What is a hostile subdomain takeover?
A hostile subdomain takeover is a situation in which an attacker gains control of an official subdomain of a company and uses it to carry out attacks such as setting up a phishing website, serving malicious content or stealing cookies, among others. Because the content is served from a third-party provider the company stopped using, the domain owner typically has no idea this has happened, and little trace of it shows up in the owner's own infrastructure.
How does it happen?
1. A subdomain becomes susceptible to a hostile takeover when it points to an external service that is no longer in use, while the CNAME record that directed traffic to that service is still present in the company's DNS zone.
2. Attackers find such vulnerable subdomains using various techniques and tools.
3. Once a target subdomain is identified, the attacker signs up with the same provider and claims the resource name the CNAME still points to, which gives them control of what the subdomain serves.
4. The attacker is now ready to carry out an attack or serve malicious content on the subdomain.
Step by step, from the domain owner's side:
1. You set up a new external service, such as cloud storage or an eCommerce solution, and create a CNAME record so that your subdomain (e.g. ecommerce.acme.com) points users to the new service.
What is a CNAME?
A CNAME record (Canonical Name) is a type of DNS entry that, among other uses, lets you point your subdomain at another domain name, effectively making it an alias. It is typically used to direct users from your subdomain to a specific third-party cloud service, using the hostname that provider assigned to your resource.
2. You decide to replace the service provider (or shut the service down) but forget to remove the CNAME from your DNS zone, so the subdomain keeps directing traffic to the old provider's hostname even though your resource there no longer exists.
This is what a page vulnerable to a takeover looks like:
An abandoned subdomain connected to a Microsoft Azure Web App
An abandoned subdomain connected to GitHub
3. This is where your part is over and the attackers come in. Attackers have various ways to hunt for abandoned subdomains. Once such a page is detected, they can sign up with the provider and claim the resource name as theirs, while the domain owner has no idea. Many providers perform no ownership verification beyond checking that a CNAME points at them, and the CNAME set up in your DNS already does exactly that.
4. The attackers have now gained control of this subdomain and can leverage it to carry out a wide range of attacks.
What are the risks?
The risks may vary depending on the service that is connected to the subdomain but there is no shortage of options that attackers can choose from:
- Host phishing pages, send phishing emails that appear to come from the legitimate domain, and harvest login credentials.
- Obtain TLS certificates for the hijacked subdomain (domain-validated issuance only requires control of what the name serves, which the attacker now has) to increase the credibility of the phishing site.
- Serve spam ads, as in a case earlier this year where spammers hijacked Microsoft subdomains to advertise poker casinos.
- Steal cookies: a cookie set with Domain=acme.com is sent to every subdomain, including the hijacked one.
- If the subdomain is whitelisted, for example as a trusted script source in a Content Security Policy, attackers can bypass platform policies and execute client-side code in the application.
- If the subdomain is whitelisted as an OAuth redirect URI, attackers can redirect users to it during the OAuth flow and capture their authorization codes or tokens for later use.
- Carry out cross-site scripting (XSS) and session hijacking attacks.
- Leverage the hijacked subdomain to bypass CSRF and CORS protections that trust any origin under the parent domain.
This is of course in addition to destroying the business credibility of the company that owns the domain.
In some cases companies "get lucky" and the abandoned subdomains are discovered by researchers who report them. The damage is relatively mild and ends in a bounty paid out to the finder and a headline in the news. This was the case for Starbucks and Electronic Arts last year.
In other cases the damage is much worse. It was reported earlier this month that 240 subdomains belonging to well-known organizations, including Chevron, 3M, Getty Images, Hawaiian Airlines, Arm and many others, were hijacked and redirected visitors to malware, online gambling and other unexpected content.
Companies are not the only target for such attacks. In 2017, Donald Trump's presidential campaign fundraising site suffered a hostile takeover in which the attacker who took over the site defaced it and posted various messages and images.
How to avoid subdomain takeovers?
If you are the domain owner there are several steps you can take:
- Review your DNS entries and remove all records that still resolve but are no longer in use, especially those pointing to external services. Make sure the stale CNAME record is actually deleted from the DNS zone, not just the account at the provider.
- Be careful with wildcard records (*.acme.com): every name under the wildcard resolves to the target, so if it points at an external service, make sure that service is configured to claim those names for you, or do not point wildcards at third-party services at all.
- Don't forget the "off-boarding": add "DNS entry removal" to your decommissioning checklist, and remove the DNS record before deleting the resource it points to.
- When creating a new resource, make the DNS record creation the last step in the process, so the record never points at a resource that does not exist yet.
- Continuously monitor your DNS entries and ensure there are no dangling DNS records (CNAMEs whose target no longer resolves, or resolves to a provider page saying the resource is unclaimed).
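A dangling-CNAME checker, as an added example (not Reposify's product code and not from the original page), that implements the two conditions described under "How does it happen?" and the monitoring bullet above: follow each subdomain's CNAME chain, flag chains that end in NXDOMAIN, and flag chains that resolve to a known provider whose response says the resource is unclaimed. The resolver and HTTP fetcher are injected so the example runs offline against constructed DNS data; the provider suffix table, the fingerprint string and the acme.com names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed tables (illustrative, maintained by hand in practice): provider
# suffixes whose unowned names can often be registered by anyone, and body
# fragments those providers return for a name nobody has claimed.
PROVIDER_SUFFIXES = {".azurewebsites.net": "Azure Web App", ".github.io": "GitHub Pages"}
UNCLAIMED_FINGERPRINTS = {"GitHub Pages": "There isn't a GitHub Pages site here"}


class NxDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""


Resolver = Callable[[str], Optional[str]]  # name -> CNAME target, None if it has A/AAAA records
Fetcher = Callable[[str], str]             # hostname -> HTTP body served at that hostname


@dataclass
class Finding:
    name: str
    chain: List[str]         # names visited, starting with the subdomain itself
    provider: Optional[str]  # known provider at the end of the chain, if any
    status: str              # "ok", "nxdomain", "unclaimed" or "loop"

    @property
    def dangling(self) -> bool:
        return self.status != "ok"

    @property
    def takeover_candidate(self) -> bool:
        # dangling AND ending at a provider where the name can be re-registered
        return self.status in ("nxdomain", "unclaimed") and self.provider is not None


def provider_for(host: str) -> Optional[str]:
    host = host.rstrip(".").lower()
    return next((p for s, p in PROVIDER_SUFFIXES.items() if host.endswith(s)), None)


def check_subdomain(name: str, resolve: Resolver, fetch: Fetcher, max_hops: int = 8) -> Finding:
    chain, current = [name], name
    for _ in range(max_hops):
        try:
            target = resolve(current)
        except NxDomain:
            # Chain ends at a name nobody owns any more: the classic dangling CNAME.
            return Finding(name, chain, provider_for(current), "nxdomain")
        if target is None:
            break  # current has address records, so the chain is complete
        if target in chain:
            return Finding(name, chain + [target], None, "loop")
        chain.append(target)
        current = target
    else:
        return Finding(name, chain, None, "loop")  # hop limit hit; treat as broken
    provider = provider_for(current)
    fingerprint = UNCLAIMED_FINGERPRINTS.get(provider or "")
    if fingerprint and fingerprint in fetch(name):
        return Finding(name, chain, provider, "unclaimed")  # DNS intact, resource unowned
    return Finding(name, chain, provider, "ok")


# Constructed sample data standing in for DNS and HTTP. NxDomain marks a name
# that no longer exists (a deleted Azure app, an expired vendor domain).
SAMPLE_ZONE = {
    "ecommerce.acme.com": "old-shop.azurewebsites.net",
    "old-shop.azurewebsites.net": NxDomain,
    "docs.acme.com": "acme-docs.github.io",
    "acme-docs.github.io": None,            # still resolves to GitHub's servers
    "legacy.acme.com": "shop.defunct-vendor.example",
    "www.acme.com": None,
    "loop.acme.com": "alias.acme.com",
    "alias.acme.com": "loop.acme.com",
}
SAMPLE_BODIES = {"docs.acme.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"}


def sample_resolve(name: str) -> Optional[str]:
    target = SAMPLE_ZONE.get(name, NxDomain)
    if target is NxDomain:
        raise NxDomain(name)
    return target


def sample_fetch(host: str) -> str:
    return SAMPLE_BODIES.get(host, "")


def scan(names, resolve: Resolver = sample_resolve, fetch: Fetcher = sample_fetch) -> List[Finding]:
    return [check_subdomain(n, resolve, fetch) for n in names]


if __name__ == "__main__":
    for f in scan(sorted(n for n in SAMPLE_ZONE if n.endswith(".acme.com"))):
        flag = "TAKEOVER?" if f.takeover_candidate else ("dangling" if f.dangling else "ok")
        print(f"{flag:9} {f.name:20} {f.status:9} {' -> '.join(f.chain)}")
```

To run this against real DNS, pass a resolver built on dnspython (`dns.resolver.resolve(name, "CNAME")`, mapping `dns.resolver.NXDOMAIN` to `NxDomain` and `dns.resolver.NoAnswer` to `None`) and a fetcher that requests the name over plain HTTP, since an unclaimed resource rarely presents a valid certificate for your hostname. Note that `legacy.acme.com` is reported as dangling but not as a takeover candidate: the target is not a known provider, but an expired vendor domain can be re-registered too, so such findings still deserve a look.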
If you are the service provider - it's time to acknowledge the risk of subdomain takeovers and apply stricter requirements around domain verification and proof of ownership.
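For the provider side, as an added example (not any real provider's implementation): a minimal binding flow in which a custom hostname is attached to an account only after a token issued to that account appears in a TXT record under the customer's own zone. An attacker who finds the dangling CNAME can request the hostname but cannot publish anything under acme.com, so the bind fails. The label `_service-verify`, the account names and the acme.com hostname are assumptions, and the DNS lookup is injected so the scenario runs offline.

```python
import hmac
import secrets
from typing import Callable, Dict, Iterable, Tuple

TxtResolver = Callable[[str], Iterable[str]]  # name -> TXT strings, empty if none
VERIFY_LABEL = "_service-verify"              # assumed label; real providers pick their own


class HostnameBindings:
    """Binds custom hostnames to accounts only after proof of DNS control."""

    def __init__(self, resolve_txt: TxtResolver) -> None:
        self._resolve_txt = resolve_txt
        self._pending: Dict[Tuple[str, str], str] = {}  # (account, hostname) -> token
        self._bound: Dict[str, str] = {}                 # hostname -> account

    def request(self, account: str, hostname: str) -> str:
        """Issue a fresh per-account token the customer must publish as a TXT record."""
        token = secrets.token_urlsafe(32)
        self._pending[(account, hostname.lower())] = token
        return token

    def _published(self, hostname: str, token: str) -> bool:
        # Query a label inside the customer's own zone. The bare hostname is a
        # CNAME to the provider, so a TXT lookup there follows the alias and
        # would prove nothing about who controls acme.com.
        expected = f"verify={token}".encode()
        records = self._resolve_txt(f"{VERIFY_LABEL}.{hostname}")
        return any(hmac.compare_digest(r.encode(), expected) for r in records)

    def bind(self, account: str, hostname: str) -> bool:
        """Bind only if this account's own token is visible in the customer's DNS."""
        hostname = hostname.lower()
        token = self._pending.get((account, hostname))
        if token is None or not self._published(hostname, token):
            return False
        if self._bound.get(hostname, account) != account:
            return False  # already bound elsewhere; never silently re-point it
        del self._pending[(account, hostname)]  # tokens are single-use
        self._bound[hostname] = account
        return True

    def owner(self, hostname: str):
        return self._bound.get(hostname.lower())


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: ecommerce.acme.com already CNAMEs to the provider."""
    zone_txt: Dict[str, list] = {}  # stands in for acme.com's DNS zone
    bindings = HostnameBindings(lambda name: zone_txt.get(name.lower(), []))

    # An attacker requests the name but cannot write to acme.com's zone.
    bindings.request("attacker", "ecommerce.acme.com")
    attacker_bound = bindings.bind("attacker", "ecommerce.acme.com")

    # The real owner requests a token and publishes it in their own zone.
    owner_token = bindings.request("acme-inc", "ecommerce.acme.com")
    zone_txt["_service-verify.ecommerce.acme.com"] = [f"verify={owner_token}"]
    owner_bound = bindings.bind("acme-inc", "ecommerce.acme.com")

    # The attacker retries now that a token is published; it is not theirs.
    attacker_retry = bindings.bind("attacker", "ecommerce.acme.com")
    return attacker_bound, owner_bound, attacker_retry


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The token is compared in constant time and is per account, so publishing someone else's token proves nothing; a hostname already bound to another account is never re-pointed without that account's involvement.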
How can reposify help?
Manually trying to stay on top of all your subdomains and checking your DNS entries is not only time consuming but also error prone. Automatically monitoring your domains and subdomains for potential vulnerabilities is the better approach.
Reposify's attack surface management platform detects and alerts you to subdomains vulnerable to takeover, in addition to many other security issues.
By leveraging various techniques, the platform automatically discovers all of your and your subsidiaries' domains and subdomains, including unknown and legacy ones that might be managed by your third-party vendors. Next, it detects whether these are vulnerable to a takeover, among other security issues, and delivers the insights and remediation guidance you need to quickly eliminate these risks.
Want to make sure you don't have any unknown subdomains that might be vulnerable to a hostile takeover? Get your free attack surface snapshot today.