Subdomain Takeover via Dangling Redirect

An unregistered redirect destination lets an attacker control every page that visitors of a production subdomain end up on.

Attack Chain
01 — Recon
DNS Enumeration
Subdomain beta.bathsense.asianpaintsnepal.com discovered via passive reconnaissance. Its A record resolves to shared hosting at 143.95.230.101, so at the DNS layer nothing looks stale.
02 — Identify
Dangling Redirect
An HTTP probe returns a WordPress-issued 301 whose Location header points to aaohs.co.za, a domain with no active registration. The DNS record is live; the dangling reference is the redirect target.
03 — Acquire
Domain Registration
Destination domain registered by assessment team. Web server configured to serve controlled content.
04 — Takeover
Content Control
Every request to the legitimate subdomain is now redirected to attacker-controlled infrastructure. Because browsers cache a 301 by default, clients that have already seen the redirect keep going to aaohs.co.za until their cache is cleared, even after the server-side redirect is removed.
Impact Assessment
🔒 Credential Harvesting
Attacker hosts a cloned login portal on the destination domain. Victims arrive through a link on the trusted parent domain; the address bar shows aaohs.co.za only after the redirect, and most users will not notice the change before submitting credentials.

🎲 Malware Delivery
Serve drive-by downloads or exploit kits to visitors who entered through the brand's trusted subdomain. The payload itself is served from attacker infrastructure, but every link, bookmark and search result that points at beta.bathsense.asianpaintsnepal.com now leads there.

🎫 Session & Cookie Theft
Cookies scoped to .asianpaintsnepal.com are not sent to aaohs.co.za, which is a separate registrable domain, so the redirect alone does not expose existing auth tokens; those cookies travel only as far as the shared host at 143.95.230.101. Session compromise instead requires the victim to re-authenticate through the cloned portal above, or depends on secrets carried in the URL path or query string, which reach the attacker only if the 301 preserves them.

📈 Brand & Trust Erosion
A public-facing subdomain that leads to attacker content undermines customer confidence and regulatory posture.

Recommended Remediation
  1. Remove the DNS A record for beta.bathsense.asianpaintsnepal.com if the subdomain is no longer needed, or point it at infrastructure the organisation controls.
  2. Audit the WordPress instance at 143.95.230.101: correct the siteurl / home values (or the WP_HOME / WP_SITEURL constants in wp-config.php, which override them) that trigger the 301 to aaohs.co.za, then re-probe the subdomain and confirm it no longer redirects off-domain. Until that is done, keep aaohs.co.za registered (the assessment team holds it at present) so the destination cannot lapse into a third party's hands.
  3. Conduct a full DNS hygiene sweep across all *.asianpaintsnepal.com subdomains to identify additional dangling records, including CNAMEs to decommissioned services.
  4. Implement monitoring that checks HTTP, not only DNS: alert on DNS record changes, and periodically fetch each subdomain and verify that any redirect Location stays within owned or actively registered domains. A DNS-only check would not have caught this finding, because the A record resolved correctly; the dangling reference was the HTTP redirect target.
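The script below is an added example, not code from the original report or the assessment team. It automates steps 01 and 02 of the attack chain and the HTTP-level check recommended in remediation item 4: it resolves each subdomain, captures the Location header of any 3xx response without following it, extracts the registrable domain of the target, and flags targets that do not resolve at all. The suffix table is a toy stand-in for the Public Suffix List, "target does not resolve" is only a heuristic for "unregistered" (confirm any flagged domain with WHOIS/RDAP before acting), and the DNS answers and HTTP responses in the offline demo are constructed.

```python
"""Dangling-redirect audit: resolve subdomain, capture Location, check target.

Added example, not code from the original report. MULTI_LABEL_SUFFIXES is a
toy stand-in for the Public Suffix List, and "target does not resolve" is a
heuristic for "unregistered": confirm with WHOIS/RDAP before acting.
"""
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Toy public-suffix table (assumption): real tooling should load the PSL.
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk", "com.np", "co.in", "com.au"}


def registrable_domain(host):
    """'beta.bathsense.asianpaintsnepal.com' -> 'asianpaintsnepal.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the original Location header is observable."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=10):
    """Live probe: return the Location header of a 3xx response, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:      # unfollowed 3xx lands here
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    except OSError:                              # DNS, connect, TLS, timeout
        pass
    return None


def resolves(host):
    """Live DNS lookup: True if the name has an address record."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def audit(subdomains, resolves=resolves, http_location=http_location):
    """Classify each subdomain. Resolver and prober are injectable for tests."""
    findings = []
    for sub in subdomains:
        if not resolves(sub):
            findings.append({"subdomain": sub, "state": "nxdomain", "target": None})
            continue
        location = None
        for scheme in ("https", "http"):
            location = http_location("%s://%s/" % (scheme, sub))
            if location:
                break
        if not location:
            state, target = "no-redirect", None
        else:
            target_host = urlsplit(location).hostname   # None for relative Location
            if target_host is None or registrable_domain(target_host) == registrable_domain(sub):
                state, target = "internal-redirect", target_host
            else:
                target = registrable_domain(target_host)
                # Registered domains normally answer at the apex or at www.
                if resolves(target) or resolves("www." + target):
                    state = "external-redirect"
                else:
                    state = "dangling-target"
        findings.append({"subdomain": sub, "state": state, "target": target})
    return findings


# --- Offline demo with constructed DNS answers and HTTP responses -----------
FAKE_DNS = {   # constructed; example-partner.net is a made-up third party
    "beta.bathsense.asianpaintsnepal.com": True, "www.asianpaintsnepal.com": True,
    "shop.asianpaintsnepal.com": True, "cdn.asianpaintsnepal.com": True,
    "cdn.example-partner.net": True, "example-partner.net": True,
}
FAKE_HTTP = {  # constructed Location headers; anything absent returns None
    "https://beta.bathsense.asianpaintsnepal.com/": "https://aaohs.co.za/",
    "https://shop.asianpaintsnepal.com/": "/store/",
    "https://cdn.asianpaintsnepal.com/": "https://cdn.example-partner.net/assets/",
}


def demo():
    """Run the audit against the constructed data above (no network)."""
    subs = ["beta.bathsense.asianpaintsnepal.com", "www.asianpaintsnepal.com",
            "shop.asianpaintsnepal.com", "cdn.asianpaintsnepal.com",
            "old.asianpaintsnepal.com"]
    return audit(subs, resolves=lambda h: FAKE_DNS.get(h, False),
                 http_location=lambda url: FAKE_HTTP.get(url))


if __name__ == "__main__":
    hosts = sys.argv[1:]
    results = audit(hosts) if hosts else demo()   # live probe only when hosts given
    for f in results:
        print("%-40s %-18s %s" % (f["subdomain"], f["state"], f["target"] or ""))
```

Run it with no arguments for the offline demo, or pass subdomain names to probe live. A dangling-target result means the redirect leaves the organisation's own domain for a name that does not resolve; whether that name is actually available for registration must be confirmed with the registry before it is treated as a takeover.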