Blue Coat researchers analyzed more than 660 million unique hostnames requested by 75 million global users over a 90-day period. They found that 71 percent of the hostnames, or 470 million, were “One Day Wonders,” sites that appeared only for a single day.
The largest generators of these sites include organizations that have a substantial Internet presence, such as Google, Amazon and Yahoo, as well as Web optimization companies that help accelerate the delivery of content.
Of the top 50 parent domains that most frequently used One-Day Wonders, 22 percent were malicious. These domains use short-lived sites to facilitate attacks and manage botnets, taking advantage of the site being “new and unknown” to evade security solutions.
For example, these sites can be used to build dynamic command and control architectures that are scalable, difficult to track and easy to implement. Alternatively, they can be used to create a unique subdomain for each spam email to avoid detection by spam or web filters.
“While most One-Day Wonders are essential to legitimate Internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity,” said Tim van der Horst, senior threat researcher for Blue Coat Systems. “The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”
One-Day Wonders are particularly popular with cyber criminals because they:
Keep security solutions guessing: Dynamic domains are harder to thwart than static domains.
Overwhelm security solutions: Generating a high volume of domains increases the chances that some percentage will be missed by security controls.
Hide from security solutions: By simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organizations are typically blind to the attack, impacting their ability to prevent, detect and respond. As organizations continue to fight ongoing battles against cyber attacks, they can draw key lessons from this research to inform and fortify their security posture, including:
Security controls must be informed by automated, real-time intelligence that can identify and assign risk levels to these sites. Static or slow-moving defenses do not suffice to protect users and corporate data. Policy-based security controls must be able to act on real-time intelligence to block malicious attacks.
Mark Sparshott, EMEA Director at Proofpoint said: “One-Day Wonder sites are an essential tool for legitimate Content Delivery Networks (CDNs) to accelerate and optimise content delivery and enable individual visitor tracking. CDNs often create a unique sub-sub-domain per user so their site visit can be tracked for marketing purposes. Cybercriminals have copied the CDN approach, as well as other database marketing techniques such as IP, Sender Address and content rotation, to enable their malicious attacks to fly under the radar of the reputation systems used by email and web security solutions.
“Proofpoint’s researchers regularly see these techniques used in so called “longlining” email attacks where that deliver targeted emails to 10,000s of staff across 100s of companies within 1 or 2 hours. The emails contain a message that is personally relevant to most recipients resulting in 1 in 10 people clicking on a link in the email that goes to a malicious website which is often a “one-day wonder site” that looks harmless but can have total control over their PC in less than 5 seconds without them or their company’s security software noticing anything is wrong.”