Both physical and digital supply chains have undeniably become more populated with third parties. Virtually all organizations work with different software providers, use one or more payment processors, and rely on web hosting services and cloud solutions from external parties. Companies that manufacture physical products also need to employ the services of courier companies.
All these vendors that enable enterprises to conduct business pose cyber risks. But how risky can they be? Here are a few recent third-party-related cybersecurity incidents to provide some perspective:
Many other cybersecurity incidents involving third parties have been reported, which is why several companies are implementing third-party vendor risk management processes.
But it’s difficult to manage what we don’t know. Falling into that category of “unknowns” are online properties, such as domain names and subdomains, that could be used to impersonate third parties in phishing attacks and social engineering scams. To illustrate, we analyzed the domain footprints of three categories of third-party providers:
To understand how threat actors can attack a third-party vendor, organizations can look at its domain attack surface, that is, the sum of all of its domains and subdomains that could be abused.
Take a look at a few examples of such online properties:
Couriers
Payment processors
Software providers
As you can see from the examples above, these domains contain the third-party vendor’s name, so they could be used, at least to some extent, to imitate its communications. The more potentially suspicious domains and subdomains contain a company’s brand, the larger its potential attack surface.
For the three third-party categories in this study, software providers had the largest domain attack surface size at 44,514 subdomains.
The four courier companies, meanwhile, had a total domain attack surface comprising 24,601 subdomains, while those in the payment processing sector had 7,512.
Figure 1: Domain Attack Surface Size of Third-Party Vendors by Industry
These numbers show that threat actors target industries with large user bases, such as the software sector. Microsoft, Oracle, and Salesforce alone have more than 1 billion users in total. Victimizing a small percentage of this user base could be lucrative for threat actors.
We began the study with the premise that not all domains and subdomains discovered by WhoisXML API’s Third-Party Risk Management (TPRM) Solutions are necessarily suspicious. The companies under scrutiny may legitimately own some of them. While that is true, only a few turned out to be publicly attributable to those companies: judging by their WHOIS records, very few of the domain names share a registrant email address with the companies’ official domains.
Figure 2 shows the disparity between publicly and non-publicly attributable domains. For the courier and payment processor groups, less than 1% of the domains could be attributed to the legitimate companies. The percentage was higher for the software industry, at 2.27%.
Figure 2: Publicly versus Non-Publicly Attributable Domains
Another aspect this study looked at was the top-level domain (TLD) distribution of the subdomains. Newer TLDs often appear on lists of the most-abused TLDs, but long-established major TLDs dominated in this study, as shown in Table 1.
Table 1: Top 3 TLDs by Industry
When taking advantage of third-party vulnerabilities, threat actors might use TLDs that are deemed reputable, as these lend the weaponized domains an added appearance of trustworthiness.
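The two measurements described above (attribution via a matching WHOIS registrant email, and the TLD distribution of brand-containing domains) can be reproduced over a vendor's discovered domain list. The following is an added example, not code from the study or from WhoisXML API; the vendor brands, domains and registrant emails are constructed placeholders, and the "publicly attributable" rule is the one the text describes (registrant email equal to that of the official domain).

```python
from collections import Counter

# Constructed sample records: (industry, vendor brand, discovered domain,
# WHOIS registrant email or None when redacted/absent). All values are placeholders.
DISCOVERED = [
    ("courier", "examplecourier", "examplecourier-tracking.com", "dns@examplecourier.example"),
    ("courier", "examplecourier", "examplecourier-delivery.com", "redacted@privacy.example"),
    ("courier", "examplecourier", "track.examplecourier-parcel.xyz", None),
    ("courier", "examplecourier", "unrelated-shop.com", "someone@else.example"),
    ("payment", "examplepay", "examplepay-secure.com", "hostmaster@examplepay.example"),
    ("payment", "examplepay", "examplepay-login.info", None),
    ("software", "examplesoft", "examplesoft-update.com", "abuse@example.org"),
    ("software", "examplesoft", "examplesoft.support.net", "dns@examplesoft.example"),
    ("software", "examplesoft", "login-examplesoft.co", None),
]

# Registrant email on each vendor's official domain (constructed placeholders)
OFFICIAL_REGISTRANT = {
    "courier": "dns@examplecourier.example",
    "payment": "hostmaster@examplepay.example",
    "software": "dns@examplesoft.example",
}

def tld_of(domain: str) -> str:
    """Take the last label as the TLD (public-suffix rules are ignored here)."""
    return domain.rsplit(".", 1)[-1].lower()

def attack_surface(records, official):
    """Per industry: brand-containing domains found, how many are publicly
    attributable (registrant email equals the official domain's), and TLD counts."""
    stats = {}
    for industry, brand, domain, email in records:
        if brand.lower() not in domain.lower():
            continue  # not part of this vendor's domain attack surface
        s = stats.setdefault(industry, {"total": 0, "attributable": 0, "tlds": Counter()})
        s["total"] += 1
        if email is not None and email.lower() == official[industry].lower():
            s["attributable"] += 1
        s["tlds"][tld_of(domain)] += 1
    return stats

def attributable_pct(stats, industry):
    s = stats[industry]
    return round(100.0 * s["attributable"] / s["total"], 2)

def top_tlds(stats, industry, n=3):
    return [tld for tld, _ in stats[industry]["tlds"].most_common(n)]

if __name__ == "__main__":
    stats = attack_surface(DISCOVERED, OFFICIAL_REGISTRANT)
    for industry in stats:
        print(industry, stats[industry]["total"], attributable_pct(stats, industry), top_tlds(stats, industry))
```

Redacted or privacy-proxy registrant emails are counted as non-attributable, which is why the attribution rate is a lower bound on what a vendor legitimately owns.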
With the help of Third-Party Risk Management (TPRM) Solutions developed by WhoisXML API, companies can better understand, mitigate, and reduce the risks associated with third-party vendors. These solutions are powered by Domain Name System (DNS), WHOIS, and IP intelligence and can be integrated into cybersecurity products or used as standalone third-party risk assessment solutions by security teams.