Avoid Hijacking of Your Subdomains!

Inactive subdomains pose an very real security threat to your business.

A recent study found that over 8,000 domains and 13,000 subdomains from well-known brands had been hijacked for spam and phishing purposes. The study also revealed that the cybercriminal grouping ResurrecAds was responsible for the hijackings and abuse, also known as SubdoMailing, which began in September 2022.

ResurrecAds exploited non-resolving subdomains to forward malicious emails from well-known brands like eBay, Marvel and UNICEF. Their phishing methods bypassed individuals’ and companies’ security measures by using images in emails and manipulating the sender information.

They employed an extensive global infrastructure of hijacked users, IP addresses and domains to evade spam filters and email authentication methods like SPF, DKIM and DMARC. Their phishing techniques included fake alerts and malware downloads, targeting both individuals and businesses.

The study also showed that the subdomains were hijacked via outdated CNAME records, allowing them to send emails that made recipients believe they came from legitimate senders. For example, the domain msnmarthastewartsweeps.com was revived after 21 years and used for phishing attacks.

This type of hijacking can have serious consequences for a company, as cybercriminals misuse domains and subdomains containing trusted brands to send emails with various forms of malware (e.g. spyware and ransomware). Additionally, it can lead to financial losses and damage to the brand’s value.

Therefore, it is important to be vigilant and protect your subdomains from hijacking by regularly checking if they are being actively used and are resolving. If a subdomain does not resolve, redirect or is not being actively used, it should be deleted immediately. The longer you wait to delete inactive subdomains, the greater the risk that your brand will be involved in an unfortunate incident.

We recommend developing a policy for the creation and deletion of subdomains to avoid getting into an unfortunate situation.

Do you need help ensuring that your domains and subdomains are secure and not being misused by criminals?

At IP Dots, we can help our customers in several ways:

• Subdomain Audit: We examine all of your domains and create a full report that describes which subdomains are registered under each domain in your portfolio. This report can then be used internally to check if they resolve and should remain active—or if they should be decommissioned.

• Portfolio Analysis: We examine all domains in your portfolio to check if active redirects are set up, ensure correct legal ownership, and eliminate names and email addresses of former employees. Additionally, we check for missing vital DNS records.

• Domain Monitoring: We monitor domain registrations that include your brand, initially those domains that have already been registered and subsequently the ongoing registrations committed by various third parties. We can monitor domain registrations matching your brand or a variation of your brand with misspellings or typos. We also monitor for domain registrations which are confusingly similar to your brands (e.g. with swapped or replaced letters) or domains where letters are replaced with lookalike symbols, e.g. an “o” replaced with a zero (also called homoglyphs).

Do you want to know more?

#cybersecurity #subdomain #domain #hijacking