Defining Subdomain Hijacking & How to Identify Subdomains at Risk


What is Subdomain Hijacking?

Subdomain hijacking (also called subdomain takeover) is when an attacker gains control of a subdomain of a domain you own. It typically happens when a subdomain points at a third-party hosting provider such as AWS, GitHub, Shopify, or Zendesk and the DNS or provider configuration is incorrect.

One example of an incorrect configuration is a dangling CNAME record: admins create DNS records that point at a provider-hosted resource but never claim that resource, or release it later and leave the record behind. In a CSC study analyzing 440,000 DNS records, over 21% pointed to non-resolving resources, and 63% returned error codes, indicating widespread dangling subdomains at risk of takeover.

Subdomain Hijacking Example

Let’s say you want to start selling merchandise for your brand and decide to use Shopify’s services. Here is what you would be doing:

  1. Create your shop on Shopify – yourbrand[.]shopify[.]com
  2. Now, create a CNAME record that points shop[.]yourdomain[.]com to yourbrand[.]shopify[.]com

Every time a user accesses shop[.]yourdomain[.]com, they see the online store you created on Shopify. It is all good until you cancel your Shopify subscription and forget to remove the associated CNAME. Once you cancel, yourbrand[.]shopify[.]com becomes available for anyone to purchase and host their own shop. And because you forgot to remove the CNAME for shop[.]yourdomain[.]com, every time a user tries to access it, DNS still sends them to yourbrand[.]shopify[.]com, which you no longer own.

Shopify is just an example. Think about the subdomains of a brand using multiple third-party services like AWS, GitHub, Zendesk, and more. A Detectify writeup highlights at least 17 major providers (e.g., Heroku, GitHub, Shopify, Desk) where subdomain takeovers have been observed.

Thus, there are two stages to detecting subdomain hijacking risk:

  1. Using a subdomain hijack checker to identify vulnerable subdomains
  2. Scanning each discovered subdomain for an outstanding threat

Using a Subdomain Hijack Checker to Identify Vulnerable Subdomains

Multiple free and open-source tools are available to discover the subdomains of a given domain and help protect against subdomain hijacking. Two of the most common subdomain discovery tools are Sublist3r and Findomain. Both are easy-to-use open-source intelligence (OSINT) tools for gathering subdomains. Once you enter a domain into one of these tools, it queries multiple sources, including VirusTotal, Threatcrowd, Google, Yahoo, and DNSDumpster.

Sublist3r

It is available as a terminal tool. You can clone the Sublist3r Git repository and execute it in your terminal. If you are a Python user, Sublist3r can also be installed via pip using ‘pip install sublist3r’. Below is a screenshot of an example run searching for subdomains of yahoo[.]com. It detected 101,168 subdomains in under a minute.

Sublist3r sample run for yahoo.com

Findomain

Findomain can also be run via a terminal. Mac users can install it using ‘brew install findomain’. Here is a sample run for yahoo[.]com. It discovered over 113,055 subdomains in 15 seconds.

Findomain sample run for yahoo.com

Detecting Subdomains at Risk of Subdomain Hijacking

Once you have a list of these subdomains, it is easy to find which are at risk of subdomain hijacking. We can determine whether a given subdomain is at risk by simple regex matching on the web page’s content.

Here is an example of a subdomain using Freshservice to host its services. An attacker could claim the abandoned Freshservice resource and use the subdomain to host a phishing or scam page.

Here is another example of a subdomain using Acquia Cloud to host its services.

We compile a list of CNAME targets and the fingerprints associated with them. For example, from the Freshservice example, ‘Maybe this is still fresh!’ is the fingerprint and ‘freshservice.com’ is the CNAME target. Similarly, for the Acquia Cloud example, ‘If you are an Acquia Cloud customer’ can be the fingerprint.

There are multiple open-source GitHub repositories that maintain a list of these fingerprints and keep updating them daily. All an attacker needs to do is combine the discovery and fingerprinting tools to find subdomains at risk of subdomain hijacking.

Here are a few:

  • can-i-take-over-xyz – A community-maintained resource that tracks which third-party services are vulnerable to subdomain takeover and how to test for them.
  • Subjack – A fast subdomain hijack checker that uses fingerprints to identify dangling CNAMEs across multiple services.
  • tko-subs – Provides detection logic for several cloud providers with a focus on automation and scale.
  • SubOver – Automates the process of checking for subdomain takeovers using provider-specific fingerprints.
  • ItsOver – Scripted approach to subdomain hijack detection based on known takeover signatures.
  • subdomain.py by ArifulProtik – Useful for scanning and checking domain ownership gaps.
  • takeover.py by antichown – Lightweight hijack checker focused on misconfigured DNS and CNAMEs.
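Putting the two stages together, here is an added example (not code from the post or from any of the tools listed above) of the decision logic behind such a checker: it covers the dangling CNAME situation from the Shopify walkthrough and the CNAME-plus-fingerprint matching from the detection section. It assumes the dnspython package (2.x) for the live DNS lookups, and its fingerprint list holds only the two entries the post walks through; extend it from can-i-take-over-xyz before using it to monitor your own domains.

```python
import re
import urllib.error
import urllib.request
from typing import Optional

# Starter fingerprint list from the two examples in the post, as (CNAME target
# suffix or None, regex seen on the provider's "unclaimed" page). None means the
# post gives no CNAME target, so that entry matches on page content alone.
FINGERPRINTS = [
    ("freshservice.com", re.compile(r"Maybe this is still fresh!")),
    (None, re.compile(r"If you are an Acquia Cloud customer")),
]

def assess(subdomain: str, cname: Optional[str], target_resolves: bool,
           body: str) -> Optional[tuple]:
    """Pure decision logic (no network): returns (subdomain, cname, reason) or None.
    A dangling CNAME is the strongest signal and is reported first; a fingerprint
    must also agree with the CNAME suffix where one is known, so an unrelated
    site that merely quotes the phrase does not become a false positive."""
    cname_norm = (cname or "").rstrip(".").lower()
    if cname_norm and not target_resolves:
        return (subdomain, cname, "dangling CNAME: target does not resolve")
    for suffix, pattern in FINGERPRINTS:
        if suffix and not cname_norm.endswith(suffix):
            continue
        if pattern.search(body):
            return (subdomain, cname, f"fingerprint matched: {pattern.pattern}")
    return None

def scan_live(subdomain: str, timeout: float = 5.0) -> Optional[tuple]:
    """Network wrapper; assumes dnspython 2.x is installed (pip install dnspython)."""
    import dns.resolver
    cname, body = None, ""
    try:
        cname = str(dns.resolver.resolve(subdomain, "CNAME")[0].target)
    except dns.resolver.NoAnswer:
        pass  # plain A/AAAA record: nothing dangles, but the page can still be fingerprinted
    except dns.resolver.NXDOMAIN as e:
        # Resolver followed the CNAME into a name that no longer exists; dnspython keeps
        # the chain in the exception (property in 2.x, method in 1.x), so recover the target.
        canon = str(e.canonical_name() if callable(e.canonical_name) else e.canonical_name)
        if canon.rstrip(".").lower() == subdomain.rstrip(".").lower():
            return None  # the subdomain itself is gone: nothing to monitor
        return assess(subdomain, canon, False, "")
    try:
        with urllib.request.urlopen(f"http://{subdomain}/", timeout=timeout) as r:
            body = r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", "replace")  # provider 404 pages carry the fingerprint
    except Exception:
        pass  # unreachable host: judge on DNS evidence only
    return assess(subdomain, cname, True, body)
```

Run `assess()` over constructed inputs to see the three outcomes (dangling, fingerprint, clean) without touching the network; `scan_live()` is the same logic fed by real DNS and HTTP answers.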

Conclusion

Subdomain monitoring, like typosquatting monitoring, should be done regularly to identify and mitigate threats against your domain from subdomain hijacking. There are also open-source tools that can perform both the discovery and detection of subdomains at risk.

This blog is published by Bolster Research Labs. We also own Checkphish, a free URL scanner that detects phishing and scam sites in real time. If you are interested in advanced research, uncovering new scams, or working with cutting-edge AI, work with us at Bolster Research Labs. Check out open positions here.
