Whether they strike by hijacking email accounts, hacking social handles, or infiltrating financial accounts, cyber threat actors have always relied on internet users’ trust to compromise them. Domain shadowing, a new and extremely cunning style of cyber attack that procures illegitimate admin-­level access to known, reputable web domains, is no different.

What is domain shadowing?

Domain shadowing steals account traffic from consumer traffic flowing to an existing, registered, and otherwise trustworthy web domain. Once they gain access, cyber threat actors register a large number of unauthorized subdomains, which are difficult to detect because they are associated with well­-known domains and often don’t follow any discernible pattern. Not only that, the cyber threat actors involved don’t affect the parent domain or anything hosted on that domain, making their operation all the more stealthy. The perpetrators use these fraudulent subdomains for malicious activities, including distributing malware, injecting exploit kits, or silently redirecting users to other websites that host malicious elements.

How RiskIQ web crawls detect it

Domain shadowing is not easy to detect; it takes a trained eye to find the indications of a potential compromise. In a specific case, RiskIQ surfaced the possibility of domain shadowing from one of our web crawls. As domain shadowing and exploit kits often go hand in hand, the incident identified the unmistakable existence of the RIG EK.

1 top

Fig-1 The information from our crawl inside PassiveTotal showing the characteristics of the threat

Inside PassiveTotal, we see a few different elements of the cyber threat:

● Domain Shadowing: This shows the malicious record that was added.

● Created Date: This shows that the domain is not new and will not be caught by domain age types of detections.

● Malicious IP: The new arecord (subdomain) is pointed to malicious infrastructure.

● Victim: This information tells us that the account at the registrar is compromised, and the cyber threat actor has control over this domain.

The highlighted information allows us to pivot across multiple datasets and find additional indicators-­of­-compromise (IOCs). Going over to the WhoIS record, we can trace the registrant’s email address and find one other domain they own, which they also may have compromised.

2 top

Fig-2 Subdomains inside PassiveTotal

Following this other domain reveals that it also shows subdomains that have been created—three to be exact. These subdomains are pointing to a malicious IP address that is being used to distribute the RIG exploit kit.

3 top

Fig-3 Subdomains pointing to a malicious IP address

From here, we can go one step further and check what else is pointing to the malicious IP address.

4 top

Fig-4 A pivot inside PassiveTotal shows the extent of the domain shadowing

This step demonstrates the extent of this cyber threat actor’s reach. They’ve targeted many domain owners and compromised many domains. In fact, this cyber threat actor’s cyber attack infrastructure spans thousands of web pages distributing exploit kits to potentially millions of users.

Protect yourself

By pivoting across multiple datasets, we were able to detect domain shadowing across multiple domains from one RIG EK. Without access to those data sets, we might not have the breadth of the cyber threat actors infrastructure as quickly as we did. RiskIQ will continue to pivot across datasets — PDNS, WHOIS, SSL Certs, OSINT, Host Pairs, and more — to discover the unknown cyber threat vectors in your legitimate external facing internet assets.

Learn more about RiskIQ web crawling technology here.


Connect with us
Featured Post

Full(z) House: A Digital Crime Group Using a Full Deck to Maximize Profits