Domain Takeover

Domain Takeover (also called "Subdomain Takeover" and, when the registration of the domain itself is seized, "Domain Hijacking") is an attack in which an attacker gains control of what a domain or subdomain serves because the name still points at a resource that has been abandoned, misconfigured, or decommissioned. The attacker can then serve content under the organization's own hostname: host phishing pages, intercept traffic or mail, and reach services that trust the parent domain (cookies scoped to it, permissive CORS rules, OAuth redirect URIs). It is especially dangerous when combined with social engineering and identity spoofing, since the victim sees a genuine domain, and it often leads to credential theft and further compromise.

What is Domain Takeover?

Domain Takeover occurs when a DNS record for a domain or subdomain points to a third-party service (GitHub Pages, Heroku, an AWS S3 bucket, and so on) whose underlying resource has been deleted or was never properly claimed. The record keeps pointing at the provider, so whoever registers the same resource name with that provider decides what the organization's hostname serves. The victim's DNS zone is never modified; the attacker only needs an account with the provider.

Features

Operation

  • Misconfigured DNS: a record (usually a CNAME) still points at a provider hostname whose underlying resource is gone
  • Abandoned Services: the third-party resource was deleted or the subscription lapsed, but nobody removed the DNS record
  • Orphaned Subdomains: names that no team owns any more, so nobody notices when they stop serving the organization's content
  • Service Registration: the attacker claims the same resource name (bucket, app or site name) with the provider
  • Control of the Endpoint: the attacker now decides what the hostname serves and can usually obtain a TLS certificate for it; the DNS zone itself stays with the owner, except in the NS-delegation case, where the attacker answers for the whole subtree

Objectives

  • Phishing: login pages hosted on a real company hostname
  • Malware Distribution: payloads served from a trusted domain, which reputation-based filters tend to allow
  • Credential Theft: harvesting passwords and session cookies scoped to the parent domain
  • Adversary-in-the-Middle: intercepting traffic or mail that still flows to the hostname
  • Reputation: damage to the corporate brand

Types of Domain Takeover

By Service

  • GitHub Pages: a Pages site deleted while the custom domain's CNAME to the provider hostname remains
  • Heroku: a deleted application whose generated hostname is still the CNAME target
  • AWS S3: a deleted bucket still referenced by a CNAME to its S3 endpoint; bucket names are global, so anyone can re-create the name
  • Azure: deleted App Service, Storage or Traffic Manager resources whose hostnames remain in DNS
  • Google Cloud: deleted GCP resources (storage buckets, App Engine services) still referenced from DNS
  • Vercel/Netlify: deleted deployments whose project hostnames remain in DNS

By Scope

  • Subdomain: a single subdomain such as blog.example.com
  • Main Domain: the root (apex) domain; the apex cannot carry a CNAME, so this usually means a dangling NS delegation, an expired registration, or a compromised registrar account
  • Multiple Subdomains: many names pointing at the same decommissioned platform, taken over in one sweep
  • Wildcard: a wildcard record (*.example.com) pointing at a takeover-able target exposes every name under it at once

Attack Vectors

DNS Configuration

  • Misconfigured CNAME: CNAME pointing at a provider hostname whose resource was deleted, or at a domain that has since expired
  • A Records: A records pointing at cloud IP addresses that were released back to the provider's pool and can be allocated to anyone
  • NS Records: delegation to name servers that no longer exist; whoever controls the target domain answers for the entire subtree
  • MX Records: MX pointing at a decommissioned mail provider; the attacker receives the zone's mail, including password-reset messages
  • TXT Records: stale SPF includes and verification tokens; an SPF include that names an expired domain lets whoever registers it authorize senders for the organization
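
The DNS-level triage behind the CNAME, NS and MX vectors above, as an added example that is not part of the original page. The zone, the resolver view and the provider suffix list are constructed for illustration; the hostnames are placeholders. The point it makes is that NXDOMAIN is only half the story: provider wildcards such as *.github.io and *.herokuapp.com keep resolving after the customer's resource is deleted, so those targets must be handed to a provider-specific check rather than marked safe.

```python
"""DNS-level triage for takeover exposure.

Added example, not code from the original page. The zone, the resolver view
and the provider suffix list are constructed; the hostnames are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed zone for example.com: owner name -> [(rtype, rdata), ...].
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.":  [("A", "203.0.113.10")],
    "blog.example.com.": [("CNAME", "example-blog.github.io.")],
    "shop.example.com.": [("CNAME", "old-shop.herokuapp.com.")],
    "dev.example.com.":  [("NS", "ns1.former-dns-host.example.")],
    "example.com.":      [("MX", "10 mx.retired-mailer.example."), ("A", "203.0.113.1")],
}

# Constructed stand-in for a live resolver: does the target name resolve at all?
# Provider wildcards keep resolving after the customer's resource is deleted,
# so "resolves" does not mean "claimed".
RESOLVES: Dict[str, bool] = {
    "example-blog.github.io.": True,
    "old-shop.herokuapp.com.": True,
    "ns1.former-dns-host.example.": False,
    "mx.retired-mailer.example.": False,
}

# Providers whose CNAME target embeds a customer-chosen resource name that can be
# re-registered once freed (illustrative subset, not a complete list).
CLAIMABLE_SUFFIXES = (".github.io.", ".herokuapp.com.", ".s3.amazonaws.com.")


@dataclass
class Finding:
    name: str      # owner name in our zone
    rtype: str
    target: str    # where the record points
    status: str    # "dangling" | "check-provider" | "ok"
    note: str


def target_of(rtype: str, rdata: str) -> str:
    """MX rdata is '<preference> <exchange>'; NS and CNAME rdata is a bare name."""
    return rdata.split()[-1] if rtype == "MX" else rdata


def triage(zone: Dict[str, List[Tuple[str, str]]],
           resolves: Dict[str, bool],
           claimable: Tuple[str, ...] = CLAIMABLE_SUFFIXES) -> List[Finding]:
    """Classify every CNAME/NS/MX record by how exposed its target is.

    A/AAAA records are skipped: their risk is IP reuse, which needs an
    ownership check against the cloud account rather than a resolution check.
    """
    findings: List[Finding] = []
    for name, records in zone.items():
        for rtype, rdata in records:
            if rtype not in ("CNAME", "NS", "MX"):
                continue
            target = target_of(rtype, rdata)
            alive = resolves.get(target, True)   # names absent from the table are assumed live
            if not alive:
                note = {
                    "CNAME": "target no longer exists; if its registrable domain is free, "
                             "whoever registers it serves this hostname",
                    "NS": "delegation to a dead name server; registering the target "
                          "domain hands over the whole subtree",
                    "MX": "mail exchanger gone; registering the target domain lets an "
                          "attacker receive this zone's mail",
                }[rtype]
                findings.append(Finding(name, rtype, target, "dangling", note))
            elif rtype == "CNAME" and target.endswith(claimable):
                findings.append(Finding(name, rtype, target, "check-provider",
                                        "target resolves via provider wildcard; confirm "
                                        "with the provider's unclaimed-resource fingerprint"))
            else:
                findings.append(Finding(name, rtype, target, "ok", "target resolves"))
    return findings


def by_status(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group owner names by status, for a quick summary."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.status, []).append(f.name)
    return out


if __name__ == "__main__":
    for f in triage(ZONE, RESOLVES):
        print(f"{f.status:15} {f.rtype:5} {f.name} -> {f.target}: {f.note}")
```

Run against a real zone, `RESOLVES` would be replaced by actual lookups (with a retry, since a transient SERVFAIL must not be reported as NXDOMAIN), and the "dangling" findings should be followed by a WHOIS or RDAP check on the target's registrable domain: a dead hostname under a domain the organization still owns is a cleanup item, while one under an unregistered domain is an open door.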

Third-Party Services

  • Cloud Platforms: compute, storage and static-site resources deleted without removing their DNS references
  • CDN: distributions or pull zones removed while the custom hostname still points at the CDN
  • Hosting: shared or managed hosting accounts that lapsed while the site's DNS stayed in place
  • Email Services: third-party mail or newsletter providers still named in MX, SPF or DKIM records after the contract ended
  • API Gateways: custom domains mapped to API gateway endpoints that were later deleted

Detection and Prevention

Detection Techniques

  • DNS Scanning: enumerate the zone and resolve every CNAME, NS and MX target; targets that return NXDOMAIN are immediately suspect
  • Service Verification: for targets that still resolve through a provider wildcard, request the hostname and compare the response with the provider's "resource not found" page
  • Continuous Monitoring: alert on new records that point outside the organization and on resource deletions in cloud accounts
  • Automated Tools: takeover scanners with maintained provider fingerprints
  • Regular Audits: periodic reviews that reconcile DNS against the asset inventory
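
The service-verification step above, as an added example that is not part of the original page. The three body markers in the table are the commonly documented "resource not found" responses for those providers; treat them as examples to be refreshed from a maintained fingerprint list, since providers change their error pages and several have since added domain verification that stops the claim from succeeding. The hostnames and response samples are constructed, not captured from live hosts.

```python
"""Provider fingerprint check for CNAME targets that still resolve.

Added example, not code from the original page. The marker table holds a few
publicly documented 'resource not found' responses; the samples below are
constructed, not captured from live hosts.
"""
import http.client
from typing import Dict, List, Optional, Tuple

# CNAME suffix -> (provider, body marker returned when the named resource is unclaimed).
# Match on the body, not on the status code alone: a 404 from S3 may be a missing key in
# a live bucket, and a 404 from GitHub Pages may be a real site with no index page.
FINGERPRINTS: Dict[str, Tuple[str, str]] = {
    ".github.io.":        ("GitHub Pages", "There isn't a GitHub Pages site here."),
    ".herokuapp.com.":    ("Heroku", "No such app"),
    ".s3.amazonaws.com.": ("AWS S3", "<Code>NoSuchBucket</Code>"),
}


def classify(cname_target: str, status: int, body: str) -> Tuple[Optional[str], str]:
    """Return (provider, verdict) for one response fetched for our hostname.

    verdict: "unclaimed" (provider marker present), "claimed" (known provider,
    no marker), "unknown-provider" (no suffix match, needs a manual look).
    A marker hit means the resource is unclaimed; whether it can be claimed
    depends on the provider's current rules, so confirm before reporting.
    """
    for suffix, (provider, marker) in FINGERPRINTS.items():
        if cname_target.endswith(suffix):
            return provider, ("unclaimed" if marker in body else "claimed")
    return None, "unknown-provider"


def fetch(hostname: str, cname_target: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch '/' from the provider edge with our hostname in the Host header.

    Providers route by Host, so the request must carry the organization's name,
    not the CNAME target. Plain HTTP is used here because the provider's TLS
    certificate will not match an unclaimed hostname. Not called by the tests.
    """
    conn = http.client.HTTPConnection(cname_target.rstrip("."), 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": hostname.rstrip(".")})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, body


# Constructed samples: (our hostname, CNAME target, status, body snippet).
SAMPLES: List[Tuple[str, str, int, str]] = [
    ("blog.example.com.", "example-blog.github.io.", 404,
     "<html><body>There isn't a GitHub Pages site here.</body></html>"),
    ("shop.example.com.", "old-shop.herokuapp.com.", 404,
     "<html><head><title>No such app</title></head></html>"),
    # Bucket exists but the key does not: NoSuchKey, not NoSuchBucket, so it is claimed.
    ("assets.example.com.", "assets-example.s3.amazonaws.com.", 404,
     "<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>"),
    ("cdn.example.com.", "d111111abcdef8.cloudfront.net.", 403, "Bad request."),
]


def report(samples: List[Tuple[str, str, int, str]]) -> Dict[str, Tuple[Optional[str], str]]:
    """Classify each constructed sample, keyed by our hostname."""
    return {host: classify(target, status, body) for host, target, status, body in samples}


if __name__ == "__main__":
    for host, (provider, verdict) in report(SAMPLES).items():
        print(f"{host:22} {provider or '-':14} {verdict}")
```

The `assets.example.com.` sample is the case that trips naive scanners: same provider, same 404, but the body says the bucket exists. Providers that answer NXDOMAIN for deleted resources never reach this check and belong to the DNS-level pass instead.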

Preventive Measures

  • DNS Management: every record has a named owner, and outbound-pointing records (CNAME, NS, MX) are reviewed before creation
  • Documentation: a record of which DNS names depend on which third-party resources
  • Cleanup: remove the DNS record before, not after, the resource it points at is decommissioned
  • Monitoring: continuous checks that each referenced resource still exists and still belongs to the organization
  • Policies: configuration standards, including a decommissioning checklist that includes DNS

Tools

  • DNSRecon: DNS enumeration (record types, zone transfers, brute force)
  • Subdomain Takeover Tools: scanners such as subjack and the takeover templates in nuclei, which pair CNAME patterns with provider fingerprints; the can-i-take-over-xyz list tracks which providers are currently exploitable
  • DNS Validators: bulk resolvers run over the whole zone to catch NXDOMAIN targets (dnsx, massdns)
  • Cloud Service Checkers: queries against the organization's own cloud accounts to confirm that each referenced bucket, app or site still exists
  • Automated Scanners: scheduled runs of the above, fed from a current subdomain inventory

Impact

Security

  • Phishing: legitimate-looking phishing sites on the organization's own hostname
  • Malware: malware served from a domain that security filters trust
  • Credential Theft: passwords and session cookies captured on the hijacked hostname
  • Adversary-in-the-Middle: interception of traffic and mail still routed to the name
  • Reputation: brand damage when the hostname is used for abuse

Business

  • Trust: Loss of customer trust
  • Reputation: Damage to corporate image
  • Compliance: Violation of regulations
  • Financial: Economic losses
  • Legal: Legal liability

Use Cases

Real Attacks

  • Corporate Phishing: phishing sites hosted on legitimate subdomains of the target
  • Malware Distribution: payloads served from trusted domains
  • Credential Harvesting: credential collection through pages that inherit the domain's trust
  • Brand Impersonation: attacker content published under the real brand's name
  • Supply Chain Attacks: hijacked hostnames that serve scripts, packages or updates to downstream customers

Defense

  • DNS Security: DNSSEC protects records from being spoofed in transit but does not prevent takeover, because the dangling record is genuine; removing records before resources are decommissioned is the actual control. CAA records limit which CAs may issue for the domain but do not stop an attacker who can pass HTTP validation at a CA the record permits
  • Service Management: proper lifecycle management of third-party services, with DNS in the offboarding steps
  • Monitoring: continuous monitoring of records and of the resources they reference
  • Incident Response: a playbook for reclaiming or removing a hijacked name
  • Education: staff training so that teams know a DNS record is part of the service they are shutting down

Best Practices

Prevention

  • Inventory: maintain an inventory of all services and the DNS names that depend on them
  • Documentation: document all configurations, including who owns each record
  • Cleanup: remove unused services and their DNS records together
  • Validation: regularly verify that every referenced resource is still active and still owned by the organization
  • Monitoring: implement continuous monitoring for dangling records
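
The inventory reconciliation that the preventive measures and the prevention checklist both describe, as an added example that is not part of the original page. It diffs a zone export against the organization's own list of resources it still owns, which catches a dangling record before an attacker (or a scanner) does. The zone text, the inventory and the suffix-to-provider rules are constructed; a real inventory would come from the provider APIs or the CMDB.

```python
"""Reconcile DNS records against the organization's own resource inventory.

Added example, not code from the original page. Zone text, inventory and the
suffix parsing rules are constructed; real inventories come from provider
APIs or the CMDB.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone export in RFC 1035 master-file style (one record per line,
# no multi-line or parenthesised records, comments start with ';').
ZONE_TEXT = """
; example.com zone, constructed for illustration
www.example.com.     300 IN A     203.0.113.10
blog.example.com.    300 IN CNAME example-blog.github.io.
shop.example.com.    300 IN CNAME old-shop.herokuapp.com.
assets.example.com.  300 IN CNAME assets-example.s3.amazonaws.com.
api.example.com.     300 IN A     198.51.100.7
"""

# Constructed inventory: provider -> resource names (or addresses) the org still owns.
INVENTORY: Dict[str, Set[str]] = {
    "github-pages": {"example-blog"},
    "heroku": set(),                    # old-shop was deleted last quarter
    "s3": {"assets-example"},
    "addresses": {"203.0.113.10"},      # 198.51.100.7 was released back to the cloud pool
}

# CNAME suffix -> provider key in the inventory. The resource name is what
# precedes the suffix (bucket name, app name, Pages owner).
PROVIDER_SUFFIXES: Dict[str, str] = {
    ".github.io.": "github-pages",
    ".herokuapp.com.": "heroku",
    ".s3.amazonaws.com.": "s3",
}


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse single-line master-file records into (name, rtype, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])   # name ttl class type rdata
        records.append((name, rtype, rdata))
    return records


def resource_name(target: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a CNAME target into (provider key, resource name) if the suffix is known."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target.endswith(suffix):
            return provider, target[: -len(suffix)]
    return None, None


def orphans(records: List[Tuple[str, str, str]],
            inventory: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Records whose target is not in the inventory: (name, rtype, rdata, reason)."""
    out = []
    for name, rtype, rdata in records:
        if rtype == "CNAME":
            provider, res = resource_name(rdata)
            if provider is not None and res not in inventory.get(provider, set()):
                out.append((name, rtype, rdata, f"{provider} resource '{res}' not in inventory"))
        elif rtype == "A":
            # The inventory lists every address the org is responsible for, cloud and
            # on-prem; anything else may have been handed to another tenant.
            if rdata not in inventory.get("addresses", set()):
                out.append((name, rtype, rdata, f"address {rdata} no longer held by the org"))
    return out


if __name__ == "__main__":
    for name, rtype, rdata, reason in orphans(parse_zone(ZONE_TEXT), INVENTORY):
        print(f"DELETE {name} {rtype} {rdata}   ; {reason}")
```

Each orphan is a record to delete now, not after the next scan. Running this as a CI check on the zone repository, with the inventory pulled from the provider APIs, turns the "cleanup" and "validation" items above into something that fails a pipeline rather than a task someone remembers to do.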

Response

  • Quick Detection: identify takeovers quickly, through scanning and through reports of unexpected content on company hostnames
  • Containment: remove or repoint the DNS record so the hostname stops resolving to the attacker's resource, and revoke any certificates issued for it
  • Recovery: reclaim the resource name with the provider where possible, then restore the intended service
  • Analysis: investigate what the attacker served, for how long, and which users or tokens were exposed
  • Improvement: fix the decommissioning process that left the record behind
