Forgotten subdomains boost risk of account hijacking, other attacks

Some sites have subdomains pointed at old domains that have long expired and can be registered by attackers

Subdomains that once served a purpose but later were forgotten by website administrators can be abused by hackers to attack users of sites under the same main domain.

Back in October, a Web security firm called Detectify warned that many companies have created subdomains to use with third-party services, such as remotely hosted helpdesk systems, code repositories and blogs, but then forgot to disable them after closing their accounts on those third-party services.

As a result, attackers can now open accounts with the same services, claim the subdomains pointed there as their own and host credible phishing pages on them, the Detectify researchers explained at the time. This is possible because many online services let a customer attach a custom domain to an account without verifying that the customer actually controls that domain.

But the issues stemming from outdated DNS records are not limited to abuse through accounts on third-party services. Since October, Szymon Gruszecki, an independent security researcher who regularly participates in bug bounty programs, has told Detectify about another attack vector: subdomains pointed to domain names that are no longer registered.

In such a case, a company has created a subdomain under its main domain and pointed it at another website, such as a site set up for a one-time event like a contest or promotion. After serving its purpose, that website was later taken down and its domain was left to expire, but the subdomain's DNS records remained pointed at it.

An attacker could exploit such a situation by registering the expired domain and setting up a phishing page that mimics the company's main website. The page would then be accessible through the forgotten subdomain and could be spammed to users.

One year ago, Gruszecki scanned the Internet's 5,000 most trafficked domains as listed by Amazon.com subsidiary Alexa Internet. He found 49 subdomains with a CNAME (Canonical Name) DNS record pointing to a domain that was no longer registered.

One of those subdomains was the Microsoft-owned, which points to According to a November 2001 snapshot of on the Internet Archive's Wayback Machine, the site was used for a Microsoft Windows XP peak performance sweepstakes.

Gruszecki registered and was able to set up a rogue page on as a proof of concept. He has since redirected the domain to and is waiting for Microsoft to update the CNAME record for

The danger extends beyond phishing. A DNS name that carries a CNAME record cannot carry any other records, so a lookup for the subdomain's MX (mail exchanger) record, or for the SPF policy in its TXT record, is answered by whatever the CNAME target returns. In other words, whoever registers the expired target domain would also be able to receive mail sent to addresses on the subdomain, and to send mail from those addresses that passes the recipient's SPF checks, simply by publishing MX and TXT records on the newly registered domain.
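The scan described above and the mail-routing consequence of an aliased subdomain, as an added example: this is not Gruszecki's or Detectify's tooling, and the zone, domain names, addresses and the set of "registered" domains are all constructed. It contains a small CNAME-chasing resolver over an in-memory zone, a scanner that flags CNAME targets whose registrable domain is not registered, and a simulated takeover showing that A, MX and SPF lookups for the subdomain are then answered by the attacker's records. It goes one step beyond the scan in the article by also flagging targets that are within two edits of the organisation's own domains, since a mistyped target is just as claimable as an expired one. The two-label registrable-domain rule is a simplification of the Public Suffix List, and the `REGISTERED` set stands in for an RDAP/WHOIS or SOA query.

```python
"""Dangling-CNAME scanner and CNAME-chasing resolver over a constructed zone.

Added example, not Detectify's or Gruszecki's tooling. All names, addresses
and records are constructed; the resolver answers from the in-memory table
below so the script runs offline.
"""

# Constructed records: owner name -> [(type, rdata)]. Trailing dots mark FQDNs.
RECORDS = {
    "example.com.":         [("MX", "10 mx1.example.com."), ("TXT", "v=spf1 mx -all")],
    "mx1.example.com.":     [("A", "192.0.2.25")],
    "www.example.com.":     [("A", "192.0.2.80")],
    "support.example.com.": [("CNAME", "example.helpdesk-vendor.test.")],  # vendor still live
    "contest.example.com.": [("CNAME", "win-a-laptop-2001.test.")],        # promo domain expired
    "cdn.example.com.":     [("CNAME", "assets.exmaple.com.")],            # typo of example.com
    "example.helpdesk-vendor.test.": [("A", "198.51.100.7")],
}
# Constructed stand-in for an RDAP/WHOIS or SOA check: which registrable domains exist.
REGISTERED = {"example.com.", "helpdesk-vendor.test."}
# Tiny stand-in for the Public Suffix List; a real scanner should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(name):
    """The part of `name` a registrar sells, e.g. 'shop.co.uk.' for 'promo.shop.co.uk.'."""
    labels = name.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:]) + "."


def resolve(name, rtype, records=RECORDS, max_chain=8):
    """Answer `rtype` for `name`, restarting at the CNAME target whenever the owner
    is an alias (RFC 1034 s3.6.2). A name holding a CNAME holds nothing else, so MX
    and TXT queries for an aliased subdomain are answered by whoever controls the
    target. Returns (final_name, [rdata]); an empty list means no such data."""
    name = name.lower()
    for _ in range(max_chain):
        rrs = records.get(name, [])
        aliases = [r for t, r in rrs if t == "CNAME"]
        if rtype == "CNAME" or not aliases:
            return name, [r for t, r in rrs if t == rtype]
        name = aliases[0].lower()
    raise RuntimeError("CNAME chain longer than %d hops" % max_chain)


def edit_distance(a, b):
    """Levenshtein distance; used to spot targets that are near-misses of our own domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_cname(owner, records=RECORDS, registered=REGISTERED, own_domains=("example.com.",)):
    """Classify a CNAME owner as 'ok', 'unregistered' (target domain can be bought by
    anyone) or 'typo' (target within two edits of one of our own domains).
    Returns (status, target, registrable_domain), or None if `owner` is not a CNAME."""
    _, targets = resolve(owner, "CNAME", records)
    if not targets:
        return None
    target = targets[0].lower()
    base = registrable_domain(target)
    if base in registered:
        return "ok", target, base
    if any(edit_distance(base, own) <= 2 for own in own_domains):
        return "typo", target, base
    return "unregistered", target, base


def scan(records=RECORDS, registered=REGISTERED):
    """Every CNAME in the zone that is not pointing at a registered domain."""
    findings = {}
    for owner in records:
        result = classify_cname(owner, records, registered)
        if result and result[0] != "ok":
            findings[owner] = result
    return findings


def simulate_takeover(owner, records=RECORDS, registered=REGISTERED):
    """Model the attacker registering the dangling target and publishing A, MX and
    SPF records for it. Returns the (records, registered) view after the takeover."""
    result = classify_cname(owner, records, registered)
    if result is None or result[0] != "unregistered":
        raise ValueError("%s is not a claimable dangling CNAME" % owner)
    _, target, base = result
    taken = dict(records)  # shallow copy; the original zone is left untouched
    taken[base] = [("MX", "10 mail." + base), ("TXT", "v=spf1 a mx -all")]
    taken[target] = taken.get(target, []) + [("A", "203.0.113.66")]
    return taken, registered | {base}


if __name__ == "__main__":
    for owner, (status, target, base) in scan().items():
        print("%-22s -> %-32s %-12s (%s)" % (owner, target, status, base))
    taken, _ = simulate_takeover("contest.example.com.")
    for rtype in ("A", "MX", "TXT"):
        print("contest.example.com. %-3s ->" % rtype, resolve("contest.example.com.", rtype, taken)[1])
```

On real data the `RECORDS` lookups become DNS queries and the registration check becomes an NXDOMAIN-on-SOA or RDAP lookup against the registrable domain; the classification logic does not change. Note that a CNAME into a still-registered third-party service (the `support` case here) is reported as ok by this check; that is the account-takeover case Detectify described in October and needs a service-specific test of whether the vendor-side name is still claimed.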

If a subdomain like is vulnerable, an attacker could use email addresses like or to prove his ownership over that subdomain and register a valid SSL certificate, said Frans Rosén, co-founder of Detectify.

The attacker could then set up an HTTPS (HTTP Secure) website on the subdomain and trick users to visit it in order to steal their authentication cookies.

Authentication cookies are unique identifiers that websites store in browsers to track authenticated users after they sign in. If stolen, for example by intercepting the traffic between a user's browser and a website, an authentication cookie can be placed into another browser to gain access to the account it corresponds to.

In order to prevent such man-in-the-middle cookie thefts, webmasters use SSL to encrypt the traffic between users' browsers and their websites and set a "Secure" flag for cookies so that they only get transmitted over HTTPS connections.

Many sites set cookies with a Domain attribute that covers not only their main domain but every subdomain under it. That's why, after you log into your Google or Microsoft account, you stay logged in across those companies' services even though they run on different subdomains. The flip side is that a domain-wide cookie is sent to any host under that domain, so the Secure flag is no defence once an attacker serves HTTPS from a hijacked subdomain: the browser hands the cookie to the attacker's page like any other.

The cookie theft issue doesn't apply to because is not an HTTPS website, and the log-in process is actually handled through, so the cookies are tied to that domain. However, the attack could be possible on other sites that have similarly vulnerable subdomains.
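To make the cookie-scoping point concrete, here is an added example (not from the article or from Detectify) using Python's standard-library cookie jar, which applies the same Domain and Secure matching rules a browser does. The jar, cookie names and hosts are constructed: example.com stands in for a site whose session cookie was set with Domain=example.com and the Secure flag, www.example.com set a second cookie with no Domain attribute, and promo.example.com is the hijacked subdomain.

```python
"""Which cookies does a browser send to a hijacked subdomain?

Added example, not code from the article or Detectify. Hosts, cookie names
and values are constructed; http.cookiejar implements the Netscape/RFC 6265
style domain and Secure matching that browsers use.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, domain_specified, secure):
    """Build a version-0 cookie as a Set-Cookie header would have created it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Constructed jar: a site-wide Secure session cookie (Domain=example.com) and a
    host-only cookie that www.example.com set without any Domain attribute."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("SESSION", "s3cr3t", ".example.com", True, secure=True))
    jar.set_cookie(make_cookie("PREFS", "dark", "www.example.com", False, secure=False))
    return jar


def cookies_sent_to(url, jar=None):
    """Names of the cookies the jar would attach to a request for `url`."""
    jar = jar or build_jar()
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure checks
    header = req.get_header("Cookie", "")
    return {part.split("=", 1)[0] for part in header.split("; ") if part}


if __name__ == "__main__":
    for url in ("https://www.example.com/", "http://promo.example.com/",
                "https://promo.example.com/", "https://example.com.evil/"):
        print("%-30s %s" % (url, sorted(cookies_sent_to(url)) or "-"))
```

The result shows the trade-off the article describes: the Secure flag keeps SESSION off a plain-HTTP phishing page on promo.example.com, but it is no defence once the attacker has a valid certificate for the subdomain, because the cookie's Domain attribute covers every host under example.com, while the host-only PREFS cookie never leaves www.example.com. Issuing the session cookie without a Domain attribute (or with the __Host- prefix, which browsers only accept for host-only Secure cookies) limits it to the issuing host.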

In addition to cookie theft, the ability to serve arbitrary content and script from a subdomain could also help attackers bypass same-origin and cross-domain restrictions that trust the parent domain, for example CORS policies or Flash crossdomain.xml files that whitelist any subdomain of the company's site.

"It's not only CNAME entries that can be vulnerable to this, other records can also be used, such as DNAME and NS," the Detectify researchers said in a blog post.

In addition to DNS resource records pointing to expired domains, Gruszecki found instances where the entries had been mistyped -- instead of, the administrator typed In such a case, the attacker could register

"In conclusion, even though the administration of DNS records is a hassle by itself, the Resource Records need to be constantly validated and checked," the Detectify researchers said. "Not only for unused services, but for typos and/or misconfigurations."

By Lucian Constantin