Domain Shadowing, a technique in which attackers steal domain account credentials from their owners in order to create subdomains that point at malicious servers, has been one of the most common components of attacker infrastructure over the last year, and it has been gaining momentum since 2010.
In this article, we’ll go over the evolution of Domain Name System (DNS) abuse and shine a light on the Domain Shadowing problem. While this topic has been covered by other researchers, much of their information has only touched on specific campaigns or techniques. However, RiskIQ believes that this persistent problem needs to be solved, and without community efforts, it will continue to be an issue. In the coming weeks, we’ll do technical deep dives into Domain Shadowing campaigns and analyze specific indicators that have been observed by RiskIQ.
To understand what Domain Shadowing is, we must go back in time a few years and find out why attackers abuse DNS services.
Initially, many attackers hard-coded IP addresses for their command and control servers, in addition to the initial delivery mechanism. As this technique became common, many savvy sysadmins and security professionals started to block these IPs. It was very obvious what the IPs were used for, and because they were hard-coded, once they were blocked, attackers would often lose the ability to manage the compromised hosts. Attackers (and everyone else) started to use DNS to ensure there was a degree of resiliency in their infrastructure and that the hosts could continue to communicate after an IP address changed. This noticeably increased both the effectiveness and the lifespan of their campaigns.
Around this time, firewalls were the primary security device used to stop attacks, and most of the firewalls available only operated on IP addresses. Attackers soon realized that the quicker they could change IP addresses, the more likely they were to have a successful campaign. At this time, web filtering (layer 7 inspection) was the exception, not the rule. This climate of rapidly changing IP addresses created a perfect storm that attackers exploited to get around the blocks and blacklists common at the time. As attackers changed DNS records hundreds or thousands of times per hour, the Fast Flux problem was born.
By and by, more scrutiny was placed on these new attack components, and folks had to find new techniques to combat the cyber threat. Web-filtering and security companies started to find common elements they could key off of to identify additional infrastructure: when the domain was registered, who registered it, and the contact information associated with it could all be used to determine the domain’s relative risk. The community came together and took action against hosting providers and registrars that were complicit in this activity. Suspect domains, nameservers, and even hosting providers were identified, and appropriate actions were taken against the offending services. As the community became more effective at identifying and acting on these cyber threats, the internet seemed to breathe a sigh of relief.
Domain Shadowing can be summed up as compromising existing domains and using their DNS as a piece of attack infrastructure. Often, registrars provide free DNS to domains that are registered through them, and attackers use this registrar-hosted DNS to point subdomains at malicious hosts located elsewhere. Attackers do this by hijacking access to the domain management system and injecting rogue A records alongside the domain holder’s own legitimate resolution records. Because the domain has a good reputation and an established registration history, attackers can easily sneak these malicious DNS records in to get around filtering.
This loophole undermines the domain reputation checks that many security products rely on to block these attacks. By destroying the trust of existing domains, it becomes a nearly impossible task to establish reputation based on domain history or previous content.
While the term “Domain Shadowing” may be new (it was coined in 2015), we have been observing this activity for several years. Other researchers have been observing this activity in live attack campaigns as far back as 2010 and our direct observations go back nearly as far.
Not much is known about the exact initial attack vector by which attackers gain access to domain holder accounts, but it’s obvious that the attackers have specific tools and automation in place that help them continually change records. These malicious record sets are created and managed within brief periods of time, with requests originating from disparate sources believed to be proxies. These attackers also leverage other infrastructure that masks the access origin and adds source diversity, which can make it more difficult for the malicious activity to be blocked at the registrar level.
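As an added example (not RiskIQ’s code or tooling), the following Python sketches one defender-side check for the pattern described above: subdomains of a legitimate domain whose A records fall outside the owner’s known address space and that first appear in a burst. The passive-DNS style observations, the domain example-shop.com and the 203.0.113.0/24 “known” range are all constructed for illustration.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed passive-DNS style observations: (hostname, A record, first seen).
# A real feed would supply these; every value below is made up.
OBSERVATIONS = [
    ("example-shop.com",       "203.0.113.10", "2019-01-05T10:00:00"),
    ("www.example-shop.com",   "203.0.113.10", "2019-01-05T10:00:00"),
    ("mail.example-shop.com",  "203.0.113.25", "2019-02-11T08:30:00"),
    # a lone out-of-range name (e.g. a CDN): out of range, but no burst
    ("cdn.example-shop.com",   "192.0.2.40",   "2019-03-01T12:00:00"),
    # burst of random-looking names created within seconds of each other
    ("ad3f9.example-shop.com", "198.51.100.7", "2019-06-02T03:14:02"),
    ("k2z0x.example-shop.com", "198.51.100.7", "2019-06-02T03:14:05"),
    ("q8ls1.example-shop.com", "198.51.100.9", "2019-06-02T03:14:09"),
    ("p77wm.example-shop.com", "198.51.100.9", "2019-06-02T03:15:30"),
]

def is_subdomain(host, apex):
    return host != apex and host.endswith("." + apex)

def detect_shadowed(observations, apex, known_nets,
                    window=timedelta(minutes=10), burst=3):
    """Return subdomains of `apex` that resolve outside `known_nets` AND
    first appeared alongside at least `burst` such names inside `window`.
    A single out-of-range record alone is not enough to be flagged."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    suspects = []
    for host, ip, seen in observations:
        if not is_subdomain(host, apex):
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            suspects.append((host, datetime.fromisoformat(seen)))
    suspects.sort(key=lambda rec: rec[1])
    flagged = set()
    for host, t in suspects:
        # every out-of-range name first seen in the window starting at t
        in_window = [h for h, t2 in suspects if t <= t2 <= t + window]
        if len(in_window) >= burst:
            flagged.update(in_window)
    return sorted(flagged)

if __name__ == "__main__":
    for name in detect_shadowed(OBSERVATIONS, "example-shop.com", ["203.0.113.0/24"]):
        print("possible shadowed subdomain:", name)
```

The burst threshold and window are tunable; in practice the owner’s legitimate address space would come from their historical resolution records rather than a hand-written list.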
It is also important to bring up a point raised in the comments on past articles: affected registrars and DNS providers don’t seem to recognize the complete scope and impact of this problem, and don’t know how to respond to it properly. Their response has mostly been to play “whack-a-mole” and deal with accounts as they are reported. No signs point to a proactive or organized effort to stop Domain Shadowing by addressing its underlying cause, large-scale domain hijacking.
This oversight raises a few important questions on the topic.
Answers to these questions are not clear at this time, and relatively few people are talking about the large-scale ramifications of Domain Shadowing.