bramwell spotted this story the other day, he made sure to send it my way because apparently it’s my job to do the write-up any time porn and public accounting firms collide.

The Register reports:

A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records.

Developer and security researcher Vitali Fedulov told The Register this week he has twice now found the pwc.com subdomain hosting a roster of X-rated adverts to lure netizens to online smut emporiums, X-rated apps, blogs, and adult-only chat rooms. The material also shows up in web searches.

The subdomain, amyca-devapi.pwc.com, has since been taken offline – it no longer resolves to an IP address – though its entries in Google remain for now.

And yep, there they are.

Screenshot via The Register

The article continues:

Fedulov, who runs an image search engine, said two times is too many for such a large accountancy firm serving government contracts.

“Since the company provides security services, including for governments, I believe it is time to share the incidents to the public,” he said. “Also, because, from my communication with them, the company seems not interested in supporting the cyber-security community by, for example, offering bug bounty rewards, the way other large companies do it.”

“Bug bounties” are cold hard cash rewards for those individuals who find and report vulnerabilities in a company’s website, basically financial incentives for hackers to alert companies to security issues rather than exploit them. If you’re curious, here’s a massive list of companies that offer such incentives.

The Register article goes into the technical bits and pieces of how exactly this happened which we won’t waste your time with since you probably don’t care, but it’s worth pointing out it doesn’t seem like PwC systems were compromised.

Still, as Fedulov pointed out, it’s kind of embarrassing for a firm selling cybersecurity consulting services to find themselves lending Google juice to porn spam.
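The Register's technical details are not reproduced here, but the defensive check the first quoted paragraph calls for (keeping corporate DNS records from going stale) can be sketched. The example below is added here and is not from The Register, PwC or Fedulov; it assumes the takeover class is a CNAME left pointing at a third-party host that no longer resolves, which the article does not state, and it uses constructed zone lines and a constructed resolution table in place of live DNS lookups.

```python
import re

# Constructed sample zone export (BIND-style); these are not PwC's records.
SAMPLE_ZONE = """\
www.example.com.          300 IN A     203.0.113.10
api.example.com.          300 IN CNAME api-gw.example.com.
old-devapi.example.com.   300 IN CNAME old-devapi.cloudapp-host.example.net.
blog.example.com.         300 IN CNAME blog.saas-host.example.org.
"""

# Constructed stand-in for live resolution results (target -> IP, or None
# when the target no longer resolves, like the subdomain in the article).
SAMPLE_RESOLUTION = {
    "api-gw.example.com.": "203.0.113.20",
    "old-devapi.cloudapp-host.example.net.": None,
    "blog.saas-host.example.org.": "198.51.100.5",
}

# owner  TTL  IN  type  rdata  (only A and CNAME are considered here)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_zone(text):
    """Parse zone lines into (owner, type, rdata) tuples; skip anything else."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return records


def in_zone(name, zone):
    """True when name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def find_dangling(text, zone, resolve):
    """Return owners of CNAMEs that point outside the zone to a target that
    does not resolve (or is unknown). Internal CNAMEs stay under the zone
    owner's control, so only external targets are audited here."""
    dangling = []
    for owner, rtype, target in parse_zone(text):
        if rtype != "CNAME" or in_zone(target, zone):
            continue
        if resolve.get(target) is None:
            dangling.append(owner)
    return dangling
```

In practice the resolution table would be filled from a resolver; any owner returned deserves a record deletion or a reclaimed target before someone else registers it.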
