Domains that are used for malicious purposes often hide in plain sight. As Proofpoint’s 2019 Domain Fraud Threats Report revealed, some of the most popular registrars today play host to top fraudulent domains. Even more alarming is the fact that 1 out of 4 suspicious-looking domains possesses a valid security certificate, which is especially concerning since many Internet users have been led to believe that sites with the “padlock” icon are legitimate and safe to visit.
Yet of all the DNS-related attacks companies have experienced, one particularly vicious technique that has recently started to crop up is domain fronting.
What Is Domain Fronting?
Domain fronting is an approach cybercriminals employ to circumvent Internet censorship by making their traffic appear to be associated with a trusted server. Most of the time, the tactic relies on Content Delivery Networks (CDNs), which are capable of hosting multiple domains; a single CDN owned by one company can, in fact, host thousands of domains.
For instance, facebook.com mainly serves content from several IP addresses that it owns, yet some of that content is delivered through domains such as xxx.akamai.net. A circumvention tool like Psiphon lets users route their traffic to a CDN server, from which it is forwarded through the software’s domain-fronting server to its intended destination.
This simple redirection can effectively mask the user’s traffic, making it seem to come from a legitimate application or website hosted on the same CDN. The same technique has been used by APT29—one of the most sophisticated APT groups to date—in its targeted malware attacks.
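The masking described above rests on a detail the article does not spell out: the TLS SNI names an innocuous domain hosted on the CDN, while the HTTP Host header names the real destination, and the two only line up when the request is honest. The detection logic below is an added example and not code from the article; it runs over constructed log lines and assumes a whitespace-separated format of timestamp, client IP, TLS SNI and HTTP Host, plus an assumed allowlist of SNI/Host pairs that are legitimate in the environment.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample log lines (not real traffic):
# timestamp  client_ip  tls_sni  http_host
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 10.0.0.5 www.shop.example www.shop.example
2019-06-01T10:00:02Z 10.0.0.5 allowed.cdn-tenant.example fronted.attacker.example
2019-06-01T10:00:03Z 10.0.0.7 static.site.example cdn.site.example:443
2019-06-01T10:00:04Z 10.0.0.9 img.cdn-tenant.example assets.partner.example
"""

# Assumed allowlist of SNI/Host pairs known to be legitimate here
# (e.g. a partner's assets served through a shared CDN tenant).
KNOWN_GOOD = {("img.cdn-tenant.example", "assets.partner.example")}

@dataclass(frozen=True)
class Finding:
    client: str
    sni: str
    host: str

def registrable(name: str) -> str:
    """Crude registrable domain (last two labels); production code should use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_line(line: str) -> tuple[str, str, str, str]:
    ts, client, sni, host = line.split()
    # The Host header may carry a port; compare on the name only.
    return ts, client, sni.lower(), host.lower().split(":")[0]

def find_fronting(log_text: str, known_good=KNOWN_GOOD) -> list[Finding]:
    """Flag requests whose SNI and Host header belong to different registrable domains."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, sni, host = parse_line(line)
        if (sni, host) in known_good:
            continue
        if registrable(sni) != registrable(host):
            findings.append(Finding(client, sni, host))
    return findings

if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"possible domain fronting from {f.client}: SNI={f.sni} Host={f.host}")
```

Subdomain differences within one registrable domain (line 3 of the sample) are not flagged, since that is how CDNs routinely serve a single site.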
The Dangers That Domain Fronting Poses
Domain fronting allows cyber threat actors to host their malicious exploits on cloud services to evade detection and blocking. They take advantage of the fact that most companies using cloud-based services trust their providers, when in reality those providers are also susceptible to compromise and abuse.
Cybercriminals nowadays employ domain fronting as a means of planting backdoors into vulnerable systems so they can gain access to the networks and computers of target organizations. Because of the way CDNs work, censorship proxies and mobile service providers cannot simply block them, as doing so would also unintentionally cut off access to many major domains and services.
Enhancing DNS Security with a WHOIS Database
One way to effectively identify, monitor, and stay safe from domain fronting is by using a WHOIS database or WHOIS database download, which gives you the ability to analyze domain ownership data.
A WHOIS database download service provides a comprehensive and regularly updated list of active domains. The data in a WHOIS record can reveal many things about a website, such as the contact details of its owner, the organization the owner belongs to, its country of registration, and more. All of these details can be used to pinpoint domains that could possibly pose threats to your network and systems.
Compile your own database of suspicious-looking domains and cross-check the information with threat intelligence sources, such as reports in which malicious server names are listed. You can then corroborate your suspicions and manually blacklist those domains so they cannot be reached from your network, preventing intrusion.
Domains that are used for cybercrime abound, and the continuous rise in data breaches only proves that traditional cybersecurity measures may no longer be sufficient. As cybercriminal tools improve, so should yours. This is where a WHOIS database can come in handy. Use all the information you can get your hands on to keep track of potentially harmful domains.
With the help of a WHOIS database download service, organizations can get ahead of attackers and avoid falling victim to their nefarious schemes.