
Attack Surface Discovery: Do Non-Attributable Domain Names Present a Risk?

by Mic Johnson

A recent study showed that non-attributable domain and subdomain names containing popular brands present a risk for big organizations. The potential domain attack surface of 10 of the world’s most-imitated brands today comprises an average of 17,734 domains and subdomains, according to whoisxmlapi.com’s attack surface management tools.

We extended that research by running an attack surface discovery study on the top 25 Fortune 500 companies. Here are the key results.

Non-Attributable Domains Containing the Top 25 Fortune 500 Companies’ Brands

Domain Types

We define non-attributable domains as the sum of all domain names that contain a registered or trademarked company brand but may not be under the organization’s control, because their WHOIS records lack identifying details. For this particular study, we classified the domains in our sample as:

  • Attributable domains: Contain the company’s brand and indicate its publicly acknowledged name as the registrant organization in their WHOIS records. For instance, the official Exxon Mobil domain name’s (exxonmobil[.]com) WHOIS record indicates “Exxon Mobil Corporation” as its registrant organization.
  • Non-attributable domains: Contain the company’s brand but have a different or masked registrant organization in their WHOIS records. An example would be exxon-mobil-mal[.]com, which contains “exxon mobil” (the third-ranked Fortune 500 company) but has a privacy-protected individual’s customer number in the registrant organization field of its WHOIS record.

Study Subjects

We began our investigation by identifying the top 25 Fortune 500 companies’ official domains (see Table 1).

Table 1: Top 25 Fortune 500 Companies and Their Respective Domains
| Rank | Company | Domain |
|------|---------|--------|
| 1 | Walmart | walmart[.]com |
| 2 | Amazon | amazon[.]com |
| 3 | Exxon Mobil | exxonmobil[.]com |
| 4 | Apple | apple[.]com |
| 5 | CVS Health | cvshealth[.]com |
| 6 | Berkshire Hathaway | berkshirehathaway[.]com |
| 7 | UnitedHealth Group | unitedhealthgroup[.]com |
| 8 | McKesson | mckesson[.]com |
| 9 | AT&T | att[.]com |
| 10 | AmerisourceBergen | amerisourcebergen[.]com |
| 11 | Alphabet | abc[.]xyz |
| 12 | Ford Motor | ford[.]com |
| 13 | Cigna | cigna[.]com |
| 14 | Costco Wholesale | costco[.]com |
| 15 | Chevron | chevron[.]com |
| 16 | Cardinal Health | cardinalhealth[.]com |
| 17 | JPMorgan Chase | jpmorganchase[.]com |
| 18 | General Motors | gm[.]com |
| 19 | Walgreens Boots Alliance | walgreensbootsalliance[.]com |
| 20 | Verizon Communications | verizon[.]com |
| 21 | Microsoft | microsoft[.]com |
| 22 | Marathon Petroleum | marathonpetroleum[.]com |
| 23 | Kroger | kroger[.]com |
| 24 | Fannie Mae | fanniemae[.]com |
| 25 | Bank of America | bankofamerica[.]com |

Investigation Tools

We used two WhoisXML API tools to identify the top 25 Fortune 500 companies’ potential domain attack surfaces:

  • Bulk WHOIS Lookup: To determine if any of the top 25 Fortune 500 companies’ WHOIS records have been redacted or privacy-protected.
  • Reverse WHOIS Search: To determine how many of the domains containing their brand names the companies actually own.

Study Findings

We ran the companies’ official domains through Bulk WHOIS Lookup and found that only two (Walmart and Berkshire Hathaway), or 8% of the sample, didn’t indicate their registrant details. Walmart’s WHOIS record was redacted, while Berkshire Hathaway’s was privacy-protected.

Using Reverse WHOIS Search, we obtained two data sets to get the ratio of attributable to non-attributable domains. Note that we took out Walmart and Berkshire Hathaway from the sample as they did not reveal their registrant organization names in their official domains’ WHOIS records.

Table 2: Top 23 Fortune 500 Companies and Their Respective Registrant Organizations 
| Rank | Company | Registrant Organization |
|------|---------|-------------------------|
| 2 | Amazon | Amazon Technologies, Inc. |
| 3 | Exxon Mobil | Exxon Mobil Corporation |
| 4 | Apple | Apple Inc. |
| 5 | CVS Health | CVS Pharmacy, Inc. |
| 7 | UnitedHealth Group | UnitedHealth Group Incorporated |
| 8 | McKesson | McKesson Corporation |
| 9 | AT&T | AT&T Services, Inc. |
| 10 | AmerisourceBergen | AmerisourceBergen Corporation |
| 11 | Alphabet | Google LLC |
| 12 | Ford Motor | Ford Motor Company |
| 13 | Cigna | Cigna Intellectual Property, Inc. |
| 14 | Costco Wholesale | Costco Wholesale Membership, Inc. |
| 15 | Chevron | Chevron Corp. |
| 16 | Cardinal Health | Cardinal Health |
| 17 | JPMorgan Chase | JPMorgan Chase & Co. |
| 18 | General Motors | General Motors LLC |
| 19 | Walgreens Boots Alliance | Walgreens |
| 20 | Verizon Communications | Verizon Trademark Services LLC |
| 21 | Microsoft | Microsoft Corporation |
| 22 | Marathon Petroleum | Marathon Petroleum Company |
| 23 | Kroger | The Kroger Co. |
| 24 | Fannie Mae | Fannie Mae |
| 25 | Bank of America | Bank of America |


Comparing the two Reverse WHOIS Search data sets allowed us to conduct an attack surface discovery analysis for the 23 remaining companies (see the results in the figure below). Note that we took out Apple, AT&T, Alphabet, Walgreens Boots Alliance, Verizon Communications, Microsoft, and Bank of America from the sample since they owned more of the domains included in the reverse WHOIS search results than not.

The remaining 14 companies’ brands (Exxon Mobil, UnitedHealth Group, McKesson, AmerisourceBergen, Ford Motor, Cigna, Costco Wholesale, Chevron, Cardinal Health, JPMorgan Chase, General Motors, Marathon Petroleum, Kroger, and Fannie Mae) appeared in the WHOIS records of 63,215 domains. Of these, only 43,211, or 68%, contained their legally recognized organization names as registrants. That means cyber attackers could theoretically use the remaining 20,004 domains for phishing or more sinister malware-enabled attacks.
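The attributable/non-attributable split defined under Domain Types, and the ratio reported above, can be reproduced over any WHOIS export with a few lines of Python. This is an added example, not code from the study or from WhoisXML API: the record field names, the masking markers, the registrant values other than "Exxon Mobil Corporation", and every ".example" domain are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed markers of a masked registrant field; tune to your WHOIS data source.
MASKED = re.compile(r"redacted|privacy|proxy|^customer\s*(id|no\.?|number)?\s*\d+", re.I)

def norm(text):
    """Lower-case and keep only letters and digits so spacing/punctuation don't matter."""
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())

def classify(record, brand, official_orgs):
    """Label one WHOIS record using the article's attributable/non-attributable split."""
    name = record["domain"].replace("[.]", ".").rsplit(".", 1)[0]  # refang, drop TLD
    if norm(brand) not in norm(name):
        return "out-of-scope"  # brand string does not appear in the name
    org = (record.get("registrant_org") or "").strip()
    if norm(org) in {norm(o) for o in official_orgs}:
        return "attributable"
    if not org or MASKED.search(org):
        return "non-attributable: masked registrant"
    return "non-attributable: different registrant"

def share(attributable, total):
    """Return (attributable percentage, non-attributable count)."""
    return (round(100 * attributable / total) if total else 0, total - attributable)

def summarize(records, brand, official_orgs):
    """Count labels and compute the attributable share over in-scope domains."""
    counts = Counter(classify(r, brand, official_orgs) for r in records)
    in_scope = sum(n for label, n in counts.items() if label != "out-of-scope")
    pct, non_attr = share(counts["attributable"], in_scope)
    return {"counts": dict(counts), "attributable_pct": pct, "non_attributable": non_attr}

# Constructed sample. The first two domains are the article's examples; the customer
# number and every ".example" row are invented for illustration.
SAMPLE = [
    {"domain": "exxonmobil[.]com", "registrant_org": "Exxon Mobil Corporation"},
    {"domain": "exxon-mobil-mal[.]com", "registrant_org": "Customer 0123456789"},
    {"domain": "exxonmobil-rewards[.]example", "registrant_org": "Example Marketing Ltd"},
    {"domain": "pay.exxonmobil-portal[.]example", "registrant_org": "REDACTED FOR PRIVACY"},
    {"domain": "exxon-mobil[.]example", "registrant_org": "EXXON MOBIL CORPORATION"},
    {"domain": "weather[.]example", "registrant_org": ""},
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "Exxon Mobil", ["Exxon Mobil Corporation"]))
```

Matching the registrant exactly after normalization means a subsidiary or abbreviated name (for example "Corp." instead of "Corporation") is counted as a different registrant, so pass every legal entity name the organization registers under in `official_orgs`.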

As we’ve seen in this attack surface discovery study and the previously published research, non-attributable domains can increase spoofed companies’ exposure to cyber attacks such as phishing, spam, and business email compromise (BEC). As a result, customers can suffer from identity or financial theft. And the companies mimicked? They could lose the public’s trust and damage their reputation. These repercussions are, however, mitigable with the help of attack surface discovery tools.
