Domain shadowing involves the attacker compromising a parent domain and creating multiple subdomains to be used during the attacks. Domain shadowing is the result of using hijacked users' domain registration logins to create many subdomains to be abused by the cybercriminals.
The Cisco security research group, Talos Intelligence Group, began seeing evidence of domain shadowing activity in September 2011 when they observed a set of compromised domains creating many subdomains. In the course of 45 days, approximately 15% of the total identified subdomains were created. Most of the subdomains were active for less than a day and saw less than ten hits. The subdomains were constructed using randomly generated strings.
This is an increasingly effective attack vector since most individuals do not monitor their domain registrant accounts regularly. These accounts are typically compromised through phishing. Cybercriminals then log in with the stolen credentials and create large numbers of subdomains. Many users own multiple domains, which can give a nearly endless supply of domains, providing the cybercriminals a large pool of URLs that they can cycle through and discard after use.
The Talos Intelligence Group has found several hundred compromised accounts that have control of thousands of unique domains. The group identified close to 10,000 unique subdomains being used. This activity has proven to be an effective way to avoid typical detection techniques, such as blacklisting of web sites or IP addresses.
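The three traits described above (randomly generated labels, active for under a day, fewer than ten hits) can be turned into a simple detection heuristic over DNS or proxy summaries. The following is an added example, not code from Cisco or Talos; the log format, the thresholds and the "parent = last two labels" rule are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical, not real observations). Each line is
# "<first-seen> <last-seen> <hostname> <hits>", as a passive-DNS or web-proxy
# summary might export it.
SAMPLE_LOG = """\
2015-02-01T10:00:00 2015-02-28T23:00:00 www.example.com 3400
2015-02-01T10:05:00 2015-02-28T22:00:00 mail.example.com 1200
2015-02-01T11:00:00 2015-02-01T16:00:00 qk3z9vx2.example.com 4
2015-02-01T11:20:00 2015-02-01T15:30:00 h7pw2ljq.example.com 2
2015-02-01T12:10:00 2015-02-01T12:40:00 x0dm4r8t.example.com 1
2015-02-01T13:00:00 2015-02-01T20:00:00 v5ksn1ye.example.com 3
2015-02-02T09:00:00 2015-02-27T09:00:00 shop.example.com 550
2015-02-02T09:30:00 2015-02-26T09:30:00 blog.example.net 800
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_shadowed(label, lifetime, hits, max_hits=10,
                   max_life=timedelta(days=1), min_entropy=2.8):
    """The three Talos traits: random-looking label, short-lived, few hits.
    Thresholds are assumptions chosen for this example."""
    return (shannon_entropy(label) >= min_entropy
            and lifetime < max_life and hits < max_hits)

def find_shadowed_domains(log_text, min_suspects=3):
    """Group suspicious hosts by parent domain and return only parents with
    at least min_suspects of them (one registrant account to review).
    Simplification: parent = last two labels, no public-suffix handling."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        first, last, host, hits = line.split()
        lifetime = datetime.fromisoformat(last) - datetime.fromisoformat(first)
        labels = host.split(".")
        parent, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        if sub and looks_shadowed(sub, lifetime, int(hits)):
            suspects[parent].append(host)
    return {p: sorted(h) for p, h in suspects.items() if len(h) >= min_suspects}

if __name__ == "__main__":
    for parent, hosts in find_shadowed_domains(SAMPLE_LOG).items():
        print(f"{parent}: {len(hosts)} short-lived random subdomains; "
              "check the registrant account for compromise")
        for h in hosts:
            print("   ", h)
```

Legitimate short-lived hosts (CDN or test names) can also score high on entropy alone, so the per-parent count is what separates a shadowed registrant account from a single odd hostname.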
HTTP 302 cushioning and domain shadowing are often used together by threat actors. For example, an exploit kit cycle typically follows this sequence:
- Compromised websites
- HTTP 302 cushioning
- Domain shadowing
- Exploit kit landing page
- Malware payload
Countermeasures to domain shadowing attacks include the following:
- Ensure that all the domain registrants’ accounts are secured. Strong authentication, preferably two-factor authentication, must be required in order to access these accounts to prevent them from being compromised.
- Require domain owners to periodically verify their domain registrant accounts, and check for any fraudulent subdomains created.
- Use a service such as Cisco OpenDNS to block the users from accessing malicious web sites.
- Deploy a web proxy security solution, such as the Cisco Web Security Appliance or the Cisco Cloud Web Security, to block users from accessing malicious web sites.
In the figure below, the hijacked domain registrant account is example.com with a list of subdomains that have been created by the cyber-criminals.