Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Do Attackers Hijack Old Domains and Subdomains?

Here is a cautionary tale of what happens if you don't remove obsolete side projects or sections of your website: Someone might hijack your subdomain.

Edge Editors, Dark Reading

March 16, 2023

1 Min Read
person looking at a screen and reading about a fake tax refund scam.
Source: Ron Bull via Alamy Stock Photo

Question: What are the risks of letting domains and subdomains expire? How do attackers hijack them?

Answer: It's ridiculous how easy it is to find and take over an abandoned domain, says Jossef Harush Kadouri, head of software supply chain at Checkmarx.

Subdomain hijacking is a type of cyberattack in which an attacker takes control of a subdomain of a legitimate domain and uses it to host their malicious content or to launch further attacks.

Here is an example: CocoaPods is a popular dependency manager for iOS and MacOS projects that developers use to add third-party code to their applications. The company had a subdomain, cdn2.cocoapods.org, which had been used years ago but was no longer in use. However, the DNS records for the subdomain still pointed to GitHub Pages, where presumably the pages for this subdomain had been hosted at one point.

Since this subdomain was no longer linked to a GitHub Pages project, attackers were able to create their own project — a casino site — and the existing DNS record meant users looking for that subdomain were directed to that fishy-looking site. This kind of subdomain hijacking works as long as the subdomain is unoccupied by another GitHub Pages project, Kadouri says.

When an organization no longer needs a subdomain or domain, it is not enough to take the relevant pages down. There needs to be an action item to delete the subdomain records from DNS. In short, the DNS entry needs to reflect the fact that example.com and a.example.com are still in use, but that b.example.com is not.

About the Author

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights