NordVPN Promotion

Home / Industry

Strengthening Brand Protection with Subdomain Lookups: A Short Study

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Threat actors usually ride on a brand’s popularity to make phishing campaigns believable. A common approach involves registering typosquatting domains that closely resemble those of the legitimate owners. Yet monitoring typosquatting domains may just be the tip of the iceberg in the fight against phishing.

Organizations should also stay on the lookout for subdomains that contain their brand names, as these could be used to tarnish their image. To illustrate, we compiled a list of 4,330 subdomains that contain the string “eBay” and analyzed them. Below are our key findings.

1. Malicious Lookalike Subdomains

eBay is one of the most spoofed brands in the world. Take the phishing email below as an example. It asks users to update their account information or face account suspension.

Image source: social-engineer.org

Note the URL that starts with the subdomain “signin.ebay,” which is consistent with the e-commerce website’s login page shown below.

In our sample, we found 77 subdomains that start with “signin.ebay,” which could prompt users to attempt to sign in and reveal their credentials in the process. Some of the subdomains were tagged “malicious” by multiple engines on VirusTotal.

  • signin[.]ebay[.]de-ws[.]itm2108445557[.]icu
  • signin[.]ebay[.]de-ws[.]1i1i[.]icu
  • signin[.]ebay[.]co[.]uk-wsebayisapidllsigninrucpsess431608060754354[.]chidospr[.]com
  • signin[.]ebay[.]co[.]uk[.]ebayisapi[.]dll[.]permakultur[.]jetzt

Other commonly found words in the subdomains (along with “eBay”) include:

  • mail
  • payment
  • secure
  • online
  • reply
  • store
  • shop

2. Majority of the Subdomains Are Not Owned by eBay

Of the 4,330 subdomains, only 681 or 17% appeared to be owned by eBay. These include subdomains that use the following eBay-owned domains (that is, domains whose WHOIS records indicate eBay, Inc. as registrant company):

  • ebay[.]com (627 subdomains)
  • ebay[.]co[.]uk (11 subdomains)
  • ebay[.]com[.]au (10 subdomains)
  • ebay[.]co[.]kr (7 subdomains)
  • ebay[.]com[.]hk (6 subdomains)

Other domains owned by eBay, such as ebay[.]us and ebay[.]jp, are not found on the list. The rest of the subdomains, on the other hand, only contain the word “eBay” but use unrelated root domains likely owned by someone else. Some examples are:

  • pctdev1[.]corp[.]ebay[.]com[.]secure-log[.]in
  • payments[.]www[.]ebay[.]com[.]breakpoint[.]xyz
  • signin[.]ebay[.]it[.]izarbrokers[.]com
  • signin[.]ebay[.]com[.]ws[.]ebayisapi[.]dll[.]signin[.]mcleodsorganicfertiliser[.]com
  • signin[.]ebay[.]it[.]ahqfood[.]com
  • www[.]signin[.]ebay[.]it[.]beach420[.]com # 3. Dedicated versus Shared IP Addresses and eBay Ownership

Another finding is that eBay’s subdomains resolve to dedicated IP addresses, while the lookalikes point to shared ones. For instance, below are 25 subdomains not owned by eBay along with the IP addresses they resolved to and the number of domains and subdomains that shared them.

By contrast, legitimate eBay subdomains, as revealed by Subdomains Lookup, only share IP addresses with other eBay subdomains.

To illustrate, consider the subdomain payments[.]ebay[.]es[.]g[.]ebay[.]com. On 21 August, it resolved to 66[.]135[.]204[.]244, 66[.]211[.]185[.]22, and 66[.]211[.]185[.]28. A reverse IP lookup tells us that these IP addresses are not associated with non-eBay-owned domains. Below are other subdomains owned by eBay with the number of domains that use their IP addresses.


This case study on subdomains that contain the word “eBay” shows that threat actors are likely to abuse subdomains and even use them maliciously as part of phishing and other schemes. As such, performing subdomain lookups and other audits could be a vital part of a company’s brand protection strategies.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

NordVPN Promotion