How Phishing Attacks Exploit Subdomains to Deceive Users


How Subdomains Are Used in Phishing Attacks
Phishing is one of the most common cyber threats — and attackers are constantly finding new ways to make their scams look legitimate. One sneaky tactic they use is abusing subdomains to trick users into trusting malicious websites.
Consider a link such as coinbase-1.com-phishing.xyz. People read from left to right, so while skimming it is very easy to mistake this for coinbase.com.
However, the actual domain is com-phishing.xyz, which has nothing to do with Coinbase. Whoever registered com-phishing.xyz controls every subdomain under it and can name those subdomains anything they like, including the name of a brand they are impersonating.
What Is a Subdomain?
A subdomain is one or more labels added to the left of a domain name, and the owner of a domain can create any subdomain under it without registering anything or asking anyone. For example, in the URL:
coinbase-1.com-phishing.xyz
the subdomain label is
coinbase-1
and the actual (registrable) domain is
com-phishing.xyz
The registrable domain is the label directly to the left of the public suffix (.xyz here) together with that suffix; it is the only part of the hostname that had to be registered. Browsers and password managers compare sites by this registrable domain (often called the "eTLD+1"), not by whatever appears at the start of the hostname.
This is why a brand name in a subdomain proves nothing: anyone who owns a domain can put coinbase in front of it, and a skimming reader will see the familiar name first.
The Solution
To help prevent this kind of deception, I built a Chrome extension called Antiphish. Instead of showing the full URL, it highlights only the actual domain name — making it much clearer whether a link is legitimate or not.
This removes the subdomain trick specifically: the prefix an attacker chose is no longer what your eye lands on. It does not help when the registrable domain itself is a lookalike (a typosquat or a homoglyph of coinbase.com, for example), so you still need to read the highlighted domain rather than trust the page because it looks familiar.
Antiphish is currently pending approval and will be available soon.
Using a password manager is also an excellent defence, because it will not autofill your credentials on a domain it has no entry for: a login saved for coinbase.com is never offered on com-phishing.xyz, however convincing the subdomain looks. There is a technical learning curve and it does require the correct setup. It also only protects you while you rely on the automatic match; you can still choose to copy a password out of the manager and paste it into a fake website, and that is exactly the moment when seeing the real domain helps. The two can therefore be used together for an extra layer of defence.
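As an added example that is not the Antiphish extension's code, the following JavaScript shows the check behind both the "What Is a Subdomain?" section and the password-manager point above: it splits a URL's hostname into the attacker-controlled subdomain part and the registrable domain, then applies the same rule a password manager uses before offering a saved login. The suffix list is a constructed subset of the Public Suffix List (https://publicsuffix.org); a real implementation loads the full list. The sample URLs are constructed for illustration.

```javascript
// Added example, not code from the Antiphish extension. PUBLIC_SUFFIXES is a
// constructed subset of the Public Suffix List (https://publicsuffix.org); real
// implementations load the full list, which is how browsers and password
// managers decide where the registrable domain ("eTLD+1") starts.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "xyz", "io", "uk", "co.uk", "github.io"]);

// Hostname of an absolute URL with userinfo, port, path and query stripped,
// lower-cased and without a trailing dot. Returns null for unparsable input.
// Using the URL parser matters: "https://coinbase.com@com-phishing.xyz/" has
// hostname com-phishing.xyz, since everything before "@" is userinfo.
function hostnameOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // not an absolute URL
  }
}

// Registrable domain of a URL: the longest public suffix in the hostname plus
// the single label to its left. That is the only part that had to be
// registered; everything further left is a subdomain the owner picks freely.
// IP literals are returned as-is; a bare public suffix or an unparsable URL
// yields null.
function registrableDomain(urlString) {
  const host = hostnameOf(urlString);
  if (host === null || PUBLIC_SUFFIXES.has(host)) return null;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // no known public suffix
}

// Everything to the left of the registrable domain: the part an attacker
// controls outright. Empty when the hostname is the registrable domain itself.
function subdomainPart(urlString) {
  const host = hostnameOf(urlString);
  const reg = registrableDomain(urlString);
  if (host === null || reg === null || host === reg) return "";
  return host.slice(0, host.length - reg.length - 1);
}

// The check a password manager makes before offering a saved login: the
// registrable domain of the current page must equal the one the credential
// was saved for. A matching brand name in a subdomain does not count.
function shouldAutofill(savedForUrl, currentUrl) {
  const saved = registrableDomain(savedForUrl);
  return saved !== null && saved === registrableDomain(currentUrl);
}

// Constructed sample URLs showing what a user sees versus what is verified.
for (const u of [
  "https://coinbase-1.com-phishing.xyz/login",
  "https://coinbase.com@com-phishing.xyz/",
  "https://coinbase.com.com-phishing.xyz/",
  "https://www.coinbase.com/signin",
]) {
  console.log(`${u}\n  subdomain: "${subdomainPart(u)}"  registrable: ${registrableDomain(u)}`);
}
```

The walk from the longest candidate suffix downwards is what makes the difference between coinbase.co.uk (registrable: coinbase.co.uk) and coinbase.com-phishing.xyz (registrable: com-phishing.xyz); without a suffix list, a naive "last two labels" rule gets one of those wrong. Hosts under a shared suffix such as github.io are each treated as a separate site for the same reason.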
Written by William Ma, Software Engineer based in Sydney, Australia