Do you have old pages on your website that you’ve forgotten about? Obsolete projects with old domain names? Old pages that are no longer active?
If so, beware. Those subdomains you’ve forgotten about can be highly valuable to cyber attackers.
Keeping your organization’s website up-to-date typically means updating content. But while you focus on the new, don’t neglect any old domains or unused subdomains.
Those forgotten corners of your website are security vulnerabilities. From a cyber security best practices perspective, keeping things up-to-date also means cleaning house.
Let’s discuss why and how bad actors exploit those loose ends if you don’t manage them carefully and consistently.
Why are Abandoned Domain Names So Dangerous?
Your domain name is your website’s home address and calling card. It’s how people find you and connect with you. It also connects you to key services, the most important being email.
Organizations need to retire or swap their domain names from time to time due to company re-organizations such as mergers or rebranding. If they don’t, domain registries return those original names to a domain name drop list.
When this happens, anyone can purchase the name in an auction, re-register the domain, and set up an email server.
Cyber criminals scan those registries for select domains, knowing they’ll receive emails that vendors, banks, and customers used to send to you. Those emails often contain or unlock sensitive information.
If you used your website for e-commerce, a fraudster could even build a phishing site that tricks visitors into sharing personal data or making illegitimate purchases. Worse, they might build a spoofing site that poses as your company, duping your audience and harming your brand.
Thankfully, the cost of keeping a domain name—even if you’re no longer using it—doesn’t break the bank. What you lose in domain registration fees, you win in maintaining your brand reputation, user trust, and data privacy.
Make sure you redirect any email accounts for that domain to an active account to stay on top of potential password resets and any incoming messages.
How Does Subdomain Hijacking Work?
Even if your domain is still active, you might have dormant or unused subdomains.
Websites usually create subdomains that point to shared hosting accounts, such as blog hosting services (Squarespace, WordPress), e-commerce platforms (Shopify), or code repositories (GitHub). When site admins forget about them, they become highly valuable assets for cyber attackers.
Subdomain owners might think deleting the subdomain on the shared hosting service side is the end of the story. However, it leaves the other side of the subdomain “dangling.” The Domain Name System (DNS) remembers where it pointed before.
Subdomain takeovers can be difficult to prevent because they’re more often the result of “not” doing something. A lack of communication between departments can exacerbate the issue.
For example, a marketing team might create a temporary website for a contest or promotional campaign, leveraging subdomains to support it. When the promotion ends, the marketers might take down the site but not let IT know, leaving subdomains vulnerable to takeover.
If a cyber criminal catches wind of this type of subdomain, they can swoop in and recreate the page with their own content, knowing the DNS record remains intact.
Then, when an external user tries to visit your older page, the DNS directs them to the right place. However, this time it’s under the cyber criminal’s control.
Fraudsters take advantage of imposter subdomains to host illegitimate businesses or post malicious links for use in other schemes.
When bad actors hitch a ride on your domain for unlawful purposes, it damages your reputation. You can also lose the trust of employees, customers, or other end-users that visit your site.
Common Ways Bad Actors Exploit Subdomain Vulnerabilities
Cyber attackers often use subdomain takeovers to host malicious links or content directly on the hijacked subdomain. However, they also exploit subdomain security weaknesses to undermine companies or collect information to leverage in further criminal activities. Here are some common techniques.
Exploiting password managers
Website admins often set up password management applications for primary sites that automatically log them into underlying subdomains. If a cyber criminal locates one of these with the login details already entered, lifting the owner's credentials will be a breeze.
Changing and adding cookies
Sometimes subdomains can alter cookies on the primary site. In this case, a subdomain hijacker can introduce illegitimate cookies into the process. That action lets them observe user activity and access their personal information.
Holding data hostage
Some organizations use subdomains to store important and confidential information, such as code, product specs, product research, and business plans. If a cyber attacker discovers this information using a brute force search for subdomains, they could demand that the owner pays them a ransom to stop them from sharing it publicly.
What Should You Do with Old Subdomains?
While unused subdomains can become vulnerabilities, just deleting them isn’t the right solution, either. The key is the DNS record—you need to edit your DNS settings.
It sounds simple, but even simple tasks get lost amid the endless duties of IT departments. The problem shines a light on security procedures in your organization.
Departments need to communicate about the status of every subdomain they have. They need to work together to ensure they’re up-to-date and fully secure.
How to Prevent a Subdomain Takeover
Organizations need policies for domain and subdomain creation, use, and management. Guidelines should set out procedures for firewalls, access credentials, password changes, cleanup of inactive subdomains, and naming conventions.
Cyber criminals often search for exploitable subdomains using brute force methods. Unusual subdomain names make that process more difficult.
Most importantly, security leaders must share those procedures with team members in every department. Employees need to know why they should read domain expiry notification emails instead of deleting them.
They need to understand why and how subdomain upkeep keeps employees, site visitors, and the organization safe.
Prevent Takeovers with a Cyber Aware Culture
Team communication and conduct are critical to keep domains out of criminal hands and shield subdomains from hijacking. Employees are always your first line of defense against any type of cyber attack.
Discover how to implement a 5-step framework for cyber security awareness in your organization
A cyber security awareness training program tailored to your needs efficiently and effectively instills cyber security best practices across your operations.