Letting accounts or domains expire

Introduction

This vulnerability type is an easy trap to fall into. Companies need a domain and sometimes accounts at third-party providers such as payment service providers. None of these services are free, and companies will often opt to pay yearly because that comes with a discount. However, if the company's payment details change and nobody remembers to update them, the automatic renewal will fail. This is especially easy to forget for domains and accounts that are not used often.

The biggest risk is that a bad actor could come in and swipe up these domains and accounts. Funnily enough, we recently had a very close call with this vulnerability type at one particular organisation, and it was not a small one either: it was a country!

https://techcrunch.com/2021/01/15/congo-comandeered/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAGXUTd77CX3lROPQRLIRUzT9Op6EcL75x5dkasj53XTgSrZa0wPzTFmd4KN3ufvsWnUuiObF5nGnbaPg2dtaIxLuSe5mk_TYOYRufComoLQwTCLR1J8VPusRDYLoLtOsB_M5TDE-Uyqh7Dw7QAQWL_nRLSIPmDXnlKIGO8NsQFEx

How to test for it

Domains

There are more examples to be found, and this can be a good issue type to look for. Here is a strategy, but make sure you design and follow your own.

First of all, you won't see this on any often-used domain or obvious functionality. If you are working with a website where you can log in, try every single area; if you can't log in, try to do the same, but of course you will get fewer results most of the time since you are working at the surface level. Look for all links you can find and, while you are at it, report links to 3rd-party providers or partners that are up for sale (for example, if your local theme park links to a hotel but the hotel website does not exist anymore). Do this for every subdomain you have. If you see any links to websites that also belong to your target and they are expired, report it and do not buy the domain.

If your target allows testing any website that belongs to its organisation, you can often find more links via certificate lookups on the organisation's name. Any domain with a certificate that belongs to the same organisation might be in scope, but be careful: it isn't always the case, as the target's certificate might just cover a small part of another organisation's domains.

Mail servers

Another really important thing we need to pay attention to is expired mail server domains. An attacker can simply buy the expired domain, set up an email server and analyse the incoming spam to gain sensitive information such as usernames. This does not only apply to our own mail servers that have a domain; it is also important to check mail servers used by the application that are not hosted by the organisation, as they might also move domains or simply stop operating. Of course Gmail will not stop any time soon, but smaller mail services might.

Integrations

If our targets integrate with other services (like maps.google.com) and the service stops using that domain, an attacker can buy that domain and receive the communications, so when testing make sure you also check any outgoing calls to 3rd-party services.

Google.com might not be in our scope, but if our target communicates with it, we need to know, and we need to check whether the domain is available to buy.
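The three checks above (links on the site, mail server domains, and outgoing calls to 3rd-party services) are all the same job: build an inventory of every external domain the application depends on, then find the ones that no longer resolve so they can be confirmed at the registrar and reported before anyone else registers them. The script below is an added example and is not code from the original post; the HTML page, MX records and outbound-call log lines in it are constructed, the hostnames are fictitious, and the resolver check is a plain DNS lookup that the caller can swap out. It uses a naive "last two labels" rule for the registrable domain, which is an assumption that breaks for names like example.co.uk; use the Public Suffix List in real use.

```python
"""Inventory the external domains an application depends on and flag the ones
that no longer resolve, so they can be checked at the registrar.

Added example, not from the original post. All sample data below is
constructed and the hostnames are fictitious."""
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a target site linking to a partner, a CDN and a maps vendor.
SAMPLE_HTML = """
<html><body>
<a href="https://www.example-park.test/tickets">Tickets</a>
<a href="https://partner-hotel-old.test/book">Stay at our partner hotel</a>
<script src="https://cdn.widgets-vendor.test/embed.js"></script>
<script src="https://maps.mapprovider.test/api.js"></script>
</body></html>
"""

# Constructed MX answers for the target's own domain (mail hosted by a 3rd party).
SAMPLE_MX_RECORDS = {
    "example-park.test": ["mx1.relay-provider.test.", "mx2.relay-provider.test."],
}

# Constructed outbound request log from the application's servers.
SAMPLE_OUTBOUND_LOG = """
2021-03-01T10:00:00Z POST https://api.paymentgateway.test/v1/charge 200
2021-03-01T10:00:05Z GET https://old-sms-vendor.test/send?to=REDACTED 502
"""


class LinkCollector(HTMLParser):
    """Collect every href/src value on a page (links, scripts, images, iframes)."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def hosts_from_html(html):
    """Hostnames referenced by a page; relative links have no host and are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


URL_RE = re.compile(r"https?://[^\s/]+")


def hosts_from_log(log_text):
    """Hostnames of outgoing calls, taken from an outbound request log."""
    return {urlparse(m.group(0)).hostname.lower() for m in URL_RE.finditer(log_text)}


def hosts_from_mx(mx_records):
    """Mail exchanger hostnames, with the trailing dot of DNS names removed."""
    return {h.rstrip(".").lower() for hosts in mx_records.values() for h in hosts}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: fine for .com-style names; use the Public Suffix List for
    names such as example.co.uk."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolves(domain):
    """True if DNS returns any address for the domain, False on a lookup failure."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(own_domains, html, mx_records, log_text, resolve=resolves):
    """Return (dependencies, flagged): dependencies is the set of external
    registrable domains; flagged is the subset that did not resolve."""
    observed = hosts_from_html(html) | hosts_from_mx(mx_records) | hosts_from_log(log_text)
    dependencies = {registrable_domain(h) for h in observed} - set(own_domains)
    flagged = {d for d in dependencies if not resolve(d)}
    return dependencies, flagged


if __name__ == "__main__":
    deps, flagged = audit(["example-park.test"], SAMPLE_HTML,
                          SAMPLE_MX_RECORDS, SAMPLE_OUTBOUND_LOG)
    for d in sorted(deps):
        print(("CHECK AT REGISTRAR  " if d in flagged else "resolves            ") + d)
```

A domain on the flagged list is a lead, not a finding: DNS can fail for reasons other than expiry, and a domain that does resolve may already have been picked up and parked by someone else. Confirm the registration status at the registrar (or via RDAP/WHOIS) and, as the post says, report it rather than buying it.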

Impact

The biggest problem is that once an attacker has bought a domain, the organisation can't do much except pay however much the attacker wants. Even if you did cover yourself very well and have the correct documentation, it could take a while before you have the domain back. You do not want to send a mail to your users telling them you were hacked and that they should immediately change the email address they used to sign up to every website they used your email service on, I am sure of that.

Buffer overflow

..