
Cybercriminals are increasingly using domain shadowing, a form of domain name system (DNS) hijacking, according to a new report from Palo Alto Networks Unit 42.

Domain shadowing is a subcategory of DNS hijacking, an attack on the system that translates domain names to IP addresses (essentially the internet's phone book). In domain shadowing, attackers gain control of a legitimate domain's DNS, usually by compromising the owner's registrar or DNS-provider account, and add their own subdomain records pointing at infrastructure they control. The existing records are left untouched, so the domain keeps working normally and the owner has no reason to suspect anything.

Cybercriminals use domain shadowing to host malicious websites, such as those used in phishing attacks, scams or malware distribution. 

Domains that attackers register themselves to host such sites are usually identified as malicious quickly, and security controls such as firewalls and web filters can then easily block attempts to reach them. To reduce the chance of being flagged, attackers instead host their content on subdomains of legitimate organisations' domains, which inherit the parent domain's good reputation.

Palo Alto Networks researchers detected over 12,000 shadowed domains between April and June 2022, yet only around 200 of them had been marked as malicious by any vendor on VirusTotal, which shows how effectively a shadowed domain lets malicious content evade detection.

The researchers shared examples of phishing attacks that used domain shadowing, highlighting how easily a compromised domain can extend cybercriminals' reach.

They also noted one phishing campaign that used 16 compromised domains to host more than 600 shadowed domains.

Example of a phishing attack using a shadowed domain. Source: https://unit42.paloaltonetworks.com/domain-shadowing/#post-125143-_h5ug1nibxin7

Because of the difficulty detecting shadowed domains, Palo Alto Networks emphasised that the phenomenon is an active threat to enterprises.

Prevention:

Domain shadowing relies on attackers obtaining write access to a domain's DNS records, usually through the registrar or DNS-provider account that manages them. The best way to prevent your domain from being used to host malicious subdomains is therefore to protect that access, and any DNS servers you run yourself, with the following practices:

  • Keep access to your DNS management tightly restricted. Use dedicated administrator accounts that are used for nothing else, give each administrator their own account rather than sharing one, and put a firewall and strict network controls in front of any DNS server you run yourself. Where the registrar or DNS provider supports it, restrict access to an allowlist of IP addresses and enable audit logging of record changes so that an unexpected new subdomain is noticed.
  • Patch known vulnerabilities immediately. Subscribe to the security advisories of your DNS server's software and hardware vendors so you know as soon as a security update is released.
  • Lock your domain at the registrar and the registry. Most registrars offer a client lock (the clientUpdateProhibited, clientTransferProhibited and clientDeleteProhibited status codes), and many registries offer a registry lock on top, which requires out-of-band verification before nameserver or registrant changes are accepted. Note that these locks protect the domain's delegation and registration data, not the records inside its zone: an attacker who gets into your DNS-hosting account can still add subdomains, so locks complement rather than replace the access controls above.
  • Use good password hygiene and two-factor authentication. Use a unique, randomly generated password for each registrar and DNS-provider account, keep it in a password manager, and enable two-factor authentication (preferably a hardware key or authenticator app rather than SMS) on every account that can change DNS records.
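The other half of these controls is checking your own zone for records you did not create. The Python script below is an added example, not code from the article or from Unit 42. It applies the pattern described above (shadowed subdomains are new hostnames, typically with short TTLs, pointing at address space the domain owner does not control) to a zone export. It assumes you can export the zone in BIND format, which most registrars and DNS providers allow, and that you maintain a baseline of the hostnames you knowingly publish and the IP ranges you own. The zone, hostnames and addresses are constructed sample data using documentation address ranges.

```python
"""Audit a zone export for records that look like domain shadowing.

Added example, not from the article or Unit 42. Assumes a BIND-format zone
export, a baseline of hostnames you knowingly publish, and the IP ranges you
own. All data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed zone export for a hypothetical domain. The three 300-second
# records at the end show the pattern described in the report: hostnames the
# owner never created, pointing at infrastructure outside the owner's ranges.
SAMPLE_ZONE = """\
$ORIGIN example-corp.test.
$TTL 3600
@               IN  A     198.51.100.10
www             IN  A     198.51.100.10
mail            IN  A     198.51.100.25
@               IN  MX 10 mail          ; not an A record, ignored by the parser
login-secure    300 IN A  203.0.113.77  ; attacker-added (constructed)
account-verify  300 IN A  203.0.113.77  ; attacker-added (constructed)
cdn-update      300 IN A  203.0.113.78  ; attacker-added (constructed)
"""

# Hostnames the organisation knowingly publishes (constructed baseline).
EXPECTED_HOSTS = {"@", "www", "mail"}
# Address space the organisation owns (constructed).
OWNED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class ARecord:
    name: str           # owner name relative to $ORIGIN, "@" for the apex
    ttl: Optional[int]  # explicit TTL, or the zone's $TTL default
    ip: IPAddress


# name [ttl] [IN] A|AAAA rdata  (TTL and class are both optional in zone files)
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?:A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_a_records(zone_text: str) -> List[ARecord]:
    """Return the A/AAAA records in a BIND-style zone; other types are skipped."""
    records: List[ARecord] = []
    default_ttl: Optional[int] = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):              # $ORIGIN and other directives
            continue
        match = A_RECORD.match(line)
        if match is None:
            continue
        ttl = int(match["ttl"]) if match["ttl"] else default_ttl
        records.append(ARecord(match["name"], ttl, ipaddress.ip_address(match["rdata"])))
    return records


def find_shadowed(
    records: List[ARecord],
    expected_hosts: set,
    owned_networks: list,
    low_ttl: int = 600,
) -> List[Tuple[str, List[str]]]:
    """Flag records matching the shadowing pattern.

    A record is reported when its hostname is not in the baseline or it points
    outside the owned address space. A low TTL (attackers keep it short so they
    can repoint quickly) is added as supporting evidence, never on its own.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec.name not in expected_hosts:
            reasons.append("hostname not in baseline")
        if not any(rec.ip in net for net in owned_networks):
            reasons.append(f"points to non-owned address {rec.ip}")
        if reasons:
            if rec.ttl is not None and rec.ttl <= low_ttl:
                reasons.append(f"low TTL {rec.ttl}")
            findings.append((rec.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_shadowed(parse_a_records(SAMPLE_ZONE),
                                       EXPECTED_HOSTS, OWNED_NETWORKS):
        print(f"{name}: {'; '.join(reasons)}")
```

Run this against a fresh zone export on a schedule and alert on any finding; the baseline check catches records that exist without a change ticket, while the address check catches a legitimate hostname that has been repointed. Keep the baseline under version control so that the diff of the baseline itself is reviewed like any other change.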
