Domain shadowing is a cybercriminal technique for avoiding detection of malicious pages by hacking a domain administrator’s account and creating multiple subdomains in the domain so as to bypass denylists.
How domain shadowing works
First, cybercriminals gain access to the domain owner’s account through phishing, a dictionary attack, or another method. Next, they create a huge number of subdomains that can be used one by one for malicious actions and then discarded. In many cases, used addresses are replaced automatically to speed up their rotation and thus avoid detection.
The malicious pages linked to the URLs are hosted on the cybercriminals’ servers and are in no way associated with the victim’s Web resource; they do not link to any pages on the main site, nor does the main site link to the subdomains. In turn, users may not realize they are on a suspicious site, because the address bar displays the main domain, which has a good reputation. The domain owner may also be unaware of the account compromise and malicious subdomains.
Attackers can use subdomains to:
- Host phishing pages to steal bank details, passwords, and personal data;
- Distribute malware and carry out cryptojacking;
- Redirect the user to another criminal resource.
Protection from domain shadowing
For the owner of the domain, the existence of hidden subdomains may be hard to detect because the cybercriminals avoid interfering with the victim’s website or server. Aside from regular checks, the only ways the hacking is likely to become apparent are through user complaints or through the domain being blocked (because of associated malicious activity). Therefore, for domain owners, the main remedy against domain-shadowing attacks is to ensure account security by using strong passwords with two-factor authentication and observing all rules of digital hygiene, thus preventing abuse by outsiders.
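As an added example (not part of the original entry), one form the "regular checks" mentioned above can take: audit an exported DNS zone against the owner's own inventory of subdomains and hosting address ranges, and flag unknown labels that point to hosts outside the owner's infrastructure, which is exactly the pattern domain shadowing leaves behind. The zone records, inventory and addresses below are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample data: the owner's hosting range (TEST-NET-3), the
# subdomains the owner actually created, and a zone export as
# (label, record type, value) tuples. None of these values are real.
ZONE = "example.com."
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_HOSTS = {"www", "mail", "blog"}
ZONE_RECORDS = [
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.20"),
    ("blog", "CNAME", "www.example.com."),
    ("shop", "A", "203.0.113.30"),            # unlisted but on owned hosting: not flagged
    ("a7f3k2", "A", "198.51.100.14"),         # unknown label, off-network host
    ("q9z1mx", "A", "198.51.100.14"),         # second unknown label, same host
    ("login-secure", "A", "198.51.100.23"),
    ("files", "CNAME", "host.example.org."),  # unknown label, CNAME out of the zone
]

def is_owned(ip):
    """True if the address falls inside one of the owner's hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_RANGES)

def audit_zone(records, zone=ZONE, known=KNOWN_HOSTS):
    """Return (label, type, value, reason) for records that look shadowed:
    a label the owner did not create whose target lies outside the owner's
    address space or outside the zone itself."""
    findings = []
    for label, rtype, value in records:
        if label in known:
            continue  # created by the owner; not a shadowing candidate
        if rtype in ("A", "AAAA") and not is_owned(value):
            findings.append((label, rtype, value, "unknown label, host outside owned ranges"))
        elif rtype == "CNAME" and value != zone and not value.endswith("." + zone):
            findings.append((label, rtype, value, "unknown label, alias outside the zone"))
    return findings

def shared_targets(findings):
    """Count how many flagged labels share each target: several throwaway
    labels on one external host is the rotation pattern described above."""
    return Counter(value for _, _, value, _ in findings)

if __name__ == "__main__":
    found = audit_zone(ZONE_RECORDS)
    for label, rtype, value, reason in found:
        print(f"{label:<14} {rtype:<6} {value:<20} {reason}")
    print("targets shared by flagged labels:", dict(shared_targets(found)))
```

In practice the zone export would come from the registrar or DNS provider's API or a zone transfer the owner is authorised to run, and the inventory from the team's own change records.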