At the FIRST conference, James Pleger and William MacArthur from RiskIQ described a relatively new technique being used to create DNS domain names for use in phishing, spam, malware and other types of harmful Internet activity. Rather than registering their own domains, perpetrators obtain the usernames and passwords used by legitimate registrants to manage their own domains on registrars’ web portals. They can then create their own subdomains (for example badhost.realbusiness.com) and point them at the malicious hosts they control.
Subdomains registered in this way, known as “domain shadowing”, have a number advantages for the perpetrator. They may gain some credibility with potential victims from appearing to be part of a legitimate business. For incident response teams they may be harder to spot as the (original) registrant’s details are valid and the registered domain appears normal in terms of its lifecycle. RiskIO estimate that at least 27,000 registrant accounts have been compromised and used in this way. That’s a small percentage of the total number of registrants, but it seems that as much as 40% of malicious internet activity may involve shadowed domains at some stage.
Depressing to report, domain management passwords seem to be discovered in much the same ways as any others. They may be simple enough to guess, or obtained through phishing, or reused by the same person on some less secure site than a domain name registry. The password that gives control of your domain ought to be important enough to be long and complex, not reused on other sites, and only entered into websites with great care. Better yet, if your domain registry offers two-factor authentication, or other ways of validating that you are indeed the registrant when you request changes, consider taking up that offer.
