Content Delivery Exploit Opens Websites to Brand Hijacking
Recorded: May 21, 2026, 1:58 p.m.
Original
The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity.

Nate Nelson, Contributing Writer
May 21, 2026
5 Min Read

Researchers are sounding the alarm on a class of exploit inherent in Internet infrastructure itself, for which there is no simple fix and to which nearly half of all websites globally are exposed.

Conceptually, the issue is a successor to "domain fronting," a trivial Internet routing sleight of hand popular in the mid-2010s. Domain fronting allowed Web surfers to announce to domain name system (DNS) and content delivery network (CDN) providers that they were visiting one website, while in fact being directed to another, simply by switching one field — the HTTP Host header — in their Web requests. It caught enough attention back in 2018 that CDNs have largely mitigated it.

The new issue, deemed "Underminr," works around those mitigations and has the very same effect. Although domain fronting is often associated with censorship bypass, the analysts at ADAMnetworks point out its more nefarious use: allowing attackers to conceal their malicious activity online by hijacking the brand reputations of legitimate websites.

Hackers are already exploiting Underminr, they report, and your website is very likely available for their pleasure. ADAMnetworks found that 42% of websites are vulnerable, and in the US, that number climbs to 51%.

Understanding Underminr

Think back to school, YouTube explainers, or wherever you first learned how the Internet works. Back then, you learned that when you request to visit a specific website — say, darkreading.com — that request travels to a Domain Name System (DNS) server, which resolves that human-readable domain to an IP address, like 104.16.224.171, associated with the website's server.

Today, the picture is a degree more complicated. Like many websites today, darkreading.com sits behind a massive content delivery network (CDN) — in its case, Cloudflare. Cloudflare groups lots of domains behind the edge IP address 104.16.224.171.
If you attempt to visit darkreading.com, your request hits 104.16.224.171, and Cloudflare then determines which site you intended to visit using two other fields contained in your request: the Server Name Indication (SNI) that belongs to the Transport Layer Security (TLS) handshake, and the HTTP Host header inside the encrypted part of the request that follows.

The problem that ADAMnetworks identified rests on two weaknesses in this picture. First, DNS and CDN systems operate in relative silos: the former does its job, then passes the buck to the latter, and they don't cross-reference. Second, CDNs often group relatively established and trusted domains with relatively new and untrusted ones, all behind the same edge IPs.

That allows an attacker to perform a DNS lookup for a perfectly trusted domain, like darkreading.com, at 104.16.224.171. Any Protective DNS filter will see the request as perfectly legitimate and wave it on through. Next, in the fields read by the CDN, the attacker can indicate that they wish to visit an entirely different website hosted at that same edge IP address. Neither the DNS nor the CDN provider will see that the other interpreted the same request differently. And even if the swapped website is malicious, large CDNs often can't suss that out, so no red flag or alert is raised.

In the end, the attacker can funnel traffic to a malicious site through a trusted one, like a shield. From there they can do anything — run scams, perform malicious command-and-control (C2) operations, exfiltrate data from victims — while leveraging the trusted domain to evade DNS-, signature-, and behavior-based detection.
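The cross-reference the article says DNS and CDN providers never perform can be done by a network monitor that sees both halves of the exchange: the answers a client received from DNS and the SNI it then sent to the resolved edge IP. The Python below is an added example for this piece, not ADAMnetworks' tooling or anything from the article; it runs over two constructed log streams loosely shaped after Zeek's dns.log and ssl.log (the record layout is a simplification, not Zeek's schema), and every client address and domain name other than darkreading.com and its cited edge IP 104.16.224.171 is an invented placeholder. It flags a TLS ClientHello whose SNI was never resolved to that edge IP by the same client within a short lookback window, which is exactly the SNI/DNS disagreement the article describes.

```python
"""Correlate TLS SNI with the DNS answers the same client received.

The article's point: a DNS filter sees a lookup for a trusted domain, and the
CDN edge sees an SNI for some other tenant on the same IP, but nobody checks
that the two agree. A passive monitor that logs both (Zeek's dns.log and
ssl.log are the usual sources) can make that check per client. Record layouts
below are a simplification of those logs, not Zeek's exact schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float          # seconds; when the answer was seen
    client: str        # address of the resolving client
    qname: str         # name that was queried
    answers: tuple     # IPv4 addresses in the answer section


@dataclass(frozen=True)
class TlsHello:
    ts: float          # seconds; when the ClientHello was seen
    client: str        # source address of the TLS connection
    server_ip: str     # destination edge IP
    sni: str           # server_name extension from the ClientHello


# Constructed sample traffic. 104.16.224.171 is the Cloudflare edge address the
# article cites for darkreading.com; every other name and address below is a
# placeholder invented for this example.
DNS_LOG = [
    DnsAnswer(100.0, "10.0.0.5", "darkreading.com", ("104.16.224.171",)),
    DnsAnswer(101.0, "10.0.0.5", "www.darkreading.com", ("104.16.224.171",)),
    DnsAnswer(150.0, "10.0.0.9", "darkreading.com", ("104.16.224.171",)),
    DnsAnswer(160.0, "10.0.0.9", "static.example-cdn.test", ("198.51.100.7",)),
]

TLS_LOG = [
    # DNS answer and SNI agree
    TlsHello(100.4, "10.0.0.5", "104.16.224.171", "darkreading.com"),
    TlsHello(101.2, "10.0.0.5", "104.16.224.171", "www.darkreading.com"),
    # client resolved darkreading.com, then asked the same edge IP for a
    # name it never looked up: the SNI/DNS disagreement the article describes
    TlsHello(150.3, "10.0.0.9", "104.16.224.171", "fresh-domain-1234.test"),
    TlsHello(160.2, "10.0.0.9", "198.51.100.7", "static.example-cdn.test"),
    # no lookup in the window at all (cached answer, or DNS the monitor
    # cannot see); reported separately rather than as a mismatch
    TlsHello(400.0, "10.0.0.9", "104.16.224.171", "darkreading.com"),
]

LOOKBACK_SECONDS = 120.0


def _norm(name):
    """Case-fold and drop a trailing dot so log spellings compare equal."""
    return name.lower().rstrip(".")


def names_resolved_to(dns_log, client, server_ip, before_ts, lookback=LOOKBACK_SECONDS):
    """Names this client resolved to server_ip in the `lookback` seconds before before_ts."""
    names = set()
    for rec in dns_log:
        if rec.client != client or server_ip not in rec.answers:
            continue
        if before_ts - lookback <= rec.ts <= before_ts:
            names.add(_norm(rec.qname))
    return names


def classify(dns_log, tls_log, lookback=LOOKBACK_SECONDS):
    """Return (hello, verdict, resolved_names) for each TLS hello.

    verdict is one of:
      consistent        SNI is among the names the client resolved to that IP
      sni_dns_mismatch  client resolved other names to that IP, but not the SNI
      no_dns_seen       no resolution to that IP from this client in the window
    """
    out = []
    for hello in tls_log:
        names = names_resolved_to(dns_log, hello.client, hello.server_ip, hello.ts, lookback)
        if not names:
            verdict = "no_dns_seen"
        elif _norm(hello.sni) in names:
            verdict = "consistent"
        else:
            verdict = "sni_dns_mismatch"
        out.append((hello, verdict, sorted(names)))
    return out


def mismatches(dns_log, tls_log, lookback=LOOKBACK_SECONDS):
    """Only the hunt leads: (client, edge_ip, sni, names_the_client_did_resolve)."""
    return [(h.client, h.server_ip, h.sni, names)
            for h, v, names in classify(dns_log, tls_log, lookback)
            if v == "sni_dns_mismatch"]


if __name__ == "__main__":
    for hello, verdict, names in classify(DNS_LOG, TLS_LOG):
        print(f"{hello.ts:7.1f} {hello.client:>9} -> {hello.server_ip:<15} "
              f"sni={hello.sni:<24} {verdict:<17} resolved={names}")
```

A "sni_dns_mismatch" verdict is a hunt lead rather than proof: in real logs the CNAME chain in a DNS answer must count as resolved names too, an answer cached before the capture window started or obtained over DNS-over-HTTPS produces a "no_dns_seen" the monitor cannot settle, and a client using TLS Encrypted Client Hello does not expose the SNI at all. The point the example makes is structural: neither the DNS filter nor the CDN edge has both fields, but a vantage point on the client's own network does.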
On the flip side, by being associated with malicious cyber activity, the trusted site faces loss of brand reputation, along with any number of other business, legal, and logistical headaches.

CDN Architecture Determines Underminr Risk

To gauge Underminr's blast radius, ADAMnetworks scanned the top five million domains on the Web. The result: nearly half of all websites are exposed.

Those websites aren't evenly distributed, though. In the US, around half of all sites are at risk. In Eastern Europe, one-third. In China's ultra-regulated Internet, less than 9%. That disparity betrays that Underminr is not an inescapable reality of the Internet; it's a design flaw.

One need not dig all the way to China for a CDN that protects the integrity of one's website, though. Boutique, security-focused providers that don't serve armies of anonymous clientele eliminate the risk. And for a model of what larger providers can do to protect their customers, one might look to Fastly. "They were late to the game of fixing the domain fronting problem that existed 10 years ago," recalls ADAMnetworks CEO David Redekop. Though slow out of the blocks, he says, "they fixed it the best by creating grades of customers, or what I like to call 'bucketizing.'"

Bucketizing — Redekop's own term for a phenomenon without an official name — is a practice where a CDN like Fastly intentionally groups domains together according to their reputations. "Fastly said: 'You know what? The New York Times and The Guardian: let's put them together in a bucket. But if you have some new domain name that's buying Fastly CDN services, let's put it together with the other new domain names,'" Redekop explains.

In bucketizing domains by reputation, Fastly vastly reduced the risk that the same IP would host, say, The New York Times homepage and a malicious C2 server. That didn't technically prevent domain fronting, but it sure sucked all the appeal out of it.
And since domain fronting and Underminr are almost exactly the same issue, with one minor distinction — instead of disagreeing SNI and HTTP Host fields, the fields that disagree are SNI and DNS — it had the same effect for Underminr. Every single Fastly customer today is at risk of Underminr, but does it matter if all they can do is swap nytimes.com for theguardian.com?

Redekop emphasizes that if organizations want to protect their sites, they really only have one course of action. "If they want to do something about their own domain name," he says, "what they could do is move it off of the content delivery network that enables the Underminr."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading, he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcast charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College.
As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Summarized

The Underminr attack exploits inherent weaknesses in the Internet's infrastructure, creating a class of vulnerability affecting nearly half of all websites globally. Conceptually, this exploit is a successor to domain fronting, a previous technique that allowed users to route web traffic to a destination other than the intended one by manipulating the HTTP Host header within web requests. While domain fronting was often associated with censorship bypass, the vulnerability identified by ADAMnetworks, termed Underminr, is more insidious; it permits threat actors to conceal malicious activity online by hijacking the brand reputations of legitimate websites.

The mechanism hinges on the interaction between Domain Name System (DNS) and Content Delivery Network (CDN) systems. When a user requests a website, the request first resolves the domain name to an IP address via DNS. Subsequently, if the website is hosted on a CDN, the CDN routes the request using additional information the request carries: the Server Name Indication (SNI) in the Transport Layer Security handshake and the HTTP Host header within the encrypted request payload. The flaw resides in the fact that DNS and CDN systems operate in relative silos, with no cross-referencing between them. Furthermore, CDNs frequently group established and trusted domains with newer or untrusted ones behind the same edge IP addresses, which exacerbates the risk.

An attacker leverages this silo structure by performing a DNS lookup for a perfectly trusted domain, allowing protective DNS filters to pass the request unimpeded. The attacker then sets the subsequent fields read by the CDN — SNI and the HTTP Host header — to indicate that traffic should be directed toward a malicious website hosted on the same edge IP address. Since DNS and CDN providers do not correlate these fields, they do not recognize the discrepancy.
This allows the attacker to funnel traffic through a trusted website, enabling malicious activities such as running scams, executing command-and-control operations, or exfiltrating data while leveraging the reputation of the trusted domain to evade detection mechanisms based on DNS, signatures, or behavioral analysis.

The extent of this risk is significant: scanning the top five million domains revealed that nearly half are exposed, with the share rising to fifty-one percent in the United States. The exposure is not universal; the distribution varies significantly by region, being less than nine percent in China's highly regulated internet. This variance suggests that Underminr is largely a design flaw within the architecture rather than an inescapable reality of the internet.

To mitigate this risk, organizations must consider how CDN architecture determines Underminr's blast radius. Security-focused providers, such as Fastly, have addressed this by implementing a practice known as bucketizing: intentionally grouping domains based on their reputation. For example, recognized domains like The New York Times and The Guardian are grouped together, while newer domains are grouped separately. This reduces the risk that a single IP address hosts both a high-profile legitimate site and a malicious command-and-control server. Although bucketizing does not technically prevent domain fronting, it significantly diminishes the appeal and utility of the exploit. Ultimately, the authors suggest that if organizations are to protect their domains, the most effective course of action is to move the domain off the content delivery network that enables the Underminr vulnerability.