December 4, 2014
I recently received a letter by the Mauritius Revenue Authority (MRA) regarding my annual returns. While I needed information on the same, I visited the MRA website in the beginning of the week. The website was inaccessible. The domain registration of mra.mu had expired in 2011 and MRA didn’t renew it. Therefore the domain name was suspended, resulting in the website’s inaccessibility.
Today the website was available again. I continued looking for information. In my quest I noticed unusual things and poor IT security. Digging further I found that there are at least two other domain names that show the same content as www.mra.mu. The domain names are as follows:
Both of the above mentioned domains were registered through GoDaddy.com on 2 Dec 2014. It’s the same day as mra.mu was suspended. Domain names with .org are currently available at $8.99/year.
The whois record of mra.mu is as follows:
It does not mention Mauritius Revenue Authority anywhere. We cannot say if the website is owned by the Mauritius Revenue Authority by looking at the above extract.
However, the whois records of the other two domains, that is, mramu.org and mragovmu.org show that the domain names are registered in an individual’s name.
There has been no public communique by the MRA regarding their website’s downtime on 2 Dec 2014, neither any announcement was made with regards to purchase or migration towards the new domains.
In light of the above information and if these domain names aren’t commissioned and managed by the MRA, then they can be used for malicious activities on the Internet.
At the moment both domain names, that is, mramu.org and mragovmu.org load the same content as www.mra.mu. All three domain names point to the same web server.
If the two domain names, registered by an individual, are to be used with malicious intentions, a sub-domain like eservices.mramu.org could be created. The sub-domain would point to a server other than that of the Mauritius Revenue Authority. Taxpayers would be then prompted to do e-filing and pay their taxes online through that link.
While checking the homepage, under mramu.org, people would see the real content from Mauritius Revenue Authority. The sub-domain however will be managed by a cyber criminal.
Cyber threats & security incidents in Mauritius
On 4 Dec 2014, an article appeared on defimedia.info where S. Moonesamy stated the dangers of phishing in the event of a possible sale of gov.mu domain.
On Friday 28 Nov 2014, the National Computer Board organized a Cyber Security Conference1. I questioned CERT-MU’s officer-in-charge regarding security incidents in Mauritius and the framework in-place to identify vulnerabilities & incidents. He didn’t say anything about security incidents in Mauritius and replied that CERT-MU has an effective « online reporting tool ». That reply was not to my satisfaction. The mentioned tool is an electronic PDF that does not work on Linux and BSD.
On 14 November 2014, l’express.mu published an article that highlighted the dangers pertaining to the migration of the Government Web Portal towards govmu.org.