Phishing Attacks via Domain Shadowing Techniques
For many organizations, phishing attacks arrive daily, coming in waves that follow predictable patterns and leveraging legitimate websites that have been taken over to host phishing pages, malware downloads or ransomware. Sometimes these attacks use domain-based deception to confuse targets. Cyber-criminals have moved away from static domain name generation to more dynamic, fluid methods. Their aim is to produce and test candidate domains beforehand in order to evade blacklisting and other counter-measures. Enter DGAs (Domain Generation Algorithms). One clever way of targeting specific groups or organizations is to detect and generate domain names "in tune" with what individuals in that organization are used to seeing every day. Once candidate domains have been identified, a DGA is used to create pseudo-random sub-domains resembling non-malicious domains. It is a vicious circle: attackers may gain control of domain registration accounts, perhaps by phishing their legitimate owners. Once they hold these building blocks, they create any number of sub-domains, which they can then use in exploit kits or phishing/spam campaigns. DGAs have evolved rapidly and are heavily leveraged for malicious purposes. In cases like the one below, the domain generation appears to use semantic and natural language processing techniques to find names that can be used to obtain shadow domains.
What is being exploited? First, the ability to generate DNS names without restriction: DNS has no way to verify whether a name is being created with malicious intent. Second, domain ownership being co-opted to participate in the shadow domain generation scheme. Third, the way humans evaluate text, at least in Western cultures. Western writing is read from left to right, but DNS is technically evaluated from right to left in order to obtain the proper hosting information. If the DNS name is long enough, a non-technical person will miss the information required to properly ascertain which domain actually hosts a particular name.
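The right-to-left point above is easy to turn into a defensive check. The following is an added example (not code from the original article): it takes the right-most labels as the registered owner of a hostname, then flags names where a watched domain or brand label only appears in the left-most labels, the part a left-to-right reader notices. The watchlist and hostnames are constructed placeholders, and the two-label owner rule is a simplification.

```python
from typing import Iterable

# Constructed watchlist of registered domains the organisation's users see every
# day (placeholder names, not taken from the article).
PROTECTED_DOMAINS = {"example-bank.com", "example-corp.net"}

def registrable_domain(hostname: str) -> str:
    """DNS resolves ownership from the right, so the last two labels are taken
    as the registered domain.  Simplification: a production check would use the
    Public Suffix List so that suffixes such as 'co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def shadow_indicators(hostname: str,
                      protected: Iterable[str] = PROTECTED_DOMAINS) -> list[str]:
    """Return the reasons a hostname looks like a shadowed lookalike: a protected
    domain (or just its brand label) sits in the left-most labels that a
    left-to-right reader notices, while the right-most labels that DNS actually
    uses belong to a different registered domain.  Empty list = nothing found."""
    host = hostname.lower().rstrip(".")
    owner = registrable_domain(host)
    if owner in protected:
        return []                               # really hosted by a protected domain
    subdomain = host[: len(host) - len(owner)].rstrip(".")  # labels left of the owner
    reasons = []
    for legit in sorted(protected):
        brand = legit.split(".")[0]
        if f".{legit}." in f".{subdomain}.":
            reasons.append(f"protected domain '{legit}' appears left of the real owner '{owner}'")
        elif any(brand in label for label in subdomain.split(".")):
            reasons.append(f"brand label '{brand}' appears left of the real owner '{owner}'")
    if host.count(".") >= 3:                    # four or more labels: long enough to hide the owner
        reasons.append(f"{host.count('.') + 1} labels; only '{owner}' decides who hosts it")
    return reasons

if __name__ == "__main__":
    for name in ("login.example-bank.com",
                 "login.example-bank.com.attacker-registered.example",
                 "secure-example-corp.hosting.example"):
        print(name, "->", shadow_indicators(name) or "no indicators")
```

Running such a check over the hostnames found in inbound mail links, before a user ever reads them left to right, is one place to surface this class of lookalike.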
How it happens:
1) The attack is assembled using a DGA-generated domain name closely resembling a legitimate website, such as this one from a recent attack:
  Legitimate site:
DGA generated:
2) Socially engineered emails are sent to the intended targets containing the bogus DNS name hosting the attack (phishing, malware delivery or ransomware).
As you can see above, both URLs are quite similar, but to an individual not acquainted with precise URL formatting the bogus one would very closely resemble the legitimate site. The recipient would be highly inclined to trust the link and visit it. Once there, the page would look precisely like the original, down to using the same sources as the legitimate page for its CSS, images and scripts so that the appearance is formatted properly. The only difference between the legitimate web page and the malicious one lies in the form section of the page that handles the login once it is submitted, in this case a PHP script set as the form action:
The body of the email reveals the true nature of the socially engineered link:
Whois information about the hosting domain reveals the true owners of the bogus site: