Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Forgotten subdomains boost risk of account hijacking, other attacks

Lucian Constantin | Dec. 10, 2014
Some sites have subdomains pointed at old domains that have long expired and can be registered by attackers.

internet url

Subdomains that once served a purpose but later were forgotten by website administrators can be abused by hackers to attack users of sites under the same main domain.

Back in October, a Web security firm called Detectify warned that many companies have created subdomains to use with third-party services, such as remotely hosted helpdesk systems, code repositories and blogs, but then forgot to disable them after closing their accounts on those third-party services.

As a result, attackers can now open accounts with the same services, claim the subdomains pointed there as their own, and create credible phishing pages, the Detectify researchers explained at the time. This is possible because online services often don't verify the ownership of subdomains.

But the issues stemming from outdated DNS records are not limited to abuse through accounts on third-party services. Since October, Szymon Gruszecki, an independent security researcher who regularly participates in bug bounty programs, has told Detectify about another attack vector: subdomains pointed to domain names that are no longer registered.

In such a case, a company has created a subdomain under its main domain and pointed it at another website, such as a site set up for a one-time event like a contest or promotion. After serving its purpose, that website was later taken down and its domain was left to expire, but the subdomain's DNS records remained pointed at it.

An attacker could exploit such a situation by registering the expired domain and setting up a phishing page that mimics the company's main website. The page would then be accessible through the forgotten subdomain and could be spammed to users.

One year ago, Gruszecki scanned the Internet's 5,000 most trafficked domains as listed by Amazon.com subsidiary Alexa Internet. He found 49 subdomains that had a CNAME (Canonical Name) DNS record pointing to a domain that was no longer registered.

One of those subdomains was the Microsoft-owned racing.msn.com, which points to msnbrickyardsweeps.com. According to a November 2001 snapshot of msnbrickyardsweeps.com on the Internet Archive's Wayback Machine, the site was used for a Microsoft Windows XP peak performance sweepstakes.

Gruszecki registered msnbrickyardsweeps.com and was able to set up a rogue page on racing.msn.com as a proof of concept. He has since redirected the domain to Bing.com and is waiting for Microsoft to update the CNAME record for racing.msn.com.

The danger extends beyond mere phishing. If a subdomain doesn't have its own MX (mail exchanger) record configured -- and most don't -- it uses the same email server as the domain specified in the CNAME record. In other words, the owner of msnbrickyardsweeps.com would also be able to receive and send email on behalf of @racing.msn.com email addresses.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.