Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of ‘domain shadowing’ might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022.
Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.
These subdomains are then used to create malicious pages on the cybercriminals’ servers while the domain owner’s site’s web pages and DNS records remain unchanged, and the owners don’t realize they have been breached.
In the meantime, the threat actors are free to host C2 (command and control) addresses, phishing sites, and malware-dropping points, abusing the good reputation of the hijacked domain to bypass security checks.
The attackers can theoretically change the DNS records to target users and owners of the compromised domains, but they typically prefer to take the stealthy path described above.
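The defining trait described above, that legitimate records stay intact while newly created subdomains point somewhere else, is also the signal a defender can look for. The following Python script is an added example (not Unit 42's detector or any code from the original report): it compares a snapshot of a zone's known A records against later passive-DNS observations and flags new names that resolve outside every network the zone already uses. The domain, addresses and the /24 heuristic are constructed assumptions for illustration.

```python
"""Flag domain-shadowing candidates: new subdomains on foreign infrastructure.

Heuristic (assumption): a hijacker leaves the existing records alone and adds
subdomains that resolve to infrastructure the zone has never used before.
A new name outside every network the known records use is a candidate.
"""
import ipaddress

# Constructed snapshot of a zone's known-good A records (hypothetical values).
KNOWN_ZONE = {
    "example.com.": "198.51.100.10",
    "www.example.com.": "198.51.100.10",
    "mail.example.com.": "198.51.100.25",
}

# Constructed passive-DNS observations collected later (hypothetical values).
OBSERVED = {
    "example.com.": "198.51.100.10",
    "www.example.com.": "198.51.100.10",
    "mail.example.com.": "198.51.100.25",
    "cdn.example.com.": "198.51.100.40",             # new, same network
    "login-secure.example.com.": "203.0.113.77",     # new, foreign network
    "account.verify.example.com.": "203.0.113.78",   # new, foreign network
}


def trusted_networks(known, prefix_len=24):
    """Collapse the addresses of the known records into /prefix_len networks."""
    nets = set()
    for addr in known.values():
        nets.add(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))
    return nets


def in_trusted(addr, nets):
    """True if addr falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def analyze(known, observed, prefix_len=24):
    """Classify every observed name against the snapshot.

    Returns a dict with three sorted lists:
      modified     - known names whose address changed (classic DNS hijack)
      new_trusted  - new names inside networks the zone already uses
      new_suspect  - new names outside those networks (shadowing candidates)
    """
    nets = trusted_networks(known, prefix_len)
    result = {"modified": [], "new_trusted": [], "new_suspect": []}
    for name, addr in sorted(observed.items()):
        if name in known:
            if known[name] != addr:
                result["modified"].append(name)
        elif in_trusted(addr, nets):
            result["new_trusted"].append(name)
        else:
            result["new_suspect"].append(name)
    return result


if __name__ == "__main__":
    report = analyze(KNOWN_ZONE, OBSERVED)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The "new_suspect" bucket is a triage queue, not a verdict: a legitimate new service hosted with a third party lands there too, so the owner should confirm each name against change records. The "modified" bucket stays empty in a pure shadowing case, which is exactly why monitoring only the existing records misses this technique.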
Hard to detect
Unit 42 explains that detecting real cases of domain shadowing is particularly challenging, which makes the tactic so alluring for the perpetrators.
The analysts mention that VirusTotal marked only 200 domains as malicious out of the 12,197 domains Palo Alto’s detectors uncovered.
Most (151) of the VirusTotal detections were related to a single phishing campaign using a network of 649 shadowed domains on 16 compromised websites.
Furthermore, phishing pages hosted on domains with a good reputation would appear trustworthy to a visitor, making them more likely to submit data on the page.
Shadowing phishing campaign
The phishing campaign discovered by Palo Alto’s researchers compromised 16 domains to create 649 subdomains, hosting bogus login pages or redirection points to phishing pages.
The subdomains that redirect to the phishing sites can easily bypass email security filters as they don’t host anything malicious and have a benign reputation.
The threat actors target Microsoft account credentials, and while the URL is clearly not related to Microsoft, it won’t trigger warnings from internet security tools.
In one case, the domain owners realized the compromise, but not before numerous subdomains had been created and facilitated malicious operations on their infrastructure.
While protection from rogue subdomains is the responsibility of domain owners, registrars, and DNS service providers, it would be prudent for users to always be wary when submitting data.
This includes being aware that a subdomain of a well-known domain can be malicious, and double-checking everything before submitting credentials or other sensitive information.