Home / Blogs

A Brief Look at the Domain Attack Surface of Streaming Media Companies

The term "attack surface" is often heard in cybersecurity conversations. It refers to the sum of all possible attack vectors or the vulnerabilities that threat actors can exploit to penetrate a target network or damage an organization somehow. An unused and forgotten subdomain, for instance, can become an attack vector when taken over.

Certain categories of companies have very large attack surfaces. Such is the case of streaming media businesses like Netflix and HBO Max. Netflix has around 195 million users worldwide, while HBO Max recently hit 28.7 million subscribers. Such user bases make them lucrative targets.

For illustration purposes, we decided to analyze the potential joint attack surface of those two companies using our attack surface management system. Here are our main findings.

Studying the Attack Surface of Streaming Media Companies

In total, we found 2,708 domains and subdomains that contain the strings "netflix" and "hbomax" and these didn't seem to be owned by the brands. In fact, we ran a bulk WHOIS lookup on all of the subdomains and compared their WHOIS record details with those of the legitimate companies. None of them had "Netflix, Inc." or "Home Box Office, Inc." as a registrant organization. Also, the subdomains' WHOIS records didn't match any other registrant detail indicated by the streaming companies.

Terms Used along with the Brand Names

Apart from the brand names, the subdomains also contained other text strings that could trick subscribers into clicking them. These include "account," "login," "update," "app," "secure," "info," "help," "center," "service," and "hostmaster." About 44% of the subdomains used these terms, as shown in the chart (Fig. 1).

Fig. 1 – Percentage of terms used along with brand names.

When used alongside Netflix and HBO Max, these terms could make users believe that they are visiting the official web pages of the streaming companies. Subdomains that contain these text strings could successfully be used in phishing campaigns.

Top-Level Domain Distribution of Subdomains

The subdomains related to Netflix and HBO Max were spread over several top-level domains (TLDs). However, more than half belonged to the .com space. Some 15% fell under the .net TLD, while .live and .org were used by 7% of the subdomains. The chart below shows the top 10 TLDs used for the subdomains.

Fig. 2 – Top 10 TLDs used for the subdomains related to Netflix and HBO Max.

Are These Subdomains Dangerous?

The subdomains identified in this study are a cause for concern from a cybersecurity standpoint. We were able to track down multiple cases that were already identified as malicious. Here is an example of a Netflix-related subdomain — billing[.]netflix[.]user[.]solution[.]id2[.]client-redirection[.]com — that has been flagged by five engines on VirusTotal:

Fig. 3 – Example of a Netflix-related flagged by five engines. (Source: VirusTotal)

Source: VirusTotal

Interestingly, we found far more suspicious instances that were not flagged by any engine. Such was the case of these subdomains (among many others):

  • security[.]netflix[.]com[.]userid[.]874585[.]compraycambia[.]com
  • dash[.]pro42[.]lv3[.]cdn[.]hbomax[.]com[.]c[.]footprint[.]net
  • hbomaxdash[.]s[.]llnwi[.]net

While we can't say for sure why subdomains like these were created, it's hard to think of a plausible legitimate reason why a root domain such as "compraycambia[.]com" would need subdomains containing strings like "security" or "userid." It is possible that these subdomains have yet to be used in cyberattacks and so have not been identified as indicators of compromise (IoCs).

The subdomains might also pertain to a much larger attack infrastructure, only a small part of which will ever be used in a phishing or other cyber attack.

Still, knowing about the entire scope of risky subdomains can fuel a more informed perspective on active and dormant threats.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

I'm not sure it's fair to consider By Todd Knarr  –  Oct 30, 2020 11:22 am PST

I'm not sure it's fair to consider those hostnamess part of the attack surface of the streaming media company they're trying to impersonate. They can't be used to gain any access to the company's infrastructure, and there's absolutely nothing the company can do about them since they belong to completely different domains the company doesn't control.

I would consider them part of the user's attack surface, though. The hostnames work by tricking the user into giving their info to someone other than the streaming media company. That lets the attackers access that user's account, but not to gain any access to the media company's infrastructure beyond what the user has normally.

You raise two important points in your By Jonathan Zhang  –  Nov 02, 2020 11:02 am PST

You raise two important points in your comment—control and who the potential victims are.

Control over such (sub)domains is indeed problematic. External entities set them up and the impersonated organizations can't take them down immediately. It doesn't mean that the affected brands are totally powerless though. Let's consider the case where the root domain of the suspicious/malicious subdomain is owned by a legitimate domain owner/business whose domain has been hijacked. A representative of the mimicked brand in this situation can still reach out to the domain owner and inform him that his property is being misused without his knowledge/consent. Surely, the domain owner would be motivated to take it down quickly. If the domain in question does belong to a perpetrator, the legitimate brand owner can report the domain to the registrar for abuse and list it on OSINT sharing communities.

Considering the potential victims, users are indeed likely to be the common targets (in line with your description of the user's attack surface). That said, perpetrators could also use the subdomains to fool third parties that may hold confidential information about the brand in question and do not have the strictest cybersecurity measures in place.

I'd be happy to continue this conversation. Is there a way I could reach out? Here is my LinkedIn profile: https://www.linkedin.com/in/jonathanmzhang/

My email's tknarr@silverglass.org By Todd Knarr  –  Nov 04, 2020 9:57 pm PST

My email's tknarr@silverglass.org

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Brand Protection

Sponsored byAppdetex

New TLDs

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

IP Addressing

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign