|
Cybercrime is first and foremost financially motivated. Cybercriminals look for lucrative targets, including social media networks with hundreds of millions of monthly active users. We put this perspective to the test by analyzing the domain attack surface of three of today’s largest social media platforms.
In total, our Attack Surface Management (ASM) Solutions found 22,785 subdomains that could be used as attack vectors, as they contain the strings “linkedin,” “youtube,” and “facebook.” We analyzed this data and present our main findings in this post.
One of the first steps in an attack surface analysis is to distinguish between domains that are under the organization’s control and those that are not. For this study, we ran the 22,785 subdomains on a bulk WHOIS lookup tool to see if there are records that match the WHOIS details of Facebook, LinkedIn, and YouTube.
Registrant Name | Number of Domains Found | Percentage of the Total Number of Subdomains |
---|---|---|
Others | 22,746 | 99.83% |
Google LLC (YouTube) | 36 | 0.16% |
Facebook, Inc. | 3 | 0.01% |
LinkedIn Corporation | 0 | 0% |
We found that only 39 domains were owned by the social media companies, comprising only 0.17% of the whole sample size. That means that only a small number of the subdomains are owned and under the control of the social media giants. The rest may be used by other entities as they please, which could be a problem, as they make use of the companies’ brand names.
Alongside the brand names, we found that about 20% of the subdomains in our sample contain the word “blog.” Some also contained other text strings that could be used to lure social media users into clicking a link or downloading an email attachment.
Terms such as “download,” “login,” “signin,” and “free” could make message recipients think a subdomain is legitimate. The terms “advert,” “advertise,” or “advertising,” on the other hand, could be used to target small businesses.
The chart below shows the breakdown of 10 of the commonly used terms in the subdomains.
A more in-depth attack surface analysis found three malicious root domains that were repetitively used with subdomains containing strings related to the three social media platforms.
Malicious Root Domain | Number of Subdomains Found with Branded Strings |
---|---|
shnpoc[.]net | 343 |
duckdns[.]org | 103 |
serveo[.]net | 48 |
These were all cited for phishing and other malicious activities on VirusTotal. Shnpoc[.]net, for one, was seen trying to phish a bank, according to this tweet and other reports:
Aside from the three domains above, others with subdomains included in our attack surface analysis may also require further investigation, such as:
Some subdomains in the list have also been reported “malicious,” which means they already likely figured in cyber attacks. Even so, certain subdomains remain active and could be reused in other malicious campaigns.
While this post focused only on the hidden domain footprints of three social media platforms, it does show that attack surface analysis is a crucial cybersecurity practice for any organization. You can learn more about it and our Attack Surface Management (ASM) Solutions here.
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byIPv4.Global