
Domain shadowing becoming more popular among cybercriminals

submitted by
Style Pass
2022-09-22 10:00:06

Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of 'domain shadowing' might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022.

Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.

These subdomains are then pointed at malicious pages on the cybercriminals' servers, while the owner's existing web pages and DNS records remain unchanged, so the owners don't realize they have been breached.

In the meantime, the threat actors are free to host C2 (command and control) addresses, phishing sites, and malware-dropping points, abusing the good reputation of the hijacked domain to bypass security checks.

The attackers can theoretically change the DNS records to target users and owners of the compromised domains, but they typically prefer to take the stealthy path described above.
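One defensive consequence of the pattern described above is that a domain owner can detect it by diffing DNS zone snapshots: shadowed subdomains show up as records that were added while every pre-existing record stayed untouched, and they usually resolve to infrastructure the owner does not operate. The following is an added example, not code from the article or from Unit 42; the domain names, records and address ranges are constructed for illustration, and the owner's network list and apex name are assumptions the check relies on.

```python
"""Flag likely domain-shadowing subdomains by comparing two zone snapshots.

Added example (not from the article or Unit 42). It assumes the domain
owner can export its zone (e.g. from the registrar or DNS provider) at two
points in time and knows which address ranges it legitimately uses. All
records, names and ranges below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One DNS resource record; frozen so records can live in sets."""
    name: str    # fully qualified, lower-case, no trailing dot
    rtype: str   # "A", "AAAA", "CNAME", ...
    value: str   # address or target


# Constructed: address space the (hypothetical) owner actually operates.
OWNER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed baseline snapshot, taken before the compromise.
BASELINE = {
    Record("example.com", "A", "203.0.113.10"),
    Record("www.example.com", "A", "203.0.113.10"),
    Record("mail.example.com", "A", "203.0.113.25"),
}

# Constructed current snapshot: every baseline record is still present and
# unchanged (the stealthy path the article describes), but new subdomains
# have appeared. Two point at addresses outside the owner's ranges and one
# CNAME points at a foreign zone; one addition is on owner infrastructure.
CURRENT = BASELINE | {
    Record("login-secure.example.com", "A", "198.51.100.77"),
    Record("cdn7.example.com", "A", "198.51.100.78"),
    Record("files.example.com", "CNAME", "cdn.example.net"),
    Record("blog.example.com", "A", "203.0.113.40"),
}


def points_inside(rec, owner_networks, apex):
    """True if the record resolves to infrastructure the owner controls.

    A/AAAA records are checked against the owner's networks; CNAMEs are
    considered internal only if the target stays under the apex domain.
    Other record types are not assessed here and are treated as internal.
    """
    if rec.rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(rec.value)
        # `in` returns False when address and network families differ.
        return any(addr in net for net in owner_networks)
    if rec.rtype == "CNAME":
        target = rec.value.lower().rstrip(".")
        return target == apex or target.endswith("." + apex)
    return True


def detect_shadow_subdomains(baseline, current, apex, owner_networks=OWNER_NETWORKS):
    """Classify records added since the baseline snapshot.

    Returns a dict with:
      added_external    names of new records pointing outside the owner's
                        infrastructure (the domain-shadowing signature)
      added_internal    new records on owner infrastructure (likely a
                        legitimate change, still worth confirming)
      existing_untouched  True when no baseline record was removed or
                        altered, which is why shadowing goes unnoticed
    """
    added = current - baseline
    removed = baseline - current   # a modified record appears here too
    external, internal = [], []
    for rec in sorted(added, key=lambda r: r.name):
        if points_inside(rec, owner_networks, apex):
            internal.append(rec.name)
        else:
            external.append(rec.name)
    return {
        "added_external": external,
        "added_internal": internal,
        "existing_untouched": not removed,
    }


if __name__ == "__main__":
    report = detect_shadow_subdomains(BASELINE, CURRENT, "example.com")
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run periodically against fresh zone exports, the `added_external` list is the set of subdomains to investigate, and `existing_untouched` being true alongside a non-empty `added_external` list is exactly the silhouette the article attributes to domain shadowing; a legitimate migration would normally change or remove existing records as well.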
