Dynamic DNS: A Cybercriminal Tool for Masking Activity and Identity

179/68 Monday, May 19, 2025

Dynamic DNS (DDNS) services, originally designed to map frequently changing IP addresses to a stable hostname, are increasingly being abused by cybercriminal groups such as Scattered Spider and various phishing actors. These groups rent subdomains under DDNS providers' zones to host malicious infrastructure and impersonate legitimate brands, which makes detection and tracking significantly more difficult. The trend has raised concerns among security researchers, particularly as the underground market for "subdomain rental" continues to expand.

A report by threat intelligence firm Silent Push highlights that Scattered Spider has shifted tactics in 2025 to use rented subdomains from DDNS providers, most notably it[.]com Domains LLC, as part of its infrastructure. One example is the spoofed subdomain klv1[.]it[.]com, created to impersonate klv1[.]io, a legitimate domain belonging to marketing automation company Klaviyo. At the time, only a few antivirus engines on VirusTotal flagged the spoofed domain. Dan Green, a researcher at Push Security, noted that such subdomains look highly legitimate because they sit under a familiar .com domain, and can be rented cheaply with minimal verification, which makes them effective for impersonation.

In addition to it[.]com Domains, other DDNS providers such as Duck DNS, ChangeIP, and No-IP have also been misused for similar purposes.

Although it[.]com Domains stated that it enforces anti-abuse policies and has taken down malicious subdomains used by Scattered Spider within one to two weeks of registration, Zach Edwards of Silent Push argues that this response time is far too slow. Threat actors typically use these subdomains for only a few hours or days, making DDNS "the perfect architecture" for short-lived attacks that do not need to rank on Google and that never trigger conventional domain-registration monitoring.

As a result, organizations are being urged to broaden their threat detection to cover suspicious subdomains under DDNS and subdomain-rental zones, not just newly registered domains (NRDs): NRD feeds are keyed on registrable domains, so a label rented under an established .com such as it[.]com never appears in them. Proactive measures are increasingly critical, as abuse of DDNS and subdomain rental services is expected to grow significantly in the near future.
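As an added example (not code from the Dark Reading article, Silent Push or Push Security), the following Python script shows the kind of detection the paragraph above calls for: it scans DNS query logs, isolates any name that sits under a known DDNS or subdomain-rental apex, and raises the severity when the rented label is within one edit of a protected brand's own label (the klv1[.]it[.]com versus klv1[.]io case). The provider apex list, the protected-brand list and the log lines are constructed for illustration; a real deployment would source the apex list from threat intelligence and the brands from the organization's own portfolio.

```python
"""Flag rented DDNS subdomains in DNS query logs, escalating brand look-alikes.

Added example, not from the article. DDNS_APEXES, PROTECTED_BRANDS and the
sample log are constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed, deliberately short list of apex zones operated by the providers the
# article names. A production list is far larger and fed from threat intel.
DDNS_APEXES = {
    "it.com",        # it.com Domains LLC (subdomain rental)
    "duckdns.org",   # Duck DNS
    "ddns.net",      # No-IP
    "no-ip.org",     # No-IP
    "changeip.com",  # ChangeIP
}

# Brands to protect. klv1.io is the article's example; add your own domains.
PROTECTED_BRANDS = {"klv1.io"}

# Constructed log format: "<ts> client=<ip> query=<qname> type=<rrtype>"
LOG_RE = re.compile(r"query=(?P<qname>[A-Za-z0-9.-]+)")


def rented_subdomain(fqdn: str) -> Optional[Tuple[str, str]]:
    """Return (rented_label, provider_apex) if fqdn sits under a DDNS apex.

    The rented label is the one directly left of the apex, so
    www.klv1.it.com -> ("klv1", "it.com"). The bare apex itself is not rented.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        apex = ".".join(labels[i:])
        if apex in DDNS_APEXES:
            return labels[i - 1], apex
    return None


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for per-query use."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(label: str) -> Optional[str]:
    """Return the protected brand whose own label is within one edit of label."""
    for brand in PROTECTED_BRANDS:
        if edit_distance(label, brand.split(".")[0]) <= 1:
            return brand
    return None


@dataclass
class Finding:
    qname: str
    rented_label: str
    provider_apex: str
    severity: str            # "high" when it mimics a brand, else "low"
    impersonates: Optional[str]


def scan(lines: List[str]) -> List[Finding]:
    """Every query under a DDNS apex is a low finding; brand look-alikes are high."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        hit = rented_subdomain(qname)
        if hit is None:
            continue
        label, apex = hit
        brand = brand_lookalike(label)
        findings.append(Finding(qname, label, apex, "high" if brand else "low", brand))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-05-19T09:41:02Z client=10.0.0.21 query=klv1.it.com type=A
2025-05-19T09:41:05Z client=10.0.0.21 query=klv1.io type=A
2025-05-19T09:42:17Z client=10.0.0.34 query=klvl.it.com type=A
2025-05-19T09:43:00Z client=10.0.0.34 query=buildbox.duckdns.org type=A
2025-05-19T09:44:12Z client=10.0.0.40 query=www.example.com type=A
2025-05-19T09:45:30Z client=10.0.0.40 query=it.com type=A
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.qname} rented={f.rented_label} under {f.provider_apex}"
              + (f" impersonates {f.impersonates}" if f.impersonates else ""))
```

The low-severity path matters as much as the high one: because rented labels live for hours rather than weeks, a first query to any name under one of these apexes from a host that has never resolved it before is itself a useful hunting lead, and the apex match is what an NRD feed cannot give you.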

Source https://www.darkreading.com/threat-intelligence/dynamic-dns-cyberattack-facilitator