By: Walker Rowe, May 01, 2017 (09:27 AM)

Domain Shadowing

Domain shadowing is when a hacker gets access to your domain registration account, like at GoDaddy, and creates subdomains under your domain.

For example, amazon.com has kdp.amazon.com and other subdomains. kdp would be considered a shadow subdomain if Amazon does not know that it has been created.

Legitimate uses of subdomains include telling CDNs (content distribution networks) and routers where to send traffic. For example, "sales." is served by a different system than "customers.", so the network decides where to send the traffic instead of the web server handling that extra step.

The danger with shadow domains is that they make the work of cybercriminals look legitimate. For example, if an attacker hosts malware at games.sony.com, a visitor is likely to trust it without a second thought, because it looks like it came from Sony. So even people who are careful not to click on phishing links would probably be fooled by that.

Another danger is that the domain owner usually never hears about this unless the domain registrar tells them. (In GoDaddy, I was able to change my email to a new address and GoDaddy did not notify me for more than 10 minutes. So a hacker can do this and steal your domain, and you might not find out about it for up to a year, when you log in to renew your domain.)

Bluehost and other companies can be blamed for some of this because the cPanel interface, which is very popular with hosting companies, does not yet support two-factor authentication. (In writing this article I was able to set up TFA for one of my domains on GoDaddy. But I could not generate a backup code as the SMS text message feature did not work sending to the foreign country where I live, Chile. It is also strange that they would want the code to be a text message, because you need the backup code when you lose your phone. If you have lost the Google Authenticator app because you lost your phone, then you obviously cannot get an SMS message either. So the backup codes should be text codes. These are all good questions for GoDaddy support. In the meantime I am sure you can call them in case you lose your phone and they will verify you some other way.)

In a typical configuration the domain's DNS records are maintained at the hosting company, and the name server (NS) record that points to them is maintained with the registrar, like GoDaddy.

For example, here are the name server records for a domain registered with GoDaddy. They point to name servers at Bluehost, so Bluehost is where DNS resolvers go to look up the MX, A, and other records for that domain.

Nameserver
NS1.BLUEHOST.COM
NS2.BLUEHOST.COM
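The two things the owner should watch for, given the setup above, are subdomains appearing that nobody created on purpose and the apex NS records being repointed away from the hosting company. The following is an added example, not code from the original article: it diffs two zone exports of the kind a registrar or cPanel DNS editor lets you download. The domain, addresses and record lines are constructed for illustration.

```python
"""Diff a reviewed DNS zone export against the current one to flag shadow
subdomains and name-server (delegation) changes. Added example; the zone
data below is constructed, not real records."""

# Constructed export saved when the owner last reviewed the zone.
BASELINE = """\
example.com.        3600 IN NS  ns1.bluehost.com.
example.com.        3600 IN NS  ns2.bluehost.com.
example.com.        3600 IN A   203.0.113.10
sales.example.com.  3600 IN A   203.0.113.20
example.com.        3600 IN MX  10 mail.example.com.
"""

# Constructed current export: one subdomain added, one NS record swapped.
CURRENT = """\
example.com.        3600 IN NS  ns1.bluehost.com.
example.com.        3600 IN NS  ns1.unknown-host.invalid.
example.com.        3600 IN A   203.0.113.10
sales.example.com.  3600 IN A   203.0.113.20
games.example.com.  300  IN A   198.51.100.7
example.com.        3600 IN MX  10 mail.example.com.
"""


def parse_zone(text: str) -> set[tuple[str, str, str]]:
    """Return (owner, type, rdata) triples; TTL, class and comments are ignored."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.add((owner.lower().rstrip("."), rtype.upper(),
                     " ".join(rdata).lower().rstrip(".")))
    return records


def find_shadow_subdomains(apex: str, baseline: str, current: str) -> list[str]:
    """Owner names under the apex that exist now but were not in the reviewed baseline."""
    apex = apex.lower().rstrip(".")
    known = {o for o, _, _ in parse_zone(baseline)}
    now = {o for o, _, _ in parse_zone(current)}
    return sorted(o for o in now - known if o.endswith("." + apex))


def find_ns_changes(apex: str, baseline: str, current: str) -> dict[str, list[str]]:
    """Apex NS records added or removed; a delegation change hands the whole zone to new servers."""
    apex = apex.lower().rstrip(".")
    ns = lambda text: {r for o, t, r in parse_zone(text) if o == apex and t == "NS"}
    before, after = ns(baseline), ns(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

Run on a schedule against a fresh export, and any non-empty result is worth a phone call to the registrar before the renewal reminder ever arrives.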

Here is the GoDaddy screen where you enable TFA.

Two Factor Authentication with GoDaddy

So, today, set up TFA on your domain registrar account so that no one can hijack it.

Walker Rowe

Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
