Subdomain Takeovers And What You Can Do To Protect Your Site

22 Mar 2024


Out of the many cyberattacks that threaten modern website security, subdomain takeovers are among the most significant, yet they continue to be overlooked. In this digital age, organisations commonly use multiple subdomains to differentiate between their audiences or separate one online business function from another. However, as mentioned, this approach can expose businesses to cyberattacks if it is improperly managed.

Subdomain takeover defined

Before we can understand this cyberattack, we must first learn what a domain is in the context of a domain name system (DNS) and how threat actors can exploit it. A domain is a website's main web address, like "yourbusiness.com," and it is also referred to as a "top-level" domain name.

This primary domain is the URL visitors input into their browser to access a business's home page, and they are essentially telling their web browser to access a specific server on the internet and access the contents stored in a top-level folder on that server.

A subdomain is just another different top-level folder on that same server or sometimes on a different server. That is why browsers treat subdomains as completely different websites, as the information stored on a subdomain is not accessible from the primary domain and vice versa.

Now, a subdomain takeover simply involves an attacker exploiting and controlling a vulnerable subdomain. This typically occurs when a subdomain points to an external service like a cloud provider as part of the DNS configurations, and that service is no longer active or misconfigured.

Hackers can then claim that the DNS entry for the target subdomain remains intact and the service it points to becomes available for registration. They can then turn that subdomain into a launchpad for deploying malicious content, phishing campaigns, and other cyberattacks.

A few common scenarios of subdomain takeovers include:

● Orphaned services: A company creates an app on its main website using the subdomain "marketing.brand.com" to host a promotional campaign. Now, if the DNS configuration remains unchanged once the campaign ends, attackers can take advantage of this oversight and gain control of the subdomain.

● Expired third-party accounts: Organisations may rely on third-party platforms like GitHub or AWS for their web applications. If their account on these platforms expires yet the DNS still points there, it then turns into a potential attack vector.

● Migration oversights: Old subdomains typically get overlooked when performing website migrations. Suppose an organisation switches to a different hosting provider but fails to audit all its subdomain configurations during migration. In that case, some subdomains may continue pointing to the old (and potentially unclaimed) hosting service.

Best practices to prevent subdomain takeovers

Subdomain takeover attacks can lead to dire consequences ranging from reputational damage and customer data theft to chain attacks. The last one is particularly severe, as a compromised domain can become a springboard for more cyberattacks targeting other parts of a company's IT infrastructure. So, to guarantee the safety of your subdomains, here are some strategies you should incorporate into your website security programme.

1. Routinely audit and clean DNS records

Proactively reviewing and auditing DNS records ensures your domain remains accurate, secure, and configured correctly. During this process, be thorough in updating or removing outdated subdomain entries that point to unused third-party services to prevent your subdomains from becoming vulnerable to exploitation. Also, it is crucial to focus specifically on the canonical name or CNAME records, as they are responsible for directing a subdomain to another target domain or service.

2. Domain registrar locking

One way to further protect your online assets from unauthorised access is to leverage the domain-locking features that many domain registrars now offer. As you may have guessed, domain locking prevents unauthorised modifications to your DNS settings. Pair this with activating MFA for your domain registrar account, and it becomes incredibly difficult for hackers to carry out a potential subdomain takeover.

3. Monitor third-party services

Using third-party services like hosting providers, Content Delivery Networks, or cloud platforms for your subdomains comes with the responsibility of making sure that these services are always properly configured. Moreover, stay on top of the expiry of your accounts or trial periods with these services, as any lapses could direct your subdomain to unclaimed addresses and leave it vulnerable to breaches.

4. External Attack Surface Management (EASM)

EASM plays a crucial role in defending against subdomain takeovers, one that necessitates organisations to focus on. This is because one of the primary features that contribute to its purpose of identifying vulnerabilities before they get exploited is to detect abandoned misconfigured subdomains. EASM solutions proactively uncover these weak points and bring attention to them so they get resolved immediately.

Conclusion

Subdomains are one of the many digital assets that an organisation has at their disposal. And just like the rest, they need to be protected and accounted for to maintain the integrity of the business's online presence and keep avoidable risks like subdomain takeovers at bay.

As organisations focus more on the bigger threats that emerge day by day, it is natural to overlook the less important yet just as harmful security risks like subdomain takeover attacks. By working with GROUP8, you can ensure all your bases are covered as our tried-and-true cybersecurity services in Singapore encompass the entire ecosystem, ranging from data loss prevention and blockchain security to VAPT in Singapore. To learn more about our other solutions, feel free to contact us at hello@group8.co at any time.