External Threat Management

The Marketo Mess That Could Have Been Avoided

Marketo.com suffered an outage as a result of failing to renew the Marketo domain, an issue the likes of which happen all too often to organizations.

Earlier this morning, we got several complaints that our newly released, RiskIQ Community portal was being extremely slow to load. After meticulously preparing for the past week for this release, it was strange to hear about performance issues. Inspecting the website loading in Google Developer Tools revealed one site taking an abnormally long time to load, app-sj14.marketo.com.

Marketo provides marketing capabilities for our website and thousands of other websites around the world—at least 18,000 according to RiskIQ data, so if they were all loading slowly, there was surely a problem. Loading the website in the browser revealed a surprising page from Network Solutions: Marketo.com has not been renewed!

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

To discover more about how this happened, we reached back into RiskIQ Community and our PassiveTotal product. Fortunately, our team was quick with the hotfix which meant we could easily use the site with no delays. Inspecting the marketo.com domain within PassiveTotal reveals an interesting change on July 25th, a new IP address, 208.91.197.132, never-before-seen and not associated with Marketo. This IP address is the same web server hosting content for Network Solutions:

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

https://community.riskiq.com/search/208.91.197.132

Not only do the resolution records give us an idea of the change, but we can also inspect the “DNS” tab to see additional signs of a change in ownership. At the same time as the resolution change, we see new Nameserver and Mail server records to “pendingrenewaldeletion.com”:

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

So, how does this happen? What causes a domain with a registration history of several years to all of a sudden lapse in renewal? Simple: a lack of Digital Footprint management. If your organization has thousands of assets that need to be managed and a limited number of staff members to do so, mistakes will get made. In this case, the primary company domain failed to renew by the staff and was simply transferred to a holding location until it was bought back.

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Inspecting the Marketo domain reveals an interesting change on July 25th, a new IP address, never-before-seen and not associated with Marketo.

Mistakes like this are far too common and are easy to avoid. Setting the domain to auto-renewal is a sure-fire way to know that your infrastructure is safe. Beyond that, having a solid understanding of your externally facing digital assets - your digital footprint - is key to knowing when there’s an issue. Fortunately for Marketo, it appears like they recognized their mistake, but what would have happened if their domain was registered by a malicious actor? What if all the websites using Marketo began delivering malware?

In the age of digital, cyber threats operate quickly and having your website compromised by a third-party component or library is a real concern. RiskIQ specializes in Digital Footprint discovery and offers a number of solutions to not only research cyber threats, but proactively surface risks before they can turn into vulnerabilities.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor