Third-Party Risk Management
Mitigating Potential Third-Party Risks Posed by Domains and Subdomains
10:53 16 December 2020
At its core, third-party vendor risk management aims to reduce the risks posed by an organization's relationships with outsiders. They could be software vendors, cloud service providers, payment processors, and other supply chain players. Reducing third-party risks involves identifying them, and it is a continuous program that begins from procurement and ends well after the contract is terminated.
While third-party risk management involves different types of threats, this post focused on those in the form of domains and subdomains.
What Threats Do Domains and Subdomains Pose?
Threat actors often use domains and subdomains in phishing campaigns, spamming activities, and business email compromise (BEC) scams. Effective third-party risk assessment involves domains and subdomains that use a third-party vendor’s name even if they do not own or manage these. Specifically, these are called “typosquatting domains” and “wild subdomains.”
A domain that imitates Microsoft, such as micosoft[.]com (notice the missing “r”), is a typosquatting domain. It uses a misspelled variation of the company’s name and is registered by another entity. A subdomain that contains the company name like account[.]mail[.]microsoft[.]com[.]service[.]login[.]com-website33[.]biz, on the other hand, is considered a wild subdomain because its WHOIS record cannot be attributed to the spoofed company. If the organization does not own such subdomains, it does not have control over them.
Both typosquatting domains and wild subdomains can be used to send phishing emails or lead clients to malicious sites. Take a look at a spoofed Microsoft login page below and note that the fully qualified domain name (FQDN) contains the company’s name.
Clients of the software provider could be lured into typing their usernames and passwords, passing on their sensitive information to threat actors.
Illustrating Domain- and Subdomain-Related Third-Party Risk Identification
The first step toward mitigating third-party risks is identifying potential attack vectors, including typosquatting domains and wild subdomains. Third-party risk management tools and solutions become more comprehensive when they consider these, among other attack vectors. That way, enterprises would know what they are up against, as they continue dealing with their supply chains.
For instance, a domain attack surface study, or the sum of suspicious domains and subdomains, of three commonly used third-party providers and picked out three or four companies in each industry:
- Courier service companies (China Post, DHL, FedEx, and UPS)
- Online payment processors (PayPal, Payoneer, and Transferwise)
- Software providers (Microsoft, Oracle, and Salesforce)
Domain Attack Surface
Software providers had the largest domain attack surface, comprising 44,514 suspicious subdomains, followed by couriers with 24,601 and payment processors with 7,512.
Almost all of the domains and subdomains in each industry’s domain attack surface are wild subdomains, increasing their chances of being used maliciously. The chart below shows that less than 1% of the subdomains that make up the couriers’ and payment processors’ domain attack surfaces can be attributed to the companies in the sample.
Phishing Subdomains Found
Several wild subdomains have been reported for phishing on PhishTank. For instance, many PayPal look-alike domains appear on PhishTank. Some examples of these phishing subdomains are:
Domains and subdomains that contain a third-party vendor’s name can be used to imitate the company in emails, websites, and other platforms. As such, they pose threats to organizations, and the first step toward mitigating these is to identify the domains and subdomains as part of a company’s third-party risk assessment strategy.