The Marketo Mess That Could Have Been Avoided

marketo blunder

Marketo.com suffered an outage as a result of failing to renew the Marketo domain, an issue the likes of which happen all too often to organizations.

Earlier this morning, RiskIQ got several complaints that their newly released, RiskIQ Community portal was being extremely slow to load. After meticulously preparing for the past week for this release, it was strange to hear about performance issues. Inspecting the website loading in Google Developer Tools revealed one site taking an abnormally long time to load, app-sj14.marketo.com.

Marketo provides marketing capabilities for our website and thousands of other websites around the world—at least 18,000 according to RiskIQ data, so if they were all loading slowly, there was surely a problem. Loading the website in the browser revealed a surprising page from Network Solutions: Marketo.com has not been renewed!

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-1 The new Marketo.com

To discover more about how this happened, RiskIQ’s team reached back into RiskIQ Community and our PassiveTotal product. Their team was quick with the hotfix which meant we could easily use the site with no delays. Inspecting the marketo.com domain within PassiveTotal reveals an interesting change on July 25th, a new IP address, 208.91.197.132, never-before-seen and not associated with Marketo. This IP address is the same web server hosting content for Network Solutions:

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-2 An unusual IP address

 

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-3 Resolution records in PassiveTotal

Not only do the resolution records give us an idea of the change, but we can also inspect the “DNS” tab to see additional signs of a change in ownership. At the same time as the resolution change, we see new Nameserver and Mail server records to “pendingrenewaldeletion.com”:

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-4 New Nameserver and Mail server records

So, how does this happen? What causes a domain with a registration history of several years to all of a sudden lapse in renewal? Simple: a lack of Digital Footprint management. If your organization has thousands of assets that need to be managed and a limited number of staff members to do so, mistakes will get made. In this case, the primary company domain failed to renew by the staff and was simply transferred to a holding location until it was bought back.

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-5 Marketo’s communication to customers today

 

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Fig-6 Marketo’s service disruption notification

Mistakes like this are far too common and are easy to avoid. Setting the domain to auto-renewal is a sure-fire way to know that your infrastructure is safe. Beyond that, having a solid understanding of your externally facing digital assets – your digital footprint – is key to knowing when there’s an issue. Fortunately for Marketo, it appears like they recognized their mistake, but what would have happened if their domain was registered by a malicious actor? What if all the websites using Marketo began delivering malware?

In the age of digital, threats operate quickly and having your website compromised by a third-party component or library is a real concern. RiskIQ specializes in Digital Footprint discovery and offers a number of solutions to not only research threats, but proactively surface risks before they can turn into vulnerabilities.

Spread the love
Previous ArticleNext Article

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *