The cyber attack targeting Toyota’s top-tier supplier in February led to the loss of about 13,000 cars in production output. Aside from the quantified damage, the supply chain attack highlights how massive and scattered threat vectors can be. Covering all bases requires looking at every possible source of risk, including the Domain Name System (DNS).
In line with this, WhoisXML API researchers explored domains and subdomains bearing the names of leading car manufacturers. These digital properties could be vehicles for attack vectors, such as third-party phishing and business email compromise (BEC) scams. Our analysis uncovered:
- More than 10,000 domains and subdomains containing top car manufacturers’ brand names that have been added since 1 February 2022
- Almost all uncovered cyber resources are not publicly attributable to the respective companies whose names appear in them
- Several domains and subdomains have been flagged as malicious
Feel free to download the complete list of properties and relevant data points from our website. We’ll discuss our analysis and research below.
10,000+ Car Manufacturing-Related Domains and Subdomains
This research focuses on seven car companies named by Forbes as the top 10 cars and best brands of 2021. These are Toyota, Mazda, Subaru, Kia, Honda, Lexus, and Tesla. Since Toyota’s supply chain attack occurred on 28 February 2022, we limited the properties to only those added since 1 February 2022.
We uncovered 4,972 domains and 5,148 subdomains, totaling 10,120 properties. The chart below shows the distribution of these cyber resources among the companies included in this study.
Possibly Rogue Digital Properties
Distinguishing properties added by the companies themselves is an essential part of this study. If the legitimate company owns the domains and subdomains, they have control over these assets. Otherwise, the digital properties can be considered rogue that can be potentially used in brand abuse, phishing campaigns, and other malicious activities.
While companies can register domains using different registrant details, most large corporations, like the ones in this research, often use the same registrant email address and privacy protection service. As such, the registrant email addresses of the car companies’ official domains can help identify potentially rogue properties.
We discovered only 10 domains that are publicly attributable to the top brands, all of which belong to Toyota. It’s important to note that Mazda and Honda had redacted or privacy-protected registrant details. Even then, none of the domains and subdomains share the same attributes, such as the combined use of privacy protection companies, nameservers, and registrant countries.
Below are some examples of the potentially rogue cyber resources for each brand. You may download the complete list from our website.
Brand Name | Domains | Subdomains |
---|---|---|
Toyota | • toyota[.]xn—fiqz9s • toyota[.]bar • etoyota[.]ir |
• toyota[.]grupolagrajera[.]com • toyota[.]e-mobilio[.]de • toyotadpeer[.]toyotadnet[.]toyota[.]blockedge[.]dev |
Mazda | • mazda[.]tk • armazda[.]ir • mazdausa[.]ca |
• mazda-cx-50[.]devonline[.]me • mazdacarsmy[.]toyotaalphard[.]com[.]my • 2010-mazda3[.]blogspot[.]com |
Subaru | • sportsubarucares[.]com • clearshiftsubaru[.]com • tellhaddadsubaru[.]com |
• wyattjohnsonsubaru[.]dsi360[.]com • subarurussia[.]users[.]photofile[.]ru • www-carrsubaru-com[.]translate[.]goog |
Kia | • gkia[.]shop • komkia[.]vg • vlgkia[.]ru |
• www[.]cowboykia[.]phpup[.]fzinternal[.]com • kia[.]boravto-vrz[.]mss[.]7apps[.]ru • tutkia[.]plat-xxxx[.]dev[.]plattan[.]fi |
Honda | • hondacars-kitachiba-newstepwgn-teaser[.]com • hondausedcrossovers[.]com • hondahonda1739[.]com |
• honda[.]simpelink[.]com • honda[.]yasu[.]name • honda[.]demowebku[.]xyz |
Lexus | • lexus[.]fo • elexus[.]ph • toyotalexusfinancialservices[.]lu |
• autorepairyorbalindaplac entiaanaheimtoyota hondaacuralexusvw[.]spb[.]ru • lexus[.]retehk[.]com • lexus[.]oempartsonline[.]com |
Tesla | • teslainvestment[.]international • teslatechsolucoeseletricas[.]com • tourismehauteslaurentides[.]com |
• ps-st-3344[.]schneider[.]tesla[.]aristos[.]pw • loving-tesla[.]74-208-187-83[.]plesk[.]page • tesla[.]vishwabhartiprojects[.]com |
Malicious Domains Alert
There could be legitimate reasons behind the rogue domains and subdomains. For instance, car dealerships, used car dealers, and brand enthusiasts could find it necessary to register them.
However, that doesn’t discount the possibility of threat actors using the domains for malicious campaigns. In fact, we already found dozens of malicious properties despite them being newly added.
While some of the malicious domains and subdomains have already been taken down, others still hosted live content. Here are some examples of malicious domains encouraging visitors to take part in an Elon Musk project and earn US$4,000 per month.
Monitoring the DNS for rogue domains and subdomains can help security teams take timely actions before they are put to use by threat actors. Early detection can help protect third parties, customers, and the general public.
If you’re interested in the domains and subdomains related to the car manufacturing sector discussed in this post, you can download the research materials here. You may also contact us for research collaboration.