Attack Surface Management: A Look into Wild Domain and Subdomain Footprints

by @jonathan.zhang, WhoisXML API

Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.

Attack surfaces comprise the many ways threat actors can exploit a connected environment to access confidential data, and surfaces tend to get larger as organizations take steps toward digital transformation.

As part of these surfaces, we noticed the growing presence of wild domains and subdomains. “Wild,” in this case, means that the domains contain the names of large brands and organizations, though their legitimacy is hard to establish since there is no public evidence of their ownership. In short, we can’t say for sure who is behind these domains and associated subdomains, which is risky from a cybersecurity standpoint.

We refer to the sum of these wild domains as “domain attack surfaces.” That is because wild domains could arguably figure in cyber attacks and damage the reputation of impersonated organizations.

To illustrate, we recently conducted a study that looked at the domain and subdomain footprints of 10 of the world’s most imitated brands today, namely:

  • Amazon
  • Apple
  • Bank of America
  • CIBC
  • Desjardins
  • Facebook
  • Microsoft
  • Netflix
  • PayPal
  • WhatsApp

A combination of Domain Name System (DNS), WHOIS, and IP intelligence sources, available as part of WhoisXML API’s Attack Surface Management (ASM) Solutions, was used to uncover and study the wild domains and subdomains that contain the companies’ brand names. Here are some of our key findings.

1. Companies Could Be Dealing with Thousands of Vectors

On average, the detected domain attack surface size of the 10 spoofed brands comprised as many as 17,734 domains and subdomains. Apple had the largest potential domain attack surface, with 54,187 possibly suspicious domains and subdomains. CIBC had the smallest, but the count still reached more than 1,000 domains and subdomains.

These numbers include subdomains (WARNING -- do not visit) that contain the brand names, such as:

Most of the examples above have been tagged as “verified phishing sites” by PhishTank. They also give us a glimpse of the threat actors’ tactics, which could include registering seemingly innocent or random-looking root domains and setting up subdomains that could contain the brand names later on—all that in an attempt to look legitimate and trustworthy.

2. Typosquatting Domains Can Inflate Domain Attack Surfaces

Aside from subdomains that contain the spoofed brand names, the domain attack surface could also include typosquatting domains, that is, domain names that use misspelled variations of the brand. Our study found that typosquatting domains could amplify the total domain attack surface of the 10 brands by more than 8,000%.

A total of 369 root domains in the study were found via our Typosquatting Data Feed, but more than 29,000 unique typosquatting domains were found across all 10 brands. Note that the 8,000% figure compares the typosquatting domains with those 369 root domains, not with the subdomain-inclusive counts in finding 1: more than 29,000 against 369 is roughly an 80-fold increase. Table 1 shows the number of typosquatting domains found for each brand, along with the percentage by which the domain attack surface size could increase when they are taken into account.
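The two tactics described in findings 1 and 2 (a brand name tucked into a subdomain label under an unrelated root domain, and a misspelled brand used as the root domain itself) can be modelled with a small classifier. The code below is an added example, not code from the study or from WhoisXML API's products: the brand, the owned-domain allowlist, the cut-down public-suffix list, the keyboard-adjacency map and the sample hostnames are all constructed for illustration, and the ".invalid" reserved TLD is used so that no suspicious sample names a real registrable domain.

```python
"""Added example: sorting hostnames into a brand's domain attack surface.

It models the two tactics described in findings 1 and 2: brand names placed
in subdomain labels under unrelated root domains, and typosquatting root
domains. The brand, owned-domain allowlist, suffix list, keyboard map and
sample hostnames are all constructed for illustration; none are data from
the WhoisXML API study.
"""

# Constructed: a tiny public-suffix list. Real tooling should load the full
# Public Suffix List (publicsuffix.org); multi-label suffixes such as
# "co.uk" are why a naive "last two labels" split gets the registrable
# domain wrong. ".invalid" is a reserved TLD, used so the suspicious
# samples below never name a real registrable domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "invalid"}

# Constructed: keyboard adjacency for a few letters, enough to show
# substitution typos. A real generator covers the whole layout plus
# homoglyphs, bitsquats and TLD swaps.
ADJACENT = {"a": "qwsz", "e": "wrsd", "l": "kop", "p": "ol"}

BRAND = "apple"
OWNED_DOMAINS = {"apple.com", "apple.co.uk"}   # constructed allowlist

# Constructed sample hostnames, annotated with the expected verdict.
SAMPLE_HOSTS = [
    "www.apple.com",                      # owned
    "store.apple.co.uk",                  # owned (needs co.uk suffix handling)
    "apple.login-verify.invalid",         # brand-in-subdomain
    "id.apple.secure-update.invalid",     # brand-in-subdomain
    "apple-support.invalid",              # brand-in-root
    "aplpe.invalid",                      # typosquat (transposition)
    "appple.invalid",                     # typosquat (repeated letter)
    "news.example.com",                   # unrelated
]


def split_hostname(host):
    """Return (subdomain_labels, registrable_domain, suffix).

    The longest matching public suffix wins, so 'x.co.uk' yields
    ([], 'x.co.uk', 'co.uk') rather than (['x'], 'co.uk', 'uk').
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            sub = labels[: -n - 1]
            registrable = f"{labels[-n - 1]}.{suffix}"
            return sub, registrable, suffix
    raise ValueError(f"no known public suffix in {host!r}")


def typosquats(brand):
    """Generate four common typo classes for a brand label (no TLD)."""
    b = brand.lower()
    out = set()
    for i in range(len(b)):
        out.add(b[:i] + b[i + 1:])                   # omission:      aple
        out.add(b[:i] + b[i] + b[i:])                # repetition:    appple
        for c in ADJACENT.get(b[i], ""):
            out.add(b[:i] + c + b[i + 1:])          # adjacent key:  spple
    for i in range(len(b) - 1):
        out.add(b[:i] + b[i + 1] + b[i] + b[i + 2:])  # transposition: aplpe
    out.discard(b)                                   # swapping 'pp' gives the brand back
    return out


def classify(host, brand, owned_domains):
    """Return 'owned', 'typosquat', 'brand-in-root', 'brand-in-subdomain'
    or 'unrelated' for one hostname relative to one brand."""
    sub, registrable, suffix = split_hostname(host)
    if registrable in owned_domains:
        return "owned"
    root_label = registrable[: -len(suffix) - 1]
    if root_label in typosquats(brand):
        return "typosquat"
    if brand in root_label:
        return "brand-in-root"
    if any(brand in label for label in sub):
        return "brand-in-subdomain"
    return "unrelated"


def footprint(hosts, brand, owned_domains):
    """Group hostnames by verdict. Everything except 'owned' and 'unrelated'
    is a candidate for the brand's domain attack surface."""
    groups = {}
    for h in hosts:
        groups.setdefault(classify(h, brand, owned_domains), []).append(h)
    return groups


if __name__ == "__main__":
    for verdict, hosts in footprint(SAMPLE_HOSTS, BRAND, OWNED_DOMAINS).items():
        print(f"{verdict:20s} {len(hosts):3d}  {', '.join(hosts)}")
```

The order of checks in `classify` matters: the allowlist is consulted first so that a legitimate brand host is never reported, the registrable domain is tested before the subdomain labels because a typosquat or brand-bearing root domain is a stronger signal than a brand name buried in a label, and the public-suffix split is what keeps `store.apple.co.uk` from being misread as a subdomain of `co.uk`. In practice the allowlist would come from the organization's own DNS and WHOIS records and the candidate hostnames from passive DNS or certificate-transparency feeds rather than a hard-coded list.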

Table 1: Typosquatting Domains Found for Each Brand

Is Attack Surface Reduction Possible?

The study shows that organizations’ attack surface sizes can be quite large. But that does not make attack surface reduction too far-fetched.

WhoisXML API has developed a suite of Attack Surface Management (ASM) Solutions to help organizations cope with the exponential growth of the global domain attack surface. Our ASM Solutions are fueled by DNS, WHOIS, and IP intelligence, the same sources used in our study. These solutions allow security teams to monitor their organizations' vast digital footprints.
