[New research] Subdomain takeovers are on the rise and are getting harder to monitor

New research from Detectify, the SaaS security company powered by ethical hackers, found that subdomain takeovers are on the rise but are also getting harder to monitor, as domains now seem to have more vulnerabilities in them. In 2021, Detectify detected 25% more vulnerabilities in its customers’ web assets compared to 2020, with twice the median number of vulnerabilities per domain, demonstrating the outsized impact an External Attack Surface Monitoring (EASM) tool can have on an organization’s cybersecurity programme.


Modern infrastructure is controlled by the DNS, with pointers to both internal and third-party services. As a result, organizations are simultaneously expanding their attack surface and inviting potential cyber threats. Unknown subdomains can be challenging, as they are not always closely monitored. When the service that a subdomain points to expires or is forgotten, the subdomain becomes a potential foothold or entry point for attackers to steal sensitive company information or launch phishing campaigns.

Over the past year, we have narrowed in on a recent trend – as attack surfaces grow, so do subdomain takeovers. Domain takeovers grew 20% faster with the increase in attack surfaces. Our research found that across the apex domains and subdomains scanned from 2020 to 2021, vulnerabilities increased by as much as 25%.

Key Findings

Subdomain takeovers and vulnerabilities per domain on the rise

Detectify has been monitoring subdomain takeovers among our customers year-over-year to detect patterns and ensure we are providing the proper mitigation support needed. Over the past year, a 20% increase was seen in domain takeovers. Out of the assets scanned – which include apex domains and subdomains – 25% more vulnerabilities were seen in 2021 than in 2020. In addition, the median number of vulnerabilities per domain has increased 100% since 2020. The research shows that not only are more domains vulnerable to subdomain takeovers, but above all, apex domains typically contain more vulnerable subdomains now than in the past.

Background: What are subdomains and why are they important?

Subdomains are an additional part of a larger domain under the Domain Name System (DNS) structure. For instance, blog.acme.com and helpdesk.acme.com are subdomains where acme.com is an apex domain. Subdomain takeovers occur when an agent gains control over a subdomain of a target domain. This can happen when the subdomain has a canonical name (CNAME) in the DNS but no host is providing content for it, either because a virtual host hasn’t been published yet or because a virtual host has been removed.

Subdomain takeover can also be done by DNS hijacking, where the attacker compromises the target’s name server records. Attackers can exploit DNS misconfigurations to hijack subdomains that are considered trusted by the target website. While this method is less common, its severity is typically a lot higher.
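
The dangling canonical name case described above can be audited from the defender's side by walking the CNAME records of a zone you own. The following is an added example, not code from Detectify or the original article; the zone contents, the .example targets and all function names are constructed for illustration.

```python
import socket

# Constructed sample zone for acme.com (hostnames and targets are illustrative).
ZONE = """\
blog.acme.com.      300 IN CNAME acme-blog.hosting.example.
helpdesk.acme.com.  300 IN CNAME support.acme.com.
support.acme.com.   300 IN CNAME acme.helpdesk.example.
shop.acme.com.      300 IN CNAME old-shop.acme.com.
old-shop.acme.com.  300 IN CNAME shop.acme.com.
www.acme.com.       300 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME record (lower-cased, no trailing dot)."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            cnames[fields[0].rstrip(".").lower()] = fields[4].rstrip(".").lower()
    return cnames

def system_resolves(name):
    """Default resolver: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Follow each CNAME chain to its end; report loops and final targets that do not resolve."""
    cnames = parse_cnames(zone_text)
    findings = {}
    for owner in cnames:
        seen, name = [owner], cnames[owner]
        while name in cnames and name not in seen:
            seen.append(name)
            name = cnames[name]
        if name in seen:
            findings[owner] = ("loop", name)
        elif not resolves(name):
            findings[owner] = ("dangling", name)
    return findings

if __name__ == "__main__":
    answers = {"acme-blog.hosting.example": True}  # constructed resolver answers
    print(find_dangling(ZONE, resolves=lambda n: answers.get(n, False)))
```

This check only covers a CNAME whose final target no longer resolves. A target that still resolves at the provider while no virtual host is published for it needs a separate check of what the provider actually serves for that hostname.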


Copyright © 2024 MarTech Series. All Rights Reserved.