NordVPN Promotion

Home / Industry

Attack Surface Analysis of 3 Social Media Giants

Cybercrime is first and foremost financially motivated. Cybercriminals look for lucrative targets, including social media networks with hundreds of millions of monthly active users. We put this perspective to the test by analyzing the domain attack surface of three of today’s largest social media platforms.

In total, our Attack Surface Management (ASM) Solutions found 22,785 subdomains that could be used as attack vectors, as they contain the strings “linkedin,” “youtube,” and “facebook.” We analyzed this data and present our main findings in this post.

Legitimate versus Suspicious Ownership

One of the first steps in an attack surface analysis is to distinguish between domains that are under the organization’s control and those that are not. For this study, we ran the 22,785 subdomains on a bulk WHOIS lookup tool to see if there are records that match the WHOIS details of Facebook, LinkedIn, and YouTube.

Registrant NameNumber of Domains FoundPercentage of the Total Number of Subdomains
Others22,74699.83%
Google LLC (YouTube)360.16%
Facebook, Inc.30.01%
LinkedIn Corporation00%

We found that only 39 domains were owned by the social media companies, comprising only 0.17% of the whole sample size. That means that only a small number of the subdomains are owned and under the control of the social media giants. The rest may be used by other entities as they please, which could be a problem, as they make use of the companies’ brand names.

Terms Appearing alongside the Brand Names

Alongside the brand names, we found that about 20% of the subdomains in our sample contain the word “blog.” Some also contained other text strings that could be used to lure social media users into clicking a link or downloading an email attachment.

Terms such as “download,” “login,” “signin,” and “free” could make message recipients think a subdomain is legitimate. The terms “advert,” “advertise,” or “advertising,” on the other hand, could be used to target small businesses.

The chart below shows the breakdown of 10 of the commonly used terms in the subdomains.

Frequency of Commonly Used Terms

Malicious Domains and Subdomains Found

A more in-depth attack surface analysis found three malicious root domains that were repetitively used with subdomains containing strings related to the three social media platforms.

Malicious Root DomainNumber of Subdomains Found with Branded Strings
shnpoc[.]net343
duckdns[.]org103
serveo[.]net48

These were all cited for phishing and other malicious activities on VirusTotal. Shnpoc[.]net, for one, was seen trying to phish a bank, according to this tweet and other reports:

Aside from the three domains above, others with subdomains included in our attack surface analysis may also require further investigation, such as:

  • foxmos[.]com: 42 subdomains
  • novaposhta[.]me: 10 subdomains
  • dmoz[.]website: 8 subdomains
  • winmonitor[.]com[.]br: 7 subdomains
  • kamalharmoni[.]com: 2 subdomains
  • ach[.]cl: 2 subdomains

Some subdomains in the list have also been reported “malicious,” which means they already likely figured in cyber attacks. Even so, certain subdomains remain active and could be reused in other malicious campaigns.


While this post focused only on the hidden domain footprints of three social media platforms, it does show that attack surface analysis is a crucial cybersecurity practice for any organization. You can learn more about it and our Attack Surface Management (ASM) Solutions here.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion