
Strengthening Brand Protection with Subdomain Lookups: A Short Study

Threat actors usually ride on a brand's popularity to make phishing campaigns believable. A common approach involves registering typosquatting domains that closely resemble those of the legitimate owners. Yet monitoring typosquatting domains may just be the tip of the iceberg in the fight against phishing.

Organizations should also stay on the lookout for subdomains that contain their brand names, as these could be used to tarnish their image. To illustrate, we compiled a list of 4,330 subdomains that contain the string "eBay" and analyzed them. Below are our key findings.

1. Malicious Lookalike Subdomains

eBay is one of the most spoofed brands in the world. Take the phishing email below as an example. It asks users to update their account information or face account suspension.

Image source: social-engineer.org

Note the URL that starts with the subdomain "signin.ebay," which is consistent with the e-commerce website's login page shown below.

In our sample, we found 77 subdomains that start with "signin.ebay," which could prompt users to attempt to sign in and reveal their credentials in the process. Some of the subdomains were tagged "malicious" by multiple engines on VirusTotal.

  • signin[.]ebay[.]de-ws[.]itm2108445557[.]icu
  • signin[.]ebay[.]de-ws[.]1i1i[.]icu
  • signin[.]ebay[.]co[.]uk-wsebayisapidllsigninrucpsess431608060754354[.]chidospr[.]com
  • signin[.]ebay[.]co[.]uk[.]ebayisapi[.]dll[.]permakultur[.]jetzt

Other commonly found words in the subdomains (along with "eBay") include:

  • mail
  • payment
  • secure
  • online
  • reply
  • store
  • shop

2. Majority of the Subdomains Are Not Owned by eBay

Of the 4,330 subdomains, only 681 (17%) appeared to be owned by eBay. These are the subdomains whose root domains are eBay-owned, that is, domains whose WHOIS records list eBay, Inc. as the registrant organization:

  • ebay[.]com (627 subdomains)
  • ebay[.]co[.]uk (11 subdomains)
  • ebay[.]com[.]au (10 subdomains)
  • ebay[.]co[.]kr (7 subdomains)
  • ebay[.]com[.]hk (6 subdomains)

Other domains owned by eBay, such as ebay[.]us and ebay[.]jp, do not appear in the sample. The remaining subdomains, on the other hand, merely contain the word "eBay" but sit under unrelated root domains that are likely owned by someone else. Some examples are:

  • pctdev1[.]corp[.]ebay[.]com[.]secure-log[.]in
  • payments[.]www[.]ebay[.]com[.]breakpoint[.]xyz
  • signin[.]ebay[.]it[.]izarbrokers[.]com
  • signin[.]ebay[.]com[.]ws[.]ebayisapi[.]dll[.]signin[.]mcleodsorganicfertiliser[.]com
  • signin[.]ebay[.]it[.]ahqfood[.]com
  • www[.]signin[.]ebay[.]it[.]beach420[.]com

3. Dedicated versus Shared IP Addresses and eBay Ownership

Another finding is that eBay's subdomains resolve to dedicated IP addresses, while the lookalikes point to shared ones. For instance, below are 25 subdomains not owned by eBay along with the IP addresses they resolved to and the number of domains and subdomains that shared them.

By contrast, legitimate eBay subdomains, as revealed by Subdomains Lookup, only share IP addresses with other eBay subdomains.

To illustrate, consider the subdomain payments[.]ebay[.]es[.]g[.]ebay[.]com. On 21 August, it resolved to 66[.]135[.]204[.]244, 66[.]211[.]185[.]22, and 66[.]211[.]185[.]28. A reverse IP lookup tells us that these IP addresses are not associated with non-eBay-owned domains. Below are other subdomains owned by eBay with the number of domains that use their IP addresses.


This case study on subdomains that contain the word "eBay" shows that threat actors readily abuse brand-bearing subdomains as part of phishing and other schemes. As such, performing subdomain lookups and related audits can be a vital part of a company's brand protection strategy.
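The three checks the study applies in sections 2 and 3 (does the root domain belong to the brand, does the host mimic a login page, and are its IP addresses shared with unrelated domains) can be combined into a small triage script. The example below is added here and is not WhoisXML API's code; the allowlist, the two-label suffix set, and the DNS and reverse-IP tables are constructed stand-ins for what a subdomain lookup and reverse IP lookup would return.

```python
# Constructed allowlist: the eBay-owned root domains the study names
# (WHOIS registrant eBay, Inc.). A real audit would derive this from WHOIS.
BRAND_OWNED = {"ebay.com", "ebay.co.uk", "ebay.com.au", "ebay.co.kr", "ebay.com.hk"}
# Two-label public suffixes that occur in the study; a real tool would use the full PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.kr", "com.hk"}

# Constructed sample data standing in for a subdomain lookup (host -> A records)
# and a reverse IP lookup (IP -> root domains hosted there). 203.0.113.0/24 is
# documentation space (TEST-NET-3); the 66.x addresses are those the study cites.
DNS_A = {
    "payments.ebay.es.g.ebay.com": ["66.135.204.244", "66.211.185.22"],
    "shop.ebay.co.uk": ["66.211.185.28"],
    "signin.ebay.co.uk.ebayisapi.dll.permakultur.jetzt": ["203.0.113.7"],
    "www.signin.ebay.it.beach420.com": ["203.0.113.7"],
}
REVERSE_IP = {
    "66.135.204.244": {"ebay.com"},
    "66.211.185.22": {"ebay.com"},
    "66.211.185.28": {"ebay.co.uk", "ebay.com"},
    "203.0.113.7": {"permakultur.jetzt", "beach420.com", "example.net", "example.org"},
}

def registrable_domain(fqdn):
    """Root domain of a host: 'signin.ebay.co.uk.x.example.com' -> 'example.com'."""
    labels = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def audit(fqdn, brand="ebay", dns_a=DNS_A, reverse_ip=REVERSE_IP):
    """Apply the study's three checks to one brand-bearing subdomain."""
    root = registrable_domain(fqdn)
    # Root domains sharing this host's IPs that are neither brand-owned nor its own root.
    foreign = set()
    for ip in dns_a.get(fqdn, []):
        foreign |= {d for d in reverse_ip.get(ip, set())
                    if d not in BRAND_OWNED and d != root}
    return {
        "host": fqdn,
        "root": root,
        "brand_owned": root in BRAND_OWNED,
        "login_lookalike": fqdn.lower().startswith(f"signin.{brand}."),
        "foreign_sharers": len(foreign),
    }

def triage(hosts, brand="ebay"):
    """Hosts not owned by the brand, login lookalikes and shared-IP hosts ranked first."""
    findings = [audit(h, brand) for h in hosts if brand in h.lower()]
    suspicious = [f for f in findings if not f["brand_owned"]]
    return sorted(suspicious, key=lambda f: (-f["login_lookalike"], -f["foreign_sharers"]))
```

Running triage(list(DNS_A)) ranks the two lookalikes ahead of the eBay-owned hosts, with the "signin.ebay" host first because it both mimics the login page and shares its IP with three unrelated domains.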

By WhoisXML API, a domain research, Whois, DNS, and threat intelligence API and data provider. Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research and monitoring, Whois, DNS, IP, and threat intelligence APIs, data, and tools to a variety of industries.
