Incident Response, Malware, TDR

Angler EK hijacks domain registrant credentials to create malicious pages


The Angler Exploit Kit has officially become the most advanced and best exploit kit on the market, according to Cisco researchers who have detailed the kit's newest tactic, which they call “Domain Shadowing.”

In a technique first spotted in September 2011, and most recently on Wednesday in a GoDaddy breach, the exploit kit is now hijacking domain registrant accounts and using them to create subdomains that serve up malicious content, a blog post on the threat said. Up to 10,000 subdomains have been created for this purpose. By using this method, the kit avoids detection through blacklisting of sites or IP addresses. Taking it one step further, the subdomains typically don't stay live for long, with some staying active for mere minutes after being reached a couple times.

“[This tactic] Makes it almost impossible for some of the simpler products to keep up [with detection],” said Craig Williams, security outreach manager, Talos, in an interview with “We haven't seen this used anywhere else, and we haven't even seen anyone else give it a name.”

The attackers create some subdomains for landing pages and others for redirection to the actual exploit kit page. Most are used as landing pages, which could have to do with the attackers needing to rotate out the page continuously to avoid detection.

The exploit kit is dropped through a malicious ad that directs a victim to the first subdomain, which then redirects the user to the landing page.

The researchers suspect that the attackers gained access to the majority of accounts through a phishing campaign or keylogger malware, and because most users don't frequently log into their domain registration accounts, they have no idea the subdomains are being created, Williams said.

However, users with two-factor authorization enabled will be notified if attackers attempt to access their accounts. The majority of compromised accounts belong to GoDaddy users; although the researchers noted that this most likely had to do with the company controlling a third of domains and was not the result of a data breach.

In view of their findings, the researchers warned: “At this point it's more a question of ‘when' Angler will affect you instead of ‘if.'”

UPDATE: GoDaddy provided with an emailed statement on Wednesday. In it, CISO Todd Redfoot said: "We are aware of the Angler exploit being reported. This is not a GoDaddy system vulnerability, but an industrywide attack infecting personal computers by exploiting outdated software. We are actively working to secure impacted customer accounts and remove offending subdomains." He went on to say impacted customers should reach out to the company at [email protected] for support.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.