The Freename Forum

By changing the WHOIS domain, it was possible to give hackers access to sensitive data.

The .mobi registry Identity Digital Limited has made a rookie mistake with considerable potential for damage. Hackers from WatchTowr had noticed that the domain for the .mobi WHOIS server had changed from whois.dotmobiregistry.net to whois.nic.mobi. The now unused domain dotmobiregistry.net had been allowed to expire by the registry in December 2023, so the hackers snapped it up for US$ 20. On Friday, August 30, 2024, they then set up a WHOIS server at whois.dotmobiregistry.net to see if there were any requests. The result was astonishing from the hackers' point of view: by September 4, 2024, there had been 2.5 million requests, including from various mail servers under .gov and .mil. Above all, however, it was discovered that numerous certification authorities responsible for issuing TLS/SSL certificates for domains such as google.mobi and microsoft.mobi were using the WHOIS server via the “Domain Email Validation” mechanism to determine the owners of a domain and where to send the verification data. “Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” said the hackers. Anyone letting a domain expire should therefore be really sure that they no longer need it.

You can find more information about the .mobi breakdown at:
https://labs.watchtowr.com/we-spent-20- ... s-of-mobi/