I discovered that one of the subdomains owned by a company I worked on a project for recently (I won’t say which one) had one of their subdomains taken over. 💀💀💀
Subdomains are like a ‘branch’ off of your main domain that can essentially function as a separate – yet related – website. They power services or functions that run through your website; for example, in WordPress you’ll notice that your site comes with the subdomain yourblogname.wordpress.com.
I found several subdomains which were returning a 404, and was able to confirm that they were related to services which were previously cancelled/removed. However, one of the subdomains took me to an active web page for a COMPLETELY DIFFERENT COMPANY and prompted the user to enter their personal info! However, this was for a legitimate company with a multi-page website, and looked more like an error than any malicious hacking intent (it looked like perhaps a developer for the other company simply accidentally entered the wrong IP address in AWS somehow).
The good news is, I was able to simply delete these subdomains to mitigate the risk.
How can a hacker take over a subdomain? Here’s an example of how it could go:
- Company decides to have tickets automatically generate any time someone messages them via their website, so they set up an integration with a service such as Zendesk, and use a code plug in or snippet on their website to power the integration.
- A subdomain is created during this process along the lines of zendesk.companydomain.com, which appears in DNS records for companydomain.com.
- The company tries out the integration, but ultimately decides they don’t like it, and cancels their Zendesk subscription. However, they don’t remove the record from DNS, so zendesk.companydomain.com still appears in their DNS records but now returns a 404.
- A hacker runs a scan against the company’s domain and sees that zendesk.companydomain.com is returning a 404. They start to smile – no, grin – because this means that subdomain is ripe for potential takeover! They set up a Zendesk subscription and point it to zendesk.companydomain.com. The DNS check goes through fine, and the hacker sets up their own website at zendesk.companydomain.com that says something like “welcome to our company’s new ticketing system! Simply enter your username, password, and social security number here to open a ticket with our company. We appreciate your business and look forward to assisting you within 1 business day!”
- The hacker uses phishing or other spammy tactics to try to route current or potential new clients for the target business directly to zendesk.companydomain.com, to fill out the form with their personal information, and submit it.
- The hacker can now collect this company’s users’ personal information.
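The scenario above comes down to a DNS record that outlives the service it pointed at. The following script is an added example, not code from the original post: it audits a constructed BIND-style zone export for the two conditions described on this page, a CNAME whose target no longer resolves (the cancelled Zendesk subscription) and an A record pointing at an address the company does not own (the mis-pointed IP). The domain names, addresses, owned network range, provider suffix list and the in-memory `fake_resolve` stand-in for a real DNS lookup are all assumptions made so the example runs offline.

```python
"""Audit a DNS zone export for stale subdomain records (added example).

Flags CNAMEs whose target no longer resolves and A records that point
outside the address space the company owns. Everything below is
constructed; swap fake_resolve for a real resolver in production.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed sample zone export in BIND format. Names, TTLs and
# addresses are hypothetical; 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges.
ZONE_EXPORT = """\
www.companydomain.com.      300 IN A     203.0.113.10
zendesk.companydomain.com.  300 IN CNAME companydomain.zendesk.com.
shop.companydomain.com.     300 IN CNAME shops.myshopify.com.
api.companydomain.com.      300 IN A     198.51.100.7
old.companydomain.com.      300 IN CNAME legacy-host.example.net.
"""

# Address blocks the company actually controls (constructed).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]

# Hosting-provider suffixes where a record is only as safe as the
# subscription behind it (constructed list, not exhaustive).
THIRD_PARTY_SUFFIXES = (".zendesk.com", ".myshopify.com")

# Stand-in resolver so the example runs offline: maps a CNAME target to
# the addresses it resolves to, or None when the name does not exist
# (NXDOMAIN). Replace with dnspython or socket lookups for real use.
FAKE_DNS = {
    "shops.myshopify.com": ["192.0.2.50"],  # constructed; provider still serves it
    "companydomain.zendesk.com": None,      # subscription cancelled, name is gone
    "legacy-host.example.net": None,        # host decommissioned
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Hypothetical resolver: None means NXDOMAIN."""
    return FAKE_DNS.get(name.rstrip("."))


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner name, record type, rdata) for each A/CNAME line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and malformed entries
        name, _ttl, _cls, rtype, rdata = parts[:5]
        records.append((name.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def audit_zone(text: str,
               resolve: Callable[[str], Optional[List[str]]] = fake_resolve
               ) -> List[Tuple[str, str]]:
    """Return (subdomain, issue) pairs for records that need attention."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "CNAME":
            if resolve(rdata) is None:
                # The target name is gone: this is the 404/NXDOMAIN state the
                # post describes. Remove the record or re-point it.
                findings.append((name, "dangling CNAME: target does not resolve"))
            elif rdata.endswith(THIRD_PARTY_SUFFIXES):
                # Still resolves, but only because a subscription exists.
                findings.append((name, "third-party CNAME: confirm subscription is active"))
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in OWNED_NETWORKS):
                findings.append((name, "A record points outside owned address space"))
    return findings


if __name__ == "__main__":
    for subdomain, issue in audit_zone(ZONE_EXPORT):
        print(f"{subdomain}: {issue}")
```

Run it against a real export by replacing `ZONE_EXPORT` with the zone file from your DNS provider and `fake_resolve` with an actual lookup; anything reported as a dangling CNAME should be deleted, and third-party CNAMEs should be cross-checked against the list of services you still pay for.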
Subdomain takeover can be difficult to track, so the best prevention is to audit your DNS records whenever a service is cancelled and remove the stale subdomain record as part of the cancellation, rather than leaving it behind.
As always, I am open to learning from you – if you have further info that will help me increase my knowledge of DNS and subdomains, I am open to hearing it!
Here’s to your security 💻 🥂