Zoho taken offline by domain registrar for phishing violations
CRM service Zoho disappeared from the internet after its domain registrar suspended it for failing to deal with phishing appropriately.
TierraNet blacklisted Zoho.com after receiving complaints about phishing emails sent from Zoho-hosted accounts. This left many businesses unable to access their documents, address books and emails, causing chaos. Zoho has said that in order to ensure such an occurrence is never repeated, it will become a domain registrar itself.
Zoho CEO Sridhar Vembu used Twitter to complain about his company being taken offline without warning, and said that TierraNet was difficult to reach to get the matter resolved. After many hours of disruption, it seems that the problem has been addressed, but some customers continue to face issues. Vembu offered some advice in a retweet:
To all those still experiencing issues, it takes 24-48 for DNS Records to fully propagate around the world. Use https://t.co/Eg1uq6DmLg to search for the subdomain you need, and if you're using Windows, try adding the A record to your hosts file. I'm in to Invoice using that way.
— VJ CyberTangle (@keithgallagher) September 24, 2018
So what was the problem? The Zoho CEO penned a lengthy blog post to try to explain:
Here's what happened. Our domain name registrar blacklisted (shut down) our domain. (Registrars are independent organizations that manage the reservation of internet domain names. The registrar does not host any Zoho site, they simply register the zoho.com domain name.) The blacklist lasted about an hour before it was restored. This means any incoming services request to Zoho.com cannot get resolved into the proper IP address that can deliver the services (although the service is still up at the specific IP address). The shutdown impacted some, but not all, customers who tried to use any Zoho service. Unfortunately, domain names still remain a single point of failure in the system.
The shutdown was done by an automatic algorithm in response to phishing complaints against Zoho. (Phishing is a fraudulent attempt by a malicious third party to impersonate a legitimate email address for nefarious activity, like fake invoicing). Phishing has successfully targeted all major email services providers around the globe. Phishing is rampant and mail services providers like Zoho have devised multiple methods to combat it like blacklisting, flagging suspicious emails, scanning, smart filters, and other methods. According to Symantec, 76% of all organizations have reported falling victim to phishing attacks in 2017.
In this case, the registrar received 3 phishing complaints over the last two months (from recipients of third parties' phishing messages impersonating Zoho mail), 2 of which were addressed immediately and 1 was under investigation. To put these numbers in context, just one security service company blocked 51 million phishing attempts in 2017.
Somehow this automated algorithm decided to shut down the Zoho domain based on these 3 cases -- without prior warning of the shutdown, or investigation into the traffic supported by this domain. Let me also be clear that there was no cyber attack on Zoho.
Vembu conceded that while the problem has been addressed, issues remain for many customers. By way of reassurance, he says that Zoho has now migrated to Cloudflare as its registrar, but it seems that this is not the long-term solution. He closes his blog post saying:
You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by automated algorithms of others. We will be a domain registrar ourselves.