Saturday, October 1

Hackers and malware may be on your favorite website | Digital Trends Spanish

Security researchers have detailed how domain shadowing is becoming increasingly popular among cybercriminals.

As reported by Bleeping Computer, Palo Alto Networks analysts (Unit 42) revealed that they found more than 12,000 such incidents in just a three-month period (April to June 2022).


An offshoot of DNS hijacking, domain shadowing lets attackers create malicious subdomains under a legitimate domain by compromising its DNS configuration. Because the shadow subdomains leave the main domain's own records and website untouched, the owner notices no disruption, which naturally makes them difficult to detect.

Cybercriminals can then use these subdomains to their advantage for various purposes, including phishing, malware distribution, and command and control (C2) operations.

“We conclude from these results that domain shadowing is an active threat to the enterprise, and is difficult to detect without leveraging automated machine learning algorithms that can analyze large numbers of DNS records,” Unit 42 said.
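To make the detection idea concrete, here is an added example (not code from Unit 42 or from the report) of a simple heuristic run over constructed passive-DNS records. It flags subdomains that appear long after the rest of the zone and resolve to an IP address the apex and www records never used, which is the basic signal behind domain shadowing. The sample records, domain names, IPs and dates are all invented for the example; the registrable-domain helper assumes a two-label suffix, which real code would replace with the Public Suffix List.

```python
from collections import defaultdict
from datetime import date

# Constructed sample passive-DNS records: (name, record type, value, first-seen date).
# Invented for this example; not data from the Unit 42 report.
SAMPLE_RECORDS = [
    ("example-training.com", "A", "203.0.113.10", date(2019, 3, 2)),
    ("www.example-training.com", "A", "203.0.113.10", date(2019, 3, 2)),
    ("mail.example-training.com", "A", "203.0.113.11", date(2019, 3, 2)),
    # Two subdomains that appear years later and point somewhere new:
    ("login-ms.example-training.com", "A", "198.51.100.77", date(2022, 5, 14)),
    ("secure-office.example-training.com", "A", "198.51.100.77", date(2022, 5, 14)),
    ("cdn.example-training.com", "CNAME", "d111.cloudfront.example.net", date(2021, 1, 9)),
    ("example.org", "A", "192.0.2.5", date(2020, 6, 1)),
    ("shop.example.org", "A", "192.0.2.5", date(2020, 6, 1)),
]


def registrable_domain(name):
    """Return the registrable (apex) domain of a hostname.

    Assumption: the last two labels form the registrable domain. Production
    code should consult the Public Suffix List so that e.g. 'foo.co.uk' works.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed_subdomains(records, min_age_gap_days=180):
    """Heuristically flag subdomains that look like domain shadowing.

    A subdomain is flagged when both hold:
      * its A record points to an IP never used by the zone's apex or www name, and
      * it was first seen at least `min_age_gap_days` after the zone's oldest record.

    Returns a list of (name, ip, days_after_zone_first_seen), sorted by name.
    """
    zones = defaultdict(list)
    for name, rtype, value, first_seen in records:
        zones[registrable_domain(name)].append((name.lower(), rtype, value, first_seen))

    flagged = []
    for apex, zone_records in zones.items():
        baseline_names = {apex, "www." + apex}
        baseline_ips = {v for n, t, v, _ in zone_records if t == "A" and n in baseline_names}
        zone_first_seen = min(fs for _, _, _, fs in zone_records)

        for name, rtype, value, first_seen in zone_records:
            if rtype != "A" or name in baseline_names:
                continue  # only A records of non-apex names are candidates
            age_gap = (first_seen - zone_first_seen).days
            if value not in baseline_ips and age_gap >= min_age_gap_days:
                flagged.append((name, value, age_gap))

    return sorted(flagged)


if __name__ == "__main__":
    for name, ip, gap in find_shadowed_subdomains(SAMPLE_RECORDS):
        print(f"suspect shadowed subdomain: {name} -> {ip} (first seen {gap} days after zone)")
```

In the sample data, mail.example-training.com uses a new IP but is as old as the zone, and shop.example.org is newer-looking only because the whole zone is, so neither is flagged; the two Microsoft-themed names that appeared years later on an unrelated address are. Real detection adds more signals (registrar account changes, certificate transparency logs, hosting reputation), which is why Unit 42 relies on a machine learning model rather than a single rule.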

Once threat actors have gained access, they could choose to attack the main domain itself and its owners, as well as target users of that website. In practice, however, they have been more successful at luring victims through the subdomains, and attackers remain undetected for much longer by relying on this method.

Due to the subtle nature of domain shadowing, Unit 42 mentioned how it is difficult to detect real incidents and compromised domains.

In fact, VirusTotal flagged only 200 of the 12,197 domains mentioned in the report as malicious. Most of those cases are connected to a single phishing campaign that used a network of 649 shadowed domains across 16 compromised websites.


The phishing campaign showed how the subdomains displayed fake login pages or redirected users to phishing pages, which can effectively bypass email security filters because the links point at an established, reputable domain.

When a user visits the subdomain, it asks for Microsoft account credentials. Even though the URL is not an official Microsoft address, internet security tools fail to distinguish the fake login page from a legitimate one, and no warnings are shown.

One case documented in the report involved an Australia-based training company, which confirmed that its users had been hacked; by then the damage had already been done through the subdomains. Its website displayed a progress bar for the rebuild process.

Unit 42’s “high-precision machine learning model” currently discovers hundreds of shadowed domains created every day. With this in mind, always check the full URL of any site that asks you for data, even when the address sits under a trusted domain.
