Based on recent data, one-third of the 10,000 fake subdomains observed were linked to GoDaddy. This indicates that GoDaddy users are at particular risk.
How Does It Work?
In a domain shadowing attack, the attacker uses a domain owner's stolen credentials to create subdomains that redirect victims to malware. The technical steps are as follows:
- Initially, the domain owner's account credentials are captured by phishing or keylogging.
- Without the knowledge of the domain owner, subdomains that direct traffic to malicious servers are created. The names of the secondary subdomains consist of random characters. The Angler Exploit Kit is usually used at this stage.
- The work of the Angler Exploit Kit begins here: it redirects victims to an attacker-controlled web page hosted on the first tier of subdomains.
- From these subdomains, users are redirected to the exploit kit landing pages hosted on the second tier of subdomains.
- The first tier is responsible for the redirection to the actual exploit kit landing page. So far, no overlap has been observed between the domains used for the first tier and those used for the exploit tier, nor between the domain accounts that are used.
- The number of subdomains used for landing pages and exploits is greater than the number used for redirection, by a factor of five. This could be related to the chain of events leading to compromise. The user browses to a web page that is hosting a malicious ad. The malicious ad redirects the user to the first tier of subdomains (commonly referred to as a "gate"). This page then redirects to the actual landing page serving exploits. This final page is rotated at a rapid pace: some of the subdomains are only active for a matter of minutes and are only reached a couple of times.
How to Detect Domain Shadowing?
Another detection method is looking for subdomains whose names are random strings, but this method may produce false positives.
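As an added illustration of the random-string check and of why it needs corroboration (example code written for this article, not NormShield's detection logic), the following Python scores subdomains from constructed passive-DNS style records: a label is flagged as random by entropy and vowel ratio, then checked against the short-lived, rarely-reached lifecycle described above, so that a hash-like but long-lived label is sent to review rather than raised as an alert. The record layout, thresholds and sample values are all assumptions.

```python
import math
from collections import Counter

# Constructed passive-DNS style records for one victim domain (made-up values):
# (fqdn, first_seen, last_seen, lookups), times in seconds since the start of the log.
SAMPLE_RECORDS = [
    ("www.example-shop.test", 0, 30 * 86400, 5000),
    ("mail.example-shop.test", 0, 30 * 86400, 800),
    ("a8f3kq2z.example-shop.test", 1000, 1300, 2),        # random label, active minutes, two hits
    ("x7ytq0mdlw.example-shop.test", 2000, 2400, 3),
    ("static-assets.example-shop.test", 0, 30 * 86400, 900),
    ("d41d8cd98f00b204.example-shop.test", 0, 30 * 86400, 3000),  # hash-like but long-lived
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(label: str, min_len: int = 7, min_entropy: float = 2.8) -> bool:
    """The 'random string' check on its own: long, high-entropy, few vowels among letters.
    Hash-like but legitimate labels also pass this test, which is the false-positive source."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy and vowel_ratio < 0.3

def behaviour_flags(first_seen: int, last_seen: int, lookups: int,
                    max_active: int = 3600, max_lookups: int = 5) -> list:
    """Lifecycle pattern of the landing subdomains: active for minutes, reached a few times."""
    flags = []
    if last_seen - first_seen <= max_active:
        flags.append("short-lived")
    if lookups <= max_lookups:
        flags.append("few lookups")
    return flags

def triage(records):
    """Split records into alerts (random label plus behaviour) and review (random label only).
    Assumes the leftmost label is the one to score."""
    alerts, review = {}, {}
    for fqdn, first_seen, last_seen, lookups in records:
        label = fqdn.split(".")[0]
        if not looks_random(label):
            continue
        flags = behaviour_flags(first_seen, last_seen, lookups)
        (alerts if flags else review)[fqdn] = ["random-looking label"] + flags
    return alerts, review

if __name__ == "__main__":
    alerts, review = triage(SAMPLE_RECORDS)
    for fqdn, why in alerts.items():
        print("ALERT ", fqdn, why)
    for fqdn, why in review.items():
        print("REVIEW", fqdn, why)
```

Tuning the entropy and vowel thresholds against a sample of the domain's own legitimate subdomains is what keeps the review queue short.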
How to Detect Domain Shadowing Using NormShield CTI?
A sample alarm is shown below in the report.
A strong password should be used because the attack is based on capturing domain users' credentials. If possible, two-factor authentication should be enabled for account access.