Subdomains and Subdomain Takeovers: How to Boost Your Cybersecurity

Subdomain takeovers may not make the headlines that much anymore, but that doesn’t mean they no longer pose a serious threat to any corporate website. Remember when a hacker defaced Donald Trump’s fundraising site back in 2017? A subdomain takeover attack made that possible.

This post tells you more about the role subdomains play in cybersecurity by taking a look at subdomain takeovers, how they work, and how to avoid becoming a victim.

What Is a Subdomain Takeover?

A subdomain takeover occurs when a threat actor seizes control of a subdomain of a target domain. In more technical terms, this means taking control of a Domain Name System (DNS) record that still points to a webpage the organization has deleted but may have forgotten about, known as a “dangling DNS entry.” It typically affects companies that regularly create and delete pages from their websites.

Subdomain takeovers allow cyber attackers to redirect traffic meant to go to an organization’s website to a malicious site.

What Risks Does a Subdomain Takeover Pose?

Subdomain takeovers can lead to negative consequences, such as:

  • Loss of control over a page’s content: This happened to Trump’s fundraising page. And should it affect your corporate page, your organization may have to deal with negative press about being unable to secure its content. And that could lead to brand damage and loss of customer trust.
  • Site visitor cookie harvesting: This can occur if the hackers redirect an affected page’s visitors to a website specially crafted to harvest their browser cookies. Users who save login credentials in their browsers would then be susceptible to personal information theft and even identity theft.
  • Phishing: This happens when threat actors point the subdomains they’ve taken over to legitimate-looking login pages designed to steal visitors’ username-password combinations. The risk is exacerbated for users who reuse login credentials across several accounts.

How Do You Avoid Becoming a Victim of a Subdomain Takeover?

A subdomain takeover, as you’ve seen above, can cause severe reputational damage. But such a consequence is avoidable if organizations follow these best practices:

  • Keep dangling DNS entries out: Audit your DNS records regularly. If you often delete pages from your site, make sure you also decommission all the DNS entries that point to them. Practice good DNS hygiene by ensuring none of your DNS records point to pages other than those that belong to your website.
  • Set up firewalls: While most companies already employ firewalls for their domains, some may forget to do the same for subdomains. To sufficiently defend against subdomain takeovers, you must configure your firewall to cover all of your web properties, including those spread across a multisystem environment.
  • Take note of all subdomains: It might be hard to keep track of all the pages and subpages on your site, especially if you have hundreds or even thousands of them. But keeping a log of all your web properties can help you monitor for and prevent subdomain takeovers. Take it to the next level: add subdomain monitoring to your cybersecurity strategy. You can use a tool like https://subdomains.whoisxmlapi.com/ to check whether threat actors are misusing or abusing your brand names by appending them to subdomains pointing to malicious sites.
  • Give subdomains uncommon names: We get it. Remembering which domain name points to which page can be challenging. That’s why companies often assign domain names containing a specific application’s name for easier recollection, such as marketo[.]productpage[.]companyname[.]com. While there’s nothing wrong with that, the practice also tells threat actors what application the page uses, making it easier to find a corresponding exploit. An ideal subdomain would be mkt[.]productpage[.]companyname[.]com, which doesn’t give away the application it’s for from the get-go. Giving specific apps nicknames like “mkt” for “marketo,” in the example’s case, can help. Distributing the list of approved nicknames to users can ease the memorization process as well.
  • It pays to be strict: In organizations, the adage, “Rules are meant to be broken,” shouldn’t apply. But not all employees can remember all the office guidelines all the time. Enforce strict rules on creating and using subdomains. Share them with all teams and stringently implement them.
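The first and third practices above (audit your DNS records, keep an inventory of your subdomains) can be turned into a routine check. The script below is an added example written for this post, not code from the original article or from WhoisXML API: it walks an inventory of DNS records and flags every CNAME whose target no longer resolves, which is the textbook “dangling DNS entry” from the definition earlier. The record set and the set of “currently resolvable” names are constructed sample data; the resolver is injectable so the same logic can run offline against that sample or live against the operating system’s resolver.

```python
"""Dangling-DNS audit: flag subdomains whose CNAME target no longer resolves.

Added example, not from the original post. All sample data below is
constructed; swap SAMPLE_RECORDS for an export from your DNS provider.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory: subdomain -> (record type, target).
# In practice this is the output of your subdomain log / zone export.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "www.example.com":       ("A",     "203.0.113.10"),
    "blog.example.com":      ("CNAME", "blog-host.example.net"),
    "old-promo.example.com": ("CNAME", "retired-campaign.example.net"),
    "mkt.example.com":       ("CNAME", "live-marketing.example.net"),
}

# Constructed view of which names still exist "on the internet".
# Only the offline resolver consults this; real runs use live_resolves().
SAMPLE_RESOLVABLE = {
    "blog-host.example.net",
    "live-marketing.example.net",
}


def live_resolves(name: str) -> bool:
    """Real DNS lookup through the OS resolver (used outside tests)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def offline_resolves(name: str) -> bool:
    """Offline stand-in for live_resolves() backed by the constructed set."""
    return name in SAMPLE_RESOLVABLE


def find_dangling(
    records: Dict[str, Tuple[str, str]],
    resolves: Callable[[str], bool] = live_resolves,
) -> List[str]:
    """Return the subdomains whose CNAME target does not resolve (NXDOMAIN).

    Only CNAME records are checked: a CNAME that still sits in your zone but
    points at a name that is gone is exactly the entry an attacker looks for.
    A records are skipped here; whether an IP is still yours needs an
    inventory of your own address space, not a DNS lookup.
    """
    dangling = []
    for subdomain, (rtype, target) in records.items():
        if rtype.upper() != "CNAME":
            continue
        if not resolves(target.rstrip(".")):
            dangling.append(subdomain)
    return sorted(dangling)


def audit_report(
    records: Dict[str, Tuple[str, str]],
    resolves: Callable[[str], bool] = live_resolves,
) -> List[str]:
    """One line per record, so the whole inventory is visible in one pass."""
    dangling = set(find_dangling(records, resolves))
    lines = []
    for subdomain, (rtype, target) in sorted(records.items()):
        status = "DANGLING - decommission or re-point" if subdomain in dangling else "ok"
        lines.append(f"{subdomain:24} {rtype:5} {target:30} {status}")
    return lines


if __name__ == "__main__":
    # Offline demonstration on the constructed data; use live_resolves for a real zone.
    for line in audit_report(SAMPLE_RECORDS, offline_resolves):
        print(line)
```

Run it as-is to see the constructed zone audited offline; point `find_dangling` at your real export with the default `live_resolves` to check a live zone. A name the script reports is not automatically exploitable (that depends on whether the provider lets a stranger claim the released target), but every one of them is a record you no longer need and should remove or re-point, which is the hygiene the post asks for.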

Subdomains are essential to keep websites organized and easy to navigate, but they can also be weak points. Use them but make sure you secure them.