Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Subdomain infringement is the most dangerous threat your security team may not be detecting.
Domain infringement is when threat actors use brand names within illegitimate web domains to imply affiliation with a brand to deceive end users about who’s behind the content they see on a site. They use this exploitation of trust as a lure to phish for sensitive data, distribute malware, promote scams, generate revenue from ads on parked domains, and drive monetizable traffic to other sites.
Most brands are well aware of these risks and have an internal program in place to identify and prevent domain infringement, but typically, these only cover searching for infringement in parent domain names, i.e., example.com, leaving all fraudulent subdomains, i.e., somethingelse.example.com, in use by threat actors undetected.
But therein lies a critical problem: infringing subdomains are just as dangerous and destructive to a brand and an organization’s security posture in the hands of threat actors as infringing parent domains. By ignoring instances where a brand is being abused in subdomains can be severely detrimental to the organization and its employees and customers.
RiskIQ recently took a sample of nearly 4,000 recent infringements, both parent and subdomain, across five financial services brands. We found that subdomains make up a sizeable chunk of domain infringements (about 25% of the total). And, even though subdomain infringements make up just a quarter of the total, they make up an overwhelming majority of the bad stuff—75% of malware and phishing instances identified within infringing domains were found when the infringement took place in the subdomain rather than the parent domain name.
Fig-1 Subdomain infringement leads to more instances of malware and phishing
Given this data, any given subdomain infringement that you find is significantly more likely to be a severe security risk than a given parent domain infringement. In our sample, the risk increase was ten-fold. The chance of a domain with brand infringement in the subdomain being associated with malware or phishing was almost 1,000% that of domains with brand infringement in the parent domain only.
Any security programs that aren’t looking for subdomain infringement are missing a significant piece of the puzzle—the piece most likely to be associated with the high-risk group of infringements that pose the greatest threats to an organization and its users.
Layering Passive DNS data over WHOIS lookups tells a much more detailed story about the threat actors behind domain infringement and allows brands to consider subdomains as well as parent domains.
Passive DNS is a system of record that stores DNS resolution data for a given location, record, and period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice versa, as well as time-based correlation of domain or IP overlap.
That means Passive DNS can help determine when a new subdomain is first observed and analyze all newly observed hosts containing a brand-infringing subdomain in much the same way that monitoring new WHOIS registrations can provide this information for parent domains.
RiskIQ has one of the largest repositories of PDNS data in the world. The DNSIQ program allows organizations who contribute data from their own network to gain access to the central repository of data shared by all contributing members.
RiskIQ’s industry-leading External Threat Management platform combines huge stores of threat data with a sophisticated and powerful crawling infrastructure and a vast global proxy network to give organizations visibility into their security posture outside the firewall.
As the only company that monitors digital risk across all channels, Forrester Research recognized RiskIQ as a Leader in the category-defining Forrester Wave™: Digital Risk Monitoring Q3 2016 report. The independent research firm, which evaluated nine different companies based on 27 criteria such as the ability to detect and mitigate corporate risk and gather data to monitor for risk, gave our External Threat Management Platform the highest scores for Current Offering and Market Presence categories.
With the broadest coverage of channels, RiskIQ is uniquely positioned to help companies understand their digital footprint and to detect and respond to threats across the web, mobile, and social threat landscapes.
Download our Whitepaper, Subdomain Infringement: An Unseen Threat, for much, much more on subdomain infringement
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
Dream situation for adversaries. Holes open daily in the attack surface to support remote work. Time to adapt! Proud to be helping with free access in @PassiveTotal and via the @RiskIQ Illuminate platform. Purpose built for the #CISO and #cybersecurity teams. https://twitter.com/RiskIQ/status/1266444273207083009
Microsoft Remote Desktop is spiking. Why? Because all work is now remote work and all access is now remote access. RiskIQ scans hundreds of ports and maps exposed services to provide security teams with a picture worth a thousand log lines. https://bit.ly/2xJ1Dgx
RiskIQ's #COVID19 Weekly Update:
➡️Car rental company Hertz filed for bankruptcy protection
➡️For the first time, the Boston Marathon has been canceled
➡️Most of the malicious coronavirus emails are coming from US IP space
Read full update here: http://bit.ly/2Uv3CMV
RiskIQ's #COVID19 Internet Intelligence Gateway will enable the cybersecurity community to fight a surge in pandemic-related cybercrime. Sign up, submit any suspicious COVID-19-related URL, and have RiskIQ's powerful global crawling network at your command http://bit.ly/3eon6ek
Via @InfosecurityMag, @DanRaywood highlights RiskIQ's new #COVID19 Internet Intelligence Gateway. This one-stop cybersecurity resource is the latest weapon in the fight against the surge in pandemic-related cybercrime. Read more here https://bit.ly/36ALU02