Hackers may be hiding in plain sight on your favorite website

Security researchers have detailed how domain shadowing is becoming increasingly popular for cybercriminals.

As reported by Bleeping ComputerPalo Alto Networks analysts (Unit 42) revealed how they encountered over 12,000 such incidents in a period of just three months (April to June 2022).

Getty Images

Derived from DNS hijacking, domain watching provides the ability to create malicious subdomains by infiltrating legitimate domains. As such, hidden domains will have no impact on the parent domain, which naturally makes them difficult to detect.

Cybercriminals can then use these subdomains to their advantage for a variety of purposes, including phishing, malware distribution, and command and control (C2) operations.

“We conclude from these results that domain snooping is an active threat to the business, and it is difficult to detect without leveraging machine learning algorithms capable of analyzing large amounts of DNS logs,” said Unit 42.

Once the threat actors gain access, they might choose to breach the main domain itself and its owners, as well as the target users of that website. However, they managed to lure individuals through the subdomains instead, in addition to attackers remaining undetected for much longer by relying on this method.

Due to the subtle nature of domain observation, Unit 42 mentioned how difficult it is to detect real incidents and compromised domains.

In fact, the VirusTotal platform only identified 200 malicious domains out of the 12,197 domains mentioned in the report. The majority of these cases are linked to an individual phishing campaign that uses a network of 649 masked domains across 16 compromised websites.

A system hack warning alert is displayed on a computer screen.
Getty Images

The phishing campaign revealed how the aforementioned subdomains displayed fake login pages or redirected users to phishing pages, which can essentially bypass email security filters.

When the subdomain is visited by a user, credentials are requested for a Microsoft account. Even if the URL itself is not from an official source, internet security tools are not able to tell the difference between a legitimate and fake login page because no warning is presented.

One of the cases documented by the report showed how an Australian-based training company confirmed that it had been hacked for its users, but the damage had already been done to subdomains. A progress bar for the rebuilding process was featured on its website.

Currently, Unit 42’s “high-precision machine learning model” has discovered hundreds of hidden domains created daily. With this in mind, always check the URL of any website that requests data from you, even if the address is hosted on a trusted domain.

Editors’ Recommendations

Sherry J. Basler