Domain Shadowing: When Good Domains Go Bad

Whether they strike by hijacking email accounts, hacking social handles, or infiltrating financial accounts, cyber threat actors have always relied on internet users’ trust to compromise them. Domain shadowing, a new and extremely cunning style of cyber attack that procures illegitimate admin-level access to known, reputable web domains, is no different.

What is domain shadowing?

Domain shadowing steals account traffic from consumer traffic flowing to an existing, registered, and otherwise trustworthy web domain. Once cyber threat actors gain access, they register a large number of unauthorized subdomains, which are difficult to detect because they are associated with well-known domains and often don’t follow any discernible pattern. The actors also leave the parent domain and everything hosted on it untouched, which makes their operation all the more stealthy. They use these fraudulent subdomains for malicious activities, including distributing malware, injecting exploit kits, or silently redirecting users to other websites that host malicious elements.

How RiskIQ web crawls detect it

Domain shadowing is not easy to detect; it takes a trained eye to find the indications of a potential compromise. In a specific case, RiskIQ surfaced the possibility of domain shadowing from one of our web crawls. As domain shadowing and exploit kits often go hand in hand, the incident identified the unmistakable existence of the RIG EK.

Inside PassiveTotal, we see a few different elements of the cyber threat:

● Domain Shadowing: This shows the malicious record that was added.

● Created Date: This shows that the domain is not new and will not be caught by domain age types of detections.

● Malicious IP: The new A record (subdomain) is pointed to malicious infrastructure.

● Victim: This information tells us that the account at the registrar is compromised, and the cyber threat actor has control over this domain.

The highlighted information allows us to pivot across multiple datasets and find additional indicators-of-compromise (IOCs). Going over to the WHOIS record, we can trace the registrant’s email address and find one other domain they own, which they also may have compromised.

Following this other domain reveals that subdomains have been created on it as well, three to be exact. These subdomains point to a malicious IP address that is being used to distribute the RIG exploit kit.

From here, we can go one step further and check what else is pointing to the malicious IP address.

This step demonstrates the extent of this cyber threat actor’s reach. They've targeted many domain owners and compromised many domains. In fact, this cyber threat actor’s cyber attack infrastructure spans thousands of web pages distributing exploit kits to potentially millions of users.

Protect yourself

By pivoting across multiple datasets, we were able to detect domain shadowing across multiple domains from one RIG EK. Without access to those datasets, we might not have uncovered the breadth of the cyber threat actor’s infrastructure as quickly as we did. RiskIQ will continue to pivot across datasets (PDNS, WHOIS, SSL Certs, OSINT, Host Pairs, and more) to discover the unknown cyber threat vectors in your legitimate external-facing internet assets.
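The pivot described above can be sketched over passive DNS data. This is an added example, not RiskIQ or PassiveTotal code: it flags new subdomains on established domains whose A records point outside the parent's known IPs, then groups them by IP to surface infrastructure shared across unrelated parent domains. The record layout, the hostnames and addresses (reserved documentation ranges), and the names `find_shadowed`, `parent` and `SINCE` are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS A records: (hostname, ip, first_seen). Not real data.
PDNS = [
    ("example-shop.test", "198.51.100.10", date(2012, 3, 1)),
    ("www.example-shop.test", "198.51.100.10", date(2012, 3, 1)),
    ("mail.example-shop.test", "198.51.100.11", date(2013, 6, 9)),
    ("qzkd.example-shop.test", "203.0.113.66", date(2016, 5, 2)),
    ("example-blog.test", "192.0.2.20", date(2010, 1, 15)),
    ("a1.example-blog.test", "203.0.113.66", date(2016, 5, 3)),
    ("b7.example-blog.test", "203.0.113.66", date(2016, 5, 3)),
    ("xx.example-blog.test", "203.0.113.66", date(2016, 5, 4)),
    ("cdn.example-blog.test", "192.0.2.21", date(2016, 4, 30)),  # new but benign
]
SINCE = date(2016, 4, 1)  # start of the review window (assumed)

def parent(host):
    # Assumption: registered domain = last two labels.
    # Real data needs the Public Suffix List (e.g. for co.uk).
    return ".".join(host.split(".")[-2:])

def find_shadowed(records, since, min_parents=2):
    # Baseline: IPs each parent domain used before the window. Having a
    # baseline at all means the domain is old, so domain-age checks miss it.
    baseline = defaultdict(set)
    for host, ip, seen in records:
        if seen < since:
            baseline[parent(host)].add(ip)
    # Candidates: new subdomains resolving outside the parent's baseline.
    candidates = [
        (host, ip) for host, ip, seen in records
        if seen >= since and host != parent(host)
        and baseline[parent(host)] and ip not in baseline[parent(host)]
    ]
    # Pivot on IP: one address serving new subdomains of several unrelated
    # parents is the shared-infrastructure signal; one parent alone is weak.
    by_ip = defaultdict(lambda: defaultdict(list))
    for host, ip in candidates:
        by_ip[ip][parent(host)].append(host)
    return {ip: dict(p) for ip, p in by_ip.items() if len(p) >= min_parents}

if __name__ == "__main__":
    for ip, parents in find_shadowed(PDNS, SINCE).items():
        print(ip, parents)
```

The single-parent case (`cdn.example-blog.test`) is deliberately left out of the result: a new subdomain on a new IP is common for legitimate changes, and it is the cross-domain overlap on one IP that separates shadowing from routine DNS updates.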
