Rentable subdomains
Summary
Attackers are using rentable subdomains such as us.com and it.com. Because these names are rented beneath a parent domain rather than registered in their own right, security feeds cannot gather WHOIS information on the subdomain. At the same time, the availability of these rentable subdomains (with tens of thousands of dynamic DNS providers) gives attackers an abundance of possible domains that look and feel legitimate compared to many traditional URLs.
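One way a detection pipeline can account for this, as an added example that is not part of the original page: key reputation and blocking on the rented label plus the provider suffix, and record that WHOIS will only describe the provider. The suffix set, function names and hostnames below are constructed for illustration; a production suffix list would be far longer and loaded from a maintained source.

```python
# Added example. RENTABLE_SUFFIXES is a small constructed set (assumption),
# seeded with the providers named on this page plus DuckDNS's domain.
RENTABLE_SUFFIXES = {"us.com", "it.com", "duckdns.org"}


def _labels(host):
    # Normalise case and drop a trailing root dot before splitting.
    return host.strip().rstrip(".").lower().split(".")


def naive_apex(host):
    """Last two labels: what a suffix-unaware feed would look up."""
    return ".".join(_labels(host)[-2:])


def rented_name(host, suffixes=RENTABLE_SUFFIXES):
    """Return (tenant_domain, provider_suffix) or None if not rented.

    tenant_domain is the provider suffix plus the one label to its left,
    which is the part the renter actually controls.
    """
    labels = _labels(host)
    # Walk from the longest candidate suffix to the shortest.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in suffixes:
            return ".".join(labels[i - 1:]), suffix
    return None  # includes the bare provider domain itself


def enrichment_key(host):
    """Pick the name to use for reputation lookups and block rules."""
    hit = rented_name(host)
    if hit:
        tenant, provider = hit
        # WHOIS on the provider describes the provider, not the tenant.
        return {"host": host, "key": tenant, "provider": provider,
                "whois_on_tenant": False}
    # Simplification: non-rented hosts fall back to the last two labels.
    return {"host": host, "key": naive_apex(host), "provider": None,
            "whois_on_tenant": True}


if __name__ == "__main__":
    # Constructed hostnames, not real indicators.
    for h in ["login.acme-sso.us.com", "vpn-helpdesk.it.com",
              "files.example-updates.duckdns.org", "www.example.org"]:
        print(enrichment_key(h))
```

Keying on the tenant name keeps two unrelated renters under the same provider from sharing one reputation score or one block rule.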
Examples
- Example 1: Scattered Spider leverages rentable subdomains — Scattered Spider have been observed using it.com and us.com
- Example 2: Free dynamic DNS services like DuckDNS and ChangeIP used by attackers