DNS Data Indicates Increased Malicious Domain Activity, Phishing Toolkit Reuse

A new study from cybersecurity vendor Akamai found that 12.3% of monitored devices communicated with domains associated with malware or ransomware at least once during the second quarter of 2022. This represents a 3% increase compared to the first quarter of 2022, the company said, with phishing toolkits playing a key role in malicious domain activity. The results are based on DNS data and Akamai’s visibility into carrier and enterprise traffic across different industries and geographies.

Increase in malware, phishing and C2 domain activity detected in Q2 2022

In a blog post detailing its research, Akamai said that in addition to the devices it detected communicating with malware/ransomware-associated domains, a further 6.2% of devices accessed phishing domains and 0.8% accessed domains associated with command and control (C2), both small increases over Q1 2022. “While that number may seem insignificant, the scale here is in the millions of devices,” the firm wrote. “When this is taken into account, with C2 being the most malignant threat, it’s not just significant, it’s cardinal.”

Breaking potentially compromised devices down by threat category, 63% were exposed to threats associated with malware activity, 32% to phishing and 5% to C2, Akamai added. “Access to domains associated with malware does not guarantee that these devices have actually been compromised, but provides a strong indication of increased potential risk if the threat is not properly mitigated. On the other hand, accessing the domains associated with C2 indicates that the device is most likely compromised and communicating with the C2 server. This can often explain why the incidence of C2 is lower compared to the number of malware.”
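The categorization Akamai describes, where each device is judged by the domains it resolved and C2 contact is treated as a stronger compromise signal than malware or phishing contact, can be reproduced over ordinary resolver logs. The following is an added example written for this article, not Akamai’s tooling: the categorized feed (`CATEGORIZED_DOMAINS`), the `.example` domain names and the log lines are constructed, and the severity ordering in `SEVERITY` is an assumption drawn from the quoted reasoning rather than a published scoring scheme.

```python
"""Classify devices by the threat category of the domains they resolved.

Added example; not Akamai's code. The feed and the DNS log lines below are
constructed for illustration. A real deployment would load categories from a
threat-intelligence feed and read the resolver's query log.
"""
from collections import defaultdict

# Constructed threat-intel feed: domain -> category (hypothetical names).
CATEGORIZED_DOMAINS = {
    "update-check.example": "malware",
    "login-verify.example": "phishing",
    "beacon.example": "c2",
}

# Constructed resolver log, one query per line: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 10.0.0.5 www.example.com
2022-06-01T10:00:02Z 10.0.0.5 update-check.example
2022-06-01T10:00:03Z 10.0.0.7 login-verify.example
2022-06-01T10:00:04Z 10.0.0.9 beacon.example
2022-06-01T10:00:05Z 10.0.0.9 cdn.beacon.example
2022-06-01T10:00:06Z 10.0.0.11 intranet.example.com
"""

# Assumed ranking: C2 contact suggests an existing compromise, malware contact
# suggests exposure, phishing contact suggests a user was lured.
SEVERITY = {"c2": 3, "malware": 2, "phishing": 1}


def parse_log(text):
    """Yield (client_ip, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[1], parts[2].rstrip(".").lower()


def lookup_category(qname, feed):
    """Match the queried name or any parent domain against the feed, so a
    subdomain of a listed domain inherits the listed category."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def classify_devices(log_text, feed=CATEGORIZED_DOMAINS):
    """Return {client_ip: set_of_categories} for every device in the log.

    Devices that only resolved unlisted names are kept with an empty set so
    that percentages are computed over the whole monitored population."""
    devices = defaultdict(set)
    for ip, qname in parse_log(log_text):
        devices[ip]  # register the device even if nothing matches
        category = lookup_category(qname, feed)
        if category:
            devices[ip].add(category)
    return dict(devices)


def summarize(devices):
    """Return (share, worst): percentage of devices that touched each
    category, and the most severe category per device (None if clean)."""
    total = len(devices)
    share = {}
    for category in SEVERITY:
        hits = sum(1 for cats in devices.values() if category in cats)
        share[category] = round(100.0 * hits / total, 1) if total else 0.0
    worst = {
        ip: (max(cats, key=SEVERITY.__getitem__) if cats else None)
        for ip, cats in devices.items()
    }
    return share, worst


if __name__ == "__main__":
    seen = classify_devices(SAMPLE_LOG)
    share, worst = summarize(seen)
    print("share of devices per category:", share)
    for ip, category in sorted(worst.items()):
        print(ip, category or "no listed domains")
```

Because a device that resolved both a malware and a C2 domain is reported under C2 only, the per-device view makes the quoted observation visible: the C2 bucket stays small relative to the malware bucket even though it is the one that most needs an incident response.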

Tech and financial brands most targeted, imitated by malicious domain activity

Akamai said tech and financial brands were the most targeted, abused, and mimicked by malicious domain activity during the second quarter of 2022. In terms of attack categorization, while the vast majority (80.7%) of campaigns were aimed at consumers, Akamai warned that the 19.3% of attacks against business accounts should not be considered marginal.

“These types of attacks are generally more targeted with a greater potential for significant damage,” the researchers wrote. “Attacks that target corporate accounts can lead to a company’s network being compromised by malware or ransomware, or leaking confidential information. An attack that begins with an employee clicking a link in a phishing email can end in significant financial and reputational damage to the company.”

Phishing kits influencing increase in malicious domain activity

Akamai’s research found that phishing kits played a key role in the malicious domain activity analyzed. It tracked 290 different phishing toolkits in use in the wild in Q2 2022, with 1.9% reused over at least 72 separate days. “Additionally, 49.6% of kits were reused for at least five days, and looking at all tracked kits, we can see that they were all reused on no less than three separate days during the second trimester,” the company wrote.

The industrial creation and sale/sharing of phishing kits that mimic well-known brands is a driving force behind kit reuse, Akamai said. “Kits are getting easier to develop and deploy, and the web is full of abandoned websites ready to be abused, as well as vulnerable servers and services. The growing industrial nature of phishing kit development and sales, where new kits are developed and released within hours, and the clear separation between creators and users, means this threat is not going anywhere anytime soon.”

The Kr3pto toolkit was identified as the most frequently used in the second quarter of 2022, associated with more than 500 domains. Although it is estimated to have been established over three years ago, Kr3pto is still very active and effective, Akamai said. Webmail_423, Microsoft_530 and sfexpress_93 were the other most frequently used phishing toolkits.

Malicious domains pose a significant threat to businesses

Malicious domains expose businesses to threats, and security teams should consider options to help address the associated risks, Alex Applegate, senior threat researcher at DNSFilter, told CSO. “By opening a malicious website, a user can initiate a wide range of malicious activity. Most of these malicious activities often center around executing some sort of code on the victim’s machine, including installing a malicious executable or launching a script on the website that takes malicious measures against the victim’s machine,” he says.

Once successfully installed, the capabilities of this malicious code are unlimited, putting sensitive information at risk of being stolen or damaged, he adds. “The victim machine could then be used as a waypoint to move laterally from the network or to access more secure resources (e.g., compromising an external contractor’s system to gain access to a Fortune 500 company’s network),” Applegate says.

To mitigate malicious domain risks, security teams must first ensure that secure web connections are in place, along with effective education of end users on the threats of clicking a link or visiting a URL from an unreliable or unsolicited source. “In addition, there are several well-known domains run by third-party companies that can automatically check for misspellings, character substitutions, and other homoglyphs, as well as cyber threat intelligence services, both open source and commercial, which distribute lists of websites used for phishing, business email compromise, and other malicious activity,” says Applegate.
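Applegate’s point about checking for misspellings, character substitutions and homoglyphs can be illustrated with a small lookalike detector run over hostnames seen in DNS logs. This is an added example, not code from DNSFilter or Akamai: the brand watchlist (`BRANDS`), the confusable tables and the candidate hostnames are constructed, and the one-level `registrable_label` helper is a stand-in for a proper public suffix list lookup.

```python
"""Flag hostnames that imitate a watched brand.

Added example for this article; the watchlist, confusable tables and sample
hostnames are constructed. Three imitation styles are covered: ASCII
substitutions (paypa1), Unicode homoglyphs (Cyrillic letters, also when the
name arrives IDNA-encoded as xn--...), and one-character misspellings.
"""
import unicodedata

BRANDS = ["paypal", "microsoft", "amazon"]  # constructed watchlist

# Constructed confusable tables. Pair substitutions such as rn->m also hit
# ordinary words (internet), so a production tool would score, not block.
ASCII_SUBS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
PAIR_SUBS = {"vv": "w", "rn": "m", "cl": "d"}
HOMOGLYPHS = {  # Cyrillic letters that render like Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s",
}


def to_unicode(hostname):
    """Decode IDNA (xn--) labels so the homoglyph check sees real glyphs."""
    try:
        return hostname.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return hostname  # already Unicode, or not valid IDNA


def normalize(label):
    """Fold homoglyphs and common substitutions down to plain letters."""
    label = unicodedata.normalize("NFKC", label.lower())
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    for pair, replacement in PAIR_SUBS.items():
        label = label.replace(pair, replacement)
    return "".join(ASCII_SUBS.get(ch, ch) for ch in label)


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname):
    """Label left of the TLD. Assumption: single-label suffixes only; a real
    tool would consult the public suffix list (e.g. for .co.uk)."""
    parts = hostname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(hostname, brands=BRANDS, max_distance=1):
    """Return (brand, reason) when the registrable label imitates a brand,
    or None. An exact brand label is not flagged here: whether that is the
    genuine site is an allow-list question, not a lookalike question."""
    label = registrable_label(to_unicode(hostname.lower()))
    folded = normalize(label)
    for brand in brands:
        if label == brand:
            return None
        if folded == brand:
            return brand, ("homoglyph" if not label.isascii() else "substitution")
        if levenshtein(folded, brand) <= max_distance:
            return brand, "misspelling"
        if brand in folded:
            return brand, "brand embedded"
    return None


if __name__ == "__main__":
    # Constructed candidates, including one IDNA-encoded homoglyph domain.
    candidates = [
        "paypa1.com", "p\u0430ypal.com",
        "p\u0430ypal.com".encode("idna").decode("ascii"),
        "paypall.net", "login.paypal-secure.example",
        "rnicrosoft.com", "amazon.com", "www.example.com",
    ]
    for host in candidates:
        print(f"{host:32} -> {lookalike_brand(host)}")
```

Feeding the verdicts into the DNS-log view above is the natural next step: a device that resolves a flagged lookalike is a phishing exposure even when the domain is too new to appear on any published list, which is exactly the gap Applegate says third-party checkers and threat intelligence feeds are meant to close.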

Beyond the URL itself, a healthy network and endpoint monitoring plan can detect many of the most troublesome threats, Applegate says. “It is important that checking for process injection, permission escalation, opening network ports, writing to system files, exfiltration of large files, and unexpected copying of files across multiple systems are all captured and audited – and of course always maintain and verify off-site backups of all critical data.”

Regarding the phishing toolkit reuse highlighted in Akamai’s research, Or Katz, principal security researcher at Akamai, tells CSO that more action is needed to better track emerging campaigns and eliminate them quickly and effectively, “using the continuous threat intelligence associated with IP addresses or ASN reputation, new domains being registered or seen in the wild.”

Copyright © 2022 IDG Communications, Inc.