Whether they strike by hijacking email accounts, taking over social-media handles, or breaking into financial accounts, cyber threat actors have always relied on internet users' trust to compromise them. Domain shadowing, a new and cunning style of attack in which the actor procures illegitimate administrative access to known, reputable web domains, is no different.
What is domain shadowing?
Domain shadowing begins with a compromised account: the attacker gains access to the registrar (or DNS-hosting) account that controls an existing, long-registered, and otherwise trustworthy web domain. With that access, the attacker adds a large number of unauthorized subdomains as new DNS records under the legitimate domain. These are difficult to detect because they inherit the reputation and age of the well-known parent domain and often follow no discernible naming pattern. The attacker also leaves the parent domain and everything hosted on it untouched, so the owner sees no change and the operation stays all the more stealthy. The fraudulent subdomains resolve to attacker-controlled infrastructure and are used for malicious activity, including distributing malware, serving exploit kits, or silently redirecting users to other sites that host malicious content.
How RiskIQ web crawls detect it
Domain shadowing is not easy to detect; it takes a trained eye to spot the indications of a potential compromise. In one specific case, a RiskIQ web crawl surfaced the possibility of domain shadowing. Because domain shadowing and exploit kits often go hand in hand, it was no surprise that the crawl also found unmistakable signs of the RIG exploit kit (RIG EK).
Fig-1 The information from our crawl inside PassiveTotal showing the characteristics of the threat
Inside PassiveTotal, we can see several distinct elements of the threat:
● Domain Shadowing: the malicious DNS record that was added under the legitimate domain.
● Created Date: the domain itself is not new, so it will not be caught by domain-age-based detections.
● Malicious IP: the new A record (the shadowed subdomain) points to malicious infrastructure rather than to the domain's legitimate hosting.
● Victim: the domain owner's account at the registrar is compromised, and the threat actor has control over the domain's DNS.
The highlighted information lets us pivot across multiple datasets to find additional indicators of compromise (IOCs). Moving over to the WHOIS record, we can trace the registrant's email address and find one other domain registered to the same owner, which the threat actor may also have compromised.
Fig-2 Subdomains inside PassiveTotal
Following this second domain reveals that it, too, has newly created subdomains, three to be exact. These subdomains point to a malicious IP address that is being used to distribute the RIG exploit kit.
Fig-3 Subdomains pointing to a malicious IP address
From here, we can go one step further and check what else resolves to that malicious IP address.
Fig-4 A pivot inside PassiveTotal shows the extent of the domain shadowing
This step demonstrates the extent of the threat actor's reach: they have targeted many domain owners and compromised many domains. In fact, this actor's attack infrastructure spans thousands of web pages distributing exploit kits to potentially millions of users.
By pivoting across multiple datasets, we were able to detect domain shadowing across many domains starting from a single RIG EK sighting. Without access to those datasets, we could not have mapped the breadth of the actor's infrastructure as quickly as we did. RiskIQ will continue to pivot across datasets (passive DNS, WHOIS, SSL certificates, OSINT, host pairs, and more) to uncover unknown threat vectors in your legitimate external-facing internet assets.
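The three signals listed above (an old domain, a recently created subdomain, and a resolution to an IP the domain's real hosts never used) and the two pivots that follow (WHOIS registrant email, then the malicious IP) can be expressed as a small triage script over a passive-DNS export. The following is an added example and not RiskIQ or PassiveTotal code; the records, IP addresses, domain names and field layout are all constructed for illustration.

```python
"""Domain-shadowing triage over passive DNS + WHOIS (added example, constructed data)."""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records: (hostname, resolved IPv4, first-seen date).
# The IPs are documentation ranges; nothing here is a real observation.
PDNS = [
    # Long-lived parent and www on the owner's genuine hosting.
    ("example-shop.test",         "203.0.113.10", date(2012, 3, 4)),
    ("www.example-shop.test",     "203.0.113.10", date(2012, 3, 4)),
    # Recently added, random-looking subdomains pointing elsewhere: the shadowing pattern.
    ("k7qz2.example-shop.test",   "198.51.100.7", date(2019, 1, 14)),
    ("x9pw1b.example-shop.test",  "198.51.100.7", date(2019, 1, 15)),
    # A second domain under the same registrant, also shadowed.
    ("example-blog.test",         "203.0.113.22", date(2014, 6, 1)),
    ("mail.example-blog.test",    "203.0.113.22", date(2014, 6, 1)),
    ("t3h8v.example-blog.test",   "198.51.100.7", date(2019, 1, 16)),
    # An unrelated domain on the same malicious IP, found only by the IP pivot.
    ("other-site.test",           "203.0.113.40", date(2010, 9, 9)),
    ("q2m9z.other-site.test",     "198.51.100.7", date(2019, 1, 12)),
    # A legitimately new subdomain on the owner's own hosting: must not be flagged.
    ("staging.example-shop.test", "203.0.113.10", date(2019, 1, 10)),
    # A brand-new domain: young enough that ordinary domain-age rules already catch it.
    ("freshly-made.test",         "198.51.100.7", date(2019, 1, 13)),
    ("a1b2.freshly-made.test",    "198.51.100.7", date(2019, 1, 13)),
]

# Constructed WHOIS data keyed by registered domain.
WHOIS = {
    "example-shop.test": {"created": date(2012, 3, 4),  "registrant_email": "owner@example.test"},
    "example-blog.test": {"created": date(2014, 6, 1),  "registrant_email": "owner@example.test"},
    "other-site.test":   {"created": date(2010, 9, 9),  "registrant_email": "someone@example.test"},
    "freshly-made.test": {"created": date(2019, 1, 13), "registrant_email": "throwaway@example.test"},
}

OBSERVED_ON = date(2019, 1, 20)  # date of the (constructed) crawl


def registered_domain(hostname):
    """Last two labels of a hostname. Real tooling should consult the Public
    Suffix List so names like shop.co.uk are not cut at the wrong label."""
    return ".".join(hostname.split(".")[-2:])


def shadow_candidates(pdns, whois, observed_on, min_domain_age_days=365, max_record_age_days=30):
    """Return {registered_domain: [(hostname, ip), ...]} for subdomains that
    (a) sit under a domain old enough to pass domain-age filters,
    (b) were first seen recently, and
    (c) resolve to an IP the domain's own apex/www hosts have never used."""
    by_domain = defaultdict(list)
    for host, ip, first_seen in pdns:
        by_domain[registered_domain(host)].append((host, ip, first_seen))

    findings = defaultdict(list)
    for domain, records in by_domain.items():
        created = whois.get(domain, {}).get("created")
        if created is None or (observed_on - created).days < min_domain_age_days:
            continue  # young or unknown domain: leave it to domain-age detections
        # IPs the owner's established hosts (apex and www) resolve to.
        legit_ips = {ip for host, ip, _ in records if host in (domain, "www." + domain)}
        for host, ip, first_seen in records:
            if host == domain or host.startswith("www."):
                continue
            if (observed_on - first_seen).days > max_record_age_days:
                continue  # old record, not a fresh addition
            if ip in legit_ips:
                continue  # new subdomain, but on the owner's own infrastructure
            findings[domain].append((host, ip))
    return dict(findings)


def pivot_ip(pdns, ip):
    """IP pivot: every registered domain with any hostname resolving to `ip`."""
    return sorted({registered_domain(h) for h, rip, _ in pdns if rip == ip})


def pivot_registrant(whois, email):
    """WHOIS pivot: every domain registered under the same registrant email."""
    return sorted(d for d, rec in whois.items() if rec["registrant_email"] == email)


if __name__ == "__main__":
    hits = shadow_candidates(PDNS, WHOIS, OBSERVED_ON)
    for domain, records in hits.items():
        print(domain, "->", records)
    print("same registrant:", pivot_registrant(WHOIS, WHOIS["example-shop.test"]["registrant_email"]))
    print("same malicious IP:", pivot_ip(PDNS, "198.51.100.7"))
```

Run as a script it flags the three old domains with fresh off-infrastructure subdomains, leaves the `staging` host and the brand-new domain alone, and the two pivots then widen the view from one shadowed domain to the registrant's other domain and to every domain sharing the RIG-style IP. The thresholds are assumptions to tune against your own passive-DNS feed; the "legitimate IPs" set deliberately uses only the apex and www records, because those are what a domain owner would notice if changed.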
Learn more about RiskIQ web crawling technology here.