Abandoned Web Domains: Security Risks and Solutions

Not every web domain that has ever been registered can remain active, so millions of domains are currently unused. Cybercriminals can take advantage of them to carry out many kinds of fraud. But how is it possible to attack a web domain that is no longer in use? When it comes to cyber attacks, there is almost always a way. This article explains why leaving a domain abandoned is dangerous, and what you can do to mitigate the risk of attacks.

Email is one of the most abundant sources of information, and corporate email even more so. Companies change their name, stop operating, or merge with others to form strategic alliances. In any of these cases, the domains they previously used will very likely stop being used. That does not mean, however, that the information associated with them stops being available: whoever becomes responsible for that domain next may still receive it.

Abandoned Web Domains: Security Risks

We know that there are “recycled” domains, that is, domains that are reused by other people or organizations. This happens a lot when domain names refer to everyday things or to situations specific to a country or region. The specialized CSO Online portal highlights a test performed by a computer security researcher, who re-registered old domain names that had been abandoned. They belonged to law firms that had merged with others to form alliances, and as a result the original domains had been dropped.

The researcher set up an email server for those domains and, without carrying out any illegal activity, began receiving data tied to the abandoned domains: emails containing confidential information such as banking and financial matters, invoices, client documents from the law firms, and status updates. He subsequently took the appropriate steps to return the domains and the data to their original owners.

Abandoned domains: gateway to phishing attacks

The danger of abandoned domain names affects not only law firms but virtually any person or organization that handles large amounts of data. Imagine an e-commerce store that has changed its name. It simply stops using the domain of the previous name, registers a new one and, from that moment, launches a renewed website. The new site works correctly; nothing looks abnormal. But what happened to the previous domain?

The person responsible simply stopped using it. A lot of data about customers, products, invoices and more is still associated with that domain. If the store uses management tools such as a CRM (customers) and MailChimp (email marketing), cybercriminals could obtain even more information, not only about the store's customers but also about potential customers, since email marketing campaigns are an important tool for attracting new ones.

Beyond the stored data itself, there are the emails that were sent through that domain. Some of them are the messages sent to clients to reset passwords. Those same messages can be recycled and their content altered. For example, they can be turned into a mailing announcing that you have won a discount voucher, which you will receive once you enter and (supposedly) confirm your details. The voucher, of course, never arrives.

What do I do if I have a domain that I no longer use?

The best thing you can do is keep it. This is the most effective security decision against the many possible attacks on, and abuses of, the millions of people whose personal data would otherwise be exposed. Also, if you are going to switch to a different domain for whatever reason, set up tools that forward all mail addressed to the old domain, and that in turn can route those messages according to what was requested, for example password resets.
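Keeping an old domain only works if its registration does not quietly lapse. The following script is an added example (not code from the original article): it parses the expiry field from typical gTLD WHOIS output and flags domains that are close to expiring. The WHOIS responses and domain names are constructed for the demo, and the clock is fixed so the run is reproducible.

```python
"""Flag retained-but-unused domains whose registration is about to lapse.

Added example, not from the original article. Parses the 'Registry Expiry
Date' field (and common variants) from WHOIS text and reports how many days
remain, so a domain you intend to keep does not silently become available
for someone else to re-register.
"""
from datetime import datetime, timezone
import re

# Constructed sample WHOIS responses (hypothetical domains, not real registrations).
SAMPLE_WHOIS = {
    "old-shop-name.example": """\
Domain Name: OLD-SHOP-NAME.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2015-02-11T09:12:44Z
Registry Expiry Date: 2024-03-01T09:12:44Z
Domain Status: clientTransferProhibited
""",
    "new-shop-name.example": """\
Domain Name: NEW-SHOP-NAME.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2023-06-20T14:05:00Z
Registry Expiry Date: 2026-06-20T14:05:00Z
Domain Status: clientTransferProhibited
""",
}

# Fixed "today" used by the demo run so the numbers below are reproducible.
DEMO_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Field names vary slightly between registries; these are the common spellings.
EXPIRY_FIELDS = (
    "Registry Expiry Date",
    "Registrar Registration Expiration Date",
    "Expiry Date",
    "Expiration Date",
)
EXPIRY_RE = re.compile(
    r"^\s*(?:" + "|".join(re.escape(f) for f in EXPIRY_FIELDS) + r")\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_expiry(whois_text):
    """Return the expiry timestamp as an aware UTC datetime, or None if absent."""
    m = EXPIRY_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip(".")
    # Accept both '2024-03-01T09:12:44Z' and plain '2024-03-01' forms.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def days_until_expiry(whois_text, now):
    """Whole days between `now` and the expiry date (negative once expired)."""
    exp = parse_expiry(whois_text)
    if exp is None:
        return None
    return (exp - now).days


def audit_domains(whois_by_domain, now, warn_days=60):
    """Return {domain: (days_left, status)}; status is ok/renew-soon/expired/unknown."""
    report = {}
    for domain, text in whois_by_domain.items():
        days = days_until_expiry(text, now)
        if days is None:
            status = "unknown"
        elif days < 0:
            status = "expired"
        elif days <= warn_days:
            status = "renew-soon"
        else:
            status = "ok"
        report[domain] = (days, status)
    return report


if __name__ == "__main__":
    for domain, (days, status) in audit_domains(SAMPLE_WHOIS, DEMO_NOW).items():
        print(f"{domain}: {status} ({days} days left)")
```

In practice you would feed `audit_domains` the output of a WHOIS or RDAP lookup for every domain you still own, run it on a schedule, and treat `renew-soon` and `expired` as alerts; the fixed `DEMO_NOW` is only there so the demo produces the same result every time.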

Be very careful with subdomains

Web subdomains are as important as domains. Remember that the basic structure of a domain looks like this:

elsubdominio.eldominio.com

The main risk of abandoning a subdomain without cleaning it up is an attack called Subdomain Hijacking (also known as subdomain takeover). It occurs when the person in charge of a domain stops using a subdomain but neglects to update the DNS records for it. The result is that those records continue to point to a resource that is no longer in use or no longer exists.

A typical scenario for these attacks arises when a subdomain is created that points to a third-party service. This is especially true when integrating with services such as GitHub, Heroku, Shopify and others. Suppose the integration is no longer needed, and so the subdomain is no longer required. Instead of deleting everything related to both the subdomain and the third-party service, only what belongs to the third-party service is deleted. Let's illustrate this case with an example.

I have a subdomain named as shown below. It is associated with a service hosted on GitHub that is called “integration”.

subdominiodeintegracion.dominio.com

I no longer need this service called “integration”, so I delete the corresponding GitHub repository. The subdomain is no longer useful to me either. However, I did not disable the subdomain.

What could happen? A cybercriminal can register a new service of a malicious nature under that same name, “integration”. It takes advantage of the weakness I left in my own configuration, the DNS record still pointing at the provider, and without much effort gets its content served under that very subdomain, where it could host malicious scripts for different cyberattacks. All of this could happen without me realizing it.

The best thing you can do to avoid problems is to keep visibility of the state of both domains and subdomains. If any of them are no longer used or will not be used, disable them. If there are services associated with those domains (or subdomains), disable them too. Generally this does not take long, and it will undoubtedly spare you various headaches and make your web services safer.
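The "visibility" the article asks for can be automated with a periodic audit of your zone. The script below is an added example, not code from the original article: it walks a list of DNS records and reports CNAMEs whose target no longer resolves (the dangling-record condition behind subdomain hijacking), and separately lists CNAMEs that point at third-party hosting services so they can be checked by hand, because on some providers the target hostname keeps resolving even after your resource there is deleted. The zone, the hostnames and the `hosting.example` provider are constructed; the resolver is injected so the check also runs offline.

```python
"""Audit a DNS zone for subdomains pointing at resources that no longer exist.

Added example, not from the original article. Two findings are reported:
  high   - a CNAME target that does not resolve at all (dangling record)
  review - a CNAME target on a third-party service; the name resolves, but you
           must confirm the resource behind it is still yours, since deleting
           a repository or app often leaves the provider hostname answering.
"""
import socket

# Constructed sample zone (hypothetical names; 'hosting.example' is a made-up provider).
SAMPLE_ZONE = [
    ("www.dominio.com", "A", "203.0.113.10"),
    ("subdominiodeintegracion.dominio.com", "CNAME", "myorg.github.io."),
    ("shop.dominio.com", "CNAME", "shops.myshopify.com."),
    ("old-app.dominio.com", "CNAME", "old-app-frontend.hosting.example."),
    ("mail.dominio.com", "MX", "mx1.dominio.com."),
]

# Third-party suffixes worth a manual check even when they resolve (the services named
# in the article); extend this tuple with whatever providers your organisation uses.
THIRD_PARTY_SUFFIXES = ("github.io", "herokuapp.com", "myshopify.com")


def live_resolver(hostname):
    """Real resolver for production use: True if the name has an address."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def make_stub_resolver(existing):
    """Offline resolver backed by a set of names that are treated as existing."""
    normalized = {h.rstrip(".").lower() for h in existing}
    return lambda hostname: hostname.rstrip(".").lower() in normalized


def audit_zone(records, resolves):
    """Return findings as (subdomain, target, severity, reason) tuples, in zone order."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue  # A/MX records are not what a takeover exploits
        host = target.rstrip(".").lower()
        if not resolves(host):
            findings.append((name, host, "high",
                             "CNAME target does not resolve (dangling record)"))
        elif host.endswith(THIRD_PARTY_SUFFIXES):
            findings.append((name, host, "review",
                             "points at a third-party service; confirm it is still claimed"))
    return findings


if __name__ == "__main__":
    # Offline demo: the GitHub Pages and Shopify hostnames still answer,
    # the constructed hosting.example target was removed entirely.
    stub = make_stub_resolver(["myorg.github.io", "shops.myshopify.com"])
    for subdomain, target, severity, reason in audit_zone(SAMPLE_ZONE, stub):
        print(f"[{severity}] {subdomain} -> {target}: {reason}")
```

For a real zone, export the records from your DNS provider, pass `live_resolver` instead of the stub, and act on the result: delete the record for any subdomain you no longer need, and for every `review` finding either confirm the third-party resource still belongs to you or remove the record before the resource does.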