Home / Industry

Attack Surface Analysis of 3 Social Media Giants

Cybercrime is first and foremost financially motivated. Cybercriminals look for lucrative targets, including social media networks with hundreds of millions of monthly active users. We put this perspective to the test by analyzing the domain attack surface of three of today's largest social media platforms.

In total, our Attack Surface Management (ASM) Solutions found 22,785 subdomains that could be used as attack vectors, as they contain the strings "linkedin," "youtube," and "facebook." We analyzed this data and present our main findings in this post.

Legitimate versus Suspicious Ownership

One of the first steps in an attack surface analysis is to distinguish between domains that are under the organization's control and those that are not. For this study, we ran the 22,785 subdomains on a bulk WHOIS lookup tool to see if there are records that match the WHOIS details of Facebook, LinkedIn, and YouTube.

Registrant NameNumber of Domains FoundPercentage of the Total Number of Subdomains
Others22,74699.83%
Google LLC (YouTube)360.16%
Facebook, Inc.30.01%
LinkedIn Corporation00%

We found that only 39 domains were owned by the social media companies, comprising only 0.17% of the whole sample size. That means that only a small number of the subdomains are owned and under the control of the social media giants. The rest may be used by other entities as they please, which could be a problem, as they make use of the companies' brand names.

Terms Appearing alongside the Brand Names

Alongside the brand names, we found that about 20% of the subdomains in our sample contain the word "blog." Some also contained other text strings that could be used to lure social media users into clicking a link or downloading an email attachment.

Terms such as "download," "login," "signin," and "free" could make message recipients think a subdomain is legitimate. The terms "advert," "advertise," or "advertising," on the other hand, could be used to target small businesses.

The chart below shows the breakdown of 10 of the commonly used terms in the subdomains.

Frequency of Commonly Used Terms

Malicious Domains and Subdomains Found

A more in-depth attack surface analysis found three malicious root domains that were repetitively used with subdomains containing strings related to the three social media platforms.

Malicious Root DomainNumber of Subdomains Found with Branded Strings
shnpoc[.]net343
duckdns[.]org103
serveo[.]net48

These were all cited for phishing and other malicious activities on VirusTotal. Shnpoc[.]net, for one, was seen trying to phish a bank, according to this tweet and other reports:

Aside from the three domains above, others with subdomains included in our attack surface analysis may also require further investigation, such as:

  • foxmos[.]com: 42 subdomains
  • novaposhta[.]me: 10 subdomains
  • dmoz[.]website: 8 subdomains
  • winmonitor[.]com[.]br: 7 subdomains
  • kamalharmoni[.]com: 2 subdomains
  • ach[.]cl: 2 subdomains

Some subdomains in the list have also been reported "malicious," which means they already likely figured in cyber attacks. Even so, certain subdomains remain active and could be reused in other malicious campaigns.


While this post focused only on the hidden domain footprints of three social media platforms, it does show that attack surface analysis is a crucial cybersecurity practice for any organization. You can learn more about it and our Attack Surface Management (ASM) Solutions here.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global