Domain shadowing is a new type of attack. It is the latest evolution of online crime and is designed to compromise websites before security researchers and system administrators can react.
Cisco security researcher Nick Biasini reports that "massive" and ongoing attacks that use Adobe Flash and Microsoft's Silverlight were launched in December, compared to the small, sporadic campaigns of 2011. Here's his breakdown:
"Domain shadowing uses stolen registrant credentials, which makes it the most effective, and the most difficult to block, of the techniques used to date. The accounts are largely random, so there is no way to detect which domain will be the next victim.
In addition, the subdomains are very high-volume, short-lived, and random, with no discernible patterns. This makes blocking them increasingly difficult. Finally, it hinders research: it is getting progressively harder to get active samples from an exploit kit landing page that is active for less than an hour."
Biasini reports that the attacks begin with phishing emails that appear to come from the targeted registrar, and that they are effective because most people don't regularly monitor their domain accounts.
The rotation speed is what sets domain shadowing apart from fast flux: it is a new form of fast flux that keeps emerging exploits out of sight of security researchers. Biasini calls it the new "industrialization of hacking."
One third of the 10,000 dummy domains used come from GoDaddy.
The first tier of subdomains is generally used only to redirect victims to a second tier of landing pages that host the Angler exploit kit.
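Because the subdomains are high-volume, short-lived and random (as Biasini describes above), a defender's best signal is the pattern itself rather than any individual name. The following Python script is an added example, not code from Cisco or from the research it reports on: it reads constructed DNS query log lines and flags a registered domain when it suddenly sprouts many random-looking subdomains that each live only minutes. The domain names, IP addresses and timestamps are constructed for the example, and splitting off the registered domain as the last two labels is a simplification that ignores public-suffix rules such as `.co.uk`.

```python
"""Heuristic detection of domain-shadowing activity in DNS query logs.

Added example; not the researcher's or Cisco's code. A registered domain is
flagged when it shows many distinct, high-entropy subdomains whose observed
lifetime (first seen to last seen) is short, which is the behaviour the
research above describes. The registered-domain split below takes the last
two labels and is a simplification (no public-suffix handling).
"""
from collections import Counter, defaultdict
from datetime import datetime
import math
import statistics

# Constructed log lines: "<timestamp> <qname> <rtype> <rdata>".
# example-shop.com is a normal site; example-blog.net shows shadowing-like churn.
SAMPLE_LOG = """\
2015-03-01T10:00:05Z www.example-shop.com A 203.0.113.10
2015-03-01T10:20:00Z mail.example-shop.com A 203.0.113.11
2015-03-02T09:00:00Z www.example-shop.com A 203.0.113.10
2015-03-01T10:00:01Z gk3qz7v.example-blog.net A 198.51.100.5
2015-03-01T10:12:45Z gk3qz7v.example-blog.net A 198.51.100.5
2015-03-01T10:15:03Z p0xw9rt2.example-blog.net A 198.51.100.6
2015-03-01T10:41:20Z p0xw9rt2.example-blog.net A 198.51.100.6
2015-03-01T11:02:11Z e7lb4mqs.example-blog.net A 198.51.100.7
2015-03-01T11:20:00Z e7lb4mqs.example-blog.net A 198.51.100.7
2015-03-01T11:30:00Z zq91hx.example-blog.net A 198.51.100.8
2015-03-01T11:35:00Z zq91hx.example-blog.net A 198.51.100.8
2015-03-01T12:00:00Z vt8sk3nd.example-blog.net A 198.51.100.9
2015-03-01T12:10:00Z vt8sk3nd.example-blog.net A 198.51.100.9
"""


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a single DNS label."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain) or None if there is no subdomain.

    Simplification: the registered domain is the last two labels.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str, min_subdomains: int = 5,
            max_median_lifetime_s: float = 3600.0,
            min_mean_entropy: float = 2.5) -> dict:
    """Summarise subdomain churn per registered domain and flag shadowing."""
    # registered domain -> subdomain -> [first_seen, last_seen]
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, qname, _rtype, _rdata = line.split()
        parts = split_qname(qname)
        if parts is None:
            continue
        reg, sub = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        window = seen[reg].setdefault(sub, [when, when])
        window[0] = min(window[0], when)
        window[1] = max(window[1], when)

    report = {}
    for reg, subs in seen.items():
        # A subdomain seen only once has a lifetime of 0 s; the count
        # threshold keeps a lone one-off lookup from triggering on its own.
        lifetimes = [(last - first).total_seconds() for first, last in subs.values()]
        entropies = [label_entropy(sub.split(".")[0]) for sub in subs]
        distinct = len(subs)
        median_lifetime = statistics.median(lifetimes)
        mean_entropy = statistics.fmean(entropies)
        report[reg] = {
            "distinct_subdomains": distinct,
            "median_lifetime_s": median_lifetime,
            "mean_label_entropy": mean_entropy,
            "flagged": (distinct >= min_subdomains
                        and median_lifetime <= max_median_lifetime_s
                        and mean_entropy >= min_mean_entropy),
        }
    return report


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        status = "SHADOWING?" if info["flagged"] else "ok"
        print(f"{domain:20} subs={info['distinct_subdomains']:3d} "
              f"median_life={info['median_lifetime_s']:8.0f}s "
              f"entropy={info['mean_label_entropy']:.2f}  {status}")
```

In practice the three thresholds (subdomain count, median lifetime, label entropy) are tuned against your own resolver or passive-DNS data, and a flagged registered domain is a prompt to check the registrar account for unauthorised logins and stray DNS records, which is the root cause the research points to.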
You can read more about the new type of attack in the researcher's publication.