Navigating the Risk of Subdomain Hijacking: Practical Solutions for 2025
Watch our webinar to learn how to safeguard your digital ecosystem.
Understand how subdomain hijacking works and its impact on businesses
Learn about evolving DNS vulnerabilities and practical steps to mitigate them
Explore insights from CSC’s Subdomain Monitoring tools, recent news articles, and research
Gain valuable strategies to enhance DNS management and protect your brand
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching us on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Navigating the Risk of Subdomain Hijacking: Practical Solutions for 2025." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Mark Flegg. Mark is CSC's Global Director of Security Services and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. To raise awareness of digital threats to businesses, Mark presents programs dealing with domain security and cybersecurity assets at leading industry conferences and events. And with that, let's welcome Mark.
Mark: Thanks very much, Christy. Hi, everybody. Today we're going to cover a subject that we have done in the past, but it's still very, very relevant and we're not seeing any decline in this threat vector. So we're going to talk about subdomain hijacking. We're going to show you a short video, which hopefully outlines everything that you need to know about it. We'll talk about the history and the evolution and how we've created what's called dangling DNS records. And then, of course, we need to share how we believe you should be mitigating your subdomain hijacking threats. And then we'll cover, at the end, some highlights from our Subdomain Hijacking Vulnerabilities Report. So with that, I'm going to show you a short video.
Narrator: Global businesses rely on the internet for everything, from email and websites to authentication and voice over IP. Throughout the year, businesses launch promotional websites, service announcements, and applications. Before users can reach the destination website to access content, there's a process that must be followed.
First, the website owner will engage with a web hosting provider to request a landing page for an upcoming promotion. Next, they will reach out to their DNS administrator or IT team to make that connection. Behind the scenes, there's a lot more going on than meets the eye. In order for the site to display live content, they need to connect the dots, which is the DNS. When the campaign is over, the marketing team will realize that the website is no longer needed and will remove it by going to the web host.
The marketing team doesn't realize that they need to also go back to their DNS team to remove the DNS record. The DNS record that was used to map users to the destination is left behind, referred to as dangling DNS. Over time, these DNS records will accumulate and can be used against victims in an attack, known as subdomain hijacking. Cyber criminals crawl the web asking, "Where does this point to?" They can go to the web hosting provider and ask for a specific host name. As long as it's not in use, no questions asked.
Cyber criminals will use dangling DNS records to display their own malicious content. They can easily set up their spoof website and attract genuine traffic for their fake content using the host name no longer in use. Security protocols that detect bad actors and their activities are circumvented by this method. Security teams can't detect a breach, and end users can't tell the difference. Cyber criminals can even get a free domain validated digital certificate to add the https padlock to seem more authentic.
With time and business growth, more of these dangling DNS will accumulate, and teams will hesitate to delete DNS records they are unfamiliar with. It's a challenge for enterprise organizations to manage assets outside the firewall where there are a variety of complex external attack surfaces.
CSC has developed a subdomain monitoring solution that provides comprehensive analysis and daily alerts to any change in state, allowing you to quickly take action and remove the offending dangling DNS record, receive full reporting on all your DNS zone records daily, and finally get some closure to this vulnerability that is very difficult to manage across departments. Secure your organization's continuity, reputation, and revenue with CSC's Subdomain Monitoring.
Mark: Let's talk about how history and evolution have changed and created dangling DNS. And a very simplistic kind of timeline here: in 2005 roughly, these dates aren't precise, but when business decided they wanted to get online, internal data centers were commonplace and it was great. No threat existed there. We're not in the business of giving up our IP addresses or our host names to a third party that can do bad things with it. So we had complete control.
And then, about five years later, business realized, hang on, there's quite a responsibility here to manage these data centers. It's not our core competence. It's not what we're good at doing. We should outsource this to somebody that's doing it better. And we saw that, and there was limited risk of a subdomain takeover, meaning these were professional data centers that weren't in the business of recycling host names and IP addresses. So whilst it was theoretically possible it could happen, it didn't really.
But then if you kind of fast-forward to 2015, the general trend is to move everything to the cloud. We all know "cloud" is just a term for somebody else's named server or data center. And they are handling most of the web hosting for us, and this is really where we introduce the risk of subdomain takeover. These organizations will recycle IP addresses. They will recycle host names to anybody that wants to buy them. So if it's available, they don't care if it has history. They will allocate it to the person asking for it. And that's how it all happens.
So this is kind of an evolution, if you like. We didn't have the risk. We started using emerging technologies, like the cloud providers. And as we do so, we introduce other risks.
And this has got to a point that, a couple of years ago now, even ICANN, the Internet Corporation for Assigned Names and Numbers, the governing body of the domain world essentially, issued a statement because they recognized the risks that were here. And I'm sure a lot of you have heard of ICANN, you know of ICANN. They don't issue these threat updates lightly. They hardly do it. So for them to come out and do this kind of tells you the gravity of the situation here.
So, the all-important question: how do I mitigate subdomain hijacking? Well, there are kind of three steps to it. And if you recall the video that we've just shown there, the cyber criminals are preying on our lack of zone cyber hygiene, if you like. And for companies that have got good cyber hygiene, the risk is minimized. So essentially we're dealing with kind of 20 years now of noise that has built up and built up, and what we need to do is baseline that. We need to go back, we need to look at all of those subdomains that we have, and make a determination: are they needed, or can we delete them? And once you've done that, you're in a much better position. The hard yards are done, if you like.
But then it's about keeping on top of it. Don't wait another 20 years before you review this because the cyber criminals are looking at this every single day and you need to react to it. So you need that feed. You then need to take an action, and that's one of two things. You either reinstate content for that subdomain, or you delete it. One of those two things must happen if you want to mitigate the risk of a subdomain hijack or a takeover. So this is something that while we're using cloud providers, it's something we're always going to have to do. And it has to become the new norm unfortunately.
Subdomain Hijacking Report highlights: global businesses rely on the internet for everything now. It's our websites. It's our email. It's authentication, whether it's Office 365 or Google Authenticate, whatever it might be, voice over IP. Pretty much everything depends on the internet. And for us, that's certainly under the category of DNS. DNS is definitely part of an organization's external attack surface, and it has to be continuously monitored for cyber crime attacks and fraud.
And again, just a little refresher, DNS, domain name system, it's essentially the phone book of the internet. It's how we're found. If somebody wants to get to a website, you've got to convert www.cscglobal.com into a machine readable IP address so it knows exactly where to take the user that's asking for it. Same for your email. Where is your mail server located? There has to be this central repository. And that's what DNS does.
But that 20 years of history, the reluctance to delete things, cyber criminals have cottoned on to this, and they realize, hey, this is low-hanging fruit for us because I don't need special skills, I don't need to breach anybody's system. I just need to do a little bit of data mining, connect some dots, and where the dots don't connect, I'm going to go to that cloud provider and I'm going to ask for that IP address or host name. Job done. I hijack. So it's very, very simple for them, and it's very fruitful.
Pretty much one in five of the records we analyzed on CSC DNS were susceptible to subdomain takeover. That's a huge number, 21%. That's why cyber criminals are doing what they are doing. It's rich pickings. They've got a lot of opportunities there. For companies that issue bug bounties or have a bug bounty program where they will pay a third party, an ethical hacker, if you like, to find problems with their infrastructure, that's what they're looking for. They're mining data to look for these records because they can get paid on it. So even the ethical hackers out there can profit from our poor zone cyber hygiene.
If we were to look at this where business has been outsourcing to cloud providers instead of the traditional internal data centers, it's obvious why we want to do that. It allows you to have access to new technologies, to be more agile, dynamic. It's certainly more cost effective. But those risks open up. And if we have a look at Figure 2 here, 58% of the companies analyzed appear to be doing a better job at consolidating their subdomains under just one or two cloud providers, but they tend to want smaller domain portfolios that are much easier to manage.
Conversely, 11% of the companies analyzed used 5 or more cloud providers. And at this stage, I'm kind of throwing my hands in the air. Why do we need five cloud providers to do web hosting? They're all much of a muchness. They're all global. We're talking Cloudflare, Akamai, AWS, Microsoft with Azure, etc. It's not as if they're regional like they used to be back in the day. But it seems that the bigger the domain portfolio, the more cloud providers we have.
Just like anything in life, the more vendors or suppliers that you have to manage, the harder it is. And in a crisis situation, the last thing you want to try and do is figure out which provider do I need to pick the phone up to. You're under pressure. So consolidation is a common theme that we recommend to our customers for digital assets. Whether it's domains, DNS, SSL certificates, cloud providers, consolidation is definitely the way to go here.
If we look at some of those key cloud providers used, you can see the Akamai, the Microsoft, AWS, Cloudflare that I mentioned. They've all got a relatively equal slice of the pie. GoDaddy is slightly bigger because of all the WordPress that we have on there.
So what happens if this issue is not addressed? Well, go ask Microsoft, unfortunately for them. This is an older article, but nevertheless still relevant because the same things can happen today if you're not managing it properly. And Microsoft had 240 of their subdomains that were sitting on their Azure platform hijacked. And the intent of the cyber criminal there was basically going to add content that downloads malware, which is never a great thing. You go to Microsoft, you expect to trust it. So if they can fall foul of this, anybody can.
And I just want to highlight this. This was one of the kind of pages, if you like, in the video that we saw and why are they going after subdomain takeovers. What's in it for the cyber criminal? They've done phishing email campaigns before. They'll continue to do it. It'll be relatively successful. But why do they want to come after my brand?
Well, business has got a lot smarter. We've got intrusion detection systems (IDS), email gateways. We've put many things in place to stop malicious emails coming into our organization. And it's a numbers game for them. So if they register a random string, chances are that's going to get picked up: it's not a trusted domain name, and it's going to get blocked. We'll strip the links out, etc.
But if I use your subdomain, it's a trusted brand. So let's run through and figure out the bad signals to prove that this is fraudulent. It's your subdomain. It's on your domain name. It's using the DNS provider that you use for your other domain names. It's using a cloud provider that you use for your other properties. I don't get a single bad signal from this, and that means our IDS or gateways for email, they're not going to get a bad signal either.
And the chances are these emails will slip through the filters that we put in place. And even the links that they embed into the email for somebody to click, some unsuspecting victim, what do we teach people in phishing awareness? We say hover over the link. Do not click on the link. Hover over the link, look at the right-hand side. How does it end? Is this a domain name that you expect to go to? So using our brand, cscglobal.com, that's the right-hand side. Yeah, this is legitimate. I'm going to click it. I feel more confident.
And that's why cyber criminals want it. They want to piggyback on your brand, on your reputation so that they increase their odds of getting those phishing emails delivered. And then they can deploy whatever agenda that they have, whether it's malware, whether it's a spoof website to capture credentials and passwords, etc. We've seen everything. We've seen adult content, online gaming, gambling, you name it. It's whatever they want to do with it. And, obviously, that impacts your reputation as a brand.
And subdomain monitoring is just one of the controls that you can put into place to really mitigate some of the external threat vectors that are out there for you. From our perspective, we believe in a multi-layered approach. Makes it more secure by default. And it starts with an enterprise-class provider at the bottom there. That's your outer shell. Then you have your secure portal access. You're controlling your user permissions. And then you can add the other things in. So for email, for example, you've got SPF, DKIM, DMARC, obviously employ that.
But registry locks and, importantly, CAA records. For those that don't know, a CAA record is a zone resource record. It stands for certificate authority authorization. It's free to add the records. And what it does is it sends a signal to the certificate authorities around the world that says if you are not listed in a CAA record, you are not permitted to issue a certificate. So this is an extra defense-in-depth layer for subdomain hijacking. So if a cyber criminal is successful, they'll go to somebody like Let's Encrypt because they're free. They'll get a 90-day domain validated certificate to lend that authenticity to the website because nobody is going to click on it if it hasn't got a padlock, and chances are the browsers these days will not allow you to proceed. So it's important that they get the certificate.
But if you have a CAA record in play that says, hey, only CSC can issue certificates, then Let's Encrypt can't. And that stops the cyber criminal. They've then got to sit back and say, "Right, am I going to get a relationship with a CSC, a Sectigo, DigiCert, etc. in order to get a certificate on here? And that's going to cost me money, and I'm going to be known to these companies." Yeah, I'll move on to the next victim, if you like, the next brand, because there's a CAA record and that stops me.
So again, these are just techniques that you can do to help mitigate this risk. From our perspective, hopefully those that know CSC realize we are super security focused. Those that don't, here's a little timeline of some of the things that we've done over the years. We were the first to mandate two-factor authentication back in 2017. Sounds simple today, kind of seven, eight years later. Back then, it was a big deal because a lot of our users didn't have company-issued mobile devices and they were reluctant to install apps. So we got some backlash for that. But you know what? I'm going to take that every day. Sometimes we just have to force people to do the right things.
And you can see last year we did the, that's two years ago now I guess, Subdomain Monitoring. And last year, we released our DomainSec UI. So this is a constantly evolving timeline, where CSC is heavily focused in making things more secure for our clients.
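The two controls the webinar describes, baselining the zone so that records pointing at nothing are deleted or reinstated, and using CAA records so that a hijacked host name cannot easily get a certificate, as an added example that is not part of the transcript and is not CSC's Subdomain Monitoring product or code. The script below audits a small zone export: it parses BIND-style records, flags CNAME records whose targets no longer exist (NXDOMAIN, the "dangling" state from the video), and evaluates which certificate authority the zone's CAA policy still permits to issue for a name, following RFC 8659's climb to the parent name and its issue/issuewild rule (simplified to names inside the parsed zone). Everything in it is constructed: the example.com zone, the 203.0.113.x addresses, the resolver answer table that stands in for live DNS lookups, and the placeholder CA domain `ca.example`; the hosting suffixes in the sample are illustrative stand-ins for whatever your own provider inventory lists.

```python
"""Zone hygiene audit (added example; all names, addresses and answers are constructed).
Flags CNAMEs whose targets no longer exist (NXDOMAIN) and evaluates which CA the
zone's CAA policy still permits to issue, per RFC 8659 (parent climb, issue/issuewild)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Record:
    name: str   # fully qualified, trailing dot
    rtype: str  # A, CNAME, CAA, ...
    rdata: str  # text after the type, unparsed

def _strip_comment(line: str) -> str:
    """Drop a ';' comment without touching a ';' inside a quoted CAA value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line

def parse_zone(text: str) -> list[Record]:
    """Minimal BIND-style parser: $ORIGIN, '@', relative names, optional TTL and class."""
    origin, records = ".", []
    for raw in text.splitlines():
        tokens = _strip_comment(raw).split()
        if not tokens:
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        name, rest = tokens[0], tokens[1:]
        if rest[0].isdigit():           # optional TTL
            rest.pop(0)
        if rest[0].upper() == "IN":     # optional class
            rest.pop(0)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.append(Record(name, rest[0].upper(), " ".join(rest[1:])))
    return records

# A resolver returns a target's addresses, or None for NXDOMAIN. Swap in a live
# lookup for real zones; this answer table is constructed for the sample below.
Resolver = Callable[[str], Optional[list[str]]]
FAKE_ANSWERS: dict[str, Optional[list[str]]] = {
    "example-site.azurewebsites.net.": ["203.0.113.50"],
    "promo-2019.azurewebsites.net.": None,      # hosted app deleted after the campaign
    "shop-example.herokuapp.com.": ["203.0.113.60"],
}

def find_dangling_cnames(records: list[Record], resolve: Resolver) -> list[tuple[str, str]]:
    """(name, target) for each CNAME whose target no longer exists: delete the
    record or reinstate the content, but do not leave it in the zone."""
    return [(r.name, r.rdata) for r in records
            if r.rtype == "CNAME" and resolve(r.rdata) is None]

def caa_policy(records: list[Record], name: str) -> Optional[list[tuple[int, str, str]]]:
    """Relevant CAA RRset (RFC 8659): the set at `name`, else climb toward the
    parent one label at a time. Simplified to names inside the parsed zone."""
    labels = name.rstrip(".").split(".")
    while labels:
        fqdn = ".".join(labels) + "."
        rrset = [r for r in records if r.name == fqdn and r.rtype == "CAA"]
        if rrset:
            parsed = [r.rdata.split(None, 2) for r in rrset]
            return [(int(f), t.lower(), v.strip('"')) for f, t, v in parsed]
        labels.pop(0)
    return None

def ca_may_issue(records: list[Record], name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """May the CA identified by `ca_domain` issue for `name`? No CAA anywhere, or no
    issue/issuewild tags, means unrestricted; a bare ';' value means nobody may issue."""
    policy = caa_policy(records, name)
    if policy is None:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in policy):
        tag = "issuewild"               # issuewild takes over for *.name requests
    relevant = [v for _, t, v in policy if t == tag]
    if not relevant:
        return True
    return ca_domain in {v.split(";", 1)[0].strip() for v in relevant}

SAMPLE_ZONE = """
$ORIGIN example.com.
@           3600 IN A     203.0.113.10
www              IN CNAME example-site.azurewebsites.net.
promo2019        IN CNAME promo-2019.azurewebsites.net.   ; campaign over, site removed at host
shop             IN CNAME shop-example.herokuapp.com.
legacy           IN A     203.0.113.20
@                IN CAA   0 issue "ca.example"
@                IN CAA   0 issuewild ";"
legacy           IN CAA   0 issue ";"
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(find_dangling_cnames(recs, FAKE_ANSWERS.get))
    print(ca_may_issue(recs, "promo2019.example.com.", "other-ca.example"))
```

Run against the sample, the dangling check reports only `promo2019.example.com.`, the campaign host whose target was removed at the provider but whose CNAME was never deleted. The CAA check shows the apex `issue "ca.example"` record climbing down to every host name in the zone, so a CA other than the one you contract with is refused for the dangling name, and the `issuewild ";"` record refuses wildcard issuance to everyone. To run this on a real zone, feed it your zone export and replace `FAKE_ANSWERS.get` with a lookup that returns `None` on NXDOMAIN (for instance by catching the NXDOMAIN exception of a DNS library such as dnspython); that mapping is an assumption of this example, not something the webinar specifies.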