
Hackers turn to domain shadowing for stealthy attacks, here’s how it works

According to a threat analysis by Palo Alto Networks Unit 42, a deceptive phishing technique called domain shadowing is on the rise, and it may be more widespread than information security experts previously assumed. Between April 25 and June 27, 2022, the company found 12,197 shadowed domains being used to serve malicious content.

A shadowed domain is usually a subdomain that has been surreptitiously added under a generally reputable domain, so that it looks legitimate when it is not. For example, if you visit something like “yourbank[.]com” and are asked to log in to your account, you might not think twice. A shadowed subdomain, however, can present the same login page at “problem[.]yourbank[.]com”. That page can be used to steal your login credentials, with an end result similar to the fake Steam login pages shown in the browser that we recently wrote about.

The report goes on to point out that detecting shadowed domains is quite difficult. Subdomains are often set up quickly and easily, and usually on purpose: a web design company, for example, will request a subdomain to test a redesign for its client. In other cases a legitimately added service is compromised. Unit 42’s automated detection method requires several conditions to be met. Among other things, it checks whether the subdomain matches the naming pattern of the domain’s other subdomains, whether the IP address the subdomain points to differs significantly from that of the root domain, and how long the subdomain has been active.


Screenshot of fake login shown from hidden domain

There are several ways to spot shadowed domains yourself. If you own a domain, check your DNS records for subdomains you don’t recognize. If you find any, change your password and, where applicable, other access credentials, then delete those subdomains. If you’re an ordinary user, be very careful about which address a link in an email actually takes you to, and check who really sent the message. If you are prompted to sign in, look at the address bar: if you don’t recognize the full domain name, including the subdomain, don’t log in. You can also contact the institution whose website you are trying to reach to confirm the details yourself; if it’s your bank, call the number printed on your statements. You can read the full Unit 42 report here.
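As an added illustration (not code from Unit 42 or this article), the script below applies the three heuristics the report describes, naming pattern, IP address relative to the root domain, and record lifetime, to a constructed zone export for a hypothetical domain, the kind of DNS record review a domain owner is advised to do above. The records, the "same /24 means same network" shortcut and the two-reason threshold are assumptions; a real review would use ASN or ownership data and your provider's actual zone history.

```python
import ipaddress
import re
from datetime import date

# Constructed sample zone for a hypothetical domain: (label, IPv4, first seen, last seen).
# In practice these come from your DNS provider's zone export or passive-DNS history.
APEX_IP = "203.0.113.10"
AS_OF = date(2022, 6, 27)
RECORDS = [
    ("www",               "203.0.113.10", date(2019, 3, 1),  date(2022, 6, 27)),
    ("mail",              "203.0.113.11", date(2019, 3, 1),  date(2022, 6, 27)),
    ("staging",           "203.0.113.12", date(2021, 9, 1),  date(2022, 6, 27)),
    ("dev2",              "203.0.113.12", date(2021, 11, 1), date(2022, 6, 27)),
    ("test",              "203.0.113.12", date(2022, 6, 1),  date(2022, 6, 27)),
    ("login-verify-a7f3", "198.51.100.77", date(2022, 6, 20), date(2022, 6, 23)),
]

def shape(label):
    """Collapse a label to its 'shape': runs of letters -> 'a', runs of digits -> '9', hyphens kept."""
    return re.sub(r"\d+", "9", re.sub(r"[a-z]+", "a", label.lower()))

def same_network(ip_a, ip_b, prefix=24):
    """Crude 'same hosting' test (assumption): both addresses fall in the same /24."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b

def assess(records, apex_ip, as_of, established_days=90, short_lived_days=7):
    """Return {label: [reasons]} for every record, using the three heuristics from the report."""
    # Naming patterns are learned only from records old enough to be trusted.
    established = {shape(lab) for lab, _, first, _ in records
                   if (as_of - first).days >= established_days}
    findings = {}
    for label, ip, first, last in records:
        reasons = []
        if shape(label) not in established:
            reasons.append("name does not fit the zone's existing naming pattern")
        if not same_network(ip, apex_ip):
            reasons.append("resolves outside the root domain's network")
        if (last - first).days < short_lived_days:
            reasons.append("short-lived record")
        findings[label] = reasons
    return findings

def suspicious(findings, min_reasons=2):
    """Labels that trip at least min_reasons heuristics and deserve a manual look."""
    return sorted(lab for lab, reasons in findings.items() if len(reasons) >= min_reasons)

if __name__ == "__main__":
    found = assess(RECORDS, APEX_IP, AS_OF)
    for label in suspicious(found):
        print(f"{label}: {'; '.join(found[label])}")
```

With the constructed records, only `login-verify-a7f3` trips all three heuristics, while the recently created but otherwise ordinary `test` record trips none.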