Hackers and cyber-criminals are exploiting a loophole in the domain name registration process to infect visitors to legitimate websites and increase the life cycle of cyber-attacks.
The warning comes from secure web gateway products developer Finjan, which says that attacks using this method typically involve a copycat domain name that is very similar in spelling to legitimate and frequently used site domains.
Finjan CTO Yuval Ben-Itzhak says that it is this similarity to legitimate trusted domain names that enables these attacks to go unnoticed by webmasters and security solution providers.
In particular, the “abuse of trusted domain names” attack vector was spotted in October by Finjan’s Malicious Code Research Centre (MCRC) while searching for domain names that mimic popular services with a slight change of top-level domain.
When Finjan’s MCRC investigated http://go*gle-stat******.org, it found that the site took advantage of a domain name similar to that of a legitimate, popular service and contained malicious code designed to download and execute a Trojan on the visitor’s machine. The malicious code itself was hosted on the abused domain name.
What’s more, when Finjan looked into where the domain name hosting the malicious site was located, it made another interesting finding: the code was hosted on an IP address belonging to a trusted domain. Shortly after contacting the security team of that domain, Finjan was notified that the necessary action had been taken.
A subsequent check showed that the malicious code is indeed no longer available on the hosting servers. Since domain name registration is not adequately policed or scrutinized, cyber criminals can potentially set up a malicious website under any domain name they like, Ben-Itzhak observes.
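The article describes copycat domains that differ from a trusted name only by a swapped top-level domain, a single typo, or by embedding the trusted brand in a longer registered name. The following is an added example from the editor, not Finjan’s code or tooling, of how a defender might flag such lookalikes in proxy logs: the trusted-domain list, the log lines and the hostname field format are all constructed for the example, and the registrable-domain split ignores multi-part public suffixes such as co.uk.

```python
"""
Lookalike-domain detector: flags hostnames in proxy logs that imitate a
trusted domain by swapping the TLD, typo-squatting the label, or embedding
the trusted brand inside a longer registered name.
"""
import re

# Constructed allow-list of trusted registrable domains (assumption: in
# practice this comes from the organisation's own policy or a threat feed).
TRUSTED_DOMAINS = [
    "google.com",
    "google-analytics.com",
    "paypal.com",
    "microsoft.com",
]

# Constructed sample proxy log lines, hand-written for this example.
SAMPLE_LOG = """\
1697000001.123 client=10.0.0.5 host=www.google.com status=200
1697000002.456 client=10.0.0.5 host=google-analytics.org status=200
1697000003.789 client=10.0.0.7 host=g0ogle.com status=200
1697000004.012 client=10.0.0.8 host=google-statistics.org status=200
1697000005.345 client=10.0.0.9 host=example.net status=200
"""

# Assumed log format: a "host=<hostname>" field somewhere on each line.
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def registrable(host):
    """Return (label, tld) for the last two DNS labels of a hostname.

    Multi-part public suffixes such as co.uk are not handled; a real
    deployment would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def levenshtein(a, b):
    """Classic edit distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED_DOMAINS):
    """Return one of: 'trusted', 'tld-swap', 'typo', 'brand-embedded',
    'unrelated'.  Checks run from most to least specific so that a TLD
    swap is not mislabelled as a typo."""
    label, tld = registrable(host)
    parsed = [registrable(t) for t in trusted]
    if any(label == tl and tld == tt for tl, tt in parsed):
        return "trusted"
    if any(label == tl and tld != tt for tl, tt in parsed):
        return "tld-swap"          # e.g. google-analytics.org vs .com
    if any(levenshtein(label, tl) <= 1 for tl, _ in parsed):
        return "typo"              # e.g. g0ogle.com
    if any(tl in label.split("-") and label != tl for tl, _ in parsed):
        return "brand-embedded"    # e.g. google-statistics.org
    return "unrelated"


def scan_log(text):
    """Return [(host, verdict)] for every host= field whose verdict is a
    lookalike category, i.e. the entries worth an analyst's attention."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        verdict = classify(host)
        if verdict not in ("trusted", "unrelated"):
            findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:15s} {host}")
```

The ordering of checks matters: a domain whose label matches exactly but whose TLD differs is reported as a TLD swap rather than as a typo, and an edit distance of one is deliberately strict so that the detector surfaces close imitations without drowning analysts in unrelated short domains that happen to be a few letters apart.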
“In today’s dynamic web environment, it is becoming increasingly difficult to keep track of the malicious content by maintaining lists of malicious domain names or URLs,” he says. “In order to safeguard users from these malicious web threats, businesses should adopt real-time inspection technologies that analyze each piece of web content regardless of its URL or IP address.
“Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are sometimes too little, too late when it comes to providing adequate protection to today’s dynamic and evasive web threats. The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it.”