Cybersecurity researchers found that between April and June this year, domain shadowing had become one of the most prevalent malicious techniques observed in the wild: a recent web scan turned up about 12,197 cases of it.
By definition, domain shadowing is a malicious technique that hackers use to avoid being detected by security analysis.
It is a subcategory of DNS hijacking in which attackers take over a domain owner's DNS or registrar account and use it to create many subdomains under the legitimate domain, which then serve as cover for the malicious activity they are about to deploy. Because only new subdomain records are added, the attackers do not need to modify the domain's existing DNS entries, which helps keep their activity hidden and lets them use the victim's infrastructure quietly.
The threat actors could execute several other attack methods using domain shadowing.
Aside from hiding their activities, threat actors can host C2 servers, phishing sites, and malware-dropping locations on the shadowed subdomains. For researchers, spotting these domain shadowing attacks is a real challenge because of their nature, which is what makes the method attractive to criminals for their campaigns.
Furthermore, based on the recent web scan they conducted to detect these malicious domains, the researchers concluded that domain shadowing has become an active threat to organisations. They also note how difficult it is to detect the malicious subdomains without automated machine learning algorithms to help analyse massive volumes of DNS logs.
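As an illustration of the kind of DNS-log analysis described above, here is an added example (not from the researchers' own tooling) that flags a registered domain when a burst of newly seen subdomains resolves to addresses different from the domain's own apex hosting. The passive-DNS style records, the domain names and the IP addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (fqdn, first_seen, resolved_ip).
# "example-good.com" plays a hypothetical compromised domain: its apex keeps
# its legitimate address while a burst of fresh subdomains points elsewhere.
RECORDS = [
    ("example-good.com", "2022-05-01T08:00:00", "203.0.113.10"),
    ("www.example-good.com", "2022-05-01T08:00:00", "203.0.113.10"),
    ("login-secure.example-good.com", "2022-05-20T02:11:00", "198.51.100.7"),
    ("account-verify.example-good.com", "2022-05-20T02:14:00", "198.51.100.7"),
    ("mail-update.example-good.com", "2022-05-20T02:20:00", "198.51.100.8"),
    ("docs-share.example-good.com", "2022-05-20T03:05:00", "198.51.100.7"),
    ("example-clean.org", "2022-05-01T09:00:00", "203.0.113.50"),
    ("blog.example-clean.org", "2022-05-10T09:00:00", "203.0.113.50"),
]


def registered_domain(fqdn):
    # Simplification: last two labels. Production code should use a public suffix list.
    return ".".join(fqdn.split(".")[-2:])


def find_shadowed_domains(records, window_hours=24, min_new_subdomains=3):
    """Return {registered_domain: [suspicious subdomains]} for burst-like activity."""
    by_domain = defaultdict(list)
    apex_ips = defaultdict(set)
    for fqdn, seen, ip in records:
        rd = registered_domain(fqdn)
        ts = datetime.fromisoformat(seen)
        if fqdn == rd or fqdn == "www." + rd:
            apex_ips[rd].add(ip)          # the domain's known legitimate hosting
        else:
            by_domain[rd].append((ts, fqdn, ip))
    findings = {}
    for rd, subs in by_domain.items():
        subs.sort()
        legit = apex_ips[rd]
        # Sliding window: new subdomains, first seen close together, that resolve
        # away from the apex hosting are the domain shadowing signature.
        for i, (start, _, _) in enumerate(subs):
            burst = [s for s in subs[i:]
                     if s[0] - start <= timedelta(hours=window_hours) and s[2] not in legit]
            if len(burst) >= min_new_subdomains:
                findings[rd] = sorted({s[1] for s in burst})
                break
    return findings


if __name__ == "__main__":
    for domain, subs in find_shadowed_domains(RECORDS).items():
        print(domain, "->", ", ".join(subs))
```

The thresholds are deliberately simple; in practice they would be tuned against a baseline of how often each domain legitimately adds subdomains.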
For phishing attacks, threat actors have grown more confident that domain shadowing helps lure victims who trust websites with good reputations. In a separate study, security experts detected about 16 compromised domains that had been used to create about 600 subdomains hosting fake login pages or redirecting to phishing sites.
Additionally, because these subdomains sit under domains with a good reputation, the phishing sites can more easily evade email security protections. And even if the domain owners notice that they have been compromised, it may be too late, since numerous subdomains have already been created to host malicious operations within their infrastructure.
Security experts note that domain owners and users are responsible for ensuring their safety in the cyber landscape. Domain owners must establish strong security measures to protect their environment from hackers. On the other hand, users are advised to stay cautious against phishing attempts intending to steal their data.