Phishing attacks’ success can be partially attributed to threat actors’ use of branded domain names, including both legitimate and misspelled variants. It’s no wonder, therefore, that blacklisting sites like PhishTank provide users a way to search phishing URLs by target brand. To date, around 250 companies make up PhishTank’s brand categories, some of which belong to the Fortune 500 list.

Some of the malicious URLs found on blacklist sites even use branded subdomains hidden inside the domain of a legitimate organization—e.g., subdomainexample[.]brand[.]com.

This suggests the need for companies to monitor subdomains so these do not end up used as attack vectors. We illustrate two main ways to do so in this post, starting from a phishing blacklist or a subdomain lookup tool.

1. Looking into Subdomains Found on a Phishing Blacklist

An analysis of over 2.2 billion emails sent in the second quarter of 2019 revealed that cyber attackers are increasingly targeting cloud services—a trend that could be due to businesses migrating to the cloud.

On PhishTank, we saw several phishing URLs hosted on the domains of cloud computing services and platforms. One such company is appspot[.]com, a Google cloud computing platform for developing and hosting web applications.

We found six appspot[.]com subdomains that have been reported and confirmed as phishing sites as of 2 October 2020. These malicious subdomains are:

• vwyrebi[.]ts[.]r[.]appspot[.]com
• iajsd-av-adf-afs-av-d-ve-fs[.]uk[.]r[.]appspot[.]com
• ff-c-c[.]ey[.]r[.]appspot[.]com
• 20201001154315-dot-py76tw62[.]rj[.]r[.]appspot[.]com
• 20201001082449-dot-py76tw62[.]rj[.]r[.]appspot[.]com
• 20201001074745-dot-py76tw62[.]rj[.]r[.]appspot[.]com

These subdomains were also cited for phishing and other malicious activities on VirusTotal by several cybersecurity solution engines.

To illustrate how these subdomains can be used in phishing, below is a side-by-side comparison of the actual Appspot login page and two sites hosted on malicious subdomains, which we ran on a website screenshot service.

In both cases, the phishing pages’ end goal was probably to capture victims’ login information.

2. Using a Subdomains Lookup Tool

Users can also establish an organization’s attack surface by checking all the subdomains connected to its root domain. A subdomain search for appspot[.]com with our subdomain lookup tool, for example, returned 10,000 subdomains.

We searched for subdomains that contain “.r.” (as this expression was commonly found in the subdomains listed on PhishTank) and identified 289 matches.

Randomly selecting 15 subdomains from the list, we found that those with random characters seemed more likely to be malicious than those that featured readable words.

We then zoomed in on the subdomains with the string “rj.r,” which was present in three of those listed on PhishTank. We found nine subdomains, seven of which look very similar to the proven phishing subdomains since they used long strings of random alphanumeric characters.

Out of the nine subdomains similar to those reported on PhishTank, eight were tagged “malicious” by several engines on VirusTotal. Here as well, we noticed that the subdomains contained random strings of alphanumeric characters. These may have been created using domain generation algorithms (DGA), a technique favored by malicious actors to generate malicious domains automatically.

Subdomains, just like domains, represent possible attack vectors that phishers might use to deceive their victims. Monitoring them as part of attack surface management practices is, therefore, essential.

Manually identifying malicious subdomains can be time-consuming, however, especially since thousands of them are likely to exist for brands with a major digital presence. For this reason, integrating Subdomains API/Data Feed into security platforms may be an effective way to skip the legwork for organizations who wish to monitor their subdomain attack surface.