Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.
Both physical and digital supply chains have undeniably become more populated with third parties. Virtually all organizations work with different software providers, use one or more payment processors, and avail of web hosting services and cloud solutions from external parties. Companies that manufacture physical products also need to employ the services of courier companies.
All these vendors that enable enterprises to conduct business pose cyber risks. But how risky can they be? Here are a few recent third-party-related cybersecurity incidents to provide some perspective:
Many other cybersecurity incidents involving third parties have been reported, which is why several companies are implementing third-party vendor risk management processes.
But it’s difficult to manage what we don’t know. Falling into that category of “unknowns” are online properties, such as domain names and subdomains, which can possibly be used to impersonate third parties as part of phishing attacks and social engineering scams. To illustrate, we analyzed the domain footprints of three categories of third-party providers:
To understand how threat actors can attack a third-party vendor, organizations can look at its domain attack surface or the sum of all of its domains and subdomains that could be abused.
Take a look at a few examples of such online properties:
As you can see from the examples above, these domains contain the third-party vendor’s name, so they could be used, at least to some extent, to imitate its communications. And the more possibly suspicious domains and subdomains containing a company’s brand, the larger its potential attack surface size.
For the three third-party categories in this study, software providers had the largest domain attack surface size at 44,514 subdomains.
The four courier companies, meanwhile, had a total domain attack surface comprising 24,601 subdomains, while those in the payment processing sector had 7,512.
Figure 1: Domain Attack Surface Size of Third-Party Vendors by Industry
These numbers show that threat actors target industries with large user bases, such as the software sector. Microsoft, Oracle, and Salesforce alone have more than 1 billion users in total. Victimizing a small percentage of this user base could be lucrative for threat actors.
We began the study with the premise that not all domains and subdomains discovered by WhoisXML API’s Third-Party Risk Management (TPRM) Solutions are necessarily suspicious. The companies under scrutiny may legitimately own some of them. While that is true, only a few turned out to be publicly attributable to the said companies. Looking at their WHOIS records, the domain names that share the same registrant email address as their official domains were very few.
Figure 2 shows the disparity between publicly and non-publicly attributable domains. For the courier and payment processor groups, less than 1% of the domains could be attributed to legitimate companies. The percentage was higher for the software industry at 2.27%.
Figure 2: Publicly versus Non-Publicly Attributable Domains
Another aspect that this study looked at was the top-level domain (TLD) distribution of the subdomains. We often see new TLDs on lists of most-abused TLDs, but old and major TLDs took the spotlight in this study, as shown in Table 1.
Table 1: Top 3 TLDs by Industry
When taking advantage of third-party vulnerabilities, threat actors might use TLDs that are deemed reputable, as these could add to the weaponized domains’ trustworthiness.
With the help of Third-Party Risk Management (TPRM) Solutions developed by WhoisXML API, companies can better understand, mitigate, and reduce the risks associated with third-party vendors. These solutions are powered by Domain Name System (DNS), WHOIS, and IP intelligence and can be integrated into cybersecurity products or used as standalone third-party risk assessment solutions by security teams.
Create your free account to unlock your custom reading experience.