Hackers Use Transient Websites To Facilitate Attacks

Research by security vendor Blue Coat suggests the majority of web pages that appear online on any given day exist for less than 24 hours.

Most of these ‘One-Day Wonders’ are created by organisations that have become a part of the fabric of the Internet, such as Google, Amazon and Yahoo. However, approximately one in five domains hosting such content are also employed by cyber criminals, who use the sheer volume of new websites and the lack of information about them as a shield.

Temporary trouble

Blue Coat analysed more than 660 million unique hostnames requested by 75 million users over a 90-day period in 2014. The company found that 71 percent, or 470 million, were One-Day Wonders, sites that appeared only for a single day.

In the majority of cases, such pages are set up automatically to create, share and deliver content. But researchers discovered that 22 percent of the top 50 domains used to host One-Day Wonders were malicious. These domains use short-lived sites to facilitate attacks and manage botnets, among other things.

Blue Coat said such sites were favoured by cyber criminals since using them wouldn’t set off any alarms, while a high volume of domains increased the chances that some percentage would be missed by security solutions. By combining One-Day Wonders with encryption, hackers could effectively blind the organisation to the attack.

The company added that such techniques could be used to build dynamic Command and Control (C&C) architectures that are scalable, difficult to track and easy to implement. During the analysis, the most popular malicious domain was seen using One-Day Wonders to hide a C&C server for a Trojan dialer among its 1.3 million subdomains.

The same techniques can be used to create a unique subdomain for each spam email to avoid detection by spam or web filters.

“While most One-Day Wonders are essential to legitimate Internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity,” said Tim van der Horst, senior threat researcher for Blue Coat Systems.

“The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”

In order to protect against the attacks that rely on One-Day Wonders, Blue Coat advises organisations to implement policy-based security controls informed by automated, real-time intelligence.

How well do you know network security? Try our quiz and find out!