Skip to main content

Hackers may be hiding in plain sight on your favorite website

Security researchers have detailed how domain shadowing is becoming increasingly popular for cybercriminals.

As reported by Bleeping Computer, analysts from Palo Alto Networks (Unit 42) revealed how they came across over 12,000 such incidents over just a three-month period (April to June, 2022).

A depiction of a hacked computer sitting in an office full of PCs.
Getty Images

An offshoot of DNS hijacking, domain shadowing provides the ability to create malicious subdomains by infiltrating legitimate domains. As such, shadowed domains won’t have any impact on the parent domain, which naturally makes them difficult to detect.

Recommended Videos

Cybercriminals can subsequently use these subdomains to their advantage for various purposes, including phishing, malware distribution, and command and control (C2) operations.

“We conclude from these results that domain shadowing is an active threat to the enterprise, and it is hard to detect without leveraging automated machine learning algorithms that can analyze large amounts of DNS logs,” Unit 42 stated.

Once access has been obtained by threat actors, they could opt to breach the main domain itself and its owners, as well as target users from that website. However, they’ve had success by luring in individuals via the subdomains instead, in addition to the fact that the attackers remain undetected for much longer by relying on this method.

Due to the subtle nature of domain shadowing, Unit 42 mentioned how detecting actual incidents and compromised domains is difficult.

In fact, the VirusTotal platform identified just 200 malicious domains out of the 12,197 domains mentioned in the report. The majority of these cases are connected to an individual phishing campaign that uses a network of 649 shadowed domains via 16 compromised websites.

A system hacked warning alert being displayed on a computer screen.
Getty Images

The phishing campaign revealed how the aforementioned subdomains displayed fake login pages or redirected users to phishing pages, which can essentially circumvent email security filters.

When the subdomain is visited by a user, credentials are requested for a Microsoft account. Even though the URL itself isn’t from an official source, internet security tools aren’t capable of differentiating between a legitimate and fake login page as no warnings are presented.

One of the cases documented by the report showed how an Australian-based training company confirmed it was hacked to its users, but the damage was already done through the subdomains. A progress bar for the rebuild process was showcased on its website.

Currently, Unit 42’s “high-precision machine learning model” has discovered hundreds of shadowed domains created on a daily basis. With this in mind, always double-check the URL of any website that requests data from you, even if the address is hosted on a trusted domain.

Zak Islam
Former Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
Hackers targeted 1Password after Okta breach, but your logins are safe
A dark mystery hand typing on a laptop computer at night.

Security credentials like usernames and passwords are a tempting target for hackers, and even the best password managers can come under threat from time to time. That was the case recently with the popular password manager 1Password, which recently disclosed (via Bleeping Computer) that its Okta support system was breached by malicious hackers.

Fortunately, it doesn’t appear that any customer data was stolen, so if you use 1Password, your login info should be safe for now. However, it’s always good to regularly update your passwords (or use passkeys) just in case they fall into the wrong hands.

Read more
Hackers are using this incredibly sneaky trick to hide malware
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

One of the most important things you can do to protect your online security is install one of the best password managers, but a recent cyberattack proves that you have to be careful even when doing that. Thanks to some sneaky malware hidden in Google Ads, you could end up with viruses riddling your PC.

The issue affects popular password manager KeePass -- or rather, it attempts to impersonate KeePass by using misleading Google Ads. First spotted by Malwarebytes, the nefarious link appears at the top of search results, meaning you’ll likely see it before the legitimate websites that follow beneath it.

Read more
Bing Chat just beat a security check to stop hackers and spammers
A depiction of a hacker breaking into a system via the use of code.

Bing Chat is no stranger to controversy -- in fact, sometimes it feels like there’s a never-ending stream of scandals surrounding it and tools like ChatGPT -- and now the artificial intelligence (AI) chatbot has found itself in hot water over its ability to defeat a common cybersecurity measure.

According to Denis Shiryaev, the CEO of AI startup Neural.love, chatbots like Bing Chat and ChatGPT can potentially be used to bypass a CAPTCHA code if you just ask them the right set of questions. If this turns out to be a widespread issue, it could have worrying implications for everyone’s online security.

Read more