Thursday, 14 April 2022

The world of the subdomain

A web domain name is the foundational piece of Internet property allowing its owner (registrant) to construct and host an associated website. On a domain, the owner is also able to construct whatever subdomains they wish - a process that is technically achieved via the configuration of records on the authoritative DNS (domain name system) server. A subdomain name is the part of the hostname immediately before the domain name, separated from it by a dot (e.g. 'blog' in the URL https://blog.cscglobal.com/). Subdomains can be used in the construction of web addresses for a number of different purposes, such as the creation of individual microsites for sub-brands or campaigns, or the production of region- or subject-specific subsites. Some Internet service providers (ISPs), known as private subdomain registries, also offer the sale of specific commoditised subdomains of their site, allowing users to create their own sites (e.g. 'second-level' domains such as blogspot.com, which allows users to register URLs in the form username.blogspot.com, in this case for the creation of a personalised blog).

Subdomain name abuse in general Internet content

From a brand monitoring point of view, the appearance of a brand name or other relevant keyword(s) in the subdomain name of a third-party URL can be associated with a variety of brand infringement types. Some areas of potential concern include:

  • As a means of driving traffic to third-party content via misdirected search-engine queries
  • Creating sites featuring claims of affiliation with the brand in question
  • Reputation issues - e.g. creating sites containing information, customer comments, or activism-related material pertaining to a particular brand
  • As a means of creating a URL appearing deceptively similar to that of an official brand site (e.g. for fraudulent activity, phishing, or the distribution of malware)

Brand-specific subdomains can be a source of confusion for Internet users - and thus an effective threat vector - because of their similarity to familiar, legitimate URLs. For example, the hypothetical and unofficial domain cscglobal.blog.com could be used to create a convincing fake version of the official blog.cscglobal.com.

In recent months, a number of (often SMS-based) phishing attacks have been observed to make use of a brand name in the subdomain name to create a highly convincing, deceptive URL in a particular way[1,2], as shown in the example in Figure 1.

Figure 1: Example of a 2021 SMS-based phishing attack targeting HSBC customers

In this example, targeting UK customers of the bank, the phishing URL makes use of a reference to HSBC in the subdomain name, together with a domain name beginning with 'uk-' (uk-account[.]help), as a means of producing a URL that appears visually very similar to the real 'hsbc[.]co[.]uk/account-help'. The phishing site link also uses the HTTPS protocol, historically an indicator of trust, but now a characteristic shared by over 80% of phishing sites[3] in response to the easy availability of SSL (secure sockets layer) certificates from free providers. This approach is particularly effective for a number of reasons, including the fact that it uses a new generic top-level domain (gTLD) extension that may be unfamiliar to some users, and the tendency for displays on mobile devices to insert line-breaks after hyphens. Zone file analysis shows there are at least several hundred registered new gTLD domains with names of a similar format that have the potential to be used fraudulently. Identified examples include uk-authorization-online[.]support, uk-gov[.]tax, uk-insurance[.]claims, uk-border[.]agency, and uk-lottery[.]win.

Other recent identified examples of branded subdomains in phishing scams include hermes[.]online-parcel-reschedule[.]com (for logistics company Hermes); and o2[.]billing9k7j[.]com (for telecommunications organisation O2). This type of attack circumvents the requirement for the fraudster to register a brand-specific domain name (which is potentially easier to detect by a brand owner employing a basic domain monitoring service). In many cases, the whois records for the parent domains are anonymised, making it difficult to establish links between cases. These domains are also often registered immediately prior to the attack and are used for a short period, in an effort to circumvent detection and takedown efforts.

In general, brand-related subdomains on third-party sites are more difficult to detect than domain names themselves, which can much more easily be identified through wildcard searches of registry zone files. The most straightforward method for identifying subdomains is search engine metasearching, provided that the subdomains in question are linked from other sites and have been indexed by the search engines. Beyond this, the issue can partially be addressed through other techniques, such as detailed analysis of domain-name zone configuration information (e.g. passive DNS analysis), certificate transparency (CT) log analysis, or explicit queries on particular domains for the existence of specific subdomain names.
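The brand-in-subdomain pattern described above (hsbc.uk-account.help, hermes.online-parcel-reschedule.com) can be checked mechanically on hostnames gathered from any of the sources just listed (search results, passive DNS, CT logs). The classifier below is an added example, not code from the original post or from CSC; the PUBLIC_SUFFIXES table is a constructed stand-in for the Public Suffix List and BRANDS is a constructed watch-list.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real check should load the full list.
PUBLIC_SUFFIXES = {"co.uk", "com", "uk", "help", "online", "net", "support", "tax"}
# Constructed watch-list of brand keywords.
BRANDS = {"hsbc", "hermes", "o2", "cscglobal"}


def split_host(host):
    """Return (subdomain_labels, registrable_domain) using the longest matching suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i=0 tests the whole host, so the longest suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return [], host  # the host is itself a public suffix
            return labels[:i - 1], ".".join(labels[i - 1:])
    return labels[:-2], ".".join(labels[-2:])  # unknown TLD: assume a single-label suffix


def brand_tokens(label):
    """Brand keywords present in one DNS label, as a hyphen-separated part or substring."""
    parts = set(label.split("-"))
    return {b for b in BRANDS if b in parts or b in label}


def assess(url_or_host):
    """Classify a URL or (possibly defanged, 'a[.]b') hostname.

    'brand-in-domain'   : keyword in the registrable domain, which ordinary
                          domain monitoring / zone-file wildcard searches can catch;
    'branded-subdomain' : keyword only in the subdomain labels of a third-party
                          domain, the hsbc.uk-account.help pattern;
    'unbranded'         : no watch-list keyword anywhere in the hostname.
    Returns (verdict, registrable_domain, sorted_brands_found)."""
    text = url_or_host.replace("[.]", ".")
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    subs, reg = split_host(host)
    reg_brands = brand_tokens(reg.split(".")[0])
    if reg_brands:
        return "brand-in-domain", reg, sorted(reg_brands)
    sub_brands = set().union(*[brand_tokens(label) for label in subs])
    if sub_brands:
        return "branded-subdomain", reg, sorted(sub_brands)
    return "unbranded", reg, []


if __name__ == "__main__":
    for sample in ("hsbc[.]uk-account[.]help/account-help", "hsbc[.]co[.]uk/account-help",
                   "hermes[.]online-parcel-reschedule[.]com", "https://blog.cscglobal.com/"):
        print(sample, "->", assess(sample))
```

Substring matching on short keywords such as 'o2' will produce false positives on unrelated labels, so in practice the watch-list should be tuned per brand.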

A further issue is that private subdomain registries are not necessarily regulated by ICANN (the Internet Corporation for Assigned Names and Numbers), and so may lack dispute resolution procedures, abuse reporting processes, or any form of whois records.

When considering enforcement against infringing subdomains, options can be relatively limited - particularly in comparison with the range of approaches available for domain names. It is sometimes possible to achieve engagement with the registry, registrar, hosting provider or DNS provider, but they may not be obligated to comply. Furthermore, many established dispute processes, such as UDRP (the Uniform Domain-Name Dispute-Resolution Policy), do not necessarily apply to subdomains. However, exceptions do exist in some cases, such as certain new gTLDs, instances where the host domain name corresponds to a country code (e.g. jp.com), or other limited circumstances (e.g. those covered by the Dispute Resolution Service (DRS) for .nz). Failing this, court litigation is often a last resort[4].

Finally, the use of fraudulent domains in conjunction with wildcard MX records (which allow the domain owner to receive emails sent to any subdomain on the domain name) can also be a highly efficient way for criminals to intercept mail intended for trusted organisations, and thereby harvest sensitive information. This can be successful in cases where the recipient e-mail address has been mistyped (i.e. with an extra '.' inserted). If the domain name is carefully selected, it can enable attacks against a range of different organisations (e.g. *.bank.[tld] can be used to harvest mis-addressed e-mails intended for any organisation with an official domain name of the form [brand]bank.[tld]).

Subdomains of official domains within the brand owner’s own portfolio

Considering the domain security landscape, an area of primary concern for a brand owner is the existence of subdomains on domains under their own ownership.

Subdomain hijacking

Brand owners may use subdomains of official sites for a number of different purposes, as discussed previously. However, when they register a lot of subdomains - IBM has around 60,000 and Microsoft over 120,000 - subdomain management can become a significant endeavour. The attendant risk is that bad actors take over subdomains by exploiting expired hosting services (an issue known as 'dangling DNS records'), DNS misconfigurations, or untrustworthy legitimate users. Compromise can also be achieved using pharming (DNS poisoning) attacks, where subdomain records are modified to re-direct traffic to a fraudulent IP address. This can give fraudsters the ability to create fake sites, upload content, monitor traffic, or hack official corporate systems[5]. A 2021 study identified over 1,500 vulnerable subdomains across 50,000 of the world's most important websites[6].

A number of news stories have emerged in recent years of corporations being attacked in this way, including instances of official corporate subdomains being hijacked to re-direct to content including malware, pornography, and gambling-related material. Subdomains of the Xerox website, for example, were used in 2020 to drive traffic to sites selling fake goods, taking advantage of the trusted reputation of the official corporate domain to boost the search-engine ranking of the malicious content[7]. In another case in 2019, GoDaddy shut down 15,000 abused subdomains that drove a massive spam campaign geared towards the sale of counterfeits[8].

Brand owners can mitigate these threats by analysing their own domain portfolio and being mindful of any subdomains pointing to external IP addresses.

Domain shadowing

Another risk is the possibility for criminals to create new, unofficial subdomains of official sites by compromising the domain's DNS management through a method such as phishing or dictionary attacks - a practice known as 'domain shadowing'. This approach can also be used to drive users to malicious content, while taking advantage of the protections associated with being hosted on a trusted website (e.g. to circumvent site block-listing). In one reported example of this practice, a number of domains (primarily registered through GoDaddy) were compromised to create over 40,000 subdomains pointing to Russian IP addresses hosting a range of malware variants[9,10].

This type of attack can be difficult to detect, both because it avoids the requirement to make changes on the official corporate webserver, and because the infringing content is typically hosted externally. The damage may only become apparent following complaints by users, or in response to the official domain being added to a block-list due to the malicious activity. Rigorous security measures are the primary preventative approach, including the use of strong passwords and two-factor authentication[11].

A related attack vector is the use of wildcard DNS records, which cause any arbitrary subdomain name to resolve to a chosen (and potentially malicious) external IP address. Bad actors can use randomised, changing subdomains to circumvent hostname-based block-listing (e.g. in coordinated phishing campaigns). This type of attack can be applied both to official (compromised) and third-party (standalone) domains[12].
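The portfolio review recommended in the 'Subdomain hijacking' section (records pointing at external addresses or lapsed hosting) and the wildcard records just described can both be surfaced from a zone export. The audit below is an added example, not CSC's tooling; the zone text, the OWNED_PREFIXES ranges and the lapsed provider name example-host.invalid are all constructed.

```python
import ipaddress

# Constructed: address ranges the organisation actually owns or rents.
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
RTYPES = {"A", "AAAA", "CNAME"}

# Constructed sample zone export; example-host.invalid stands in for a lapsed hosting service.
ZONE = """\
; example.com zone export (constructed)
@         3600 IN A     203.0.113.10
www       3600 IN A     203.0.113.10
blog      3600 IN CNAME www.example.com.
old-shop   300 IN CNAME retired-shop.example-host.invalid.  ; hosting contract expired
promo      300 IN A     198.51.100.77
*.apps     300 IN A     203.0.113.50
"""


def parse_zone(text, origin):
    """Yield (owner, rtype, rdata) from BIND-style lines; relative owners get the origin."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # strip comments, tokenise
        if not fields:
            continue
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        for i, tok in enumerate(fields[1:], 1):  # TTL and class are optional
            if tok.upper() in RTYPES:
                rdata = " ".join(fields[i + 1:]).rstrip(".").lower()
                yield owner.rstrip(".").lower(), tok.upper(), rdata
                break


def audit_zone(text, origin):
    """Return findings that warrant review: wildcard owners, addresses outside the
    organisation's ranges, and CNAMEs pointing outside its own zone."""
    findings = []
    for owner, rtype, rdata in parse_zone(text, origin):
        if owner.startswith("*."):
            findings.append(("wildcard", owner, rdata))
        if rtype in ("A", "AAAA"):
            if not any(ipaddress.ip_address(rdata) in net for net in OWNED_PREFIXES):
                findings.append(("external-address", owner, rdata))
        elif rtype == "CNAME" and not (rdata == origin or rdata.endswith("." + origin)):
            findings.append(("external-cname", owner, rdata))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(ZONE, "example.com"):
        print(*finding)
```

An external CNAME is only dangerous once its target no longer resolves or can be claimed by someone else, so each flagged record still needs a resolution check against the provider in question.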

Overall, to mitigate these threats, brand owners should employ a robust domain security posture combined with a comprehensive programme of brand monitoring and enforcement.

References

[1] https://www.cscdbs.com/blog/phishing-scams-how-to-spot-them/

[2] https://thewebisround.xyz/2021/06/28/the-reality-behind-the-smishers/

[3] https://docs.apwg.org/reports/apwg_trends_report_q2_2021.pdf

[4] https://www.worldtrademarkreview.com/enforcement-and-litigation/subdomains-and-online-brand-protection-what-you-need-know-long-read

[5] https://www.networkworld.com/article/3623949/don-t-let-subdomains-sink-your-security.html

[6] https://www.eurekalert.org/news-releases/698257

[7] https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

[8] https://www.techradar.com/news/godaddy-shuts-down-15k-subdomains-used-in-massive-spam-campaign

[9] https://www.domaintools.com/resources/blog/domaintools-101-dns-shadow-hack-attacked

[10] https://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/126072/

[11] https://encyclopedia.kaspersky.com/glossary/domain-shadowing/

[12] https://www.phishlabs.com/blog/phishing-with-wildcard-dns-attacks-and-pharming/

This article was first published on 14 April 2022 at:

https://www.cscdbs.com/blog/the-world-of-the-subdomain/

Also published at:

https://circleid.com/posts/20220504-the-world-of-the-subdomain
