"Domain shadowing using compromised registrant credentials is the most effective, difficult-to-stop technique that threat actors have used to date. The accounts are largely random, so there is no way to track which domains will be used next," said Nick Biasini.
"Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult. Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples."
- Users are served malicious advertisements in the web browser.
- The malicious ad redirects the user to the first tier of shadowed subdomains, known as the "gate".
- The first tier redirects victims to a landing page hosting the Angler Exploit Kit, which serves an Adobe Flash or Microsoft Silverlight exploit.
- This final landing page is rotated heavily; some pages are active for only a matter of minutes.
"The same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account," Biasini wrote. "There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IPs have been seen utilizing malicious subdomains."
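The attack chain and the infrastructure pattern described above (many random, short-lived subdomains under otherwise legitimate registered domains, resolving to a small pool of IPs shared across several domains) can be turned into a hunting query over passive DNS or proxy logs. The following is an added example written for this page, not tooling from Cisco Talos or from the article. The records, the thresholds (`SHORT_LIVED_HOURS`, `MIN_RANDOM_LABELS`), the "random-looking label" heuristic and the naive last-two-labels registered-domain split are all assumptions made for the illustration; a production version would use the Public Suffix List and tune the thresholds against your own baseline.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style records for illustration only (not real observations):
# (fqdn, resolved_ip, first_seen, last_seen) with ISO-8601 timestamps.
RECORDS = [
    ("www.example-legit.com",      "203.0.113.10", "2015-03-01T08:00:00", "2015-03-06T08:00:00"),
    ("mail.example-legit.com",     "203.0.113.11", "2015-03-01T08:00:00", "2015-03-06T08:00:00"),
    ("kq7zx1v.example-legit.com",  "198.51.100.5", "2015-03-04T10:00:00", "2015-03-04T10:40:00"),
    ("t8m2pq9w.example-legit.com", "198.51.100.5", "2015-03-04T11:00:00", "2015-03-04T11:25:00"),
    ("zd4hq83.example-legit.com",  "198.51.100.6", "2015-03-04T12:10:00", "2015-03-04T12:30:00"),
    ("p0vn6k2.other-victim.net",   "198.51.100.5", "2015-03-04T10:05:00", "2015-03-04T10:50:00"),
    ("x9qw3lr.other-victim.net",   "198.51.100.6", "2015-03-04T13:00:00", "2015-03-04T13:15:00"),
    ("www.other-victim.net",       "203.0.113.20", "2015-02-01T00:00:00", "2015-03-06T00:00:00"),
    ("blog.clean-site.org",        "203.0.113.30", "2015-01-01T00:00:00", "2015-03-06T00:00:00"),
    ("shop.clean-site.org",        "203.0.113.31", "2015-01-01T00:00:00", "2015-03-06T00:00:00"),
]

SHORT_LIVED_HOURS = 2.0   # assumed threshold; the article reports landing pages live under an hour
MIN_RANDOM_LABELS = 2     # assumed: at least this many random, short-lived subdomains per domain


def registered_domain(fqdn):
    # Naive "last two labels" split (assumption); real tooling should use the Public Suffix List.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def leftmost_label(fqdn):
    return fqdn.lower().split(".")[0]


def shannon_entropy(s):
    # Bits of entropy per character of the label.
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    # Heuristic (assumption): generated labels mix digits with letters and have high
    # character entropy, or are long strings with almost no vowels. Dictionary-style
    # hostnames such as "www", "mail" or "shop" fail both tests.
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    has_digit = any(ch.isdigit() for ch in label)
    return (has_digit and shannon_entropy(label) >= 2.5) or (len(label) >= 6 and vowel_ratio < 0.15)


def lifetime_hours(first_seen, last_seen):
    fmt = "%Y-%m-%dT%H:%M:%S"
    delta = datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)
    return delta.total_seconds() / 3600.0


def analyze(records):
    """Per registered domain: how many subdomains look random, are short-lived,
    or resolve to an IP that is also used by another registered domain."""
    ip_to_domains = defaultdict(set)
    for fqdn, ip, _, _ in records:
        ip_to_domains[ip].add(registered_domain(fqdn))

    stats = defaultdict(lambda: {"subdomains": 0, "random": 0, "short_lived": 0,
                                 "shared_ip": 0, "ips": set()})
    for fqdn, ip, first, last in records:
        s = stats[registered_domain(fqdn)]
        s["subdomains"] += 1
        s["ips"].add(ip)
        if looks_random(leftmost_label(fqdn)):
            s["random"] += 1
        if lifetime_hours(first, last) <= SHORT_LIVED_HOURS:
            s["short_lived"] += 1
        if len(ip_to_domains[ip]) >= 2:
            s["shared_ip"] += 1
    return stats


def flag_shadowed(records):
    """Registered domains whose subdomain population matches the domain-shadowing pattern."""
    flagged = []
    for reg, s in sorted(analyze(records).items()):
        if (s["random"] >= MIN_RANDOM_LABELS and s["short_lived"] >= MIN_RANDOM_LABELS
                and s["shared_ip"] >= 1):
            flagged.append(reg)
    return flagged


if __name__ == "__main__":
    for reg, s in sorted(analyze(RECORDS).items()):
        print(f"{reg:20} subdomains={s['subdomains']} random={s['random']} "
              f"short_lived={s['short_lived']} shared_ip={s['shared_ip']} ips={len(s['ips'])}")
    print("flagged:", flag_shadowed(RECORDS))
```

The three signals are deliberately combined rather than used alone: a single random-looking label is common in CDN and tracking hostnames, and a shared IP is normal for shared hosting, but a registered domain that suddenly sprouts several short-lived generated labels pointing at addresses also used by other domains' generated labels is the shape the article describes. Pivoting from the flagged IPs back to every registered domain they serve is the natural next step for expanding the block list.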