Researchers from Palo Alto Networks uncovered 12,197 instances in which threat actors used “domain shadowing” in cyberattacks.
Domain shadowing is a subcategory of DNS hijacking. It involves threat actors compromising the DNS of a legitimate domain to host their own subdomains for use in malicious activities.
The subdomains are used to create malicious pages on the servers of the cyber criminals, while the websites and DNS records of the domain owner remain unchanged, and the owners do not realize that they have been breached.
According to the researchers, the tactic is lucrative for hackers because it is difficult to detect genuine cases of domain shadowing. Of the 12,197 domains detected, only 200 are marked as malicious, and most of the discoveries related to a single phishing campaign that used a network of 649 shadowed domains on 16 compromised websites.
Although protection against rogue subdomains is the responsibility of domain owners, registrars and DNS service providers, it is important that users remain cautious when submitting data. They are advised to double-check everything before submitting credentials or other sensitive information.
The sources for this piece include an article in BleepingComputer.