Is the Mauritius Revenue Authority vulnerable to cybercrime?

December 4, 2014

I recently received a letter by the Mauritius Revenue Authority (MRA) regarding my annual returns. While I needed information on the same, I visited the MRA website in the beginning of the week. The website was inaccessible. The domain registration of mra.mu had expired in 2011 and MRA didn’t renew it. Therefore the domain name was suspended, resulting in the website’s inaccessibility.

Today the website was available again. I continued looking for information. In my quest I noticed unusual things and poor IT security. Digging further I found that there are at least two other domain names that show the same content as www.mra.mu. The domain names are as follows:

www.mramu.org www.mragovmu.org

Both of the above mentioned domains were registered through GoDaddy.com on 2 Dec 2014. It’s the same day as mra.mu was suspended. Domain names with .org are currently available at $8.99/year.

mra-poor-it-sec

Screenshot taken from GoDaddy website

The whois record of mra.mu is as follows:

Domain Name: mra.mu Domain ID: 63231-CoCCA WHOIS Server: Referral URL: Updated Date: 2014-12-03T13:20:25.823Z Creation Date: 2006-10-26T14:00:00.000Z Registry Expiry Date: 2018-10-26T14:00:00.000Z Sponsoring Registrar: Register.mu Sponsoring Registrar IANA ID: Domain Status: ok Name Server: dns1.intnet.mu Name Server: dns2.intnet.mu DNSSEC: unsigned Additional Section Sponsoring Registrar URL: http://www.register.mu Sponsoring Registrar Address: Port Louis Mauritius Sponsoring Registrar Country: MU Sponsoring Registrar Phone: Sponsoring Registrar Fax: +242.5305 Sponsoring Registrar Customer Service Contact: register.mu support Sponsoring Registrar Customer Service Email: support@register.mu

It does not mention Mauritius Revenue Authority anywhere. We cannot say if the website is owned by the Mauritius Revenue Authority by looking at the above extract.

However, the whois records of the other two domains, that is, mramu.org and mragovmu.org show that the domain names are registered in an individual’s name.

Domain Name:MRAMU.ORG Domain ID: D174700474-LROR Creation Date: 2014-12-02T12:57:18Z Updated Date: 2014-12-02T17:56:17Z Registry Expiry Date: 2015-12-02T12:57:18Z Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR) Sponsoring Registrar IANA ID: 146 WHOIS Server: Referral URL: Domain Status: clientDeleteProhibited Domain Status: clientRenewProhibited Domain Status: clientTransferProhibited Domain Status: clientUpdateProhibited Domain Status: serverTransferProhibited Domain Status: addPeriod Registrant ID:CR182409577 Registrant Name:Fawzi Codadeen Registrant Organization: Registrant Street: 14, Rue des Andreanum, Morc Montreal ,Coromandel Registrant City:Port Louis Registrant State/Province:N/A Registrant Postal Code:0000 Registrant Country:MU Registrant Phone:+230.57744007 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email:fawzic@gmail.com Admin ID:CR182409579 Admin Name:Fawzi Codadeen Admin Organization: Admin Street: 14, Rue des Andreanum, Morc Montreal ,Coromandel Admin City:Port Louis Admin State/Province:N/A Admin Postal Code:0000 Admin Country:MU Admin Phone:+230.57744007 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email:fawzic@gmail.com Tech ID:CR182409578 Tech Name:Fawzi Codadeen Tech Organization: Tech Street: 14, Rue des Andreanum, Morc Montreal ,Coromandel Tech City:Port Louis Tech State/Province:N/A Tech Postal Code:0000 Tech Country:MU Tech Phone:+230.57744007 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email:fawzic@gmail.com Name Server:DNS1.INTNET.MU Name Server:DNS2.INTNET.MU Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: Name Server: DNSSEC:Unsigned

There has been no public communique by the MRA regarding their website’s downtime on 2 Dec 2014, neither any announcement was made with regards to purchase or migration towards the new domains.

Cyber threat?

In light of the above information and if these domain names aren’t commissioned and managed by the MRA, then they can be used for malicious activities on the Internet.

Scenario

At the moment both domain names, that is, mramu.org and mragovmu.org load the same content as www.mra.mu. All three domain names point to the same web server.

If the two domain names, registered by an individual, are to be used with malicious intentions, a sub-domain like eservices.mramu.org could be created. The sub-domain would point to a server other than that of the Mauritius Revenue Authority. Taxpayers would be then prompted to do e-filing and pay their taxes online through that link.

While checking the homepage, under mramu.org, people would see the real content from Mauritius Revenue Authority. The sub-domain however will be managed by a cyber criminal.

Cyber threats & security incidents in Mauritius

On 4 Dec 2014, an article appeared on defimedia.info where S. Moonesamy stated the dangers of phishing in the event of a possible sale of gov.mu domain.

On Friday 28 Nov 2014, the National Computer Board organized a Cyber Security Conference¹. I questioned CERT-MU’s officer-in-charge regarding security incidents in Mauritius and the framework in-place to identify vulnerabilities & incidents. He didn’t say anything about security incidents in Mauritius and replied that CERT-MU has an effective « online reporting tool ». That reply was not to my satisfaction. The mentioned tool is an electronic PDF that does not work on Linux and BSD.

On 14 November 2014, l’express.mu published an article that highlighted the dangers pertaining to the migration of the Government Web Portal towards govmu.org.

[1] NCB: Cyber Security Conference