NormShield Blog

Domain Shadowing

Domain Shadowing

What is Domain Shadowing? The concept of domain shadowing has first appeared in 2011, and domain shadowing attack is defined as the creating new subdomains to intervene in traffic flow by attackers. Domain shadowing is the process of creating subdomains by domain owners using credentials. Subdomains are created for legitimate domains. For cyber criminals, domain shadowing is creating  thousands of subdomains by generally capturing user information with phishing.

The number of uniquely produced domains may be almost unlimited, because many users have multiple domains. Thus, it’s shown as a way to prevent classical detection methods like IP or websites blocking.

Another IP blocking and blacklist detection escape method is fast-flux. This technique quickly converts a domain or DNS entry to a wide IP address list. When shadowing is utilized, subdomains associated with a single domain are rotated. Based on recent data, one-third of the perceived 10,000 fake subdomains were linked to GoDaddy. This indicates that GoDaddy users are at risk.

Domain Shadowing; How Does It Work?

Domain shadowing attack is redirecting a victim with his credentials to subdomains containing malware. Technical steps are as follows:

  • Initially, domain owners’ identity information is captured by phishing or keylogging methods.
  • Without the knowledge of the domain owner, the subdomains that direct traffic to malicious servers is created. The names of secondary subdomains consist of random characters. The Angler Exploit Kit is usually used at this stage.
  • The work of Angler Exploit Kit begins here. The work is designed to redirect victims to an attacker-controlled webpage hosted on the first tier of subdomains.
  • From these subdomains, users are redirected to the exploit kit landing pages hosted on the second tier of subdomains

According to the researchers in Cisco, the subdomain analyses should be like the following.

  • The first tier is responsible for the redirection to the actual exploit kit landing page. So far, there has not been any overlap between the domains utilized for the first tier and the exploit tier. Also there has not been any overlap in the domain accounts that are utilized.
  • A number of subdomains being utilized for landing pages and exploits are greater than those used for redirection, by a factor of five. This could be related to the chain of events leading to compromise. The user browses to a web page that is hosting a malicious ad. The malicious ad redirects the user to the first tier of subdomains (commonly referred to as a “gate”). This page then redirects to the actual landing page serving exploits. This final page is being rotated at a rapid pace. Some of the subdomains are only active for a matter of minutes and only are reached a couple of times[1].

Angler Exploit Kit

The Angler exploit kit is now one of the best exploit kits on the market. With Zero Day, it offers the ability to quickly and effectively integrate many emerging abuses such as Adobe Flash Player zero-days and Internet Explorer exploits.

In domain shadowing attacks, domain accounts that have been compromised are being used to serve malicious content. According to researchers, Angler Exploit Kit the most advanced, most widely used and it is among the most dangerous 5 kits.

How to Detect Domain Shadowing?

Domain users are rarely controlling user accounts is why domain shadowing attack is so effective. This means too much time for the attackers not to be noticed. Detection is not easy because IP and subdomain usage are constantly changing. So, antiviruses may not be enough. The solution can be next generation intrusion prevention system and heuristic based malware detection. One of the other detection methods is looking for random string subdomains but this method may produce false positives.

How to Detect Domain Shadowing Using NormShield CTI?

Information about the customer domain periodically passes through the relevant scans on NormShield. If a threat is detected when the results are analyzed, an alarm is generated. A sample alarm is shown in the following of the report.


As you can see, cyber attackers are constantly finding new ways to escape cyber attack detection. Here, the importance of defense is becoming clearer.

A strong password should be preferred because the attack is based on capturing domain users credentials. If possible, two factor authentication should be enabled during account access.