Domain Shadowing
What is Domain Shadowing?
Domain Shadowing: An attack in which a criminal compromises a legitimate domain owner's registrar or DNS-hosting account and silently creates malicious subdomains beneath the trusted parent domain.
Domain shadowing exploits stolen registrar or DNS-hosting credentials. Rather than registering a fresh domain that reputation systems would treat as suspicious, the attacker logs into the victim owner's control panel and quietly adds hundreds or thousands of subdomains such as login.acme.example.com or invoice42.acme.example.com that resolve to attacker infrastructure. The apex record, the public website and the owner's mail are left untouched, so the owner usually notices nothing. Because the parent domain is old and well reputed, the subdomains inherit its reputation and frequently slip past URL-reputation filters and mail gateways; and because the attacker controls DNS for the new names, ordinary domain validation lets them obtain valid certificates from a public CA, so browsers show no TLS warning. Domain shadowing has been used by exploit-kit operators (Angler, RIG) and by phishing crews. Defences include strong MFA on registrar and DNS-hosting accounts, registry or registrar locking, DNS change-monitoring that diffs periodic zone exports against a reviewed baseline, watching Certificate Transparency logs for certificates issued under your domains, and outbound web filtering that decomposes hostnames and judges a newly observed subdomain on its own rather than on the parent's reputation. One caveat: a registry lock protects the delegation (nameservers, transfer, registrant data) at the registry, not the records inside a zone hosted elsewhere, so on its own it does not stop shadowing through a compromised DNS-hosting account.
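As an added example, not code from this page or from any vendor it mentions, the Python script below implements two of the defensive checks just described: diffing a reviewed DNS zone export against the current one to flag new records that point off-net or CNAME outside the organisation, and decomposing hostnames from outbound proxy logs to report first-seen subdomains of a monitored parent. The zone exports, log lines, the parent domain acme.example.com, the address range and the subdomain inventory are all constructed for the example.

```python
"""Added example: flag domain-shadowing candidates from a zone-export diff
and from newly observed subdomains in proxy logs. All data is constructed."""
import ipaddress

# Constructed: yesterday's reviewed zone export for acme.example.com, then
# today's. Lines are "owner ttl class type rdata" as in a BIND-style export.
BASELINE_ZONE = """\
acme.example.com.           3600 IN A     198.51.100.10
www.acme.example.com.       3600 IN A     198.51.100.10
mail.acme.example.com.      3600 IN MX    10 mx1.acme.example.com.
mx1.acme.example.com.       3600 IN A     198.51.100.25
"""
CURRENT_ZONE = BASELINE_ZONE + """\
login.acme.example.com.     300  IN A     203.0.113.77
invoice42.acme.example.com. 300  IN A     203.0.113.77
x7k2q.acme.example.com.     300  IN A     203.0.113.78
cdn.acme.example.com.       300  IN CNAME h9.example.net.
"""
# Assumptions: parent domains the organisation owns and watches, subdomains
# inventoried at the last review, and the address ranges it actually uses.
MONITORED_PARENTS = {"acme.example.com"}
KNOWN_SUBDOMAINS = {"www", "mail", "mx1"}
KNOWN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed proxy log lines: "timestamp client_ip dest_host dest_ip".
PROXY_LOG = [
    "2024-05-01T09:00:01Z 10.0.0.5  www.acme.example.com   198.51.100.10",
    "2024-05-01T09:00:07Z 10.0.0.9  login.acme.example.com 203.0.113.77",
    "2024-05-01T09:00:09Z 10.0.0.9  x7k2q.acme.example.com 203.0.113.78",
    "2024-05-01T09:01:11Z 10.0.0.12 notacme.example.com    192.0.2.4",
    "2024-05-01T09:02:00Z 10.0.0.5  login.acme.example.com 203.0.113.77",
]

def parse_zone(text):
    """Parse zone export lines into (owner, type, rdata, ttl) tuples."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line, comment, or not a complete record
        owner, ttl, _cls, rtype = parts[0], int(parts[1]), parts[2], parts[3]
        records.add((owner.rstrip(".").lower(), rtype, " ".join(parts[4:]), ttl))
    return records

def zone_added(baseline_text, current_text):
    """Records in the current export absent from the reviewed baseline.
    A TTL or rdata change on an existing owner also shows up here, by design."""
    return parse_zone(current_text) - parse_zone(baseline_text)

def split_host(host, parents=MONITORED_PARENTS):
    """Return (parent, labels_below_parent) if host sits under a monitored
    parent, else None. Matching is on a label boundary, so
    notacme.example.com is not a hit for acme.example.com."""
    host = host.rstrip(".").lower()
    for parent in parents:
        if host == parent:
            return parent, []
        if host.endswith("." + parent):
            return parent, host[: -len(parent) - 1].split(".")
    return None

def off_net(rdata, known_nets=KNOWN_NETS):
    """True when rdata is an IP address outside the known ranges."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address (CNAME target, MX rdata, ...)
    return not any(ip in net for net in known_nets)

def shadow_candidates(baseline_text, current_text, known_nets=KNOWN_NETS):
    """New A/AAAA records pointing off-net, or CNAMEs to names outside the
    monitored domains: the shape a shadowed subdomain usually takes."""
    flagged = []
    for owner, rtype, rdata, ttl in sorted(zone_added(baseline_text, current_text)):
        if rtype in ("A", "AAAA") and off_net(rdata, known_nets):
            flagged.append((owner, rtype, rdata, ttl))
        elif rtype == "CNAME" and split_host(rdata) is None:
            flagged.append((owner, rtype, rdata, ttl))
    return flagged

def new_subdomains(log_lines, known=KNOWN_SUBDOMAINS, parents=MONITORED_PARENTS):
    """Hosts under a monitored parent that are not in the known inventory,
    judged per subdomain rather than on the parent's reputation."""
    seen = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, _client, host, ip = parts[:4]
        hit = split_host(host, parents)
        if hit is None:
            continue
        parent, labels = hit
        sub = ".".join(labels)
        if not sub or sub in known:
            continue
        entry = seen.setdefault(host.lower(), {
            "host": host.lower(), "parent": parent, "ip": ip,
            "off_net": off_net(ip), "first_seen": ts, "hits": 0})
        entry["hits"] += 1
    return sorted(seen.values(), key=lambda e: e["host"])
```

Run it against a real zone export (from your DNS host's API or a zone transfer you are authorised to perform) and a day of proxy or resolver logs. Every flagged record should reconcile to a change ticket; a hit with no ticket is treated as a compromised registrar or DNS-hosting account until proven otherwise, and a first-seen subdomain that resolves off-net is blocked at the proxy regardless of how the parent domain is rated.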
● Examples
- 01
Cisco Talos documented Angler exploit-kit campaigns rotating thousands of shadowed subdomains.
- 02
Phishing crews use shadowed subdomains of well-known SMBs to host credential-harvesting pages.
● Frequently asked questions
What is Domain Shadowing?
An attack in which a criminal compromises a legitimate domain owner's registrar or DNS-hosting account and silently creates malicious subdomains beneath the trusted parent domain. It belongs to the Attacks & Threats category of cybersecurity.
What does Domain Shadowing mean?
An attack in which a criminal compromises a legitimate domain owner's registrar or DNS-hosting account and silently creates malicious subdomains beneath the trusted parent domain.
How does Domain Shadowing work?
As described in the full definition above: the attacker uses stolen registrar or DNS-hosting credentials to add attacker-controlled subdomains under a legitimate parent domain without touching the owner's existing records, and those subdomains inherit the parent's good standing with URL-reputation filters, mail gateways and certificate issuance, so victims see a trusted name and no TLS warning.
How do you defend against Domain Shadowing?
Protect the registrar and DNS-hosting accounts with strong MFA and, where the registry offers it, a registry lock, keeping in mind that a registry lock guards the delegation rather than the records in a zone hosted elsewhere. Monitor the zone for change by diffing periodic exports against a reviewed baseline, watch Certificate Transparency logs for certificates issued under your domains, and have outbound web filtering decompose hostnames so that a newly observed subdomain is judged on its own rather than on the parent domain's reputation.
What are other names for Domain Shadowing?
Common alternative names include: Subdomain shadowing.
● Related terms
- attacks № 407
Fast Flux
A botnet DNS technique that rapidly rotates the IP addresses behind a malicious domain across many compromised hosts to resist takedown and blocking.
- attacks № 348
Domain Generation Algorithm (DGA)
An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server.
- attacks № 821
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- attacks № 338
DNS Hijacking
An attack that redirects DNS resolution to attacker-controlled answers by modifying client settings, router configurations, resolver responses, or authoritative DNS records.
- attacks № 1184
Typosquatting
Registering domain names or package names that are misspellings or visual look-alikes of legitimate ones, to catch users or developers who make typing or recognition errors.