CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Content Delivery Exploit Opens Websites to Brand Hijacking

Dark Reading Archived May 21, 2026 ✓ Full text saved

The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBER RISK CYBERSECURITY OPERATIONS VULNERABILITIES & THREATS СLOUD SECURITY NEWS Content Delivery Exploit Opens Websites to Brand Hijacking The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity. Nate Nelson,Contributing Writer May 21, 2026 5 Min Read SOURCE: HERNANDEZ JOSE MARIA VIA ALAMY STOCK PHOTO Researchers are sounding the alarm on a class of exploit inherent in Internet infrastructure itself for which there is no simple fix and nearly half of all websites globally are at risk. Conceptually, the issue is a successor to "domain fronting," a trivial Internet routing sleight of hand popular in the mid-2010s. Domain fronting allowed Web surfers to announce to domain name system (DNS) and content delivery network (CDN) providers that they were visiting one website, while in fact being directed to another, simply by switching one field — the HTTP Host header — in their Web requests. It caught enough attention back in 2018 that CDNs have largely mitigated it. The new issue, deemed "Underminr," works around those mitigations and has the very same effect. Although domain fronting is often associated with censorship bypass, the analysts at ADAMnetworks point out its more nefarious use: allowing attackers to conceal their malicious activity online by hijacking the brand reputations of legitimate websites. Related:What It'll Take to Make AI BOMs Usable in a Modern Security Program Hackers are already exploiting Underminr, they report, and your website is very likely available for their pleasure. ADAMnetworks found that 42% of websites are vulnerable, and in the US, that number climbs to 51%. Understanding Underminr Think back to school, YouTube explainers, or wherever you first learned about how the Internet works. Back then, you learned that when you request to visit a specific website — say, darkreading.com — that request travels to a Domain Name System (DNS) server, which resolves that human-readable domain to an IP address, like 104.16.224.171, associated with the website's server. Today, the picture is a degree more complicated. Like many websites today, darkreading.com sits behind a massive content delivery network (CDN) — in its case, Cloudflare. Cloudflare groups lots of domains behind the edge IP address 104.16.224.171. If you attempt to visit darkreading.com, it hits 104.16.224.171, then Cloudflare determines which site you intended to visit using two other fields contained in your request: the Server Name Identification (SNI) that belongs to the Transport Layer Security (TLS) handshake process, and the HTTP Host header inside of the encrypted part of the request that follows. The problem that ADAMnetworks identified rests on two weaknesses in this picture. First, DNS and CDN systems operate in relative silos: the former does its job, then passes the buck to the latter, and they don't cross-reference. Second, CDNs often group relatively established and trusted domains with relatively new and untrusted ones, all behind the same edge IPs. Related:Is 2026 the Year AI Bills of Materials Get Real? That allows an attacker to perform a DNS lookup for a perfectly trusted domain, like darkreading.com, at 104.16.224.171. Any Protective DNS filter will see the request as perfectly legitimate, and wave it on through. Next up, in the fields read by the CDN, the attacker can indicate that they wish to visit an entirely different website hosted at that same edge IP address. Neither the DNS or CDN providers will see that the other interpreted the same request differently. And even if the swapped website is malicious, large CDNs can't often suss that out, avoiding any red flag or alert. In the end, the attacker can filter traffic to a malicious site through a trusted one, like a shield. From there they can do anything — run scams, perform malicious command-and-control (C2) operations, exfiltrate data from victims — while leveraging the trusted domain to evade DNS-, signature-, and behavior-based detection. On the flip side, by being associated with malicious cyber activity, the trusted site faces loss of brand reputation, and any number of other business, legal, and logistical headaches therein. CDN Architecture Determines Underminr Risk To gauge Underminr's blast radius, ADAMnetworks scanned the top five million domains on the Web. The result: nearly half of all websites are exposed. Related:The Boring Stuff Is Dangerous Now Those websites aren't evenly distributed, though. In the US, around half of all sites are at risk. In Eastern Europe, one-third. In China's ultra-regulated Internet, less than 9%. That disparity betrays that Underminr is not an inescapable reality of the Internet; it's a design flaw. One need not dig all the way to China for a CDN that protects the integrity of one's website, though. Boutique, security-focused providers that don't serve armies of anonymous clientele eliminate the risk. And for a model of what larger providers can do to protect their customers, one might look to Fastly. "They were late to the game of fixing the domain fronting problem that existed 10 years ago," recalls ADAMnetworks CEO David Redekop. Though slow out of the blocks, he says, "they fixed it the best by creating grades of customers, or what I like to call 'bucketizing.'" Bucketizing — Redekop's own term for a phenomenon without an official name — is a practice where a CDN like Fastly intentionally groups domains together according to their reputations. "Fastly said: 'You know what? The New York Times and The Guardian: let's put them together in a bucket. But if you have some new domain name that's buying Fastly CDN services, let's put it together with the other new domain names," Redekop explains. In bucketizing domains by reputation, Fastly vastly reduced the risk that the same IP would host, say, The New York Times homepage and a malicious C2 server. That didn't technically prevent domain fronting, but it sure sucked all the appeal out of it. And since domain fronting and Underminr are almost exactly the same issue, with one minor distinction — instead of disagreeing SNI and HTTP Host fields, the fields that disagree are SNI and DNS — it had the same effect for Underminr. Every single Fastly customer today is at risk of Underminr, but does it matter if all they can do is swap nytimes.com for theguardian.com? Redekop emphasizes that if organizations want to protect their sites, they really only have one course of action. "If they want to do something about their own domain name," he says, "what they could do is move it off of the content delivery network that enables the Underminr." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure AI-Powered Cybersecurity for Resource-Constrained Organizations How Security Teams should apply Threat Intelligence into their Defenses Your Guide to Securing AI Adoption in Your Organization More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST AI-Powered Cybersecurity for Resource-Constrained Organizations THURS, JUNE 18, 2026, AT 1PM EST How Security Teams should apply Threat Intelligence into their Defenses THURS, JUNE 11, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗