{"id":3642,"date":"2022-11-29T07:09:04","date_gmt":"2022-11-29T07:09:04","guid":{"rendered":"https:\/\/shreshtait.com\/blog\/?p=3642"},"modified":"2024-02-24T18:47:34","modified_gmt":"2024-02-24T13:17:34","slug":"lk-domain-name","status":"publish","type":"post","link":"https:\/\/shreshtait.com\/blog\/2022\/11\/lk-domain-name\/","title":{"rendered":"LK domain name abused by threat actors"},"content":{"rendered":"\n

Before we deep dive into how attackers target .lk domains using domain shadowing attack, first, a primer on registration of a domain name under .lk namespace. <\/p>\n\n\n\n

tl;dr registration of a domain name under .lk namespace is regulated<\/p>\n\n\n\n

The domain registration policy<\/a> says the LK registry may ask for documents supporting the request for a domain name registration. Depending on the category the domain registration would fall under, the list of documents would vary,<\/p>\n\n\n\n

\"LK<\/figure>\n\n\n\n

Figure 1: Screenshot of LK domain registration supporting documents list<\/p>\n\n\n\n

The regulation makes it extremely hard for attackers to register a domain name for malicious purposes. Without the supporting documentation, the LK registry will not add the domain name in the .lk ccTLD.<\/p>\n\n\n\n

That does not stop the attackers from abusing domain names under .lk. Attackers use innovative<\/a> methods<\/a> to target users. <\/p>\n\n\n\n

Shreshta threat intelligence<\/a> has uncovered attackers targeting .lk domains using domain shadowing attack. <\/p>\n\n\n\n

For a detailed insight into domain shadowing, see our blog post<\/a><\/p>\n\n\n\n

\"Domain<\/figure>\n\n\n\n

Figure 2: Screenshot of a opendir page accessible via a subdomain<\/p>\n\n\n\n

\"Domain<\/figure>\n\n\n\n

Figure 3: Screenshot of AOL phishing page under a benign domain name<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"Phishing<\/figure>\n\n\n\n

Figure 4: Screenshot of www.bethpagefcu.com phishing page under a benign domain name<\/p>\n\n\n\n

\"Phishing<\/figure>\n\n\n\n

Figure 5: Screenshot of www.maerkische-stanz-partner.de phishing page under a benign domain name<\/p>\n\n\n\n

\"Phishing<\/figure>\n\n\n\n

Figure 6: Screenshot of www.moncheflafee.fr phishing page under a benign domain name<\/p>\n\n\n\n

Conclusion<\/strong><\/p>\n\n\n\n

How is this happening?<\/strong><\/p>\n\n\n\n

Our hypothesis for the most likely scenario is that the attackers use brute force on the registrants’ domain name control panel. Once successful, stealthy create subdomains under legitimate domain names, which point to the attackers’ infrastructure.<\/p>\n\n\n\n

As a domain name registrant, here are a few things that you can do to stop a domain shadowing attack, <\/p>\n\n\n\n