Home / Industry

Attack Surface Analysis of 3 Social Media Giants

Cybercrime is first and foremost financially motivated. Cybercriminals look for lucrative targets, including social media networks with hundreds of millions of monthly active users. We put this perspective to the test by analyzing the domain attack surface of three of today’s largest social media platforms.

In total, our Attack Surface Management (ASM) Solutions found 22,785 subdomains that could be used as attack vectors, as they contain the strings “linkedin,” “youtube,” and “facebook.” We analyzed this data and present our main findings in this post.

Legitimate versus Suspicious Ownership

One of the first steps in an attack surface analysis is to distinguish between domains that are under the organization’s control and those that are not. For this study, we ran the 22,785 subdomains on a bulk WHOIS lookup tool to see if there are records that match the WHOIS details of Facebook, LinkedIn, and YouTube.

Registrant NameNumber of Domains FoundPercentage of the Total Number of Subdomains
Google LLC (YouTube)360.16%
Facebook, Inc.30.01%
LinkedIn Corporation00%

We found that only 39 domains were owned by the social media companies, comprising only 0.17% of the whole sample size. That means that only a small number of the subdomains are owned and under the control of the social media giants. The rest may be used by other entities as they please, which could be a problem, as they make use of the companies’ brand names.

Terms Appearing alongside the Brand Names

Alongside the brand names, we found that about 20% of the subdomains in our sample contain the word “blog.” Some also contained other text strings that could be used to lure social media users into clicking a link or downloading an email attachment.

Terms such as “download,” “login,” “signin,” and “free” could make message recipients think a subdomain is legitimate. The terms “advert,” “advertise,” or “advertising,” on the other hand, could be used to target small businesses.

The chart below shows the breakdown of 10 of the commonly used terms in the subdomains.

Frequency of Commonly Used Terms

Malicious Domains and Subdomains Found

A more in-depth attack surface analysis found three malicious root domains that were repetitively used with subdomains containing strings related to the three social media platforms.

Malicious Root DomainNumber of Subdomains Found with Branded Strings

These were all cited for phishing and other malicious activities on VirusTotal. Shnpoc[.]net, for one, was seen trying to phish a bank, according to this tweet and other reports:

Aside from the three domains above, others with subdomains included in our attack surface analysis may also require further investigation, such as:

  • foxmos[.]com: 42 subdomains
  • novaposhta[.]me: 10 subdomains
  • dmoz[.]website: 8 subdomains
  • winmonitor[.]com[.]br: 7 subdomains
  • kamalharmoni[.]com: 2 subdomains
  • ach[.]cl: 2 subdomains

Some subdomains in the list have also been reported “malicious,” which means they already likely figured in cyber attacks. Even so, certain subdomains remain active and could be reused in other malicious campaigns.

While this post focused only on the hidden domain footprints of three social media platforms, it does show that attack surface analysis is a crucial cybersecurity practice for any organization. You can learn more about it and our Attack Surface Management (ASM) Solutions here.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API