The Threats of Domain Shadowing
As cybercrime rises, we have seen a considerable increase in DNS hijacking attacks, specifically domain shadowing. Domain shadowing occurs when the DNS of a legitimate domain is compromised and used to host hackers’ subdomains without modifying the legitimate DNS entries. Hackers use these subdomains to create malicious pages that steal personal data, such as passwords and banking details, or distribute malware. To understand the severity of domain shadowing, you must know how DNS and DNS hijacking work.
DNS stands for Domain Name System. It is a database in which domain names are looked up and translated to IP addresses. When you type 'www.firestormcyber.com' into a browser, a DNS server maps that domain name to the corresponding IP address, connecting you to the website. This is called DNS resolution. DNS servers are devices or programs that perform DNS resolution, translating domain names to IP addresses. There are two types of DNS servers: recursive servers and authoritative servers. The authoritative name server is the server that oversees a domain's records; all other servers are recursive. Some servers perform both functions.
There are several different types of DNS attacks, many of them falling under DNS hijacking. DNS hijacking is commonly used to redirect users to malicious websites, which hackers use to steal and sell data such as credit card information. They do this by changing the IP address that the domain name resolves to. This can occur inside or outside a network. Inside your network, malware changes the default DNS server on a computer so that the machine's domain-name lookups resolve to the hacker's IP. Outside a network, hackers can go through the router or up to the name server (DNS root server).
Domain shadowing is when hackers obtain access to the domain owner's account and create subdomains that can be used for malicious activities. They can obtain these domain names by stealing the domain owner's account, compromising the DNS service provider, or compromising the DNS server. The subdomains are deleted frequently to avoid detection and are not related to the victim’s domain in any way: the main site doesn’t link to the subdomains, nor do they link back to it. Users often don’t realize they are on a malicious page, as the URL displays the main domain. Hackers may also legitimately purchase domains of their own. These subdomains can be used to distribute malware, run scams, and host phishing pages.
Let’s go back to the beginning. The Domain Name System is the internet’s record of names and their matching IP addresses, like a phone book. It is used to convert URLs and domain names into computer-readable addresses, i.e. IP addresses. This process is called DNS resolution. When you enter a website or domain name into a browser, it sends a message (a recursive query) to the network to find which IP or network address the domain corresponds to. The query is sent to a recursive DNS server that is usually managed by the ISP (internet service provider). If that server already has the address, the webpage will load; if not, it queries these servers in the following order: DNS root name servers, top-level domain servers, and authoritative servers. This only happens the first time you visit each domain; after that, the recursive server caches the domain's record.
A URL consists of a domain name and a TLD (Top-Level Domain). A domain name consists of several parts called labels, which are read from right to left, with each section being a subdivision of the one to its right. The final period after the domain name marks the beginning of the TLD. There are five types of TLDs: Generic (gTLD), Sponsored (sTLD), Country code (ccTLD), Infrastructure (ARPA), and Test (tTLD). These are used to categorize domain names by purpose, owner, or geographical location.
A DNS server, or ‘nameserver’, is a server with DNS software installed on it that companies use to manage all their hosted domains. The DNS software allows data from DNS records to be transferred. Every web host has its own set of nameservers, which function like a mailroom: all traffic flows through these servers before being routed to the requested domain, with DNS records functioning as an address book. Nameservers form a pyramid, with root servers at the top. Root servers operate in the root zone and can directly answer queries for records cached or stored within that zone. They can also send queries on to the appropriate TLD server, one step down the pyramid. Finally, the authoritative server finds the IP address using the information given by the root and TLD servers and sends it back to your computer, loading the webpage.
Types of DNS records include A records, CNAME records, MX entries, TXT records, and AAAA records. Address mapping records (A records) store hostnames and their corresponding IPv4 addresses. AAAA records do the same for IPv6 addresses. Canonical Name records (CNAME) allow one domain name to redirect to another; an example would be ‘Google.com’ redirecting to ‘www.Google.com’. Mail Exchanger entries (MX entries) specify how email should be routed. Finally, TXT records store human-readable notes for domain administrators.
DNS attacks find and exploit vulnerabilities at all levels of the system, which has many security holes. DNS hijacking is an extremely common attack with many subcategories. Mainly, hijacking refers to redirecting DNS queries and resolving them incorrectly. Hackers can accomplish this by gaining control of the DNS server and diverting traffic to a fake DNS server, which causes users to load a false website, usually without noticing. Other methods of hijacking include poisoning the DNS cache with incorrect IP addresses, getting malware onto the router that reconfigures its DNS settings, or gaining network access and redirecting DNS queries.
All these attacks use one of four basic DNS redirection types: local DNS hijack, router DNS hijack, man in the middle, and rogue DNS server. A local DNS hijack occurs when hackers install malware on a computer and change the local DNS settings to redirect to malicious websites. A router DNS hijack takes advantage of default passwords and firmware vulnerabilities, allowing hackers to take over the router and overwrite its DNS settings; this affects all users of the compromised router. Man in the middle refers to hackers intercepting traffic between DNS servers and users and changing the destination IP to that of a malicious website. A rogue DNS server attack happens when a server is hacked and its DNS records are changed to redirect requests to malicious sites.
Domain shadowing is a popular form of DNS hijacking. This form of attack allows hackers to avoid detection by operating off legitimate domains. Once hackers gain access to a domain administrator's account, they create multiple subdomains within the domain, which allows them to bypass deny lists. A deny list (often referred to as a blocklist or blacklist) is a list of sites or programs that are not allowed to be run or visited. Gaining access to these accounts can be done through phishing or dictionary attacks, as well as other methods. Phishing lures people into providing sensitive account data by posing as a legitimate institution; it is often carried out over email, text, or phone. A dictionary attack is usually carried out by a computer that systematically guesses every possible password; usually, a list of common passwords is given for the computer to try. Alternatively, hackers can purchase their own domain to use; this is called malicious registration.
The created subdomains are used, discarded, and replaced rapidly, while all existing records remain undisturbed so that existing services keep functioning and the attack avoids detection. They are also kept separate from the victim's website: no links or references appear on the main site, and nothing on the malicious site refers to the main site. This can leave both the domain owner and users unaware of the attack, as everything appears normal.
Hackers can use these subdomains in many ways, from theft to distributing malware or forwarding users to other criminal resources. Using subdomains for phishing allows hackers to steal passwords, banking information, and personal data, which they can then use or sell. Malware distribution through these domains enables cryptojacking, which uses the compromised device to generate cryptocurrency without the owner's knowledge. This kind of malware can infect your machine when you view ads or solve a captcha.
Current detection and purging methods are slow and labor-intensive. Detection of shadow domains relies on the discovery of the hackers’ campaigns that used those domains. To mitigate this, Palo Alto has created a system that processes large amounts of passive DNS logs every day and uses machine learning to identify shadow domains. Using this system, Palo Alto was able to find almost 12,000 more shadow domains than VirusTotal, which found only 200 in a one-month span.
Domain shadowing is extremely difficult to identify, so it’s best to take preventative measures. Domain owners should check their DNS records for unknown subdomains. As a user, pay close attention to emails, texts, and phone calls. If someone is asking for personal information, always double-check that they are who they say they are and that the website is legitimate. If texts or emails include links, go to the website yourself instead of clicking. If you still aren’t sure, contact the company and/or person through a different method, one listed separately from the original message.
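As an added example (not from the original post, and not Palo Alto's system), here is a small owner-side check that ties the passive-DNS idea above to the advice to look for unknown subdomains: it reads a constructed passive-DNS-style export for one zone and flags subdomains that combine the traits described earlier (absent from the owner's inventory, resolving away from the legitimate site, and short-lived). The example.com names, documentation-range IPs, dates, the CSV column layout, and the seven-day threshold are all assumptions.

```python
# Added example, not from the original post: a small shadow-domain triage check
# for domain owners. It reads a passive-DNS-style export for one zone and flags
# subdomains that combine the traits the article describes: not in the owner's
# inventory, resolving somewhere other than the legitimate site, and short-lived.
from datetime import date
import ipaddress

# Constructed sample export (invented names, dates and documentation-range IPs).
# Columns: name,type,value,first_seen,last_seen
PDNS_EXPORT = """\
www.example.com,A,198.51.100.10,2024-01-01,2024-06-30
mail.example.com,A,198.51.100.20,2024-01-01,2024-06-30
blog.example.com,CNAME,www.example.com,2024-02-01,2024-06-30
ab3f9x.example.com,A,203.0.113.77,2024-05-12,2024-05-14
login-verify.example.com,A,203.0.113.78,2024-05-13,2024-05-13
"""

# Hypothetical owner inventory: the subdomains the owner actually created and
# the network the legitimate site lives in.
KNOWN_SUBDOMAINS = {"www.example.com", "mail.example.com", "blog.example.com"}
LEGIT_NETWORK = ipaddress.ip_network("198.51.100.0/24")
SHORT_LIVED_DAYS = 7  # a record seen for a week or less counts as short-lived

def parse_export(text):
    """Parse the CSV-style export into (name, rtype, value, first_seen, last_seen)."""
    rows = []
    for line in text.strip().splitlines():
        name, rtype, value, first, last = line.split(",")
        rows.append((name, rtype, value, date.fromisoformat(first), date.fromisoformat(last)))
    return rows

def find_shadow_candidates(text, known=KNOWN_SUBDOMAINS, legit_net=LEGIT_NETWORK):
    """Return (name, reasons) pairs for subdomains showing two or more signals."""
    findings = []
    for name, rtype, value, first, last in parse_export(text):
        reasons = []
        if name not in known:
            reasons.append("not in owner inventory")
        # A/AAAA values are IP addresses; CNAME and other values are names and skipped.
        if rtype in ("A", "AAAA") and ipaddress.ip_address(value) not in legit_net:
            reasons.append("resolves outside legitimate network")
        if (last - first).days <= SHORT_LIVED_DAYS:
            reasons.append("short-lived")
        # Two signals are required so a freshly added legitimate host is not
        # flagged on lifetime alone.
        if len(reasons) >= 2:
            findings.append((name, tuple(reasons)))
    return findings
```

Run against a real export, the flagged names are a review queue for the domain owner, not a verdict; a legitimately new host in the inventory is never flagged on lifetime alone.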
Understanding how DNS works shows us how things go wrong, helps us identify vulnerabilities, and shows us what to prepare for. Domain shadowing is a serious form of DNS hijacking and must be treated as such. Active security awareness can help prevent hackers from creating shadow domains and make users less likely to fall victim to them. Although detecting shadow domains can be difficult, security advancements made by Palo Alto are making it harder for hackers to hide. As a user or a domain owner, everyone has a role in staying safe on the internet and not falling victim to shadow domains.