From Trusted to Targeted: The Unseen Dangers of Subdomain Hijacking on DNS Security

Domain Discovery
6 min read · Mar 4, 2024


The exploitation of legitimate subdomains is on the rise, compromising Namespace Security, damaging brands, and generating millions in losses. Domain names, email addresses, and social media handles are definitive marks of an organisation’s authenticity. When these digital identifiers are compromised the fallout can be devastating. The recent SubdoMailing ad fraud campaign is a case in point. Compromising over 8,000 legitimate internet domains and 13,000 subdomains, this campaign has been using them to send a staggering number of spam emails — up to 5 million per day. Its success hinges on the exploitation of abandoned subdomains and domains of reputable companies. As these domains belong to trusted companies, they are able to bypass spam filters and can take advantage of email policies configured to tell secure email gateways that the emails are legitimate.

A large number of global brands and public sector bodies have fallen victim to this particular attack including MSN, VMware, McAfee, CBS, Unicef, and eBay. Namespace attacks on the DNS not only happen regularly, but are also becoming increasingly common.

These incidents occur outside the organisation’s firewalls, leaving brands unaware that they are being targeted, because their existing security systems cannot detect the misuse. These Corporate Identity hijacks operate in a different realm — one that is outside of the monitored corporate environment. DNS integrity attacks, including covert domain-level manipulations, divert users to malicious content before they reach the organisation’s security defences.

It’s all a matter of trust

Many people are now somewhat savvy to emails containing tempting offers from a global brand or threatening rhetoric from a government department when they are received from a suspicious-looking email address. However, this is not the case when the sender’s email or web address appears to be (and indeed is) genuine but has been hijacked by someone with criminal intent.

This fact alone highlights the urgency and importance of securing these exploitable digital identifiers in your Namespace. Online, a business’s name is synonymous with its credibility and underpins every interaction it has. If a business name is compromised, its hard-won reputation is rapidly ruined and revenues are affected.

So digital identifiers, such as domain names, email addresses and social media handles, are not just technical digital assets, they are an organisation’s trust anchor online.

Managing growing DNS namespaces is key

Due to the global movement towards digital transformation, the use of subdomains is exploding. There are now billions of subdomains in the wild. However, the Domain Name System (DNS), despite being a foundational internet protocol, is over 40 years old and was never designed with security in mind. Its application has dramatically shifted from its initial intent, now serving as a vital component of brand trust. A company’s domain name acts as a primary indicator of its authenticity to stakeholders.

The DNS has become the cornerstone of brand trust, with a company’s Domain Name being what stakeholders rely on to provide the initial verification of a brand’s authenticity. As digital landscapes grow more complex, the proliferation of subdomains within organisations has surged. It’s common for companies to operate hundreds of thousands, if not millions, of these digital touchpoints, which are frequently overlooked and almost always undermanaged.

There’s a widespread lack of awareness within organisations about the extent of their digital identifiers, and unclear accountability for their management. The responsibility for overseeing these critical digital assets is often distributed among technical teams, such as system administrators who handle domain name settings, as well as marketing, legal departments, and external vendors. This fragmentation of responsibility and management often leads to perilous oversights.

What is namespace security?

Namespace Security, the practice of securing and managing Digital Identifiers, is often seen as a technical issue, but it is not that straightforward. It’s an asset management challenge spanning departments, subsidiaries, suppliers, and involves significant life cycle management components, necessitating cross-functional collaboration for effective oversight. And while it is common for organisations to manage their inventory of physical assets such as computers, laptops and mobile devices, and to a lesser extent software installations, managing inventories for digital identifiers is almost unheard of.

For organisations, effectively managing their vast numbers of digital identifiers is a daunting task. Domain names and, in particular, subdomains are frequently created in a sporadic and decentralised manner. Importantly, there is a lack of centralised tools available to perform lifecycle management on these decentralised assets. For an established business, simply discovering the vast numbers of digital identifiers it is responsible for is a significant challenge; couple this to the task of managing them manually on a daily basis and it isn’t surprising that the majority of companies simply let sleeping dogs lie. However, this strategy is a ticking time bomb for brand owners that is just waiting to go off.

Domain names are valuable brand assets

To stay secure for the long-term, it’s crucial to view these digital identifiers not just as technical details, but as critical and valuable brand assets.

The most serious compromise is the “Full Digital Identifier Compromise”. This is when someone has “Absolute control over an organisation’s domain name identity.” This is what happened in many instances of the SubdoMailing attack described above. A malicious entity took over the legitimate identity of a number of major brands to perpetrate fraud. This is not simple impersonation; the attacker held legitimate credentials that could prove to prospective victims that the mail really came from the major brand it claimed to.

These namespace vulnerabilities occur due to a lack of visibility over a corporate namespace and poor or non-existent lifecycle and security management.

Due to its enormous size, and the fact that it is self managed by those using it, the DNS is just too good at burying issues in plain sight until someone exploits them. Paul Mockapetris, Jon Postel, and other Internet pioneers crafted the DNS with exceptional foresight, creating an ultra-resilient system. This resilience, while ensuring continuous operation, also masks vulnerabilities until exploited, making DNS a repository for hidden issues, only noticeable to those with detailed insight.

A complete identity compromise facilitates the creation of unlimited authentic resources like websites, email systems, CRM, HR platforms. This allows for the establishment of a “shadow version” of a business that not only seems legitimate but is, for all intents and purposes, verifiably genuine.

What can you do?

Ensuring the security of your digital identifier assets is crucial and requires implementing appropriate lifecycle management practices. For domain names, this encompasses establishing protocols for the creation, maintenance, and eventual decommissioning of domains and subdomains. Decommissioning doesn’t necessarily equate to deletion — refer to the UK NCSC’s guidance on “Protecting parked domains for the UK public sector” for further insights.

Breaches in Namespace Security can extend into the Domain Name Supply Chain, where vulnerabilities may lie outside a company’s direct control, leaving no visibility or trace in a post-incident analysis.

Supply Chain Compromise / account breach — examples include the breach of X (formerly known as Twitter) accounts like @SECgov and others.

Subdomain misconfigurations (such as dangling or misconfigured CNAME and MX records) attract malicious actors and bug bounty hunters because of the range of vulnerabilities they expose — a risk that applies to all DNS records, including Mail Exchanger (MX) and SPF records.
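The stale references this paragraph describes, and the SPF mechanism the SubdoMailing section relies on, can be found by routinely auditing a zone export for names that no longer resolve. The script below is an added example written for this article, not code from the original post or from NodeZro: it parses a small BIND-style zone (constructed here, using reserved example names), extracts every name the zone delegates trust to (CNAME targets, MX hosts, and SPF `include:`/`redirect=` domains) and reports those the resolver answers NXDOMAIN for. The `constructed_resolver` table stands in for live DNS so the example runs offline; in practice that callable would wrap a real lookup. An NXDOMAIN target is an indicator to investigate and clean up, not proof of takeover.

```python
"""Offline audit of a DNS zone export for dangling references.

Added example (not from the article or NodeZro).  Flags CNAME targets,
MX hosts and SPF include:/redirect= domains whose names no longer resolve,
i.e. the stale delegations the article describes.  The zone text and the
resolver answers are constructed for the demonstration.
"""
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample zone (BIND-style). All names are reserved example names.
SAMPLE_ZONE = """
$ORIGIN example.com.
@        3600 IN MX    10 mail.example.com.
@        3600 IN TXT   "v=spf1 include:_spf.mailvendor.example include:old-esp.example -all"
www      3600 IN A     192.0.2.10
shop     3600 IN CNAME storefront.retired-saas.example.
blog     3600 IN CNAME blog-hosting.example.
mail     3600 IN A     192.0.2.25
"""

# Constructed resolver answers: names that still exist. Absent names model NXDOMAIN.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "mail.example.com": "192.0.2.25",
    "blog-hosting.example": "203.0.113.5",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # storefront.retired-saas.example and old-esp.example are missing -> NXDOMAIN
}

Resolver = Callable[[str], Optional[str]]


def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in for a live lookup; replace with a real resolver in production."""
    return CONSTRUCTED_ANSWERS.get(name.rstrip(".").lower())


# owner [ttl] [IN] type rdata  -- only the record types that delegate trust
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(CNAME|MX|TXT)\s+(.+)$", re.I)


def parse_zone(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rtype, rdata) for CNAME, MX and TXT records, owners fully qualified."""
    origin = ""
    records: List[Tuple[str, str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                                 # A/AAAA/etc. carry no delegation
        owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3).strip()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.rstrip("."), rtype, rdata))
    return records


def external_references(records: List[Tuple[str, str, str]]) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, kind, target) for every external name a record trusts."""
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            yield owner, "CNAME", rdata.rstrip(".")
        elif rtype == "MX":
            yield owner, "MX", rdata.split()[-1].rstrip(".")   # rdata is "pref host"
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            for tok in rdata.strip('"').split():
                low = tok.lower()
                if low.startswith("include:") or low.startswith("redirect="):
                    sep = ":" if low.startswith("include:") else "="
                    yield owner, "SPF", tok.split(sep, 1)[1].rstrip(".")


def find_dangling(zone_text: str, resolver: Resolver) -> List[Tuple[str, str, str]]:
    """Return references whose target does not resolve (candidate dangling records)."""
    return [(owner, kind, target)
            for owner, kind, target in external_references(parse_zone(zone_text))
            if resolver(target) is None]


if __name__ == "__main__":
    for owner, kind, target in find_dangling(SAMPLE_ZONE, constructed_resolver):
        print(f"DANGLING {kind:5} {owner} -> {target}")
```

Run against the constructed zone it reports the `shop` CNAME pointing at a retired SaaS hostname and the SPF `include:` of a defunct email provider, while the MX host and the live CNAME pass. Scheduling this over real zone exports gives the lifecycle visibility the article argues for; the SPF case is worth the extra check because the record at the apex is what tells receiving gateways the mail is authorised.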

The absence of comprehensive lifecycle management and limited control over supply chains can lead to domain names linking to obsolete services or defunct providers.

In essence, safeguarding corporate digital identifiers is not merely an IT issue; it is a fundamental business priority.

It centres on preserving the brand’s reputation, ensuring operational stability, and upholding stakeholder confidence. It’s not just about preventing security breaches; it’s about sustaining the trust and integrity stakeholders have in brands and organisations.

About NodeZro

The founders of NodeZro, a team of IT Security, DNS and Domain Industry experts, drawn from the public and private sectors, identified the problems with managing large namespaces. They devised an enterprise grade solution to discover, analyse, fix and manage namespace vulnerabilities including threats to subdomains. Governments and Businesses use NodeZro to minimise their risks of namespace threats such as subdomain takeovers and other equally devastating attacks.

If you want to master your digital identifier security and protect your brand from online threats, you need NodeZro. NodeZro is the leading provider of namespace security solutions, offering unparalleled insights and actionable intelligence. NodeZro helps brands discover, manage, and secure their digital assets, ensuring compliance and trust.

Contact NodeZro today and get a free Namespace Essentials report tailored to your needs. NodeZro: the ultimate partner for digital resilience.


Domain Discovery

We specialise in discovering new domains and subdomains, and track them to find more as and when they’re added. Ask us about your NamespaceSecurity.com