
Subdomain Squatting

Detection of malicious domains that use your brand name as a subdomain to appear legitimate.

What is Subdomain Squatting?

Subdomain squatting is a deceptive technique where attackers register domains and create subdomains that incorporate legitimate brand names. By placing your brand name as a subdomain, they create URLs that appear official and trustworthy to unsuspecting users.

This technique is particularly effective because many users don't fully understand how domain hierarchies work, and the presence of a familiar brand name in the URL creates a false sense of legitimacy.

How We Detect It

Our subdomain squatting detection analyzes the complete domain structure by:

  • Parsing full domain names including all subdomain levels
  • Checking if any subdomain component matches your monitored keywords
  • Analyzing common subdomain patterns used in phishing attacks
  • Identifying suspicious base domains hosting brand-name subdomains

Real-World Examples

Service Impersonation

High Risk
paypal.secure-login-verification.com

Uses "paypal" as a subdomain with a convincing base domain to impersonate login pages.

Support Page Spoofing

High Risk
microsoft-support.helpdesk-assistance.org

Creates fake technical support pages by using the brand name in the subdomain.

Account Verification Scam

High Risk
amazon-account-verification.security-check.net

Targets users with account security concerns by mimicking official verification processes.

App Download Trap

Medium Risk
whatsapp-download.mobile-apps-store.com

Tricks users into downloading malicious apps by appearing as official app stores.

Common Subdomain Patterns

Attackers typically use these subdomain structures to maximize deception:

Service-Specific Subdomains

Using brand names with service-related terms to appear like official subservices.

apple-support.*, google-login.*, facebook-security.*

Geographic Targeting

Combining brand names with location indicators to appear like regional services.

paypal-us.*, amazon-uk.*, netflix-canada.*

Security-Themed Subdomains

Exploiting security concerns by using brand names with security-related terms.

microsoft-security.*, gmail-verify.*, instagram-protect.*

Multi-Level Subdomains

Using complex subdomain structures to increase perceived legitimacy.

login.paypal.secure-banking.*, support.microsoft.helpdesk.*

Why Subdomain Squatting Works

  • Brand recognition: Users see familiar brand names and assume legitimacy
  • SSL certificates: Subdomains can carry valid HTTPS certificates, since a certificate only proves control of the hostname, not any relationship to the brand
  • Domain hierarchy confusion: Many users don't understand subdomain vs domain ownership
  • Search engine presence: Malicious subdomains can appear in search results

Technical Detection Challenges

Subdomain squatting presents unique detection challenges that our system addresses:

  • Dynamic creation: Subdomains can be created by adding DNS records to an existing domain, without registering a new domain
  • Certificate transparency: We monitor CT logs for all subdomain certificates
  • Wildcard certificates: Single certificates can enable unlimited subdomains
  • Passive DNS analysis: We analyze DNS query patterns and responses

Risk Assessment Factors

We evaluate subdomain squatting threats based on several key factors:

High Risk Indicators

  • Brand name + security/login/verify keywords
  • Recently registered base domains
  • Suspicious TLD or registrar
  • Multiple brand subdomains on same base domain

Medium Risk Indicators

  • Brand name + geographic indicators
  • Established domains with new suspicious subdomains
  • Common service terms (support, help, download)

Lower Risk Indicators

  • Brand name in legitimate business context
  • Established domains with good reputation
  • Clear legitimate business purpose
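The parsing and keyword checks from "How We Detect It", together with the keyword-based risk indicators above, as an added Python example that is not the product's own code. The keyword sets, the naive last-two-labels split of a hostname and the sample hostnames are assumptions; registration age, TLD/registrar and reputation factors are out of scope.

```python
import re
from collections import defaultdict

# Keyword classes from the page's risk indicators; the sets themselves are assumptions.
SECURITY_TERMS = {"secure", "security", "login", "signin", "verify",
                  "verification", "protect", "account", "check"}
SERVICE_TERMS = {"support", "help", "helpdesk", "download", "update", "apps"}
GEO_TERMS = {"us", "uk", "eu", "canada", "de", "fr", "india"}


def split_hostname(hostname):
    """Split into (subdomain labels, registrable domain). Naive last-two-labels
    rule (assumption); real code should consult the Public Suffix List."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def assess(hostname, brands):
    """Return {'brand','base','risk','reasons'} when a monitored brand is a
    subdomain token, else None. Scores keyword factors only: registration
    age, TLD/registrar and reputation are out of scope here."""
    sub_labels, base = split_hostname(hostname)
    sub_tokens = {t for lbl in sub_labels for t in re.split(r"[-_]", lbl) if t}
    all_tokens = sub_tokens | {t for t in re.split(r"[-_.]", base) if t}
    brand = next((b for b in brands if b.lower() in sub_tokens), None)
    if brand is None:
        return None  # brand absent, or only in the base domain (its owner's)
    reasons, risk = [], "low"
    if all_tokens & SECURITY_TERMS:  # brand + security/login/verify: high
        reasons.append("security/login/verify keywords")
        risk = "high"
    if all_tokens & SERVICE_TERMS:  # support/help/download terms: medium
        reasons.append("service terms")
    if sub_tokens & GEO_TERMS:  # brand + geographic indicator: medium
        reasons.append("geographic indicator")
    if risk != "high" and reasons:
        risk = "medium"
    return {"brand": brand, "base": base, "risk": risk, "reasons": reasons}


def shared_base_domains(hostnames, brands):
    """Base domains hosting subdomains for two or more monitored brands."""
    seen = defaultdict(set)
    for host in hostnames:
        hit = assess(host, brands)
        if hit:
            seen[hit["base"]].add(hit["brand"])
    return {b: sorted(v) for b, v in seen.items() if len(v) > 1}
```

A hostname whose brand appears only in the registrable domain (for example support.paypal.com) is not flagged, because that name is controlled by the domain owner rather than a squatter.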

Protection and Response

When subdomain squatting is detected, consider these response strategies:

  • Content investigation: Analyze what content is hosted on the malicious subdomain
  • Abuse reporting: Report to hosting providers and domain registrars
  • Legal action: Pursue trademark infringement claims when applicable
  • User education: Warn users about suspicious subdomains in security communications
  • Brand monitoring: Continuous monitoring for new subdomain variations

Prevention Best Practices

  • Official domain communication: Always communicate your official domains to users
  • SSL certificate monitoring: Monitor certificate transparency logs for your brand
  • Brand protection services: Use comprehensive monitoring across all subdomain levels
  • User awareness: Educate users about domain structure and verification methods
