Domain shadowing is a set of techniques by which a cybercriminal takes control of a genuine domain registrant's account, creates fake subdomains under the legitimate domain and alters its DNS configuration for malicious purposes.
Our research shows that domain shadowing has become a greater challenge for our clients and their peers over the previous 12 months.
This is a disturbing trend that concerns all businesses: exploiting a trusted brand is highly attractive to criminals as a way to launch a new wave of phishing and pharming attacks.
Domain shadowing has a phishing component: the unsuspecting end user is directed to a fake, malicious site or URL that looks and feels like the genuine content and is prompted for passwords, authentication codes and the like. It also has a pharming component: the legitimate domain's DNS has been compromised, so the user is redirected to an alternate, unknown location while apparently still on the genuine domain.
This type of attack gives the criminal a disposable supply of subdomains that can be used to launch a fast-flux attack. Because these new subdomains are created under a genuine, unsuspecting domain name, the IP address is unlikely to be on a known IP blacklist, for the time being at least.
This type of threat even affects government agencies, as we recently saw with a US State Reserve Agency. Attackers gained access to the DNS servers and added a subdomain pointing to a foreign server, where they gathered login credentials from researchers. Gathering researchers' credentials may not seem frightening in itself, but those credentials could potentially have been leveraged to access more financially relevant systems.
Incidents like these highlight the need for businesses to employ multi-layered threat protection that externally monitors domains and DNS to ensure end users only reach legitimate, authorized content at the authorized location.
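One way to implement that external monitoring, as an added example that is not code from the original article: the script compares what a DNS monitor observes for a zone against a baseline of the registrant's authorized records and its own address space, flagging subdomains the registrant never created, records resolving outside those ranges (regardless of any blacklist), and the many-addresses, short-TTL churn that characterises fast flux. The domain, addresses and observed records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the article): the registrant's known-good
# records and the address space it is authorized to publish.
BASELINE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
}
AUTHORIZED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed snapshot from an external DNS monitor: (name, A record, TTL)
# tuples observed over several polling rounds.
OBSERVED = [
    ("www.example.com", "203.0.113.10", 3600),
    ("mail.example.com", "203.0.113.25", 3600),
    ("login-secure.example.com", "198.51.100.7", 300),
    ("login-secure.example.com", "198.51.100.9", 300),
    ("login-secure.example.com", "192.0.2.44", 300),
    ("account-update.example.com", "192.0.2.44", 60),
]


def audit_zone(baseline, authorized_nets, observed, flux_threshold=3, flux_ttl=300):
    """Return (kind, name, detail) alerts for deviations from the baseline."""
    seen = defaultdict(set)   # name -> set of addresses observed
    min_ttl = {}              # name -> lowest TTL observed
    for name, addr, ttl in observed:
        seen[name].add(addr)
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))

    alerts = []
    for name, addrs in seen.items():
        if name not in baseline:
            # A label the registrant never created: the shadow-domain signature.
            alerts.append(("unknown_subdomain", name, ""))
        elif addrs != baseline[name]:
            alerts.append(("record_changed", name, ",".join(sorted(addrs))))
        for addr in sorted(addrs):
            # Records pointing outside the organization's own ranges are suspect
            # whether or not the address appears on any blacklist.
            if not any(ipaddress.ip_address(addr) in net for net in authorized_nets):
                alerts.append(("foreign_address", name, addr))
        if len(addrs) >= flux_threshold and min_ttl[name] <= flux_ttl:
            # Many addresses rotated under short TTLs: the fast-flux pattern.
            alerts.append(("possible_fast_flux", name, str(len(addrs))))
    for name in baseline:
        if name not in seen:
            alerts.append(("missing_record", name, ""))
    return alerts
```

Run periodically against a fresh snapshot and feed the alerts to the registrant and security team; in practice the baseline would come from the zone file or registrar export rather than being hard-coded.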