Subdomain Impersonation


In the context of cybersecurity, subdomain impersonation is a deceptive tactic where an attacker creates a fraudulent subdomain to mimic a legitimate service or department of a brand. The attacker's goal is to leverage the trusted name of the brand to trick users into believing they are on an official site. This is often done by registering a domain name that includes the brand's name as a subdomain, but on a domain the attacker controls.

For example, if a legitimate company's service is found at login.mycompany.com, an attacker could register the domain security-update.com and then create a subdomain that impersonates the legitimate service, such as login.mycompany.com.security-update.com. To an unsuspecting user, the beginning of the URL (login.mycompany.com) appears legitimate, and they may overlook the actual malicious domain at the end (security-update.com), even though it is the right-most part of the hostname that decides who controls the site.

This technique is a powerful tool for phishing and credential theft. Attackers use these fraudulent subdomains in phishing emails or text messages, directing users to fake login portals or update pages. Once a user enters their credentials or other sensitive information, the attacker can steal the data and use it for financial fraud or further cyberattacks.
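As an added example (not ThreatNG's code or part of the original page), the check below flags hostnames that borrow a brand's labels while their registrable domain belongs to someone else, using the login.mycompany.com.security-update.com pattern described above. The PUBLIC_SUFFIXES table is an assumed, hand-written stand-in for the Public Suffix List so the example runs offline, and the sample hostnames are constructed.

```python
# Added example (not ThreatNG's code): flag hostnames that borrow a brand's
# labels while their registrable domain belongs to someone else.
from dataclasses import dataclass

# Assumption: tiny hand-written stand-in for the Public Suffix List so this runs
# offline; production code would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """eTLD+1: 'login.mycompany.com.security-update.com' -> 'security-update.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the left so the longest matching suffix ('co.uk' over 'uk') wins.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


@dataclass(frozen=True)
class Finding:
    host: str           # suspicious hostname
    controlled_by: str  # registrable domain that actually owns it
    brand: str          # brand domain whose name it borrows


def find_impersonations(hosts, brand_domains):
    """One Finding per (host, brand) where the brand's labels appear in a host
    that is not actually under the brand's own registrable domain."""
    findings = []
    for host in hosts:
        labels = host.lower().rstrip(".").split(".")
        owner = registrable_domain(host)
        for brand in (b.lower() for b in brand_domains):
            if owner == brand:
                continue  # genuine subdomain, e.g. login.mycompany.com
            blabels = brand.split(".")
            n = len(blabels)
            # Whole brand domain as a run of labels (login.mycompany.com.security-update.com)
            # or just its second-level name as one label (mycompany.account-verify.net).
            whole = any(labels[i:i + n] == blabels for i in range(len(labels) - n + 1))
            if whole or blabels[0] in labels:
                findings.append(Finding(host, owner, brand))
    return findings


# Constructed sample: one genuine brand host, two impersonations, one unrelated host.
SAMPLE_HOSTS = ["login.mycompany.com", "login.mycompany.com.security-update.com",
                "mycompany.account-verify.net", "docs.unrelated.org"]

if __name__ == "__main__":
    for f in find_impersonations(SAMPLE_HOSTS, ["mycompany.com"]):
        print(f"{f.host}: controlled by {f.controlled_by}, not {f.brand}")
```

Feeding the output into a DNS firewall or mail gateway blocklist is the kind of downstream use the page describes; the registrable-domain step is what keeps genuine brand hosts out of the findings.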

ThreatNG helps an organization with subdomain impersonation by proactively discovering and assessing these fraudulent domains, providing detailed intelligence to mitigate risk before an attack can cause damage.

External Discovery and Assessment

ThreatNG performs purely external, unauthenticated discovery to find potential threats from an attacker's perspective. It automatically generates subdomain-impersonation variations of an organization's hostnames and looks for them, such as a domain created by a malicious actor to impersonate a legitimate service like security.mycompany.com or login.mycompany.com.

The platform uses this discovery to assess an organization's susceptibility to risks directly related to subdomain impersonation:

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world to identify potential entry points for attackers. A fraudulent subdomain could be used to create a fake login page, which would be identified as a possible web application hijack risk.

  • Subdomain Takeover Susceptibility: The ThreatNG Security Rating uses external attack surface and digital risk intelligence that incorporates Domain Intelligence to evaluate this susceptibility. This intelligence includes a comprehensive analysis of the website's subdomains and DNS records.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence and its DNS Intelligence capabilities, which include Domain Name Permutations. This helps identify fraudulent subdomains that could be used in phishing attacks.

  • Brand Damage Susceptibility: ThreatNG utilizes digital risk intelligence and domain intelligence to identify potential permutations that could lead to brand damage, such as fake login portals or security pages created through subdomain impersonation.

Investigation Modules and Intelligence Repositories

The Domain Intelligence module is the primary tool for detecting threats related to subdomain impersonation. Within this module, the DNS Intelligence capability includes Domain Name Permutations, which detects and groups these manipulations. ThreatNG's platform identifies both available and taken subdomain impersonation permutations, providing the associated IP address and mail record for those that are already registered and potentially in use by malicious actors.

ThreatNG's intelligence repositories, known as DarCache, provide valuable context. For example, DarCache Rupture (Compromised Credentials) can reveal whether a fraudulent subdomain is tied to compromised user data, and DarCache Dark Web can show whether a planned phishing campaign using such a domain is being discussed in dark web forums.

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface and digital risk. This ensures that new subdomain impersonations are detected as soon as they appear, enabling a swift and proactive response to mitigate the impersonation before it causes significant damage. The platform's reports, which can be Executive, Technical, or Prioritized, highlight any discovered fraudulent subdomains and their associated risks. The Prioritized reports use risk levels to help organizations focus on the most critical risks and make informed decisions about mitigation.

Complementary Solutions

ThreatNG's proactive intelligence makes it a strong complement to other security solutions. For example, if ThreatNG identifies a newly registered subdomain impersonation like login.mycompany.com.hacker.com and its associated IP address, this information can be used to update a DNS firewall to automatically block internal network traffic from accessing that fraudulent site. Alternatively, if ThreatNG detects that a fraudulent subdomain has active mail records, this intelligence can be shared with an email security gateway. This allows the gateway to proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes before it even begins.
