Dropbox Sign Breach Exposes Customer Data
Cloud storage giant Dropbox has recently disclosed a data breach affecting its eSignature service, Dropbox Sign (formerly HelloSign). The incident highlights the ongoing risks businesses…
Hackers Using Domain Shadowing to Host Malicious Websites
Cybercriminals are increasingly using domain shadowing, a form of domain name system (DNS) hijacking, according to a new report from Palo Alto Networks Unit 42.
Domain shadowing is a subcategory of DNS hijacking – an attack on the system that translates domain names to IP addresses, essentially acting like a phone book for the internet. In domain shadowing, hackers compromise the DNS of a legitimate domain and insert their own subdomains, keeping the existing domains intact to prevent any suspicion from the owner of the compromised DNS.
Cybercriminals use domain shadowing to host malicious websites, such as those used in phishing attacks, scams or malware distribution.
Original domains hosting such sites are often quickly identified as malicious, and cyber security applications, such as firewalls, can easily detect if a user is attempting to access the malicious domain. To reduce the chances of a dangerous site being flagged, hackers use the domain names of legitimate organisations to host their own content.
The report from Palo Alto Networks detected over 12,000 shadowed domains between April and June 2022. Still, it emphasised that only 200 of these domains were previously marked as malicious by vendors on VirusTotal, demonstrating the effectiveness of using a shadowed domain to store malicious content without being detected.
Researchers shared some phishing attacks found during their research using domain shadowing, highlighting how easily a compromised domain can be used to further cybercriminals’ reach.
Researchers also noted one phishing attack used 16 compromised domains to host over 600 shadowed domains.
Because of the difficulty detecting shadowed domains, Palo Alto Networks emphasised that the phenomenon is an active threat to enterprises.
Preventions:
Domain shadowing relies on hackers having constant access to an organisation’s domain name system. Therefore, the best way to prevent your domain from being used to host malicious subdomains is to implement cyber security practices that protect your network and servers:
- Keep access to your DNS server highly restricted. Ensure only one administrator account is used to access the DNS (and that that account is used for no other purposes), and ensure a firewall and strict network security measures are in place on your DNS server. You could also consider adding a whitelist of IP addresses that can access the DNS.
- Immediately patch known vulnerabilities. Keep updated with your DNS server’s software and hardware provider so you know when a new security update is released.
- Use registry lock on your domain’s account. Most domain name registries provide registry lock services (also known as client lock or change lock). Using one allows you to safeguard your domain from unauthorised modifications, preventing hackers from using your domain without you knowing.
- Use good password hygiene and two-factor authentication. Ensure that a different random password is used to access your DNS settings, alongside two-factor authentication.
Related Links:
https://unit42.paloaltonetworks.com/domain-shadowing/ – Published September 21st
Related articles
Social Media Fraud: The Evolving Threat and How to Defend Yourself
Social media platforms offer connection and entertainment, but they’ve also become a hunting ground for sophisticated scammers. These criminals are increasingly turning to a combination…
DarkGate Malware: Threat Exploiting AutoHotkey
The DarkGate malware family, a persistent threat since 2018, has recently resurfaced in a sophisticated global campaign. This Remote Access Trojan (RAT), built using the…