Earlier this year (2016), WordPress sites were attacked by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who employ exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.
What is domain shadowing?
Domain shadowing basically refers to the cybercriminal exercise of infiltrating multiple domain registrant accounts in order to spew forth several subdomains for malicious purposes.
Cyber criminals are able to acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, these malicious individuals then create a large number of subdomains. These subdomains could then allow the crooks to carry out attacks behind perfectly legitimate domains, which make the attacks both hard to detect and counter.
In the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.
This second group of subdomains, now mostly fourth level subdomains (e.g. abcfsaa.letters.somedomain.com), in turn hosted exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. The number of subdomains on this group is much larger than the first and are rotated rapidly.
Why domain shadowing is so effective
One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.
Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.
Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security groups the time to gather enough information and come up with any meaningful analysis about the attack.
Thirdly, domain shadowing is immune to many of the countermeasures being used today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic from certain domains based on their scores, can have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say cisco.com, they can easily slip through.
Some people are suggesting that since the fourth level subdomains used in domain shadowing are usually made up of random alphanumeric characters, these kind of subdomains might be used as a basis to issue red flags. Unfortunately, several cloud based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.
Clearly, any effective way of countering domain shadowing would require a combination of several approaches. First of all, domain registrants’ accounts must secured. Strong authentication, preferably 2FA, must be required in order to access these accounts to prevent them from being compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.
Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.