The term “attack surface” is often heard in cybersecurity conversations. It refers to the sum of all possible attack vectors or the vulnerabilities that threat actors can exploit to penetrate a target network or damage an organization somehow. An unused and forgotten subdomain, for instance, can become an attack vector when taken over.

Certain categories of companies have very large attack surfaces. Such is the case of streaming media businesses like Netflix and HBO Max. Netflix has around 195 million users worldwide, while HBO Max recently hit 28.7 million subscribers. Such user bases make them lucrative targets.

For illustration purposes, we decided to analyze the potential joint attack surface of those two companies using our attack surface management system. Here are our main findings.

Studying the Attack Surface of Streaming Media Companies

In total, we found 2,708 domains and subdomains that contain the strings “netflix” and “hbomax” and these didn’t seem to be owned by the brands. In fact, we ran a bulk WHOIS lookup on all of the subdomains and compared their WHOIS record details with those of the legitimate companies. None of them had “Netflix, Inc.” or “Home Box Office, Inc.” as a registrant organization. Also, the subdomains’ WHOIS records didn’t match any other registrant detail indicated by the streaming companies.

Terms Used along with the Brand Names

Apart from the brand names, the subdomains also contained other text strings that could trick subscribers into clicking them. These include “account,” “login,” “update,” “app,” “secure,” “info,” “help,” “center,” “service,” and “hostmaster.” About 44% of the subdomains used these terms, as shown in the chart (Fig. 1).

When used alongside Netflix and HBO Max, these terms could make users believe that they are visiting the official web pages of the streaming companies. Subdomains that contain these text strings could successfully be used in phishing campaigns.

Top-Level Domain Distribution of Subdomains

The subdomains related to Netflix and HBO Max were spread over several top-level domains (TLDs). However, more than half belonged to the .com space. Some 15% fell under the .net TLD, while .live and .org were used by 7% of the subdomains. The chart below shows the top 10 TLDs used for the subdomains.

Are These Subdomains Dangerous?

The subdomains identified in this study are a cause for concern from a cybersecurity standpoint. We were able to track down multiple cases that were already identified as malicious. Here is an example of a Netflix-related subdomain—billing[.]netflix[.]user[.]solution[.]id2[.]client-redirection[.]com—that has been flagged by five engines on VirusTotal:

Source: VirusTotal

Interestingly, we found far more suspicious instances that were not flagged by any engine. Such was the case of these subdomains (among many others):

• security[.]netflix[.]com[.]userid[.]874585[.]compraycambia[.]com
• dash[.]pro42[.]lv3[.]cdn[.]hbomax[.]com[.]c[.]footprint[.]net
• hbomaxdash[.]s[.]llnwi[.]net

While we can’t say for sure why subdomains like these were created, it’s hard to think of a plausible legitimate reason why a root domain such as “compraycambia[.]com” would need subdomains containing strings like “security” or “userid.” It is possible that these subdomains have yet to be used in cyberattacks and so have not been identified as indicators of compromise (IoCs).

The subdomains might also pertain to a much larger attack infrastructure, only a small part of which will ever be used in a phishing or other cyber attack.

Still, knowing about the entire scope of risky subdomains can fuel a more informed perspective on active and dormant threats.