Massive network of 30,000 websites filters victims before delivering scams or malware
Security researchers at Infoblox have uncovered a massive network of 30,000 unique website addresses across 584 top-level domains, such as .com. These websites contain no malware or scams themselves, yet they serve as part of a massive delivery system for scams and information stealers.
How? Well, once in a while, they redirect visitors using a hidden, sophisticated command-and-control system.
Particularly novel is their use of a hidden command-and-control system based on DNS (Domain Name System) that decides which visitors are redirected to what malicious content. Normally, DNS translates website addresses to IP addresses for browsers or other apps. However, the hackers figured they could use DNS queries to pass malicious instructions between their servers. The attackers control the DNS server, which then decides what content to serve to which user on which website.
This also misleads network defenders, because they can't find malware or any malicious content on the websites themselves, and it is hard to reproduce the malicious redirections. Many of these websites remain compromised for months or over a year. The attackers use crafted DNS queries whose answers are nothing more than simple text records. DNS acts as both a command channel and a delivery mechanism.
Here’s how the simplified attack chain usually works in practice:
- The victim visits one of the thousands of compromised websites
- The compromised website sends the DNS queries with user information: IP, device type, and a random string for identification
- The attacker-controlled DNS server responds with a text record containing a command and a link; responses are obfuscated using Base64
- The web server then fetches the next-stage payload and relays the output to the user
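As an added example (not code from Infoblox or from the article), the Python below walks constructed DNS resolver log lines, checks whether a TXT answer is a Base64 blob that decodes to printable text, and raises the severity when the decoded text carries a URL, matching the command-plus-link pattern described above. The log format, client addresses and domain names are assumptions made for the sample.

```python
import base64
import re

URL_RE = re.compile(r"https?://\S+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample log: "<client> <qname> <qtype> <rdata>". The Base64 answers
# are built here only so the sample is self-contained; in practice they come
# from resolver or packet-capture logs. Domains and clients are placeholders.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 www.site-a.example TXT "v=spf1 include:_spf.mail.example -all"',
    '10.0.0.5 a8f3kq.cdn-track.example TXT "%s"'
    % base64.b64encode(b"redirect https://bad.example/payload").decode(),
    '10.0.0.5 _dmarc.site-a.example TXT "v=DMARC1; p=none"',
    '10.0.0.7 x1z9pq.cdn-track.example TXT "%s"'
    % base64.b64encode(b"noop").decode(),
])


def decode_base64_txt(rdata):
    """Return the decoded text if rdata is a single Base64 token that decodes
    to printable ASCII, else None. Ordinary SPF/DMARC TXT records contain
    spaces and ';' and so never pass the Base64 syntax check."""
    token = rdata.strip('"')
    if not B64_RE.fullmatch(token) or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_dns_c2_candidates(log_text):
    """Flag TXT answers that decode from Base64; 'high' when a URL is inside."""
    findings = []
    for line in log_text.splitlines():
        client, qname, qtype, rdata = line.split(" ", 3)
        if qtype != "TXT":
            continue
        decoded = decode_base64_txt(rdata)
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        findings.append({"client": client, "qname": qname, "decoded": decoded,
                         "urls": urls, "severity": "high" if urls else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_dns_c2_candidates(SAMPLE_LOG):
        print(f["severity"], f["client"], f["qname"], repr(f["decoded"]))
```

A web server that resolves TXT records for throwaway subdomains and receives Base64 answers is itself a signal worth alerting on, independent of what the answer decodes to.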
--
Apply for our next conference in Kuala Lumpur on December 9th and 10th, 2025 at Rise Malaysia with the passcode: “6f&%dX”, no quotes.