What is it?

Subdomain takeover is a process of taking control of a subdomain. This can be done when a subdomain is pointing to a third party provider that is no longer in use - seeing that an attacker can register another non-existing domain name on the third party service and hijack the subdomain.


Example:

Let’s say we are running a blog at blog.example.com. We have the blog at Blogosphere and are pointing the subdomain blog.example.com towards Blogosphere so it is accessible that way.

At some point we decide to stop blogging and delete the blog at Blogosphere. However, blog.example.com still leads to Blogosphere as we forgot to delete that connection.


An attacker can now sign up at Blogosphere, create their own blog and claim blog.example.com as the address. If it points to the Blogosphere already, Blogosphere will accept this without further questions.


blog.example.com now leads to the hacker’s blog, of which they control the content.



How do we check for potential takeovers?

  1. Asset monitoring would detect the subdomain: blog.example.com


  1. Asset monitoring will find that there is a CNAME entry pointing to a website which isn’t connected to the asset


Eg. blog.example.com has a CNAME entry that redirects it to fakewebsite.example.com


  1. Each time the page is requested from the DNS server, the user has a chance of being redirected to the fake website.


In this instance the DNS record on the server is malicious, and redirects the user to a fake server/website.



A subdomain takeover claims the server, and rather than taking control over it makes the fake website look as it’s the original one.