DNS Hijacking: What You Need to Know

The word “hijacking” inspires a host of emotions, few of which are favorable. When associated with airlines, in particular, the word can elicit feelings ranging from concern to outright terror. For infosec professionals, that same spectrum of reactions may come into play when detecting a hijack on your domain name system (DNS). 

By the time word gets out that a DNS hijacking has occurred, security has already been breached and the damage is mounting. For organizations that have been victimized, such attacks can have monumental impacts. To avoid this particular pitfall, the best course of action is to know the dangers and deploy the right security mechanisms in advance to prevent hijackers from ever having the chance to strike.

Setting the Stage for DNS Hijacking

With DNS, an organization’s website name, typically a URL that is easy for customers to recall and type in, is translated into an internet protocol (IP) address. That IP address corresponds to where the site is hosted on the internet. Two parties are key to assigning domain names: registries and registrars.

Registries essentially serve as wholesalers of domain names for specific top-level domains (TLDs) like .com, .org, .uk and .edu, to name a few. Registries sell names beneath these TLDs, referred to as second-level domains (SLDs) such as example.com, to registrars. Registrars sell these SLDs to the public. Some of the best-known registrars are GoDaddy, Squarespace and Bluehost.

For registrars to purchase a name, they must have an account with a registry, which involves establishing login credentials. Similarly, for the public to purchase a domain name, they also must create an account with login credentials with a registrar. 

If a company wishes to make a change to the DNS of their SLD, it does so by first logging into its account with its registrar. For example, if a company decides to change its website host, it must point its familiar URL to the new host’s IP address. For the company’s change to take effect, the registrar may also need to log in to its own account with the registry and communicate the updates; the registry then publishes the new information for all name servers so that any visitors to the company’s website are seamlessly directed to its new IP address.

When login information is compromised at any point in the company-registrar-registry communication chain, whether through the use of weak passwords, broad sharing of login credentials, falling prey to social engineering schemes or overlooking some other security gap, scammers gain a hijacking opportunity.

Maneuvering for Malicious Gain

Attackers who gain access to any account in the company-registrar-registry communication chain can do serious damage. With the ability to change where a company’s website points, attackers can intercept and direct traffic to fake servers. They may be able to lure customers into unwittingly disclosing login credentials and personal information and they may be able to do the same for employees, gaining deeper network access. They may also infect victims with malware to further compromise configurations to the hijackers’ benefit.

DNS hijackers also have the capability to take a business completely offline, bringing commercial activity to a screeching halt. Such tactics offer a clear and sudden indicator that a company’s security has been compromised and often result in frantic remedies to shore up systems. 

Some hijackers may take a more subtle approach and try to remain undetected for as long as possible, particularly if they seek to glean as much customer or employee information as they can. They may shift traffic between fake servers and the legitimate site for brief intervals, timing activities to take advantage of lapses in oversight to avoid discovery. 

Dire Consequences for Victims

DNS hijacking can have dire consequences for businesses and their clients. In most cases, security teams may not realize that a site has been hijacked until it is too late. In the time it takes teams to check systems and isolate the issue, hijackers have more than likely already made off with sensitive customer and employee data. Businesses then not only need to repair and reinforce the damaged infrastructure, but they also have the unpleasant task of communicating the breach to their clients and embarking on a long process to rebuild trust in their brand and services. Altogether, the costs are great, but they are avoidable.
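One reason detection lags is that a single spot check of a domain's records tells you nothing about the brief redirections described above. The following monitor, an added example that is not code from the original article, compares what a resolver returned against the organization's expected baseline and also counts how often an answer set flips between "matches" and "deviates". All names, addresses and timestamps are constructed for illustration (documentation address ranges); in production each Observation would come from a scheduled query against a public resolver rather than an inline list.

```python
"""DNS answer-drift monitor (added example; not the article's code).

Flags resolver answers that deviate from an expected baseline and counts
flaps, so a record that is swapped in and out for short windows still
surfaces. Every value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]  # (owner name, record type)

# Expected answers -- hypothetical values in RFC 5737 documentation ranges.
BASELINE: Dict[Key, FrozenSet[str]] = {
    ("www.example.com", "A"): frozenset({"203.0.113.10", "203.0.113.11"}),
    ("example.com", "NS"): frozenset({"ns1.example.net", "ns2.example.net"}),
    ("example.com", "MX"): frozenset({"mail.example.com"}),
}


@dataclass(frozen=True)
class Observation:
    timestamp: str            # ISO-8601 time of the query (constructed)
    name: str                 # queried owner name
    rtype: str                # "A", "NS", "MX", ...
    answers: FrozenSet[str]   # what the resolver returned


def check(obs: Observation, baseline=BASELINE) -> List[str]:
    """Return findings for one observation; an empty list means it matched."""
    expected = baseline.get((obs.name, obs.rtype))
    prefix = f"{obs.timestamp} {obs.name}/{obs.rtype}"
    if expected is None:
        return [f"{prefix}: no baseline entry, cannot verify"]
    findings = []
    unexpected = obs.answers - expected
    missing = expected - obs.answers
    if unexpected:
        findings.append(f"{prefix}: unexpected answers {sorted(unexpected)}")
    if missing:
        findings.append(f"{prefix}: expected answers missing {sorted(missing)}")
    return findings


def scan(observations: List[Observation], baseline=BASELINE) -> List[str]:
    """Check a time series of observations and return every finding in order."""
    out: List[str] = []
    for obs in observations:
        out.extend(check(obs, baseline))
    return out


def count_flaps(observations: List[Observation], name: str, rtype: str,
                baseline=BASELINE) -> int:
    """Count transitions between 'matches baseline' and 'deviates' for one
    record. A record swapped out and back for a short window yields 2."""
    series = [o for o in observations if (o.name, o.rtype) == (name, rtype)]
    states = [not check(o, baseline) for o in series]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed sample: hourly samples of www, the third pointing at an
# address outside the baseline for one window before reverting.
SAMPLE = [
    Observation("2024-01-01T00:00Z", "www.example.com", "A",
                frozenset({"203.0.113.10", "203.0.113.11"})),
    Observation("2024-01-01T01:00Z", "www.example.com", "A",
                frozenset({"203.0.113.10", "203.0.113.11"})),
    Observation("2024-01-01T02:00Z", "www.example.com", "A",
                frozenset({"198.51.100.7"})),
    Observation("2024-01-01T03:00Z", "www.example.com", "A",
                frozenset({"203.0.113.10", "203.0.113.11"})),
    Observation("2024-01-01T03:00Z", "example.com", "NS",
                frozenset({"ns1.example.net", "ns2.example.net"})),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
    print("flaps for www.example.com/A:", count_flaps(SAMPLE, "www.example.com", "A"))
```

Include the apex NS records in the baseline: a compromised registrar account usually shows up first as a changed delegation, and the NS set rarely changes legitimately, so any drift there deserves an immediate page rather than a ticket.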

Lock Out Potential Threats

Following security best practices is the first step in foiling hijacking attempts. Such practices involve keeping track of and protecting account credentials and recovery methods, ensuring that only those in need-to-know positions have access. Essential safety layers should be put in place, such as requiring multifactor authentication (MFA) for all users and enabling notifications for recent or pending actions (such as expiry dates or issuance of new SSL certificates). Additionally, security teams should regularly monitor existing critical accounts to spot and address any anomalies. 

Beyond best practices, registrar and registry locks can provide additional peace of mind. A registrar lock means that any changes made to a company’s domain can only proceed once the company has unlocked the ability to do so. In most cases, a company’s security specialist would need to complete two-factor authentication or provide a passphrase to give the registrar assurance that a request is legitimate.

With a registry lock, a company’s domain cannot be modified or moved without a rigorous validation process between the registrar and the registry. Such a lock typically demands more effort to override, as manual inputs and even offline parameters must be fulfilled. Using registry locks in combination with registrar locks fully secures the company-registrar-registry communication chain.  

Although registrar and registry locks can require additional time and effort for companies to make changes to their DNS, they are invaluable when it comes to thwarting hijackers and maintaining the integrity of sensitive data.
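Both kinds of lock are visible from the outside, so a security team can verify they are actually in place rather than trusting a portal checkbox. The check below is an added example, not code from the article or from any registrar. It relies on RFC 8056, which maps the EPP status codes to the RDAP "status" strings: the locks a registrar applies appear as the "client ... prohibited" values, and the locks only the registry itself can apply appear as the "server ... prohibited" values. The RDAP documents are constructed inline so the script runs offline; a live check would fetch /domain/<name> from the TLD's RDAP server (listed in IANA's RDAP bootstrap registry) and pass the parsed JSON to lock_report().

```python
"""Registrar/registry lock check from an RDAP domain record
(added example; not code from the article or any registrar).

RFC 8056 maps EPP statuses to RDAP status strings. Registrar locks are the
"client ... prohibited" values; registry locks are the "server ... prohibited"
values. The sample documents below are constructed (shape per RFC 9083).
"""
import json
from typing import Dict, List

CLIENT_LOCKS = {
    "client delete prohibited",
    "client transfer prohibited",
    "client update prohibited",
}
SERVER_LOCKS = {
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}
# Statuses meaning a change is already in flight at the registry; the
# article's advice to enable notifications for pending actions covers these.
PENDING = {"pending create", "pending delete", "pending renew",
           "pending transfer", "pending update"}


def lock_report(rdap_doc: Dict) -> Dict:
    """Summarise which locks a parsed RDAP domain document shows."""
    status = set(rdap_doc.get("status", []))
    return {
        "domain": rdap_doc.get("ldhName", "<unknown>"),
        "registrar_lock": CLIENT_LOCKS <= status,  # all three client locks set
        "registry_lock": SERVER_LOCKS <= status,   # all three server locks set
        "missing_client": sorted(CLIENT_LOCKS - status),
        "missing_server": sorted(SERVER_LOCKS - status),
        "pending": sorted(status & PENDING),
    }


def findings(report: Dict) -> List[str]:
    """Turn a report into the lines a monitoring job would alert on."""
    out: List[str] = []
    d = report["domain"]
    if not report["registrar_lock"]:
        out.append(f"{d}: registrar lock incomplete, missing {report['missing_client']}")
    if not report["registry_lock"]:
        out.append(f"{d}: registry lock incomplete, missing {report['missing_server']}")
    if report["pending"]:
        out.append(f"{d}: change in progress {report['pending']}")
    return out


# Constructed RDAP documents; the values are made up for illustration.
FULLY_LOCKED = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client delete prohibited", "client transfer prohibited",
             "client update prohibited", "server delete prohibited",
             "server transfer prohibited", "server update prohibited"]
}""")

TRANSFER_LOCK_ONLY = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.org",
  "status": ["client transfer prohibited", "pending update"]
}""")

if __name__ == "__main__":
    for doc in (FULLY_LOCKED, TRANSFER_LOCK_ONLY):
        rep = lock_report(doc)
        print(rep["domain"], "registrar_lock:", rep["registrar_lock"],
              "registry_lock:", rep["registry_lock"])
        for line in findings(rep):
            print("  ", line)
```

A domain that shows only "client transfer prohibited" is protected against being moved to another registrar but not against its name servers being rewritten from a compromised account, which is the change that matters most in a hijack; the script therefore treats anything short of all three client statuses, and all three server statuses, as an incomplete lock. Running it on a schedule and diffing the report catches a lock that was quietly removed.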

For companies seeking to maintain the safety of client and proprietary data, understanding external threats is half the battle. By implementing robust security systems and tools, an organization can return its focus to growing its business.

Michael Kaczmarek

Michael Kaczmarek is the VP of Product Management for Neustar’s Security Solutions business unit. He is responsible for evangelizing the vision, strategies, and tactics for the successful launch and expansion of products into new and existing markets. Prior to joining Neustar, Michael was with Verisign for more than 18 years where he served in various capacities including VP of product management and marketing for Verisign Security Services. He previously served as a systems engineering manager for Lockheed Martin in charge of their Solid Rocket Motor Disposition in Russia Program. Michael holds a Bachelor of Science in aerospace engineering from the University of Maryland and a Master of Engineering in environmental engineering from Johns Hopkins University.