How Do Attackers Hijack Old Domains and Subdomains?

Question: What are the risks of letting domains and subdomains expire? How do attackers hijack them?

Answers provided by Jossef Harush, head of software supply chain, Checkmarx: It’s ridiculous how easy it is to find and take over an abandoned domain, says Harush.

Subdomain hijacking is a type of cyber-attack where an attacker takes control of a subdomain of a legitimate domain and uses it to host their malicious content or to launch further attacks.

Here is an example: CocoaPods is a popular dependency manager for iOS and MacOS projects used by developers to add third-party code to their applications. The company had a subdomain, cdn2.cocoapods.org, which had been used years ago but was no longer in use. However, the DNS records for the subdomain still pointed to GitHub Pages, where presumably the pages for this subdomain had been hosted at one point.

Since this subdomain was no longer linked to a GitHub Pages project, attackers created their own project –a casino site — and the existing DNS record meant users looking for that subdomain were directed to that fishy-looking site. This kind of subdomain hijacking works as long as the subdomain is unoccupied by another GitHub Pages project, Harush says.

When an organization no longer needs a subdomain or domain, it is not enough to take the relevant pages down. There needs to be an action item to delete the subdomain records from DNS. In short, the DNS entry needs to reflect the fact that example.com and a.example.com are still in use, but that b.example.com is not.