Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of “domain shadowing” may be more widespread than previously thought, uncovering 12,197 cases when scanning the web between April and June 2022 .

Domain spoofing is a subcategory of DNS hijacking, where hackers compromise the DNS of a legitimate domain to host their own subdomains to use in malicious activity, but do not modify legitimate DNS entries that already exist. .

These subdomains are then used to create malicious pages on the cyber criminals’ servers while the web pages and DNS records of the domain owner’s site remain unchanged, and the owners do not realize that they have been hacked.

In the meantime, threat actors are free to host C2 (command and control) addresses, phishing sites and malware drop-off points, abusing the good reputation of the hacked domain to circumvent security checks.

Attackers can theoretically modify DNS records to target users and owners of compromised domains, but they generally prefer to take the stealth path described above.

Difficult to detect

Unit 42 explains that detecting real instances of domain cloaking is particularly difficult, which makes the tactic so appealing to perpetrators.

Analysts mention that VirusTotal marked only 200 domains as malicious out of the 12,197 domains discovered by Palo Alto detectors.

Most (151) of VirusTotal’s detections were linked to a single phishing campaign using a network of 649 masked domains across 16 compromised websites.

Additionally, phishing pages hosted on reputable domains would appear trustworthy to a visitor, making them more likely to submit data on the page.

Spinning phishing campaign

The phishing campaign uncovered by Palo Alto researchers compromised 16 domains to create 649 subdomains, hosting fake login pages or redirect points to phishing pages.

Subdomains that redirect to phishing sites can easily bypass email security filters because they don’t host anything malicious and have a benign reputation.

Threat actors are targeting Microsoft account credentials, and although the URL is clearly not related to Microsoft, it will not trigger warnings from internet security tools.

In one instance, domain owners realized the compromise, but not before numerous subdomains were created and facilitated malicious operations on their infrastructure.

Although protecting against rogue subdomains is the responsibility of domain owners, registrars, and DNS service providers, it would be prudent for users to always be cautious when submitting data.

This includes the possibility that a subdomain of a well-known domain could be malicious and that users check everything before submitting credentials or other sensitive information.