How Anti-Phishing Software Stops Domain Fronting

This is why we can’t have nice things.

Domain fronting started out with the best of intentions, developed as a way for political activists and human rights advocates living under repressive regimes to circumvent heavy censorship and surveillance in their home countries to get their message out. However, it quickly became another way for cybercriminals to infiltrate computers with malware. Here’s how domain fronting went from good to bad, and how anti-phishing software can protect you.

Domain Fronting: A Brief History

Ten or so years ago, people seeking to avoid censorship could communicate and access government-restricted websites through a proxy server, but as technology evolved, it became easier to detect traffic employing that tactic. So, people turned to The Onion Router (TOR), free and open-source software for enabling anonymous communication, but that method of communication was eventually cracked by governments. Next, people utilized a Virtual Private Network (VPN) for encryption. But, in an effort to keep an eye on what its citizens were doing, many countries began banning or restricting VPNs. That left people with one option: domain fronting.

Without getting too technical, domain fronting is the process of changing the destination of an internet connection midway using encryption. There are a number of apps used for domain fronting. These apps enable users to access restricted websites banned in their country by altering the code in the header of host websites. So, to the government or internet service provider, it will look like a user is connecting to a harmless website, when the connection has, in fact, been re-routed to another banned or restricted website.

Anti-Censorship Domain Fronting

In the United States, censorship is viewed as un-American, but in other countries, it’s an everyday occurrence. People in these countries have taken to using popular domain fronting apps to avoid government interference. Popular apps include Telegram, a chatting app banned by Russia and other countries, and Signal, a messenger app used in heavily censored regions like Egypt, Oman, Qatar, and the United Arab Emirates despite government efforts to block it.

In Africa, where many governments have a monopoly over the provision of cellular and internet services, these apps can provide a “lifeline” for internet users. During tumultuous times, such as elections and political campaigning, African governments have been known to impose shutdowns—and domain fronting offers a communications work-around.

Phishing Domain Fronting

Despite its honorable origins, domain fronting was quickly exploited by cybercriminals as a way to gather web resources otherwise blocked by network security measures and deliver malware by misleading users. Using similar techniques as the apps that help individuals access restricted sites to avoid censorship, hackers use domain fronting to bypass security measures and reach their command and control (C2) infrastructure hosted by content delivery networks (CDN) such as Amazon Web Services and Google.

While some CDN providers have begun to change their network policies to include domain fronting phishing prevention, phishing methods are always evolving and, in time, it’s likely they’ll find another way in the backdoor. In addition, domain fronting attacks are still possible through a number of lesser CDN hosts (it’s important to note that for a hacker to pull off a domain fronting scam, the malicious site and the legitimate site must both be hosted by the same CDN). While this phishing scam once seemed reserved for political gain (Cozy Bear, the Russian threat actors that hacked the Democratic National Committee in 2016, used a domain fronting tactic involving unsafe URLs), today’s businesses are dealing with phishing and malware attacks enabled by domain fronting as well.

Anti-Phishing Software for Domain Fronting

Phishing scams relying on domain fronting often come through the inbox. Individuals receive an email asking them to click on a link designed to look like a legitimate site. Of course, this tactic uses domain fronting to re-route to another unsafe site in which hackers hope to steal sensitive information or compromise credentials.

With reputable anti-phishing software in place, links will be checked against a blacklist or whitelist of domain names and unsafe URLs, and will be scrutinized further to determine if the link matches the actual URL. That’s not all. Using artificial intelligence (AI) technology, phishing prevention software can create a business trust graph to work as an organizational communications model. The trust graph validates incoming and outgoing email and messenger communications (such as Slack) to assess risk, looking closely at:

  • Frequencies and behaviors of sender and recipient communications
  • Changes to email addresses and hyperlinks
  • Coding changes that are hidden within each email’s metadata.

If you’re interested in anti-phishing software, look no further than Clearedin. We can provide protection from every type of phishing technique, including domain fronting attacks. Keep your business and your employees protected by contacting us today.

New call-to-action

Is Your Office 365 Secure ...

Subscribe for updates

Get weekly updates on phishing and other web attacks