Why are cybercriminals using more Domain Shadowing?

Published September 22, 2022
Author: Ash Khan

There have been 12,197 cases reported for domain shadowing between April 2022 and June 2022.

Domain shadowing is a form of DNS hijacking. The attacker compromises the DNS of a legitimate domain and uses it to create new subdomains for malicious activity, while leaving the domain's existing, legitimate DNS records untouched. Because nothing changes in the existing records or on the main page of the website, the owner never realizes that the domain has been hijacked.

The hijacker can point these subdomains at C2 (command and control) addresses, malware drop points, and phishing sites, damaging the reputation of the hijacked website in the process. The attacker also has the access needed to change existing DNS records and target the owner and other users directly, but prefers to stay hidden.

Because the perpetrator is hard to detect, this method is very attractive to attackers. According to analysts, VirusTotal detected only 200 of the 12,197 cases, and 151 of those were related to a single phishing campaign that used 649 domains created by compromising 16 websites.

Unit 42 explained that domain shadowing is a threat to companies because the attack is hard to detect without automated machine-learning algorithms, which are the only practical way to analyze large volumes of DNS logs. Shadowed subdomains look trustworthy to users, so users submit their data to them; such a page can direct users to phishing sites without email security flagging anything, and attackers harvest Microsoft credentials without any warning to the user.
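The kind of DNS-log analysis Unit 42 refers to can be approximated with simple heuristics before any machine learning is involved. The following is an added example, not code from the article or from Unit 42: it scans constructed passive-DNS style records and flags subdomains whose A record points outside the IPs used by the domain's own apex and www hosts, and subdomains from different registrable domains that all resolve to the same IP (the pattern of one campaign spread across many compromised domains). The log format, the "apex and www are owner-controlled" baseline assumption, and the two-label root-domain extraction are all simplifications made for this example; production code would use the Public Suffix List and real passive-DNS data.

```python
"""Heuristic detection of domain-shadowing candidates in passive DNS records.

Added example for illustration; the log lines below are constructed, not real.
"""
from collections import defaultdict

# Constructed records in the form "<first_seen> <fqdn> <rtype> <value>".
# 198.51.100.77 is the (made-up) attacker host shared by shadowed subdomains
# of two unrelated compromised domains; mail.example-shop.com is a legitimate
# host on a second owner IP, included to show the noise a single signal gives.
SAMPLE_LOG = """\
2022-04-01 example-shop.com A 203.0.113.10
2022-04-01 www.example-shop.com A 203.0.113.10
2022-04-02 mail.example-shop.com A 203.0.113.11
2022-05-30 login-verify.example-shop.com A 198.51.100.77
2022-05-30 secure-update.example-shop.com A 198.51.100.77
2022-04-03 city-library.org A 192.0.2.20
2022-04-03 www.city-library.org A 192.0.2.20
2022-05-31 account-check.city-library.org A 198.51.100.77
2022-04-05 travel-blog.net A 192.0.2.40
2022-04-05 www.travel-blog.net A 192.0.2.40
"""


def root_domain(fqdn):
    """Registrable domain. Assumption for this example: the last two labels.
    Real code should consult the Public Suffix List (e.g. for .co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_owner_host(fqdn, root):
    """Apex and www hosts are assumed to reflect owner-controlled infrastructure."""
    return fqdn in (root, "www." + root)


def parse_records(text):
    """Parse log lines into dicts; keeps only A records, skips blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first_seen, fqdn, rtype, value = line.split()
        if rtype != "A":
            continue
        fqdn = fqdn.lower()
        records.append({"first_seen": first_seen, "fqdn": fqdn,
                        "ip": value, "root": root_domain(fqdn)})
    return records


def baseline_ips(records):
    """Set of IPs used by the apex/www hosts of each root domain."""
    base = defaultdict(set)
    for r in records:
        if is_owner_host(r["fqdn"], r["root"]):
            base[r["root"]].add(r["ip"])
    return base


def find_shadow_candidates(records, min_shared_roots=2):
    """Return subdomains that trip at least one heuristic.

    Signal 1: the subdomain's IP is not one the owner's apex/www hosts use.
    Signal 2: the same IP serves subdomains under >= min_shared_roots distinct
              root domains (one campaign reusing infrastructure across victims).
    A candidate is high confidence only when both signals fire.
    """
    base = baseline_ips(records)
    roots_per_ip = defaultdict(set)
    for r in records:
        if not is_owner_host(r["fqdn"], r["root"]):
            roots_per_ip[r["ip"]].add(r["root"])

    candidates = []
    for r in records:
        if is_owner_host(r["fqdn"], r["root"]):
            continue
        reasons = []
        if r["ip"] not in base[r["root"]]:
            reasons.append("ip_outside_owner_baseline")
        shared = len(roots_per_ip[r["ip"]])
        if shared >= min_shared_roots:
            reasons.append("ip_shared_across_%d_roots" % shared)
        if reasons:
            candidates.append({"fqdn": r["fqdn"], "ip": r["ip"],
                               "first_seen": r["first_seen"],
                               "reasons": reasons,
                               "high_confidence": len(reasons) == 2})
    return candidates


if __name__ == "__main__":
    for c in find_shadow_candidates(parse_records(SAMPLE_LOG)):
        tag = "HIGH" if c["high_confidence"] else "low "
        print(tag, c["first_seen"], c["fqdn"], c["ip"], ", ".join(c["reasons"]))
```

Running it flags the three subdomains on 198.51.100.77 as high confidence and mail.example-shop.com as low confidence, which is the point: a subdomain on an unfamiliar IP alone is weak evidence (mail, CDN and SaaS hosts do this legitimately), while an unfamiliar IP that also serves subdomains of several unrelated domains is the cross-victim pattern worth triaging. Adding first-seen age relative to the apex record, registrar change events, and TLS certificate transparency lookups would tighten the heuristic further.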

Although it is the responsibility of DNS providers, domain registrars, and service providers to protect users, users should take precautions before submitting their data to any website. Domain shadowing means that a subdomain of a well-reputed website may be under attacker control and can direct users to phishing websites, so users should double-check before submitting data.