Full Report
Unit 42 probes network abuses around events like the Olympics, featuring case studies of scams and phishing through domain registrations and more.
Source: "Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams", Unit 42 (Palo Alto Networks).
Analysis Summary
This article describes a **threat trend** related to the exploitation of global sporting events for cyberattacks, focusing on the discovery and mitigation of associated malicious domain usage rather than a specific piece of malware or tool.
# Tool/Technique: Event-Related Domain Abuse Campaigns (Example: 2024 Summer Olympics)
## Overview
Threat actors leverage trending global sporting events (such as the 2024 Summer Olympics in Paris) to launch attacks, primarily by registering and using domains that contain event-specific keywords or phrases (domain abuse campaigns). These campaigns are tracked by analysing domain registration records, DNS traffic, and URL traffic patterns around the event timeline.
## Technical Details
- Type: Technique (Trend Monitoring/Malicious Domain Registration)
- Platform: Internet Infrastructure (DNS/Web)
- Capabilities: Registration of newly created domains mimicking or using event keywords for phishing or scams.
- First Seen: Ongoing trend around major global events.
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
- T1583.001 - Acquire Infrastructure: Domains (registration of event-themed and lookalike domains ahead of the campaign)
- **TA0001 - Initial Access**
- T1566 - Phishing (the registered domains host credential-theft and scam pages)
- T1189 - Drive-by Compromise (where the domains are used to stage malware downloads)
- Note: T1568.002 (Domain Generation Algorithms) does not apply; these are statically chosen, human-registered names that imitate the event, not algorithmically generated ones.
## Functionality
### Core Capabilities
- Domain registrations leveraging event-specific keywords or phrases (e.g., "Olympics," "Paris 2024").
- Analysis of associated DNS and URL traffic to identify malicious usage.
### Advanced Features
- Monitoring of verdict change requests for event-themed URLs (requests to re-evaluate a URL's classification), which can surface domains whose use shifts between benign and malicious or infrastructure that is being rotated.
- Textual pattern analysis of newly registered domains.
## Indicators of Compromise
- File Hashes: N/A (Focus is on network indicators)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Newly registered domains containing event keywords (specific examples not provided in the summary).
- Behavioral Indicators: High volume of DNS queries or URL requests to newly registered, event-themed domains.
## Associated Threat Actors
- Unspecified threat actors exploiting trending events for financial gain or credential theft (typical goals of phishing/scams launched via newly registered domains).
## Detection Methods
- **Signature-based detection:** Limited. There is no malware sample to sign; the closest analogue is keyword and pattern matching on newly registered domain names, which must be combined with registration age and traffic context, since event keywords alone also match legitimate coverage and sponsors.
- **Behavioral detection:** Monitoring for surges in event-themed domain registrations that correlate with the event timeline, and for unusual DNS/URL traffic (sudden query volume to domains only days old) associated with these new domains.
- **YARA rules:** Not applicable.
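The combination of signals described above (event keywords in the name, registration age, and query volume) can be turned into a simple triage rule. The following is an added example, not code from the Unit 42 post; the keyword list, the age and volume thresholds, and the sample of newly registered domains are all constructed for illustration and none of the names are real indicators.

```python
import re
from datetime import date

# Assumed keyword list for the 2024 Summer Olympics; the post publishes no list.
EVENT_KEYWORDS = ("olympic", "olympics", "paris2024", "jo2024", "olympiques")

# Constructed sample of newly registered domains (NRDs): creation date and
# DNS queries seen in the last 24 hours. These are not real indicators.
SAMPLE_NRDS = [
    {"domain": "paris2024-tickets-resale.com", "created": date(2024, 7, 2), "queries_24h": 5400},
    {"domain": "0lympics-live-stream.net", "created": date(2024, 7, 20), "queries_24h": 1300},
    {"domain": "jo2024-billets.fr", "created": date(2024, 6, 30), "queries_24h": 90},
    {"domain": "olympicbakery.example", "created": date(2019, 3, 14), "queries_24h": 12},
    {"domain": "weather-widgets.org", "created": date(2024, 7, 21), "queries_24h": 3000},
]

# Common digit-for-letter substitutions used to dodge naive keyword matching.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Lower-case, undo leet substitutions, and drop separators such as '-' or '.'."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET_MAP))


def event_keywords_in(domain: str) -> list:
    """Return the event keywords found in the name part of the domain.

    The public suffix is stripped naively (last label only); a production
    scanner should use the Public Suffix List instead.
    """
    name = ".".join(domain.split(".")[:-1])
    normalized = normalize(name)
    return [k for k in EVENT_KEYWORDS if normalize(k) in normalized]


def assess(record: dict, today: date = date(2024, 7, 22),
           max_age_days: int = 90, surge_threshold: int = 1000) -> dict:
    """Combine the three signals into a verdict.

    suspicious: event keyword + young domain + traffic surge
    watch:      event keyword + young domain, but no surge yet
    benign:     anything else (keyword alone matches long-standing legitimate sites,
                a young busy domain alone matches every product launch)
    """
    keywords = event_keywords_in(record["domain"])
    age_days = (today - record["created"]).days
    young = age_days <= max_age_days
    surge = record["queries_24h"] >= surge_threshold

    if keywords and young and surge:
        verdict = "suspicious"
    elif keywords and young:
        verdict = "watch"
    else:
        verdict = "benign"

    return {
        "domain": record["domain"],
        "verdict": verdict,
        "keywords": keywords,
        "age_days": age_days,
        "queries_24h": record["queries_24h"],
    }


def scan(records: list, **kwargs) -> list:
    """Assess every NRD record and return the per-domain results."""
    return [assess(r, **kwargs) for r in records]


def flagged(records: list, **kwargs) -> list:
    """Domains that meet all three criteria, in input order."""
    return [a["domain"] for a in scan(records, **kwargs) if a["verdict"] == "suspicious"]


if __name__ == "__main__":
    for result in scan(SAMPLE_NRDS):
        print(f'{result["verdict"]:<10} {result["domain"]:<32} '
              f'keywords={result["keywords"]} age={result["age_days"]}d '
              f'queries={result["queries_24h"]}')
```

The normalisation step is what catches `0lympics-live-stream.net`, which a plain substring match on "olympic" would miss, while the age gate is what keeps the long-registered `olympicbakery.example` out of the queue. In practice the "watch" tier feeds the verdict-change and URL-filtering review described in the post, since a keyword domain registered weeks before the event often sees no traffic until the lure goes out.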
## Mitigation Strategies
- Proactive monitoring of event-related domain abuse.
- Utilizing the cloud-delivered security services named in the post (Palo Alto Networks subscriptions):
- Advanced DNS Security
- Advanced URL Filtering
- Advanced WildFire
## Related Tools/Techniques
- Phishing campaigns (using these domains).
- Infrastructure setup for drive-by downloads or malware distribution.