Domain Attack Surfaces: What Are They? How Big Are They?

Posted on by Jonathan Zhang

 Understanding attack surfaces is a pivotal cybersecurity activity—and reasonably so. In 2019, a sample of 115 organizations revealed a total of 123,454 vulnerabilities, with 91% rated “medium” to “critical.” What’s more, it takes an average of 121 days for large organizations to discover a data breach, compared to a 102-day average for small organizations.

The term “attack surface” is a broad one, however. Among the threat vectors that make up a target’s overall attack surface are domain names and subdomains. Collectively, they comprise the “domain attack surface” that could serve in phishing, malware and spam campaigns, among other cyberattack types.

What Does a Domain Attack Surface Look Like?

To provide some perspective on domain attack surfaces, let us take a look at two subdomains that have been flagged for phishing activity on PhishTank:

  • secure[.]bankofamerica[.]com-login-sign-in-signonv2screen[.]go[.]suzukihaiphong[.]com[.]vn
  • microsoftonlineservices[.]com[.]ru

The first subdomain contains in its name the exact string (i.e., “secure[.]bankofamerica”) used in a phishing email targeting Bank of America clients. The domain microsoftonlineservices[.]com[.]ru, on the other hand, was seen in a spear-phishing campaign.

What Are the Key Characteristics of Domain Attack Surfaces?

In a recent study, we analyzed the domain attack surfaces of ten of the most commonly spoofed brands—namely Amazon, Apple, Bank of America, CIBC, Desjardins, Facebook, Microsoft, Netflix, PayPal and WhatsApp. Below are our key findings.

1. Lack of public attribution and divergent WHOIS details

While not an absolute practice, it is quite common for established brands to keep the WHOIS records of their root domains public. That allows for attribution of domain ownership through, for example, the registrant organization’s name or its email address. In contrast, domain names with records containing divergent details cannot be publicly attributed, leading to uncertainty about their real owners.

We found the lack of attribution and divergent details to be prevalent for the ten brands studied as only an average of 0.17% share the same registrant email address of the brands’ official domains. Who holds control over the remaining 99.83% that are non-attributable domains is unclear. Some of these root domains or subdomain variants could credibly figure in phishing attacks and make users believe that an email or a website is legitimate.

2. Large, sometimes very large, surfaces

Our research uncovered large domain surfaces for top-spoofed brands using passive Domain Name System (DNS) technology that provides historical data on DNS connections, including IP resolutions. This process enabled us to see large numbers of domain names and the IP addresses they resolved to in the past.

Overall, the ten brands' total domain attack surface size comprised 177,734 domains and subdomains—averaging 17,734 per brand, though with some variance among them. For Apple, as many as 54,187 domains and subdomains contained the text string “apple” in some part of the subdomain/root domain. Meanwhile, the smallest domain attack surface size was that of CIBC with roughly 1,000 domains and subdomains.

The passive DNS sample typically contains fully qualified domain names, and the containment of brand-related search strings was very frequent not only in the second-level domain name but also at the lower levels. This means that focusing on domains up to the second level would reveal only a small portion of the domain surface.

3. Undocumented and possibly malicious

From the domain surfaces studied, only a portion—14,791 domains and subdomains, or 8.34% of the sample—appeared in PhishTank’s verified phishing URLs for 1 June–16 October 2020. That leaves almost 92% of potentially suspicious subdomains undocumented and possibly active in cyberattacks at some point.

Of the ten brands, PayPal had the smallest ratio of domains found on PhishTank against the undocumented suspicious domains (44.14%). It was followed by WhatsApp, Bank of America and Netflix with 74.6%, 84.52% and 89.59% undocumented suspicious domains. The other brands had more than 93% unreported assets.




The domains and subdomains that make up the potential domain attack surface of a particular brand can look very similar to its attributable digital footprint—and this creates risk from a cybersecurity standpoint. While WHOIS’ redaction is not proof of foul play (a debate that goes well beyond this post in light of privacy benefits), it does create opacity. In addition, while WHOIS reveals the ownership of the second-level domains, our research shows that the relevance of the subdomains at the lower levels of hierarchy should not be overlooked.

Jonathan Zhang

Founder and CEO , WhoisXML API

Hackers & Threats

hackers & threats exploit of vulnerability phishing anti-malware

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs