Why Forgotten Subdomains Are Easy Targets for Attackers


Exposed digital assets are often overlooked by security teams, leading to serious security problems. Expired and forgotten subdomains can easily become entry points for attackers to steal sensitive data and launch phishing campaigns.

With every additional third-party service and subdomain, the external attack surface grows, and so does the chance that something is left unattended. A subdomain takeover is an attack in which an outsider gains control of a hostname under an organization's domain. It typically happens when a DNS record (most often a CNAME) still points at a resource that has since been deprovisioned or has expired: a cloud app that was deleted, a hosting project that was removed, or a vendor domain that was allowed to lapse. Because the provider or registrar will let anyone claim the now-unowned resource, the attacker registers it, and the organization's own DNS then delivers visitors, cookies scoped to the parent domain, and mail trust to content the attacker controls. From there they can host malicious content, phish for credentials, or redirect users to harmful sites, all while masquerading as a trusted domain.

Recent Examples of Subdomain Takeovers

SubdoMailing 

A campaign that Guardio Labs named "SubdoMailing" hijacked more than 8,000 domains and 13,000 subdomains belonging to well-known brands and organizations, including the Better Business Bureau, CBS, eBay, and Marvel. The hijacked hostnames were used to send spam that lured recipients into clicking harmful links, trading on the brands' reputations to get past mail filters. The takeovers were possible because the victims' DNS still referenced domains that had expired, both as CNAME targets and in SPF include chains; the attackers registered those domains, so their mail authenticated as if it came from the brand, which undermines trust in the brand's own legitimate mail.

When users clicked the links, they were redirected several times before landing on advertising pages that generated revenue for the scammers, or on fake websites promoting bogus giveaways and other scams. The operation sent around 5 million emails a day, reaching a wide audience of potential victims.

Despite the extensive reach of the SubdoMailing campaign, details regarding the monetary amounts stolen or the exact financial impact on victims have not been publicly disclosed. The operation's primary focus appears to be the mass distribution of spam emails, potentially leading to various forms of cyber fraud.

CocoaPods

Critical vulnerabilities in the CocoaPods dependency manager may have allowed threat actors to take control of thousands of orphaned packages, execute shell commands, and gain access to accounts, potentially affecting millions of iOS and macOS applications. The case is not a DNS takeover, but it follows the same pattern at the package level: an orphaned resource that applications still depended on and that the wrong party could claim.

In 2014, CocoaPods migrated to a centralized Trunk server acting as a repository and distribution platform. This process left behind thousands of orphaned packages, as authorship information was reset for all pods, and many previous owners were unknown.

The same mechanism works at the DNS layer. Where a subdomain is no longer in use but its DNS record still points to GitHub Pages, where it had previously been hosted, and no active project is bound to that hostname, an attacker can create their own GitHub Pages project (in the case cited here, a casino site) and bind the hostname to it, so the organization's existing DNS record delivers users to the fraudulent page. As long as a subdomain remains unclaimed, anyone can seize it on GitHub Pages or other cloud services that let customers attach arbitrary hostnames.

Commonly Targeted Subdomains 

Hackers target common subdomains for several reasons, including misconfigurations, weaker security controls, and the potential for exploiting vulnerabilities. What appears to be an unimportant leftover can quickly turn into a major security vulnerability if not properly managed. Some of the most commonly targeted subdomains include:

  • Development and Staging Environments: These subdomains often contain less secure versions of an application, revealing sensitive information, hardcoded credentials, or unpatched vulnerabilities.
  • Administrative Panels: Administrative interfaces are attractive because they often grant full control of systems or sensitive data.
  • APIs: APIs can be vulnerable to issues like insufficient authorization checks, rate-limiting issues, or data leaks.
  • Static Assets: Misconfigured Content Delivery Networks (CDNs) or static asset servers can reveal private files, source code, or configurations.
  • File Storage: Misconfigured file storage servers may allow unauthorized file access or arbitrary file uploads.
  • Forgotten Subdomains: Legacy or outdated systems are often abandoned and unmaintained, making them vulnerable to attack.
  • Third-Party Services: Third-party services may introduce vulnerabilities due to misconfiguration, outdated software, or poor security practices.
  • Unsecured Subdomains: Ironically, subdomains whose names suggest hardening (a secure or vpn prefix, for instance) can ship with weak configurations or default credentials.
  • Wildcard Subdomains: A carelessly used wildcard record (e.g., *.example.com) answers for any label, including hostnames nobody intended to exist. If the wildcard points at a shared platform or a takeover-prone service, every unclaimed label inherits that exposure, and the organization can no longer tell from DNS alone which of its hostnames are real.
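The dangling-record pattern from the Recent Examples section and the wildcard bullet above, as an added example that is not code from this post or from ZeroFox: a checker that walks a hostname's CNAME chain and flags the two takeover conditions, a chain that ends at a name that no longer resolves (the expired-domain case behind SubdoMailing) and a chain that ends at a hosting service which answers with its "unclaimed" page (the GitHub Pages case), plus a probe that detects a wildcard record by resolving a random label. DNS resolution and HTTP fetching are passed in as functions so it runs offline; the `example.com` hostnames, the CNAME table and the HTTP bodies are constructed, and the fingerprint table is a sample (the GitHub Pages 404 text is real; treat the Heroku entry as an assumption), not a complete list.

```python
"""Dangling-CNAME and wildcard checks for subdomain takeover candidates.

Added example, not the post's or ZeroFox's code. DNS and HTTP access are
injected as plain functions so the logic runs offline on constructed records.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Services that bind a customer hostname to a project and answer with a
# recognisable body when nothing is bound. GitHub Pages' string is its real
# 404 text; the table overall is an illustrative sample, not a full list.
UNCLAIMED_FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",  # assumption for illustration
}


@dataclass
class Finding:
    hostname: str
    chain: List[str]  # CNAME chain, starting with the audited hostname
    verdict: str      # dangling-nxdomain | unclaimed-service | cname-loop | ok
    detail: str


def _service_for(target: str) -> Optional[str]:
    """Return the fingerprint-table key whose suffix matches target, if any."""
    host = target.rstrip(".").lower()
    for suffix in UNCLAIMED_FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def check_hostname(
    hostname: str,
    cname_of: Callable[[str], Optional[str]],    # CNAME target or None
    resolves: Callable[[str], bool],             # does the name have A/AAAA?
    fetch_body: Callable[[str], Optional[str]],  # HTTP body served for a host
    max_depth: int = 8,
) -> Finding:
    """Follow the CNAME chain and classify the hostname."""
    chain = [hostname]
    current = hostname
    for _ in range(max_depth):
        target = cname_of(current)
        if target is None:
            break
        if target in chain:
            return Finding(hostname, chain + [target], "cname-loop",
                           "CNAME chain loops back on itself")
        chain.append(target)
        current = target

    if current == hostname:
        # No CNAME: the address records are the organisation's own, so there
        # is no third-party resource for an outsider to claim.
        return Finding(hostname, chain, "ok", "no CNAME; not a takeover candidate")

    if not resolves(current):
        # SubdoMailing pattern: the target's domain has lapsed. Whoever
        # registers it inherits every hostname still pointing at it.
        return Finding(hostname, chain, "dangling-nxdomain",
                       f"{current} no longer resolves; registering its domain "
                       f"would hijack {hostname}")

    service = _service_for(current)
    if service is not None:
        # GitHub Pages pattern: the target resolves (the provider's wildcard
        # does that for every customer), but no project claims this hostname.
        body = fetch_body(hostname) or ""
        if UNCLAIMED_FINGERPRINTS[service] in body:
            return Finding(hostname, chain, "unclaimed-service",
                           f"{service} serves its unclaimed page for {hostname}; "
                           f"anyone can bind a project to it")

    return Finding(hostname, chain, "ok", "target resolves and is claimed")


def has_wildcard(zone: str, resolves: Callable[[str], bool]) -> bool:
    """A random label that resolves means a *.zone record answers for it."""
    return resolves(f"{secrets.token_hex(8)}.{zone}")


# --- Constructed records for a stand-alone run (not real DNS data) ---------
CONSTRUCTED_CNAMES: Dict[str, str] = {
    "old-docs.example.com": "example-docs.github.io",     # project deleted
    "promo.example.com": "promo.expired-vendor.example",  # vendor domain lapsed
    "app.example.com": "app-prod.herokuapp.com",          # still claimed
    "loop-a.example.com": "loop-b.example.com",
    "loop-b.example.com": "loop-a.example.com",
}
CONSTRUCTED_ADDRESSES = {"example-docs.github.io", "app-prod.herokuapp.com",
                         "www.example.com"}
CONSTRUCTED_BODIES: Dict[str, str] = {
    "old-docs.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.example.com": "<html><body>Welcome to App</body></html>",
}


def constructed_resolves(name: str) -> bool:
    """Names with addresses, plus a wildcard under wild.example.com."""
    return name in CONSTRUCTED_ADDRESSES or name.endswith(".wild.example.com")


def audit_constructed() -> List[Finding]:
    """Run the check over every constructed hostname under example.com."""
    hosts = ["www.example.com"] + [h for h in CONSTRUCTED_CNAMES if h.endswith(".example.com")]
    return [check_hostname(h, CONSTRUCTED_CNAMES.get, constructed_resolves,
                           CONSTRUCTED_BODIES.get) for h in hosts]


if __name__ == "__main__":
    for f in audit_constructed():
        print(f"{f.verdict:18} {f.hostname}  ({' -> '.join(f.chain)}) {f.detail}")
    print("wildcard under wild.example.com:", has_wildcard("wild.example.com", constructed_resolves))
    print("wildcard under example.com:", has_wildcard("example.com", constructed_resolves))
```

To run this against real infrastructure, pass a resolver wrapper (for instance around dnspython's `dns.resolver.resolve(name, "CNAME")`) and an HTTP client in place of the dictionary lookups. Treat a dangling-nxdomain finding as the higher priority of the two: registering a lapsed domain also captures any SPF include or MX record that still references it, which is exactly the combination SubdoMailing exploited.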

Consequences of Exposed Subdomains

Exposed subdomains can pose significant security and operational risks to organizations. Here are the key consequences:

  • Increased Attack Surface: Exposed subdomains may host outdated or vulnerable software, making them susceptible to attacks such as SQL injection, cross-site scripting (XSS), or remote code execution. Cybercriminals can exploit these subdomains as entry points to compromise the broader network.
  • Subdomain Takeovers: If a subdomain points to a decommissioned cloud service or a third-party platform, attackers can claim ownership of it, allowing them to host malicious content or impersonate the organization.
  • Brand Reputation Damage: A hijacked subdomain could be used for phishing or distributing malware, thereby damaging the organization’s trustworthiness.
  • Data Exposure: Exposed subdomains might inadvertently expose sensitive data, such as internal APIs, configuration files, or employee information. Some may host development or staging environments containing debugging tools or logs with confidential details.
  • Phishing and Social Engineering: Subdomains under a legitimate domain can lend credibility to phishing campaigns, increasing their effectiveness. Attackers can target employees using realistic-looking subdomains to harvest credentials.
  • Operational Disruption: Exposed subdomains can be targeted for denial-of-service attacks, causing service disruptions. If an exposed subdomain is exploited for malicious activity, it may affect the performance of legitimate services.
  • Delayed Incident Detection: Assets nobody is tracking are also assets nobody is monitoring, so compromise of a forgotten subdomain tends to be noticed late, and the longer the delay the greater the damage. Each forgotten asset expands the attack surface and is a potential entry point; for Chief Information Security Officers (CISOs), a major breach traced to an asset the organization did not know it owned is a career-ending scenario.
  • Regulatory and Legal Implications: Sensitive data exposed through a subdomain can violate privacy laws such as GDPR, CCPA, or HIPAA. Forgotten assets also complicate compliance with the U.S. Securities and Exchange Commission's (SEC) 2023 rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies: an organization must describe its process for assessing and managing material cyber risk and disclose material incidents promptly, and it cannot assess or disclose what it does not know it owns. Organizations may face financial penalties or lawsuits over breaches linked to exposed subdomains.

Get a Clear Picture of Your External Attack Surface with ZeroFox

Implementing a comprehensive external attack surface discovery and management strategy, leveraging advanced methods, can significantly reduce the risk of overlooking valuable digital assets. 

The ZeroFox external cybersecurity platform combines the power of AI, full-spectrum intelligence services, and takedown and incident response capabilities. Our External Attack Surface Management (EASM) solution adds powerful continuous discovery, identification, and inventory capabilities to protect your expanding external attack surface, including:

  • Discover and inventory digital assets
  • Visualize your external digital risk from one view
  • Analyze and prioritize exposures and vulnerabilities
  • Combat asset sprawl and shadow IT
  • Detect data leakage
  • Reduce the risk of phishing and social engineering attacks
  • Adhere to regulatory compliance requirements

Are you serious about detecting forgotten digital assets? Learn how ZeroFox's EASM asset discovery methods can help. Contact us today to uncover and protect unknown exposures, including forgotten subdomains, in your external attack surface.

Kelly Kuebelbeck

Senior Product Marketing

Kelly Kuebelbeck is a dedicated threat researcher with a strong passion for understanding and combating cybercrime. She has over 15 years of marketing experience in cybersecurity, IoT risk management, and healthcare technology management. As a senior product marketer at ZeroFox, Kelly oversees EASM (External Attack Surface Management) breach prevention technologies, develops product content, and supports product launches. Before joining ZeroFox, she held marketing leadership positions at Asimily, Smarten Spaces, and Accruent.

Tags: Cyber Trends, External Attack Surface Management
