
When Marketing Vendors Get Attacked, Clients Suffer: Third-Party Risk Discovery in the DNS

Organizations are bombarded with attacks from every direction, including through their supply chain. FortifyData’s recent list of the top third-party data breaches in 2023 illustrates how many directions a threat can come from.

In one of the breaches on that list, AT&T disclosed in March 2023 that threat actors had accessed the information of approximately 9 million wireless accounts through the telecommunication company’s marketing vendor. Taking that incident as a starting point, WhoisXML API researchers looked into domains impersonating marketing service providers that could serve as vehicles for third-party threats. Our key findings include:

  • 8,400+ domains containing the names of popular marketing vendors, very few of which could be publicly attributed to the companies
  • Less than half had IP resolutions, with several hosting suspicious content unrelated to the imitated companies
  • Dozens of domains were flagged as malicious, hinting at a pattern that uses the string us followed by a number
  • 570+ domains following the malicious pattern added from 1 January to 5 May 2023
  • 4% of those us-prefixed domains were flagged as malicious

The domains found in the study can be used to target employees and partners of the imitated marketing companies, creating a domino effect that can affect their clients, as in AT&T’s case.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Cybersquatting Domains Targeting Popular Marketing Vendors

Our research focused on 10 well-known marketing service providers. We looked up their company names on Domains & Subdomains Discovery, using a "contains" search for most vendors and a "starts with" search where the name is a common substring. For Zoho, whose name alone would match many unrelated domains, we required both zoho and crm to appear. The table below shows the marketing vendors, the search strings used, the number of domains found as of 5 May 2023, and a sample discovered domain for each.

Marketing Vendor             | Official Domain      | Search String Used      | Domains Found (as of 5 May 2023) | Sample Discovered Domain
-----------------------------|----------------------|-------------------------|----------------------------------|-------------------------
ActiveCampaign               | activecampaign[.]com | Contains activecampaign | 450                              | 101activecampaign[.]xyz
Aweber                       | aweber[.]com         | Starts with aweber      | 389                              | aweber[.]click
Brevo (formerly Sendinblue)  | brevo[.]com          | Starts with brevo       | 512                              | brevo[.]marketing
HubSpot                      | hubspot[.]com        | Contains hubspot        | 3,491                            | hubspots[.]cloud
Klaviyo                      | klaviyo[.]com        | Contains klaviyo        | 330                              | trkklaviyomail[.]com
Mailchimp                    | mailchimp[.]com      | Contains mailchimp      | 1,352                            | us19-mailchimp[.]com
Marketing 360                | marketing360[.]com   | Contains marketing360   | 1,086                            | appsmarketing360[.]com
Omnisend                     | omnisend[.]com       | Contains omnisend       | 106                              | app-omnisend[.]top
Pardot                       | go[.]pardot[.]com    | Contains pardot         | 558                              | xpardotop[.]tk
Zoho CRM                     | zoho[.]com           | Contains zoho and crm   | 190                              | zohocrm[.]org

We found a total of 8,464 domains containing the marketing companies’ names. About 4.4% of them were registered in 2023.

Cybersquatting Domain Attribution

We then pulled the current WHOIS records of the cybersquatting domains with Bulk WHOIS Lookup to determine who owns them. Judged by the registrant organization field alone, 50% of the cybersquatting domains could be publicly attributed to the marketing vendors, which would suggest that the legitimate companies own, or at least control, those domains.

That figure should be treated with caution. The organization field is free text entered by the registrant, so anyone can type a vendor’s name into it. When we instead based the attribution on the registrant email field, which only links a domain to a vendor when the address sits under the vendor’s own domain, just 1% could be publicly attributed to the imitated companies. The rest either had redacted WHOIS records or were registered by other entities.
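The two attribution methods compared above, as an added Python example (not WhoisXML API’s tooling or the study’s actual script): it scores a set of constructed WHOIS records first by the self-declared organization field and then by the registrant email’s domain, and labels the records where the two disagree. The vendor subset, the redaction keywords, the sample records and the email addresses are all invented for the example; the email check treats an address as vendor-owned only if its domain is the official domain or a subdomain of it, which is the assumption behind the article’s "more reliable" claim.

```python
import re
from typing import Dict, List, Optional

# Vendor -> official registrable domain (subset of the table; assumption).
VENDORS: Dict[str, str] = {
    "HubSpot": "hubspot.com",
    "Mailchimp": "mailchimp.com",
    "Zoho CRM": "zoho.com",
}

# Placeholder strings registrars substitute for redacted or proxied WHOIS data.
REDACTED = re.compile(r"redact|privacy|proxy|not disclosed|withheld", re.I)


def _squash(text: str) -> str:
    """Lowercase and keep only letters and digits ('HubSpot, Inc.' -> 'hubspotinc')."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def attribute_by_org(org: Optional[str]) -> Optional[str]:
    """Weak signal: the organization field is free text typed by the registrant,
    so a squatter can write a vendor's name into it. Matches when the vendor's
    brand label (the SLD of its official domain) appears in the org string."""
    if not org or REDACTED.search(org):
        return None
    squashed = _squash(org)
    for vendor, official in VENDORS.items():
        if official.split(".")[0] in squashed:
            return vendor
    return None


def attribute_by_email(email: Optional[str]) -> Optional[str]:
    """Stronger signal: the registrant email's domain must be the official
    domain or a subdomain of it. The label-boundary check matters; a plain
    endswith('mailchimp.com') would wrongly accept evil-mailchimp.com."""
    if not email or "@" not in email or REDACTED.search(email):
        return None
    edom = email.rsplit("@", 1)[1].lower().rstrip(".")
    for vendor, official in VENDORS.items():
        if edom == official or edom.endswith("." + official):
            return vendor
    return None


def attribute(records: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Attribute each record both ways and label the disagreement cases."""
    out = []
    for r in records:
        by_org = attribute_by_org(r.get("registrant_org"))
        by_email = attribute_by_email(r.get("registrant_email"))
        if by_email:
            status = "attributed"            # email under the vendor's own domain
        elif by_org:
            status = "org_claim_unverified"  # org names the vendor, email does not back it
        else:
            status = "unattributed"          # redacted or a third party
        out.append({"domain": r["domain"], "by_org": by_org,
                    "by_email": by_email, "status": status})
    return out


def attribution_rates(results: List[Dict[str, Optional[str]]]) -> Dict[str, float]:
    """Percentage attributable by each field (the article's 50% vs 1% comparison)."""
    n = len(results) or 1
    return {
        "by_org": round(100 * sum(1 for r in results if r["by_org"]) / n, 1),
        "by_email": round(100 * sum(1 for r in results if r["by_email"]) / n, 1),
    }


# Constructed sample records, invented for this example; not real WHOIS data.
SAMPLE_RECORDS = [
    {"domain": "hubspot-login.cloud", "registrant_org": "HubSpot, Inc.",
     "registrant_email": "domains@hubspot.com"},
    {"domain": "hubspots.cloud", "registrant_org": "HubSpot Inc",
     "registrant_email": "webmaster@mail.example"},
    {"domain": "us19-mailchimp.com", "registrant_org": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY"},
    {"domain": "evil-mailchimp.com", "registrant_org": "Mailchimp",
     "registrant_email": "notify@evil-mailchimp.com"},
    {"domain": "zohocrm.org", "registrant_org": "",
     "registrant_email": "someone@mail.example"},
]

if __name__ == "__main__":
    rows = attribute(SAMPLE_RECORDS)
    for row in rows:
        print(row)
    print(attribution_rates(rows))
```

On the five constructed records the organization field attributes 60% to a vendor while the email field attributes 20%; the two "org_claim_unverified" rows are the ones a brand-protection or SOC analyst should look at first, since someone claimed the vendor’s name without a vendor mailbox behind it.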

Suspicious Usage of the Cybersquatting Domains

About 45% of the cybersquatting domains actively resolved to IP addresses. Most were parked, while several hosted or redirected to websites with questionable content. Below are some examples of domains whose content was not directly related to the imitated companies.

Malicious Usage of the Cybersquatting Domains

A bulk malware check on the domains revealed that dozens of them were malicious, with some still hosting active content, as shown below.

Note the similarity between the content of zohocrm[.]ro and hubspotn[.]com from the previous section.

Threat Expansion: Zooming in on Third-Party Threat Patterns

Several malicious cybersquatting domains hinted at a possible campaign tactic in which threat actors use domains starting with the string us followed by a number and, often, a dash, such as us1-mailchimp[.]com and us2mailchimp[.]com. The prefix mirrors the us<number> data-center labels that appear in Mailchimp’s own API and admin hostnames, which makes the lookalikes plausible to users and developers.

Expanding our threat discovery to include this pattern, we returned to Domains & Subdomains Discovery and searched for domains beginning with those strings. We found 575 such domains added from 1 January to 5 May 2023. The table below shows the breakdown per search string.

Beginning Text String | Domains Added (1 January to 7 May 2023)
----------------------|----------------------------------------
us1                   | 97
us2                   | 101
us3                   | 63
us4                   | 72
us5                   | 40
us6                   | 54
us7                   | 44
us8                   | 56
us9                   | 48
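The discovery step from the first table and the us-prefix search above, as an added Python example (not WhoisXML API’s tooling): it applies the table’s search rules (contains, starts with, or both strings present) to the second-level label of each name in a constructed domain list, skips the vendors’ own official domains, and separately flags names that begin with us followed by digits. The rule encoding, the sample domains and the two-label registrable() helper (no public suffix list, so co.uk-style suffixes are not handled) are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Search rules re-encoding the article's search strings (assumption).
# "both" requires every listed string to appear in the name.
VENDOR_RULES: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "ActiveCampaign": ("contains", ("activecampaign",)),
    "Aweber": ("starts_with", ("aweber",)),
    "Brevo": ("starts_with", ("brevo",)),
    "HubSpot": ("contains", ("hubspot",)),
    "Klaviyo": ("contains", ("klaviyo",)),
    "Mailchimp": ("contains", ("mailchimp",)),
    "Marketing 360": ("contains", ("marketing360",)),
    "Omnisend": ("contains", ("omnisend",)),
    "Pardot": ("contains", ("pardot",)),
    "Zoho CRM": ("both", ("zoho", "crm")),
}

# The vendors' own registrable domains; a hit here is legitimate, not a squat.
OFFICIAL_DOMAINS = {
    "activecampaign.com", "aweber.com", "brevo.com", "hubspot.com",
    "klaviyo.com", "mailchimp.com", "marketing360.com", "omnisend.com",
    "pardot.com", "zoho.com",
}

# The threat-expansion pattern: "us", one or more digits, optional dash,
# at the start of the name (us1-mailchimp, us2mailchimp).
US_PREFIX = re.compile(r"^us(\d+)-?")


def normalize(domain: str) -> str:
    """Refang ([.] -> .), lowercase, drop a trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels. Assumption: no public suffix list."""
    labels = normalize(domain).split(".")
    return ".".join(labels[-2:])


def classify(domain: str) -> Dict[str, object]:
    """Which vendor rules a domain matches, and whether it has a us<N> prefix."""
    host = normalize(domain)
    reg = registrable(host)
    name = reg.split(".")[0]              # the label the search strings apply to
    official = reg in OFFICIAL_DOMAINS
    vendors: List[str] = []
    if not official:                      # never flag the vendor's own domain
        for vendor, (kind, strings) in VENDOR_RULES.items():
            if kind == "contains" and strings[0] in name:
                vendors.append(vendor)
            elif kind == "starts_with" and name.startswith(strings[0]):
                vendors.append(vendor)
            elif kind == "both" and all(s in name for s in strings):
                vendors.append(vendor)
    m = US_PREFIX.match(name)
    us_prefix: Optional[int] = int(m.group(1)) if m else None
    return {"domain": host, "official": official,
            "vendors": vendors, "us_prefix": us_prefix}


def scan(domains: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Aggregate: hits per vendor, plus every us<N>-prefixed name (even with
    no vendor string, since the pattern search was run on its own)."""
    per_vendor = {v: 0 for v in VENDOR_RULES}
    us_hits: List[str] = []
    for d in domains:
        c = classify(d)
        for v in c["vendors"]:
            per_vendor[v] += 1
        if c["us_prefix"] is not None:
            us_hits.append(c["domain"])
    return per_vendor, us_hits


# Constructed sample input (made up for this example): the tables' samples,
# two official domains, a us<N> name with no vendor string, and noise.
SAMPLE_DOMAINS = [
    "us19-mailchimp[.]com", "us2mailchimp[.]com", "hubspots[.]cloud",
    "zohocrm[.]org", "zoho[.]com", "myaweber[.]net", "aweber[.]click",
    "us7-login[.]top", "example[.]org", "go[.]pardot[.]com",
]

if __name__ == "__main__":
    counts, hits = scan(SAMPLE_DOMAINS)
    print({v: n for v, n in counts.items() if n})
    print(hits)
```

Note that myaweber[.]net is not a hit because Aweber was searched with "starts with", and that us7-login[.]top is caught by the prefix search alone; that is the point of running the pattern search separately from the vendor-name search.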

A bulk malware check on these domains found that 4% of them were flagged as malicious.

The suspicious and malicious domains found in this study can feed blocklists and monitoring rules that catch third-party threats riding on cybersquatting domains. A closer look at how these properties were used led us to a suspicious domain pattern that, in turn, surfaced hundreds of additional us-prefixed domains, some of them malicious.

The findings of this study further highlight the multidimensional nature of the current threat landscape: an attack on a vendor can reach that vendor’s clients, and threat actors can come at an organization through many vectors and sources, which makes proactive and extensive threat discovery essential.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
