Home Did you know ? Attack Surface Discovery: Do Non-Attributable Domain Names Present a Risk?

Attack Surface Discovery: Do Non-Attributable Domain Names Present a Risk?

by Mic Johnson

A recent study showed that non-attributable domain and subdomain names containing popular brands present a risk for big organizations. The potential domain attack surface of 10 of the world’s most-imitated brands today comprises an average of 17,734 domains and subdomains, according to whoisxmlapi.com’s attack surface management tools.

The findings from the said research were extended by subjecting the top 25 Fortune 500 companies to an attack surface discovery study this time. Here are the key results.

Non-Attributable Domains Containing the Top 25 Fortune 500 Companies’ Brands

Domain Types

We define non-attributable domains as the sum of all domain names that contain a registered or trademarked company brand but may not be under the organization’s control as per a lack of identifiable detail in their WHOIS records. For this particular study, we identified the domains in our sample as:

  • Attributable domains: Contain the company’s brand and indicate its publicly acknowledged name as the registrant organization in their WHOIS records. For instance, the official Exxon Mobil domain name’s (exxonmobil[.]com) WHOIS record indicates “Exxon Mobil Corporation” as its registrant organization.
  • Non-attributable domains: Contain the company’s brand but have a different or masked registrant organization in their WHOIS records. An example would be exxon-mobil-mal[.]com, which contains “exxon mobil” (top 3 Fortune 500 company) but has a privacy-protected individual’s customer number under the registrant organization field in its WHOIS record.

Study Subjects

We began our investigation by identifying the top 25 Fortune 500 companies’ official domains (see Table 1).

Table 1: Top 25 Fortune 500 Companies and Their Respective Domains
Rank Company Domain
1 Walmart walmart[.]com
2 Amazon amazon[.]com
3 Exxon Mobil exxonmobil[.]com
4 Apple apple[.]com
5 CVS Health cvshealth[.]com
6 Berkshire Hathaway berkshirehathaway[.]com
7 UnitedHealth Group unitedhealthgroup[.]com
8 McKesson mckesson[.]com
9 AT&T att[.]com
10 AmerisourceBergen amerisourcebergen[.]com
11 Alphabet abc[.]xyz
12 Ford Motor ford[.]com
13 Cigna cigna[.]com
14 Costco Wholesale costco[.]com
15 Chevron chevron[.]com
16 Cardinal Health cardinalhealth[.]com
17 JPMorgan Chase jpmorganchase[.]com
18 General Motors gm[.]com
19 Walgreens Boots Alliance walgreensbootsalliance[.]com
20 Verizon Communications verizon[.]com
21 Microsoft microsoft[.]com
22 Marathon Petroleum marathonpetroleum[.]com
23 Kroger kroger[.]com
24 Fannie Mae fanniemae[.]com
25 Bank of America bankofamerica[.]com

Investigation Tools

We used two WhoisXML API tools to identify the top 25 Fortune 500 companies’ potential domain attack surfaces:

  • Bulk WHOIS Lookup: To determine if any of the top 25 Fortune 500 companies’ WHOIS records have been redacted or privacy-protected.
  • Reverse WHOIS Search: To know how many of the domains containing their brand names the companies own.

Study Findings

We ran the companies’ official domains on Bulk WHOIS Lookup and found that only two (Walmart and Berkshire Hathaway) or 8% of the sample didn’t indicate their registrant details. Walmart’s WHOIS record was redacted, while Berkshire Hathaway’s was privacy-protected.

Using Reverse WHOIS Search, we obtained two data sets to get the ratio of attributable to non-attributable domains. Note that we took out Walmart and Berkshire Hathaway from the sample as they did not reveal their registrant organization names in their official domains’ WHOIS records.

Table 2: Top 23 Fortune 500 Companies and Their Respective Registrant Organizations 
Rank Company Registrant Organization
2 Amazon Amazon Technologies, Inc.
3 Exxon Mobil Exxon Mobil Corporation
4 Apple Apple Inc.
5 CVS Health CVS Pharmacy, Inc.
7 UnitedHealth Group UnitedHealth Group Incorporated
8 McKesson McKesson Corporation
9 AT&T AT&T Services, Inc.
10 AmerisourceBergen AmerisourceBergen Corporation
11 Alphabet Google LLC
12 Ford Motor Ford Motor Company
13 Cigna Cigna Intellectual Property, Inc.
14 Costco Wholesale Costco Wholesale Membership, Inc.
15 Chevron Chevron Corp.
16 Cardinal Health Cardinal Health
17 JPMorgan Chase JPMorgan Chase & Co.
18 General Motors General Motors LLC
19 Walgreens Boots Alliance Walgreens
20 Verizon Communications Verizon Trademark Services LLC
21 Microsoft Microsoft Corporation
22 Marathon Petroleum Marathon Petroleum Company
23 Kroger The Kroger Co.
24 Fannie Mae Fannie Mae
25 Bank of America Bank of America

 

Comparing the two Reverse WHOIS Search data sets allowed us to conduct an attack surface discovery analysis for the 23 remaining companies (see the results in the figure below). Note that we took out Apple, AT&T, Alphabet, Walgreens Boots Alliance, Verizon Communications, Microsoft, and Bank of America from the sample since they owned more of the domains included in the reverse WHOIS search results than not.

The remaining 14 companies’ brands (Exxon Mobil, UnitedHealth Group, McKesson, AmerisourceBergen, Ford Motor, Cigna, Costco Wholesale, Chevron, Cardinal Health, JPMorgan Chase, General Motors, Marathon Petroleum, Kroger, and Fannie Mae) appeared in the WHOIS records of 63,215 domains. Of these, only 43,211 or 68% contained their legally recognized organization names as registrants. That means cyber attackers could theoretically use 20,004 domains for phishing or more sinister malware-enabled attacks.

As we’ve seen in this attack surface discovery study and the previously published research, non-attributable domains can increase spoofed companies’ exposure to cyber attacks such as phishing, spam, and business email compromise (BEC). As a result, customers can suffer from identity or financial theft. And the companies mimicked? They could lose the public’s trust and damage their reputation. These repercussions are, however, mitigable with the help of attack surface discovery tools.

You may also like

Latest Hacking News

Privacy Preference Center

Necessary

The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]

Advertising

DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.

doubleclick

Analytics

The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid