Security researchers have detailed how shadow domains are becoming increasingly popular with cybercriminals.
As reported by Bleeping Computer, analysts at Palo Alto Networks (Unit 42) revealed how they encountered more than 12,000 such incidents in just a three-month period (April to June 2022).
An offshoot of DNS hijacking, domain shadowing lets attackers create malicious subdomains by infiltrating legitimate domains. The shadow subdomains leave the main domain's operation untouched, which naturally makes them difficult to detect.
Cybercriminals can then use these subdomains to their advantage for various purposes, including phishing, malware distribution, and command and control (C2) operations.
“We conclude from these results that domain shadowing is an active threat to the enterprise, and is difficult to detect without leveraging automated machine learning algorithms that can analyze large numbers of DNS records,” Unit 42 stated.
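A simplified illustration of the kind of DNS-record analysis the quote refers to, added here as an example and not Unit 42's model or code: it groups passive-DNS-style A records by registered domain and scores each subdomain on whether it resolves outside the apex's network, appeared long after the apex, carries a credential-lure keyword, or has a machine-generated-looking label. The records, weights, threshold and keyword list are all constructed for the example.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed passive-DNS-style A records (not real data): the apex and its old hosts share one
# /24, while two subdomains appeared years later on an unrelated network, the footprint of shadowing.
DNS_RECORDS = [
    {"name": "example-training.com", "ip": "203.0.113.10", "first_seen": "2019-03-01"},
    {"name": "www.example-training.com", "ip": "203.0.113.10", "first_seen": "2019-03-01"},
    {"name": "mail.example-training.com", "ip": "203.0.113.25", "first_seen": "2019-03-02"},
    {"name": "login-microsoft.example-training.com", "ip": "198.51.100.77", "first_seen": "2022-05-14"},
    {"name": "x7q2k9pd.example-training.com", "ip": "198.51.100.78", "first_seen": "2022-05-14"},
    {"name": "example-store.org", "ip": "192.0.2.40", "first_seen": "2020-01-10"},
    {"name": "shop.example-store.org", "ip": "192.0.2.41", "first_seen": "2021-06-01"},
]
LURE_WORDS = ("login", "signin", "account", "secure", "verify", "microsoft", "office")

def apex_of(name):
    # Simplification: last two labels are the registered domain; real code should use the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def network_of(ip):
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def score_subdomain(rec, apex_rec, baseline_nets):
    # Each check contributes a weight and a reason; weights are illustrative, not tuned.
    label = rec["name"].split(".")[0]
    gap = (date.fromisoformat(rec["first_seen"]) - date.fromisoformat(apex_rec["first_seen"])).days
    checks = [
        (network_of(rec["ip"]) not in baseline_nets, 2, "off-network"),
        (gap > 365, 1, "created long after apex"),
        (any(w in label for w in LURE_WORDS), 1, "lure keyword"),
        (sum(c.isdigit() for c in label) / len(label) >= 0.3, 1, "random-looking label"),
    ]
    reasons = [why for hit, _, why in checks if hit]
    return sum(w for hit, w, _ in checks if hit), reasons

def find_shadow_candidates(records, threshold=3):
    # Baseline networks come from the apex and www records; subdomains are scored against them.
    apex_recs = {r["name"]: r for r in records if r["name"] == apex_of(r["name"])}
    by_apex = defaultdict(list)
    for r in records:
        by_apex[apex_of(r["name"])].append(r)
    flagged = {}
    for apex, apex_rec in apex_recs.items():
        baseline = {network_of(r["ip"]) for r in by_apex[apex] if r["name"] in (apex, "www." + apex)}
        for r in by_apex[apex]:
            if r["name"] != apex:
                s, why = score_subdomain(r, apex_rec, baseline)
                if s >= threshold:
                    flagged[r["name"]] = why
    return flagged
```

Note that the legitimate but late-created shop.example-store.org is not flagged, because it stays on the apex's network and trips only the age check.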
Once threat actors have gained access, they could attack the primary domain and its owners directly, as well as users of that website. Instead, they have had more success luring victims through subdomains, and relying on this method lets attackers remain undetected for much longer.
Because domain shadowing is so subtle, Unit 42 noted that it is difficult to detect real incidents and identify compromised domains.
In fact, the VirusTotal platform identified only 200 malicious domains out of the 12,197 domains mentioned in the report. Most of these cases relate to a single phishing campaign using a network of 649 shadow domains across 16 compromised websites.
The phishing campaign revealed how the aforementioned subdomains displayed fake login pages or redirected users to phishing pages, which can essentially bypass email security filters.
When a user visits the subdomain, the page asks for Microsoft account credentials. Although the URL is not an official Microsoft address, internet security tools fail to distinguish the fake login page from a legitimate one, and no warnings are shown.
In one case documented in the report, an Australia-based training company confirmed to its users that it had been hacked, but the damage through the shadow subdomains had already been done; its website displayed a progress bar for the rebuild process.
Currently, Unit 42’s “high-precision machine learning model” has discovered hundreds of shadow domains created daily. With this in mind, always double-check the URL of any website that requests data from you, even if the address is hosted on a trusted domain.
Source: www.digitaltrends.com