Table of Contents:
Within the hierarchy of the Domain Name System (DNS), a subdomain is a subdivision of a domain that is dependent on, and subordinate to, a main domain name. For online businesses, subdomains are important because they allow you to separate and organize content for various functions.
However, subdomains can also be used against your business by digital scammers and bad actors. Subdomains created, or co-opted, by fraudsters can infringe your brand’s identity when they contain stolen or malicious content that targets consumers. To tackle this issue brands can use a variety of methods to detect subdomain activity. However, there are limitations to these subdomain detection methods which may impact your ability to protect your brand online.
In this blog, we explore the world of subdomain detection by highlighting a number of key topics, including:
A subdomain is a subordinate, dependent part of a domain. A subdomain cannot exist without a domain and any major changes to the domain will affect the subdomain. In writing, a subdomain is like a website prefix.
In the world of domain management, subdomain detection is the process of searching for and identifying subdomains that may have been created for malicious purposes. However, subdomain detection is not straightforward. Subdomains are unregistered and created quickly making them difficult for brands to detect before they cause harm.
Malicious subdomains can cause a variety of harm to online brands and consumers. For example, subdomains can be used for phishing purposes or to distribute malware designed to steal sensitive information and damage the image of a particular brand. Ideally, subdomain detection would be used to identify these incidents before they have any impact.
Bad actors sometimes use subdomains to conduct fraudulent activities that infringe the intellectual property (IP) rights of legitimate businesses. Unfortunately, it is difficult to detect subdomains that have been created specifically for malicious purposes.
However, there are a few common ways to find subdomains that are important to learn about when designing a subdomain detection strategy.
A DNS cache (also referred to as a DNS resolver cache) is a temporary information storage space that keeps information about previous DNS searches on a device or operating system (OS).
By performing a lookup in the DNS cache it is possible to see the DNS records for a domain. While it is not possible to pull a complete list of subdomains related to a domain you will be able to reveal requests for domains that have been processed by the DNS server. This information may help you learn more about the presence of potentially malicious subdomains.
Just the most technically advanced users can perform a DNS cache lookup, which has several limitations. Only a subset of data is available and one queries a known domain for subdomains, instead of searching for subdomains that are similar to a brand name across all domains.
Domains are often registered publicly and are therefore indexed by search engines. Subdomains related to their registered domain names can be found using tools accessible via search engines.
For example, Google supports advanced search operators which will allow you to refine your search to find information that isn’t readily available such as the various subdomains that are related to a domain.
There are also dedicated online tools that allow you to search for a domain and reveal a list of subdomains for that domain. These lists may include timestamps for the first time and the last time that the subdomain was seen and recorded.
These tools may be useful to discover attack entry points on your own domains but they may not necessarily help you detect subdomains that are being used by scammers to infringe your IP and take advantage of consumers.
Unlike domains, most subdomains are not registered publicly and therefore may not be indexed by search engines. This makes it easier for bad actors to execute their scams and violate IP rights without being detected.
Subdomains can prevent indexing by search engines which allow them to remain undetected for long periods of time. Without public and accessible registration, it is difficult for businesses to find and pursue damaging subdomains with any accuracy or efficiency.
Attempts to find infringing subdomains are often inaccurate. There is not an accessible public list of subdomains to browse and they can be moved around as swiftly as they can be created.
Be wary of any service that claims to be able to detect suspicious subdomains with 100% accuracy because at the moment this is simply not possible. The infringing artifact (e.g. the trademark) is often embedded within the subdomain and not the main domain, so it is almost impossible to tell from the outside whether there is infringing content.
Subdomains are often created just moments before launching malware or phishing campaigns. Unlike domains, subdomains are easy to create, delete and move. Within moments malicious actors can modify and move their infringing subdomains and evade detection.
Even if you are able to find a suspicious subdomain, its dynamic nature means that it will be difficult to gather evidence and shut down, especially if the scammers are alerted to your presence.
There are naturally more subdomains than domains. Most domains contain multiple subdomains that are created at various times throughout the main domain’s lifecycle. Considering there are around 30,000 new domains registered every day, the sheer scale of detecting subdomains presents an insurmountable challenge.
Due to their prevalence and always-changing nature, subdomains pose scaling challenges. It can be difficult for businesses to attempt to pin down specific incidents of infringing subdomains when there are so many popping up every day. If you are operating alone, trying to detect and enforce against subdomains can quickly become a costly and time-consuming pursuit.
While the challenge of detecting subdomains is large, you can still be proactive and effective in the way you tackle the subdomain issue. This is where Red Points can help.
Red Points can improve your subdomain detection strategy by enhancing your ability to enforce against infringers. When we become aware of a subdomain infringing against your IP we will begin the enforcement process.
We will gather as much evidence on the infringers as possible including screenshots, correspondence, contact information, and IP addresses. We will also encourage those within your organization who may have detected infringing subdomains to share the full URL and any other information through our platform.
We will contact the host and the registrar of the domain. Whether the host or registrar will take action against the whole domain or just the subdomain will depend on their policies. Nevertheless, we will provide them with all the evidence we have to hand including the URL addresses of the infringing subdomains.
There is no straightforward, all-encompassing solution to detect subdomains. However, by using robust enforcement measures you can mitigate the impact of IP infringements and try to safeguard your customers.
At the moment there are significant limitations to subdomain detection. Bad actors who are using subdomains for malicious purposes can evade detection by working dynamically and discreetly. For many businesses, this will be difficult to counter.
Red Points’ Domain Management Solution is one tool that you can use to help your business address the limitations of subdomain detection. While detection is difficult for everyone within the industry, Red Points can still act on subdomains at an enforcement level. Our vigilant approach to domain management will help you protect your brand and your customers from scammers.
To learn more about how Red Points can help your subdomain detection strategy, request a demo here.