Powered by MOMENTUMMEDIA
Security researchers are finding abandoned subdomains on Australian government websites that could be hijacked without breaching the main domain. The same risk is quietly growing across the private sector.
When Canva narrowly avoided a subdomain hijack last year, it was seen as a timely reminder that even high-growth tech companies can lose track of their digital assets. A researcher had discovered that a retired Canva subdomain was still pointing to an unused AWS bucket, a common misstep that could have allowed an attacker to quietly host malicious content under the company’s own domain.
The issue was fixed quickly. But across Australia’s public sector, similar vulnerabilities are sitting unresolved, and far more quietly.
Security researchers have recently flagged dozens of subdomains on government and council websites that appear to be abandoned but still active in DNS. Some are linked to old staging environments or long-retired microsites. Others resolve to empty IPs or return server errors, but still carry valid SSL certificates and the visual authority of *.gov.au domains.
In several cases, these subdomains are pointing to services no longer in use - a setup that creates the perfect conditions for hijacking, where attackers can claim the underlying hosting and serve malicious content under a trusted government banner. There’s no breach required. Just a broken link between DNS and forgotten infrastructure.
Attackers know where to look
Subdomain hijacking isn’t a new tactic, but it’s become more methodical. Tools for discovering dangling DNS records are widely available, and attackers know exactly what to look for: forgotten links between a live domain and a decommissioned service. When a government department retires an app or vendor site without fully cleaning up the DNS, the subdomain often remains active, just waiting to be reclaimed.
The real danger lies in perception. A functioning subdomain on a *.gov.au address carries weight. If it loads a phishing page, most users won’t question its legitimacy. Even browser-level trust signals, like HTTPS and a valid certificate, can remain in place. To the average citizen, it’s indistinguishable from a real government site.
Researchers analysing the DNS configurations of regional councils in Victoria and New South Wales have found subdomains linked to platforms like WordPress, NationBuilder, and various third-party survey and CRM tools, all pointing to infrastructure that no longer exists. While not all are actively hijacked, many meet the exact conditions required for takeover.
These findings echo earlier reports from the private sector, most notably Canva’s brush with a similar issue. The company’s press.canva.com subdomain was discovered to be pointing to an unused AWS bucket. Had it been claimed by an attacker, it could have served malware or hosted credential-harvesting pages under the Canva brand, all without triggering immediate detection.

Subdomain hijacks rarely make noise
One of the reasons these vulnerabilities persist is their silence. A hijacked subdomain doesn’t announce itself. It often sits undisturbed, used for highly targeted attacks or embedded quietly in phishing kits. Because the core domain isn’t compromised, defenders may never see an alert. Traffic to the subdomain might not even be monitored.
This makes it an ideal tool for attackers looking to exploit public trust. Subdomain hijacking has been used in real-world campaigns to mimic login pages, distribute fake tax tools, and collect personal data. In some cases, compromised subdomains have even been indexed by Google, giving malicious sites organic traffic through search.
Despite this, domain and DNS hygiene remains an overlooked aspect of cybersecurity planning, particularly in organisations with large, distributed digital footprints. Government agencies, councils, and even schools often rely on external developers or platform vendors to manage web infrastructure. When those relationships end, legacy records are rarely reviewed.
The overlooked layer in digital asset management
This is where the security conversation starts to overlap with what’s often treated as routine admin. Subdomain management, DNS visibility, and business domain registration are all part of the same surface area — but they're frequently split across departments or outsourced completely.
In many cases, the organisation that owns the domain no longer has full visibility into where its subdomains point, or whether they're still connected to active services. Without central control and regular auditing, it’s easy for these entry points to multiply unnoticed.
That’s starting to shift. Some providers now offer tools that alert users when DNS records change, subdomains return errors, or assets are misconfigured — giving businesses a clearer picture of what infrastructure is still exposed. Built-in expiry tracking, change notifications, and domain-level locking are becoming more common, especially among Australian-based registrars focused on long-term account security.
Analysts say this blind spot is increasingly being targeted because it's easy to exploit and hard to detect. A quick scan of public DNS records can reveal hundreds of potentially vulnerable subdomains. Only a fraction are being monitored closely.
Who’s responsible for cleaning this up?
The problem is rarely about malicious intent — it’s almost always operational oversight. Projects get shelved, teams change, vendors move on. But the DNS entries linger, and so does the risk.
Security teams tasked with defending core systems are often unaware that ghost infrastructure even exists. In the public sector, website management is frequently decentralised, especially across smaller councils and regional agencies. That makes coordinated reviews difficult, even when vulnerabilities are reported.
There are tools designed to detect dangling DNS records and subdomain vulnerabilities, but uptake remains low outside of large enterprises. For most organisations, the cost of inaction isn’t visible until something goes wrong.
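A minimal version of such an audit, run by a domain owner over an export of its own zone, is sketched below as an added example; it is not code from the article or from any tool it mentions. The zone lines, hostnames, asset inventory and provider suffix list are constructed for illustration, and the resolver is injectable so the sample runs offline.

```python
import socket

# Illustrative suffixes for third-party hosting named in the article (not exhaustive).
THIRD_PARTY_SUFFIXES = (".s3.amazonaws.com", ".wordpress.com", ".nationbuilder.com")

def parse_zone(text):
    """Yield (name, rtype, target) from simple 'name TTL IN TYPE value' lines."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0].rstrip(".").lower(), fields[3].upper(), fields[4].rstrip(".").lower()

def system_resolves(host):
    """Default resolver check; needs network access."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, active_targets, resolves=system_resolves):
    """Return findings for CNAMEs that point at missing or unowned infrastructure."""
    active = {t.rstrip(".").lower() for t in active_targets}
    findings = []
    for name, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME":
            continue
        if not resolves(target):
            findings.append((name, target, "DANGLING: target does not resolve"))
        elif target.endswith(THIRD_PARTY_SUFFIXES) and target not in active:
            findings.append((name, target, "REVIEW: third-party target not in asset inventory"))
    return findings

# Constructed sample data: zone export, asset inventory and resolver answers.
SAMPLE_ZONE = """
www.council.example.      3600 IN A     192.0.2.10
survey.council.example.   3600 IN CNAME council-survey.oldvendor.example.  ; vendor contract ended
press.council.example.    3600 IN CNAME council-press.s3.amazonaws.com.
events.council.example.   3600 IN CNAME councilevents.nationbuilder.com.
"""
SAMPLE_ACTIVE = {"councilevents.nationbuilder.com"}
SAMPLE_LIVE = {"council-press.s3.amazonaws.com", "councilevents.nationbuilder.com"}

def demo():
    return audit(SAMPLE_ZONE, SAMPLE_ACTIVE, resolves=lambda h: h in SAMPLE_LIVE)

if __name__ == "__main__":
    for name, target, reason in demo():
        print(f"{name} -> {target}: {reason}")
```

The inventory comparison matters because a hosting provider's hostname can keep resolving after the resource behind it has been retired, so a resolution check alone would pass the `press` record in the sample.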
A quiet but growing risk
As more government services go online and more campaigns rely on third-party platforms, the number of subdomains continues to grow. Not all of them are cleaned up. Not all of them are checked. And in a threat landscape where trust is currency, that’s a dangerous gap.
Researchers who have flagged these issues aren’t calling for restrictions on domain use or tighter controls on digital expansion, just more awareness. Regular DNS audits. Centralised visibility. And clear offboarding processes for web infrastructure.
The tools exist. The vulnerabilities are predictable. What’s missing is attention.