Thursday, 5 March 2015

Hackers Targets Subdomains Of GoDaddy Customers

Hackers Targets Subdomains Of GoDaddy Customers
Cisco’s Talos intelligence team has identified an Angler Exploit Kit campaign that's using subdomains of GoDaddy customers to serve malwares or redirect victims to attack sites. Researchers says the Angler campaign is using a technique called "Domain Shadowing" to carry-out the malicious activities.

DOMAIN SHADOWING

Domain shadowing is the process of using users domain registration logins (stolen domain registration logins ) to create subdomains. Since the domain owners rarely monitor their domain registration credentials, the attackers are able to create massive list of malicious subdomains.
Cisco said, "We have identified close to 10K unique subdomains being utilized. This behaviour has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses. Since this campaign has done an exceptional job of rotation not only the subdomains, but also the IP addresses associated with the campaign."

"These subdomains are being rotated quickly minimizing the time the exploits are active, further hindering both block list effectiveness and analysis. This is all done with the users already registered domains.  No additional domain registration was found," they added.

Talos first spotted domain shadowing in September 2011. In May 2014, a new campaign started that was part of a browser lock campaign. The commonality of this campaign was the creation of police and alertpolice subdomains. These subdomains were created to serve the notification to compromised systems and provide payment details.

SUBDOMAIN ANALYSIS

The attackers creates multiple tiers of malicious subdomains including the tier responsible for the redirection to the actual exploit kit landing page.


Nick Biasini , threat researcher at Talos said, "The amount of subdomains being utilized for landing pages and exploits are greater than those used for redirection, by a factor of five. This could be related to the chain of events leading to compromise."

"From an IP address perspective the same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account. There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IP’s have been seen utilizing malicious subdomains," he added.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)