Question: What are the risks of letting domains and subdomains expire? How do attackers hijack them?

Answer: It's ridiculous how easy it is to find and take over an abandoned domain, says Jossef Harush Kadouri, head of software supply chain at Checkmarx.

Subdomain hijacking is a type of cyberattack in which an attacker takes control of a subdomain of a legitimate domain and uses it to host their malicious content or to launch further attacks.

Here is an example: CocoaPods is a popular dependency manager for iOS and MacOS projects that developers use to add third-party code to their applications. The company had a subdomain, cdn2.cocoapods.org, which had been used years ago but was no longer in use. However, the DNS records for the subdomain still pointed to GitHub Pages, where presumably the pages for this subdomain had been hosted at one point.

Since this subdomain was no longer linked to a GitHub Pages project, attackers were able to create their own project — a casino site — and the existing DNS record meant users looking for that subdomain were directed to that fishy-looking site. This kind of subdomain hijacking works as long as the subdomain is unoccupied by another GitHub Pages project, Kadouri says.

When an organization no longer needs a subdomain or domain, it is not enough to take the relevant pages down. There needs to be an action item to delete the subdomain records from DNS. In short, the DNS entry needs to reflect the fact that example.com and a.example.com are still in use, but that b.example.com is not.