Attack Surface Management: 4 Possible Reasons Behind Non-Attributable Subdomains

Non-attributable subdomains refer to those that contain popular companies’ brand names but which WHOIS records cannot be publicly attributed to them. The subdomain bankofamerica[.]com[.]apogeeconcepts[.]com is one example. It contains the string “bankofamerica,” although the root domain’s WHOIS data does not coincide with the official and publicly available WHOIS record details of the Bank of America domain bankofamerica[.]com.

There are a variety of reasons why non-attributable subdomains exist, and this post looks at four of them.

Non-Attributable Subdomains That Aim to Imitate Other Brands

Threat actors could use non-attributable subdomains to imitate brands in malicious campaigns, such as phishing and business email compromise (BEC) scams. Including reputable brands in the subdomains make emails and websites more believable. Take a look at an actual phishing email below.

The message instructs the recipients to log in to their Bank of America accounts, and the link http[:]//secure[.]bankofamerica[.]com/login/sign-in/signOnV2Screen[.]go looks very similar to this subdomain secure[.]bankofamerica[.]com-login-sign-in-signonv2screen[.]go[.]suzukihaiphong[.]com[.]vn that has been reported 132 times on PhishTank between June and October 2020. Note that the subdomain’s third- and fourth-level domain names look much alike the link in the screenshot, although the root domain suzukihaiphong[.]com[.]vn can’t be attributed to Bank of America based on its WHOIS records.

The subdomain is among the thousands found in a study that used a suite of attack surface management solutions to uncover the potential attack surfaces of 10 of the most-spoofed brands today. The study found an average of 17,734 domains and subdomains that could be used maliciously, the majority of which are non-attributable subdomains.

Since they could figure in cyber attacks, it is recommendable to include non-attributable subdomains in an organization’s total attack surface. You may visit https://main.whoisxmlapi.com/solutions/attack-surface-management to learn more about how organizations can monitor their digital footprints and web assets as part of their attack surface management strategies.

Subdomains Could Be Good for SEO Purposes

Several experts believe that subdomains are great for search engine optimization (SEO), as each subdomain can stand on its own and be treated as a separate entity. Search engines can, therefore, crawl subdomains and rank them.

While Google does not confirm the benefit of subdomains for SEO, large companies are known to use them. Disney, for example, uses different subdomains for its ventures. The subdomain liveshows[.]disney[.]com is for Disney shows and musicals on Broadway and other theaters, while disneyjunior[.]disney[.]com is dedicated to Disney Junior shows and videos.

Non-attributable subdomains may also be created for the same reason. Subdomains like applegiveaways[.]com-freestock[.]pro are used to promote contests and giveaways that use famous brand names (legitimately or not) to rank better.

Subdomains Could Be Necessary When Using a Third-Party Provider

Companies may enlist third-party companies’ services, such as customer service software, e-commerce shopping platforms, and customer relationship management (CRM) software. As a result, they would have to use a subdomain of the third-party provider.

The default help center address of Zendesk clients, for instance, is a Zendesk subdomain. A study on the attack surface of PayPal, Transferwise, and Payoneer revealed several non-attributable subdomains with the root domain zendesk[.]com.

Although some of these subdomains could be the help center addresses of the payment processing companies, others may theoretically have been created by malicious actors.

Subdomains Could Be Useful for Selling Products

Another reason behind non-attributable subdomains is when the root domain owner sells or resells the products of a particular company. These non-attributable subdomains, for example, are used to showcase refurbished Macbooks that are for sale.

  • macbookforsale[.]shotblogs[.]com

  • usedmacbookforsale[.]skyrock[.]com

    • usedapplemacbookforsaleuk[.]angelfireb[.]com

Subdomains have legitimate and acceptable uses, especially for businesses that are building up their online presence. They are also used to host indispensable business processes like help centers and shopping sites.

But, like other digital footprints, threat actors can also weaponize subdomains. As such, special attention should be paid to non-attributable subdomains by including them in a company’s attack surface management efforts.