|
The term “attack surface” is often heard in cybersecurity conversations. It refers to the sum of all possible attack vectors or the vulnerabilities that threat actors can exploit to penetrate a target network or damage an organization somehow. An unused and forgotten subdomain, for instance, can become an attack vector when taken over.
Certain categories of companies have very large attack surfaces. Such is the case of streaming media businesses like Netflix and HBO Max. Netflix has around 195 million users worldwide, while HBO Max recently hit 28.7 million subscribers. Such user bases make them lucrative targets.
For illustration purposes, we decided to analyze the potential joint attack surface of those two companies using our attack surface management system. Here are our main findings.
In total, we found 2,708 domains and subdomains that contain the strings “netflix” and “hbomax” and these didn’t seem to be owned by the brands. In fact, we ran a bulk WHOIS lookup on all of the subdomains and compared their WHOIS record details with those of the legitimate companies. None of them had “Netflix, Inc.” or “Home Box Office, Inc.” as a registrant organization. Also, the subdomains’ WHOIS records didn’t match any other registrant detail indicated by the streaming companies.
Apart from the brand names, the subdomains also contained other text strings that could trick subscribers into clicking them. These include “account,” “login,” “update,” “app,” “secure,” “info,” “help,” “center,” “service,” and “hostmaster.” About 44% of the subdomains used these terms, as shown in the chart (Fig. 1).
When used alongside Netflix and HBO Max, these terms could make users believe that they are visiting the official web pages of the streaming companies. Subdomains that contain these text strings could successfully be used in phishing campaigns.
The subdomains related to Netflix and HBO Max were spread over several top-level domains (TLDs). However, more than half belonged to the .com space. Some 15% fell under the .net TLD, while .live and .org were used by 7% of the subdomains. The chart below shows the top 10 TLDs used for the subdomains.
The subdomains identified in this study are a cause for concern from a cybersecurity standpoint. We were able to track down multiple cases that were already identified as malicious. Here is an example of a Netflix-related subdomain—billing[.]netflix[.]user[.]solution[.]id2[.]client-redirection[.]com—that has been flagged by five engines on VirusTotal:
Source: VirusTotal
Interestingly, we found far more suspicious instances that were not flagged by any engine. Such was the case of these subdomains (among many others):
While we can’t say for sure why subdomains like these were created, it’s hard to think of a plausible legitimate reason why a root domain such as “compraycambia[.]com” would need subdomains containing strings like “security” or “userid.” It is possible that these subdomains have yet to be used in cyberattacks and so have not been identified as indicators of compromise (IoCs).
The subdomains might also pertain to a much larger attack infrastructure, only a small part of which will ever be used in a phishing or other cyber attack.
Still, knowing about the entire scope of risky subdomains can fuel a more informed perspective on active and dormant threats.
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
I’m not sure it’s fair to consider those hostnamess part of the attack surface of the streaming media company they’re trying to impersonate. They can’t be used to gain any access to the company’s infrastructure, and there’s absolutely nothing the company can do about them since they belong to completely different domains the company doesn’t control.
I would consider them part of the user’s attack surface, though. The hostnames work by tricking the user into giving their info to someone other than the streaming media company. That lets the attackers access that user’s account, but not to gain any access to the media company’s infrastructure beyond what the user has normally.
You raise two important points in your comment—control and who the potential victims are.
Control over such (sub)domains is indeed problematic. External entities set them up and the impersonated organizations can’t take them down immediately. It doesn’t mean that the affected brands are totally powerless though. Let’s consider the case where the root domain of the suspicious/malicious subdomain is owned by a legitimate domain owner/business whose domain has been hijacked. A representative of the mimicked brand in this situation can still reach out to the domain owner and inform him that his property is being misused without his knowledge/consent. Surely, the domain owner would be motivated to take it down quickly. If the domain in question does belong to a perpetrator, the legitimate brand owner can report the domain to the registrar for abuse and list it on OSINT sharing communities.
Considering the potential victims, users are indeed likely to be the common targets (in line with your description of the user’s attack surface). That said, perpetrators could also use the subdomains to fool third parties that may hold confidential information about the brand in question and do not have the strictest cybersecurity measures in place.
I’d be happy to continue this conversation. Is there a way I could reach out? Here is my LinkedIn profile: https://www.linkedin.com/in/jonathanmzhang/
My email's [email protected]