It feels like it’s been months since I’ve been able to write about something that has nothing to do with coronavirus. Kind of a nice feeling, actually, I’ve forgotten what that’s like. Anyhoo, when my esteemed colleague Bramwell spotted this story the other day, he made sure to send it my way because apparently it’s my job to do the write-up any time porn and public accounting firms collide.
A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records.
Developer and security researcher Vitali Fedulov told The Register this week he has twice now found the pwc.com subdomain hosting a roster of X-rated adverts to lure netizens to online smut emporiums, X-rated apps, blogs, and adult-only chat rooms. The material also shows up in web searches.
The subdomain, amyca-devapi.pwc.com, has since been taken offline – it no longer resolves to an IP address – though its entries in Google remain for now.
And yep, there they are.
The article continues:
Fedulov, who runs an image search engine, said two times is too many for such a large accountancy firm serving government contracts.
“Since the company provides security services, including for governments, I believe it is time to share the incidents to the public,” he said. “Also, because, from my communication with them, the company seems not interested in supporting the cyber-security community by, for example, offering a bug bounty rewards, the way other large companies do it.”
“Bug bounties” are cold hard cash rewards for those individuals who find and report vulnerabilities in a company’s website, basically financial incentives for hackers to alert companies to security issues rather than exploit them. If you’re curious, here’s a massive list of companies that offer such incentives.
The Register article goes into the technical bits and pieces of how exactly this happened which we won’t waste your time with since you probably don’t care, but it’s worth pointing out it doesn’t seem like PwC systems were compromised.
Still, as Fedulov pointed out, it’s kind of embarrassing for a firm selling cybersecurity consulting services to find themselves lending Google juice to porn spam.
