Hackers Are Abusing Trusted Domain Names

Finjan found out that hackers and cyber-criminals are exploiting a loophole in the domain name registration process to infect visitors to legitimate websites and increase the life cycle of cyber-attacks.

Attacks using this method typically involve a “copycat” domain name that is strikingly similar in spelling to the domains of legitimate sites.

Leveraging the similarity to legitimate and frequently used domain names enables these attacks to go unnoticed by webmasters and security solution providers.

The abuse of trusted domain names attack vector was spotted during October by Finjan’s Malicious Code Research Center (MCRC) when searching for popular services with a slight change of the top level domain.

When Finjan’s MCRC investigated (http://go*gle-stat******.org/ where * has obscured some of the characters of the domain) it was found that it took advantage of a domain name similar to a legitimate popular service, which contains malicious code that is designed to download and execute a Trojan on the visitor’s machine. The malicious code itself is located on the abused domain name.

When Finjan researched where the domain name hosting the malicious site was located, it came across another interesting finding. The code was located on a trusted controlled IP address.

Shortly after contacting the security team of that domain, Finjan was notified that the necessary action had been taken.

A subsequent check showed that, indeed, the malicious code is no longer available on the hosting servers.

Since registering a domain name is not a process that is being adequately policed and scrutinized, cybercriminals can potentially create a malicious website using any domain name they like (provided it isn’t already taken).

Finjan’s research indicates that criminals have taken advantage of this loophole to create “copycat” sites intended to host web-based attacks, using intentionally misleading domain names.

When using URL classification or reputation as a security solution, requests to URLs or domains known to be malicious can be blocked regardless of the content on the page; however the effectiveness of blocking requests to known malicious domains relies on maintaining an up-to date list of such sites.

Due to the rapid growth and volume of malware hosted online, gathering sufficient data as quickly as malicious domains appear (and disappear) on the web is almost impossible.

As website content is becoming more volatile, and domain names can be set up for brief periods of time, the task of “keeping track” of malicious content on the Web is becoming ever more difficult.

When attacks involve a domain name that is strikingly similar in spelling to the domains of legitimate sites and hosted on trusted IP addresses, the similarity to legitimate and frequently used domain names enables them to go unnoticed by most webmasters.

Combined with code obfuscation and other evasive techniques, these scripts trigger attacks that result in malicious code – typically crimeware Trojans - being downloaded to the user’s machine.

It is important for attacks to be detected in real-time without the reliance on the host IP address reputation or domain name.