Cyber Incident Victim: Newtek Business Services Corp.
Date: Feb 2018
Location: United States of America
Summary
Newtek Business Services Corp. experienced a domain hijacking attack where three core domains were stolen by a Vietnamese hacker, disrupting customer websites and email services. The attacker replaced a critical login portal with a live chat interface, potentially intercepting sensitive communications and credentials. Initially attributing the outage to security enhancements, the company later acknowledged the domain dispute and warned customers to avoid interacting with compromised domains. Evidence suggests the perpetrator was likely a customer who exploited a vulnerability in Newtek's services after receiving no response to prior notifications. The incident exposed inadequate communication practices, as the company failed to prominently alert users or mandate password resets despite ongoing data interception risks.
Description
On February 10, 2018, Newtek Business Services Corp. experienced a domain hijacking incident affecting three core domains: webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com. A Vietnamese hacker gained unauthorized control of these domains, disrupting web hosting and email services for thousands of Newtek's customers. The attacker replaced the legitimate login page at webcontrolcenter[dot]com—a portal used by customers to manage their websites—with a live chat service, redirecting support inquiries to himself. Newtek initially notified customers via email late on February 10 without disclosing the breach, attributing the domain changes to "increased" security measures. Ten hours later, a follow-up email acknowledged a "dispute" over the domains and warned customers to avoid interacting with the compromised sites, noting an unidentified third party was engaging users through the chat interface. The hijacker claimed to have alerted Newtek about a security bug five days prior to the attack but received no response. Forensic clues linked the attacker to Vietnam, including the transfer of two domains to the Vietnamese registrar inet.vn and social media profiles tied to the email [email protected] used by the perpetrator. Domain registration records revealed the attacker had previously registered giakiemnew[dot]com through Newtek’s own domain services, suggesting prior access to the company’s systems.

The hijacking caused widespread operational disruptions, stranding business websites and disabling email for Newtek’s clients. A reseller of Newtek’s services reported spending the weekend assisting customers with account recovery, criticizing the company’s failure to clearly communicate risks such as potential credential harvesting by the attacker. Newtek did not implement immediate password resets or post incident notices on its homepage, relying solely on email alerts that many customers could not access due to email outages. The compromised domains were critical to Newtek’s operations as a provider of web hosting, cloud solutions, and business services to over 100,000 websites and 40,000 managed accounts. While the attacker did not deploy malware or phishing campaigns, the hijacking created opportunities for data interception and eroded customer trust. Newtek did not publicly respond to media inquiries or clarify whether the "bug" referenced by the hacker was exploited to facilitate the domain transfers. The incident highlighted vulnerabilities in Newtek’s domain management practices, particularly the lack of safeguards against unauthorized transfers and delayed breach notifications. Service disruptions persisted for an unspecified duration as customers were instructed to cease using the hijacked domains entirely.
