Are Cybersquatters Going After the Car Manufacturing Sector?

The cyber attack targeting Toyota’s top-tier supplier in February led to the loss of about 13,000 cars in production output. Aside from the quantified damage, the supply chain attack highlights how massive and scattered threat vectors can be. Covering all bases requires looking at every possible source of risk, including the Domain Name System (DNS).

In line with this, WhoisXML API researchers explored domains and subdomains bearing the names of leading car manufacturers. These digital properties could be vehicles for attack vectors, such as third-party phishing and business email compromise (BEC) scams. Our analysis uncovered:

  • More than 10,000 domains and subdomains containing top car manufacturers’ brand names that have been added since 1 February 2022
  • Almost all uncovered cyber resources are not publicly attributable to the respective companies whose names appear in them
  • Several domains and subdomains have been flagged as malicious

Feel free to download the complete list of properties and relevant data points from our website. We’ll discuss our analysis and research below.

10,000+ Car Manufacturing-Related Domains and Subdomains

This research focuses on seven car companies named by Forbes among the top 10 cars and best brands of 2021: Toyota, Mazda, Subaru, Kia, Honda, Lexus, and Tesla. Since Toyota’s supply chain attack occurred on 28 February 2022, we limited the properties to only those added since 1 February 2022.

We uncovered 4,972 domains and 5,148 subdomains, totaling 10,120 properties. The chart below shows the distribution of these cyber resources among the companies included in this study.

Possibly Rogue Digital Properties

Distinguishing properties added by the companies themselves is an essential part of this study. If the legitimate company owns the domains and subdomains, it has control over these assets. Otherwise, the digital properties can be considered rogue and could potentially be used in brand abuse, phishing campaigns, and other malicious activities.

While companies can register domains using different registrant details, most large corporations, like the ones in this research, often use the same registrant email address and privacy protection service. As such, the registrant email addresses of the car companies’ official domains can help identify potentially rogue properties.

We discovered only 10 domains that are publicly attributable to the top brands, all of which belong to Toyota. It’s important to note that Mazda and Honda had redacted or privacy-protected registrant details. Even then, none of the domains and subdomains share the same attributes, such as the combined use of privacy protection companies, nameservers, and registrant countries.
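
An added example (not WhoisXML API's code or method) of the attribution check described above: a newly seen property's registrant email is compared with the brand's reference record, falling back to the combined privacy service, nameservers, and registrant country when the email is redacted. The reference records, the `.example` names, and the token/embedded distinction are assumptions made for illustration.

```python
import re

BRANDS = ("toyota", "mazda", "subaru", "kia", "honda", "lexus", "tesla")

# Constructed reference records for official domains (placeholder values,
# not real WHOIS data). "email" is None when the registrant is redacted.
OFFICIAL = {
    "toyota": {"email": "dns-admin@brand.example", "privacy": None,
               "ns": {"ns1.brand.example", "ns2.brand.example"}, "country": "JP"},
    "mazda": {"email": None, "privacy": "Example Privacy Service",
              "ns": {"ns1.corp-dns.example"}, "country": "JP"},
}

def brand_hits(fqdn):
    """Map each brand found in the name to 'token' or 'embedded'."""
    name = fqdn.lower().replace("[.]", ".")   # accept defanged input
    tokens = set(re.split(r"[.-]", name))     # labels and hyphen-separated words
    return {b: "token" if b in tokens else "embedded" for b in BRANDS if b in name}

def fingerprint(rec):
    # Fallback attributes: privacy service, nameservers and registrant country.
    return (rec["privacy"], frozenset(rec["ns"]), rec["country"])

def attribute(brand, rec):
    """Return 'attributable' when rec matches the brand's reference record."""
    ref = OFFICIAL.get(brand)
    if ref is None:
        return "unattributed"
    if ref["email"] and rec["email"]:
        same = rec["email"].lower() == ref["email"].lower()
    else:  # email redacted on either side: compare the combined attributes
        same = fingerprint(rec) == fingerprint(ref)
    return "attributable" if same else "unattributed"

def triage(fqdn, rec):
    """Per brand: (how the brand string appears, attribution verdict)."""
    return {b: (kind, attribute(b, rec)) for b, kind in brand_hits(fqdn).items()}

# Constructed observation: a new name with a redacted registrant record.
NEW = {"email": None, "privacy": "Other Privacy Service",
       "ns": {"ns1.cheap-host.example"}, "country": "NL"}

if __name__ == "__main__":
    print(triage("mazda-offers.example", NEW))
    print(brand_hits("tourismehauteslaurentides[.]com"))
```

A match is an attribution signal rather than proof of ownership, since registrant fields are self-declared; "embedded" hits, where the brand string sits inside a longer word, are worth a manual look before any takedown request.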

Below are some examples of the potentially rogue cyber resources for each brand. You may download the complete list from our website.

Toyota
  Domains:
  • toyota[.]xn--fiqz9s
  • toyota[.]bar
  • etoyota[.]ir
  Subdomains:
  • toyota[.]grupolagrajera[.]com
  • toyota[.]e-mobilio[.]de
  • toyotadpeer[.]toyotadnet[.]toyota[.]blockedge[.]dev

Mazda
  Domains:
  • mazda[.]tk
  • armazda[.]ir
  • mazdausa[.]ca
  Subdomains:
  • mazda-cx-50[.]devonline[.]me
  • mazdacarsmy[.]toyotaalphard[.]com[.]my
  • 2010-mazda3[.]blogspot[.]com

Subaru
  Domains:
  • sportsubarucares[.]com
  • clearshiftsubaru[.]com
  • tellhaddadsubaru[.]com
  Subdomains:
  • wyattjohnsonsubaru[.]dsi360[.]com
  • subarurussia[.]users[.]photofile[.]ru
  • www-carrsubaru-com[.]translate[.]goog

Kia
  Domains:
  • gkia[.]shop
  • komkia[.]vg
  • vlgkia[.]ru
  Subdomains:
  • www[.]cowboykia[.]phpup[.]fzinternal[.]com
  • kia[.]boravto-vrz[.]mss[.]7apps[.]ru
  • tutkia[.]plat-xxxx[.]dev[.]plattan[.]fi

Honda
  Domains:
  • hondacars-kitachiba-newstepwgn-teaser[.]com
  • hondausedcrossovers[.]com
  • hondahonda1739[.]com
  Subdomains:
  • honda[.]simpelink[.]com
  • honda[.]yasu[.]name
  • honda[.]demowebku[.]xyz

Lexus
  Domains:
  • lexus[.]fo
  • elexus[.]ph
  • toyotalexusfinancialservices[.]lu
  Subdomains:
  • autorepairyorbalindaplacentiaanaheimtoyotahondaacuralexusvw[.]spb[.]ru
  • lexus[.]retehk[.]com
  • lexus[.]oempartsonline[.]com

Tesla
  Domains:
  • teslainvestment[.]international
  • teslatechsolucoeseletricas[.]com
  • tourismehauteslaurentides[.]com
  Subdomains:
  • ps-st-3344[.]schneider[.]tesla[.]aristos[.]pw
  • loving-tesla[.]74-208-187-83[.]plesk[.]page
  • tesla[.]vishwabhartiprojects[.]com

Malicious Domains Alert

There could be legitimate reasons behind the rogue domains and subdomains. For instance, car dealerships, used car dealers, and brand enthusiasts could find it necessary to register them.

However, that doesn’t discount the possibility of threat actors using the domains for malicious campaigns. In fact, we already found dozens of malicious properties despite them being newly added.

While some of the malicious domains and subdomains have already been taken down, others still hosted live content. Here are some examples of malicious domains encouraging visitors to take part in an Elon Musk project and earn US$4,000 per month.


Monitoring the DNS for rogue domains and subdomains can help security teams take timely actions before they are put to use by threat actors. Early detection can help protect third parties, customers, and the general public.

If you’re interested in the domains and subdomains related to the car manufacturing sector discussed in this post, you can download the research materials here. You may also contact us for research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
