
We Detected and Analyzed Thousands of CCTV-, Firewall-, and SCADA-themed Domains & Subdomains

Note: A special thanks to Ed Gibbs, WhoisXML API’s Advanced Threat Researcher & Technical Account Manager, for his help compiling the domain and subdomain files used in this post.

Did you know that a comprehensive subdomain database can give you 69,383 fully qualified domain names (FQDNs) with the string “firewall,” 241,654 FQDNs for “cctv,” and 19,048 FQDNs for “scada”? That data can give cybersecurity researchers possible starting points for an article or even a full-blown research paper.

A security analyst tasked with expanding the footprint of a domain of interest containing the aforementioned terms would also benefit from tools like Domains & Subdomains Discovery that pull data from a subdomain database. This post illustrates how.

Cybersecurity Term Footprint Expansion

One could imagine that domains and subdomains containing the strings “firewall,” “cctv,” or “scada” may figure in phishing and other malware-enabled attacks targeting the technologies’ current users, or prospective users who are currently looking for vendors.

Analysis of Domains Containing the String “Firewall”

Our analysis of the thousands of domains containing the string “firewall” revealed the use of popular brands that include but are not limited to Linux, Sophos, and Apple. There are others, of course; the specific domain counts for each brand are shown in the chart below.

Of the 66 “linux” domains/subdomains, only 24 could be publicly attributed to an individual or organization. These could be considered safe to access, as cyber attackers typically hide their tracks and identities. Based on a look at the WHOIS records of the 23 “sophos” domains/subdomains, meanwhile, three could be publicly attributed to an individual or organization. Finally, four of the “cisco” domains/subdomains could be publicly attributed to an individual or organization.

Security teams can perform similar queries for the remaining brands to ensure that none of the domains spoofs a legitimate company in the hope of bypassing filters for malicious purposes.

Domains containing the string “firewall” were also checked for other strings that may serve as lures to trick users into revealing their account login credentials or downloading malware (e.g., alert, security, and error). They were also checked for strings that could indicate tutorial pages for wanna-be cybercriminals (e.g., anti, off, and block/unblock). The chart below shows our findings in greater detail.

Current firewall users could be at the greatest risk of getting tricked into giving their credentials to attackers or downloading malware onto their computers with emails supposedly alerting them to threats.

Analysis of Domains Containing the String “CCTV”

Testing the “cctv” domains for the presence of the same brands produced the list of nine names shown in the chart below.

A majority of the 20 domains/subdomains containing “asus” (19, specifically) could be publicly attributed to an individual or organization. All 10 of the “wordpress” domains/subdomains, meanwhile, are publicly attributable. Finally, two of the six “aws” domains/subdomains are publicly attributable.

To compare the “cctv” sample with the “firewall” domains/subdomains, we sought to determine how many of them used the same terms that could figure in domains that can serve as either victim lures or attacker tool ads. The following chart shows our findings.

Analysis of Domains Containing the String “SCADA”

Finally, for the domains with the “scada” string, 12 brands were seen, as shown in the chart below.

All of the 81 domains/subdomains containing the string “wordpress” could be publicly attributed to an individual or organization. Of the 36 “aws” domains/subdomains, meanwhile, 27 are publicly attributable. Finally, five of the eight “linux” domains/subdomains are publicly attributable and fairly safe to access.

To compare the domains with those containing “firewall” and “cctv,” we scanned them for the presence of the same strings that could serve as either social engineering lures or attacker tool ads. The chart below shows our findings.


Based on the footprint expansion findings for the three strings analyzed, RedHat and Linux users might be at risk of being victimized by related threats, if any. What’s more, those looking for ways to secure their firewalls, CCTV systems, and SCADA devices from attacks could be at risk should the domains figure in malicious campaigns. And should domains with any of the three strings get flagged as suspicious by an organization’s filters, prioritizing those combined with “block/unblock” may be a good starting point.
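The keyword-and-brand tallies described in the sections above and the block/unblock triage suggested here, as an added example that is not part of the original post (Python run on a constructed list of hostnames rather than WhoisXML API’s data). It also shows the difference between plain substring matching, where “off” matches “office,” and whole-label matching, which misses concatenations like “linuxfirewall.”

```python
import re

# Constructed sample FQDNs for illustration only (not from the post's dataset).
SAMPLE_FQDNS = [
    "firewall-alert.example.com",
    "sophos-firewall-security.example.net",
    "linuxfirewall.example.org",
    "cisco.firewall-error.example.com",
    "unblock-firewall.example.io",
    "office-firewall.example.com",
    "cctv-asus.example.com",
    "wordpress-cctv-block.example.net",
    "scada.aws.example.com",
    "redhat-scada-antivirus.example.org",
    "mail.example.com",
]

# Brand and lure/tool terms taken from the post's charts.
BRANDS = ["linux", "sophos", "cisco", "apple", "asus", "wordpress", "aws", "redhat"]
LURES = ["alert", "security", "error", "anti", "off", "block", "unblock"]


def _labels(fqdn):
    # Split on dots and hyphens so a term must be a whole label to match;
    # this keeps "off" from matching "office" but misses "linuxfirewall".
    return [t for t in re.split(r"[.-]", fqdn.lower()) if t]


def footprint(fqdns, keyword, terms, whole_label=False):
    """Among FQDNs containing `keyword`, count how many also carry each term.

    Returns (number_of_keyword_hits, {term: count}).
    """
    hits = [f for f in fqdns if keyword in f.lower()]
    counts = {t: 0 for t in terms}
    for f in hits:
        labels = _labels(f)
        for term in terms:
            matched = term in labels if whole_label else term in f.lower()
            if matched:
                counts[term] += 1
    return len(hits), counts


def prioritize(fqdns, keywords=("firewall", "cctv", "scada"), flags=("block", "unblock")):
    """Return the FQDNs to triage first: a monitored keyword plus a block/unblock label."""
    return [f for f in fqdns
            if any(k in f.lower() for k in keywords)
            and any(x in _labels(f) for x in flags)]
```

Run both matching modes side by side when tallying real subdomain exports: the substring counts bound the false negatives and the whole-label counts bound the false positives.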

If you wish to further enhance footprint expansion investigations such as that done in this post, you may be interested in applying for the Typosquatting Community Feed. Please note that applications are currently open exclusively to security professionals.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
