Subdomain Infringement: An Unseen Threat That’s Cashing In

Subdomain Infringement: An Unseen Threat That’s Cashing In

December 7, 2016, Mike Browning

Subdomain infringement is the most dangerous threat your security team may not be detecting.

Domain infringement is when threat actors use brand names within illegitimate web domains to imply affiliation with a brand to deceive end users about who’s behind the content they see on a site. They use this exploitation of trust as a lure to phish for sensitive data, distribute malware, promote scams, generate revenue from ads on parked domains, and drive monetizable traffic to other sites.

Most brands are well aware of these risks and have an internal program in place to identify and prevent domain infringement, but typically, these only cover searching for infringement in parent domain names, i.e., example.com, leaving all fraudulent subdomains, i.e., somethingelse.example.com, in use by threat actors undetected.

But therein lies a critical problem: infringing subdomains are just as dangerous and destructive to a brand and an organization’s security posture in the hands of threat actors as infringing parent domains. By ignoring instances where a brand is being abused in subdomains can be severely detrimental to the organization and its employees and customers.

More Dangerous than Parent Domain Infringement

RiskIQ recently took a sample of nearly 4,000 recent infringements, both parent and subdomain, across five financial services brands. We found that subdomains make up a sizeable chunk of domain infringements (about 25% of the total). And, even though subdomain infringements make up just a quarter of the total, they make up an overwhelming majority of the bad stuff—75% of malware and phishing instances identified within infringing domains were found when the infringement took place in the subdomain rather than the parent domain name.

Subdomain infringement is the most dangerous threat your security team may not be detecting.

Fig-1 Subdomain infringement leads to more instances of malware and phishing

Given this data, any given subdomain infringement that you find is significantly more likely to be a severe security risk than a given parent domain infringement. In our sample, the risk increase was ten-fold. The chance of a domain with brand infringement in the subdomain being associated with malware or phishing was almost 1,000% that of domains with brand infringement in the parent domain only.

Any security programs that aren’t looking for subdomain infringement are missing a significant piece of the puzzle—the piece most likely to be associated with the high-risk group of infringements that pose the greatest threats to an organization and its users.

Going Beyond WHOIS with Passive DNS

Layering Passive DNS data over WHOIS lookups tells a much more detailed story about the threat actors behind domain infringement and allows brands to consider subdomains as well as parent domains.

Passive DNS is a system of record that stores DNS resolution data for a given location, record, and period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice versa, as well as time-based correlation of domain or IP overlap.

That means Passive DNS can help determine when a new subdomain is first observed and analyze all newly observed hosts containing a brand-infringing subdomain in much the same way that monitoring new WHOIS registrations can provide this information for parent domains.

RiskIQ has one of the largest repositories of PDNS data in the world. The DNSIQ program allows organizations who contribute data from their own network to gain access to the central repository of data shared by all contributing members.

RiskIQ’s Domain Threat Detection

RiskIQ’s industry-leading External Threat Management platform combines huge stores of threat data with a sophisticated and powerful crawling infrastructure and a vast global proxy network to give organizations visibility into their security posture outside the firewall.

As the only company that monitors digital risk across all channels, Forrester Research recognized RiskIQ as a Leader in the category-defining Forrester Wave™: Digital Risk Monitoring Q3 2016 report. The independent research firm, which evaluated nine different companies based on 27 criteria such as the ability to detect and mitigate corporate risk and gather data to monitor for risk, gave our External Threat Management Platform the highest scores for Current Offering and Market Presence categories.

With the broadest coverage of channels, RiskIQ is uniquely positioned to help companies understand their digital footprint and to detect and respond to threats across the web, mobile, and social threat landscapes.

Download our Whitepaper, Subdomain Infringement: An Unseen Threat, for much, much more on subdomain infringement

Share This