Domain Hijacking: Redirecting Your Visitors into the Hands of Criminals

May 10, 2022 | Cyber Security, IT News

Cyber criminals are increasingly relying on legitimate and well-established domains to carry out their maliciousness on the internet. Because of a recent sharp increase in business email compromises (BEC), there has been a major uptick in domain hijacking as well.

What is domain hijacking and how does it affect your business? How does it occur? In our multi-part series on DNS hijacking, we answer these questions, as well as provide you with mitigations for various attack vectors.

What is Domain Hijacking?

Domain hijacking, otherwise known as Domain Name System (DNS) Infrastructure Hijacking, occurs when an attacker uses compromised credentials to modify the location where an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

Essentially, the result is a transfer of ownership or control of a domain away from its rightful owner, by way of a fraudulent registrar transfer request or another false change to the domain's registration. This activity almost always harms the legitimate domain owner. Cybercriminals understand that the Domain Name System is a single, implicitly trusted protocol underpinning your website, and that many companies do not monitor their domains for malicious changes. For this reason, they may launch a range of attacks on the organization's DNS, and they often get away with it.

DNS Attack Vectors

There are a number of ways a DNS hijacking attack can be executed. The four most common types of DNS hijacking attacks are as follows:

Router DNS Hijack

The DNS router is a hardware device that domain service providers use to match domain names to their corresponding IP addresses. Most routers ship with preset passwords and a host of firmware vulnerabilities. Cybercriminals can take advantage of weak default passwords and those vulnerabilities to take over the router and reconfigure its DNS settings to their benefit. If they successfully overwrite the router's DNS settings, they can easily divert traffic to another website and make your company's website inaccessible.

Man-In-The-Middle DNS Hijacking

This is also called DNS spoofing. In this case, the attacker intercepts the communication between the website's visitors and the site's DNS server and alters the DNS settings, thereby directing the traffic to a malicious IP address.

Local DNS Hijack

A local DNS attack installs malware on the website user's computer. The malware, usually a trojan disguised as legitimate software, gives the cyber thieves access to the user's system and network, enabling them to steal data and change DNS settings that direct the user to malicious websites.

Rogue DNS Server

In this type of DNS hijacking, the cybercriminal compromises the DNS server itself and alters its settings to divert traffic to fake websites.
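The attack vectors above differ in where the tampering happens, and that difference is visible in DNS answers: a registrar-level or authoritative change shows up on every resolver, while a compromised router, infected workstation or rogue resolver changes the answer only for the people who use it. The following monitoring sketch is an added example, not code from the V2 Systems post; the baseline records, resolver names and observed answers are all constructed sample data, and a real monitor would fill the observations from periodic queries to each resolver.

```python
# Added example: classify DNS drift by comparing what several resolvers
# return for a monitored domain against a known-good baseline.
# Every value below is constructed sample data, not a real domain or IP.

# Hypothetical known-good records for the monitored domain, keyed by record type.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
}


def classify_drift(baseline, observations):
    """Compare per-resolver answers with the baseline.

    observations: {resolver_name: {rrtype: set(values)}}
    Returns one finding per record type that deviates, with a verdict:
      "authoritative_change" - every resolver agrees on a non-baseline value,
          which points at the zone or registrar (or an unrecorded legitimate
          change that the baseline should be updated for);
      "resolver_specific"    - only some resolvers deviate, which points at a
          compromised router, local malware or a rogue resolver, not the zone.
    """
    findings = []
    for rrtype, expected in baseline.items():
        answers = {name: frozenset(obs.get(rrtype, ())) for name, obs in observations.items()}
        deviating = {name: ans for name, ans in answers.items() if ans != expected}
        if not deviating:
            continue
        verdict = "authoritative_change" if len(deviating) == len(answers) else "resolver_specific"
        findings.append({
            "rrtype": rrtype,
            "verdict": verdict,
            "resolvers": sorted(deviating),
            "observed": {name: sorted(ans) for name, ans in deviating.items()},
        })
    return findings


# Constructed observations: the office router's resolver hands back a different
# A record than two public resolvers, while all three agree on NS and MX.
SAMPLE_OBSERVATIONS = {
    "office-router": {"NS": BASELINE["NS"], "A": {"198.51.100.77"}, "MX": BASELINE["MX"]},
    "public-1": {"NS": BASELINE["NS"], "A": {"203.0.113.10"}, "MX": BASELINE["MX"]},
    "public-2": {"NS": BASELINE["NS"], "A": {"203.0.113.10"}, "MX": BASELINE["MX"]},
}

if __name__ == "__main__":
    for finding in classify_drift(BASELINE, SAMPLE_OBSERVATIONS):
        print(finding)
```

Run against the sample data, the only finding is a resolver-specific A-record deviation on the office router, which is the signature of the router, local or rogue-server cases rather than a registrar-level hijack.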

In our next article on domain hijacking, we’ll discuss protections and mitigations for each of the above attack vectors, as well as general cybersecurity solutions proven to prevent DNS compromise.

It’s imperative that you don’t allow criminals to take control of your website. Would you want to visit the V2 Systems website, only to be redirected to a malicious one? Of course not. And we as a company definitely wouldn’t want you to, either. It’s bad for business, bad for your visitors, and, depending on what nefarious activities your domain ends up being used for, even bad for your country.

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!
