Subdomain Takeover Through Simple Yet Serious Attack
March 3, 2017 1840
Hackers are always finding new ways to get into your application, email or web server.
Most hacking attempts are automated while fishing for known vulnerabilities such as outdated WordPress plugins, old application codes, etc... On the other hand sophisticated attacks are more one on one laser targeted to companies with large customer base such as brands. Regardless of your attack or company type, getting hacked can result serious downtimes, private data breach and in some cases domain name hijacking.
The fact that some large scale attacks are automated, simple, non-traceable and affect lots of websites does not surprise us. What eggs us as Cyber Security professionals is how preventible such hacks could have been since it's mostly due to human negiligence. In this article we will cover subdomain takeover by hackers.
First, what is subdomain? A subdomain is a variation or forwarder address derived from your root domain name, such as help.yourdomainname.com. Your IT department, web master or you usually set subdomains for use with 3rd party services such as helpdesk applications, calendar or mail apps, and sometimes used to host a micro website.
When subdomains are setup, the DNS settings are configured and forwarded to a 3rd party service or server. That all works well until you stop using such services. In most cases website owners or web masters fail to remove the DNS entries from the domain name settings leading to a serious yet simple subdomain takeover hack attack.
The Attack Scenario
So how does this work in real life scenario. Your company decides to start using 3rd party service such as external customer support ticketing service.
Your IT department, web master or you point a subdomain, let's say support.domainname.com to the support ticketing service.
Now, for whatever reason your company decided to stop utilizing this service, cancels it but fail to remove the subdomain redirection pointing to the ticketing service.
Hackers find out that your subdomain is offline but still offers active redirects to the ticketing service - signs up for the same service and claims the subdomain as their own! As this subdomain is already setup and verified previously, no additional verification will be required for the new account created by the hacker.
Your attacker clones your website, create login pages, redirect your users to login to the subdomain - yes they can email your user-base in some cases - and in turn steal thier password credentials. This will lead to large scale hacking and in turn create a bad business credibility for your company data handling and security practices.
The Danger of Such Hacks
Unfortuantlty it is very easy to sign up for a new account and claim a subdomain while you, as a domain owner, have no idea what's taking place until it's too late!
A worst scenario can include a * (wildcard) DNS entry like for Heroku-apps or Amazon services, which basically open the door to claim any subdomain whether previously used or new. Well that's a major exploit!
These precautions and recommendation can help you stay safe:
- Keep a log of all 3rd party serivces used and its subdomains
- Periodically check your subdomains DNS configuration
- Update your company's standard operating procdedure (SOP) to immediately delete subdomain redirects when you cancel such 3rd party service
- Secure your domain name access credentials, update your password every 90 days, and document who has access to it
Our best advice though is to have a company like eLab Communications manage your domain name services which offers periodic checks on your DNS entries, as part of your yearly Service Level Agreements. Regardless of how you handle your cyber security, give the dough to the breadmaker and don't have your next door neighbour manage that for you!
For more information, contact our Cyber Security Team at 888.624.8321.