A recent study showed that non-attributable domain and subdomain names containing popular brands present a risk for big organizations. The potential domain attack surface of 10 of the world’s most-imitated brands today comprises an average of 17,734 domains and subdomains, according to whoisxmlapi.com’s attack surface management tools.
The findings from the said research were extended by subjecting the top 25 Fortune 500 companies to an attack surface discovery study this time. Here are the key results.
Non-Attributable Domains Containing the Top 25 Fortune 500 Companies’ Brands
Domain Types
We define non-attributable domains as the sum of all domain names that contain a registered or trademarked company brand but may not be under the organization’s control as per a lack of identifiable detail in their WHOIS records. For this particular study, we identified the domains in our sample as:
- Attributable domains: Contain the company’s brand and indicate its publicly acknowledged name as the registrant organization in their WHOIS records. For instance, the official Exxon Mobil domain name’s (exxonmobil[.]com) WHOIS record indicates “Exxon Mobil Corporation” as its registrant organization.
- Non-attributable domains: Contain the company’s brand but have a different or masked registrant organization in their WHOIS records. An example would be exxon-mobil-mal[.]com, which contains “exxon mobil” (top 3 Fortune 500 company) but has a privacy-protected individual’s customer number under the registrant organization field in its WHOIS record.
Study Subjects
We began our investigation by identifying the top 25 Fortune 500 companies’ official domains (see Table 1).
| Table 1: Top 25 Fortune 500 Companies and Their Respective Domains | ||
| Rank | Company | Domain |
| 1 | Walmart | walmart[.]com |
| 2 | Amazon | amazon[.]com |
| 3 | Exxon Mobil | exxonmobil[.]com |
| 4 | Apple | apple[.]com |
| 5 | CVS Health | cvshealth[.]com |
| 6 | Berkshire Hathaway | berkshirehathaway[.]com |
| 7 | UnitedHealth Group | unitedhealthgroup[.]com |
| 8 | McKesson | mckesson[.]com |
| 9 | AT&T | att[.]com |
| 10 | AmerisourceBergen | amerisourcebergen[.]com |
| 11 | Alphabet | abc[.]xyz |
| 12 | Ford Motor | ford[.]com |
| 13 | Cigna | cigna[.]com |
| 14 | Costco Wholesale | costco[.]com |
| 15 | Chevron | chevron[.]com |
| 16 | Cardinal Health | cardinalhealth[.]com |
| 17 | JPMorgan Chase | jpmorganchase[.]com |
| 18 | General Motors | gm[.]com |
| 19 | Walgreens Boots Alliance | walgreensbootsalliance[.]com |
| 20 | Verizon Communications | verizon[.]com |
| 21 | Microsoft | microsoft[.]com |
| 22 | Marathon Petroleum | marathonpetroleum[.]com |
| 23 | Kroger | kroger[.]com |
| 24 | Fannie Mae | fanniemae[.]com |
| 25 | Bank of America | bankofamerica[.]com |
Investigation Tools
We used two WhoisXML API tools to identify the top 25 Fortune 500 companies’ potential domain attack surfaces:
- Bulk WHOIS Lookup: To determine if any of the top 25 Fortune 500 companies’ WHOIS records have been redacted or privacy-protected.
- Reverse WHOIS Search: To know how many of the domains containing their brand names the companies own.
Study Findings
We ran the companies’ official domains on Bulk WHOIS Lookup and found that only two (Walmart and Berkshire Hathaway) or 8% of the sample didn’t indicate their registrant details. Walmart’s WHOIS record was redacted, while Berkshire Hathaway’s was privacy-protected.
Using Reverse WHOIS Search, we obtained two data sets to get the ratio of attributable to non-attributable domains. Note that we took out Walmart and Berkshire Hathaway from the sample as they did not reveal their registrant organization names in their official domains’ WHOIS records.
| Table 2: Top 23 Fortune 500 Companies and Their Respective Registrant Organizations | ||
| Rank | Company | Registrant Organization |
| 2 | Amazon | Amazon Technologies, Inc. |
| 3 | Exxon Mobil | Exxon Mobil Corporation |
| 4 | Apple | Apple Inc. |
| 5 | CVS Health | CVS Pharmacy, Inc. |
| 7 | UnitedHealth Group | UnitedHealth Group Incorporated |
| 8 | McKesson | McKesson Corporation |
| 9 | AT&T | AT&T Services, Inc. |
| 10 | AmerisourceBergen | AmerisourceBergen Corporation |
| 11 | Alphabet | Google LLC |
| 12 | Ford Motor | Ford Motor Company |
| 13 | Cigna | Cigna Intellectual Property, Inc. |
| 14 | Costco Wholesale | Costco Wholesale Membership, Inc. |
| 15 | Chevron | Chevron Corp. |
| 16 | Cardinal Health | Cardinal Health |
| 17 | JPMorgan Chase | JPMorgan Chase & Co. |
| 18 | General Motors | General Motors LLC |
| 19 | Walgreens Boots Alliance | Walgreens |
| 20 | Verizon Communications | Verizon Trademark Services LLC |
| 21 | Microsoft | Microsoft Corporation |
| 22 | Marathon Petroleum | Marathon Petroleum Company |
| 23 | Kroger | The Kroger Co. |
| 24 | Fannie Mae | Fannie Mae |
| 25 | Bank of America | Bank of America |
Comparing the two Reverse WHOIS Search data sets allowed us to conduct an attack surface discovery analysis for the 23 remaining companies (see the results in the figure below). Note that we took out Apple, AT&T, Alphabet, Walgreens Boots Alliance, Verizon Communications, Microsoft, and Bank of America from the sample since they owned more of the domains included in the reverse WHOIS search results than not.
The remaining 14 companies’ brands (Exxon Mobil, UnitedHealth Group, McKesson, AmerisourceBergen, Ford Motor, Cigna, Costco Wholesale, Chevron, Cardinal Health, JPMorgan Chase, General Motors, Marathon Petroleum, Kroger, and Fannie Mae) appeared in the WHOIS records of 63,215 domains. Of these, only 43,211 or 68% contained their legally recognized organization names as registrants. That means cyber attackers could theoretically use 20,004 domains for phishing or more sinister malware-enabled attacks.
As we’ve seen in this attack surface discovery study and the previously published research, non-attributable domains can increase spoofed companies’ exposure to cyber attacks such as phishing, spam, and business email compromise (BEC). As a result, customers can suffer from identity or financial theft. And the companies mimicked? They could lose the public’s trust and damage their reputation. These repercussions are, however, mitigable with the help of attack surface discovery tools.
