Telecommunications companies are a favored cyberattack target. After all, telcos build, control, and operate critical infrastructure that almost everyone uses to communicate. They also store large amounts of sensitive data that could easily be exploited when falling into the wrong hands.

We sought to determine a small portion of the potential attack surface of today’s biggest telcos in terms of revenue using domain intelligence. In particular, we hunted down possible rogue domains and subdomains containing their brand or company names, as some of these could end up being used in phishing attacks.

The Subjects

According to Statista, some of the world’s top telcos based on revenue in 2020 are:

• Verizon with a 2020 revenue of US$143.3 billion
• China Mobile with a 2020 revenue of US$120.0 billion
• Comcast with a 2020 revenue of US$118.4 billion
• Deutsche Telekom with a 2020 revenue of US$98.2 billion
• Softbank with a 2020 revenue of US$63.9 billion
• China Telecom with a 2020 revenue of US$60.5 billion
• Telefonica with a 2020 revenue of US$59.0 billion
• America Movil with a 2020 revenue of US$58.1 billion

We used the strings “verizon,” “chinamobile,” “comcast,” “t-mobile,” “softbank,” “chinatelecom,” “telefonica,” and “americamovil” as search terms on Domains & Subdomains Discovery to obtain reduced lists of domains and subdomains containing their brand or company names.

Our Findings

A total of 1,720 domains and subdomains that could serve as potential hosts to phishing pages and malware were recently found for the eight companies. This number is broken down into:

• 263 domains and subdomains containing the string “verizon” for Verizon
• Seven domains and subdomains containing the string “chinamobile” for China Mobile
• 1,385 domains and subdomains containing the string “comcast” for Comcast
• 10 domains and subdomains containing the string “t-mobile” for Deutsche Telekom
• Two domains and subdomains containing the string “softbank” for Softbank
• 53 domains and subdomains containing the string “telefonica” for Telefonica
• No domains and subdomains containing the strings “chinatelecom” and “americamovil” for China Telecom and America Movil, respectively

Of these 1,720 web properties identified above, we handpicked 21 of these as unique domains for closer analysis. WHOIS lookups to compare registrant information with the companies’ WHOIS record details revealed that 12 domains out of our reduced sample were publicly attributable to the companies whose brands or names appear in them.

Taking this into account, we can infer that 9 of the 21 domains uncovered in our reduced selection could put the global telcos’ customers, stakeholders, and employees at risk of phishing in its various forms, including business email compromise (BEC) and spear phishing. These potential threat vectors could be the cause of loss of sensitive data from the telcos’ thousands of service subscribers worldwide.

We expect, however, that those nine domains may only be the very tip of the iceberg. Considering larger samples would likely lead to far more extensive and non-attributable footprints, possibly consisting of hundreds if not thousands of domains and subdomains.

Monitoring possibly rogue websites or pages or those that are not owned by the companies whose brands or names appear in their URLs using tools like Domains & Subdomains Discovery is one way to lessen your attack surface. The organizations these web properties may be spoofing can also benefit from such monitoring to request that these be taken down, if possible.

Are you conducting a similar investigation on threats targeting specific industries? Maybe we can work together on joint analyses. If you’re interested, feel free to contact us.