In the world of cyber crime, the news never seems to cease. In fact, two recent news stories detail domain name system (DNS) hijacking. One article focuses on a global campaign aimed at hijacking DNS at an unprecedented scale [1]; the other covers another massive scam manipulating domain names using a major retail registrar’s managed DNS services [2]. The articles highlight specific techniques the attackers used to intercept and manipulate legitimate traffic, harvest information (like credentials or emails), or cause a range of other malicious activities, such as phishing. In some cases, low-validation (and often free) digital security certificates issued by some providers were used to increase the credibility of the scams, compounding the issue for brands and customers.
DNS hijacking is not a new threat. It’s been used countless times by hacktivists and others to cause destruction or raise awareness of a cause [3]. However, cyber criminals have recently begun leveraging the tactic to sabotage financial institutions [4] and cryptocurrency providers for monetary gain [5]. These latest examples prove that cyber criminals are using DNS hijacking to access companies’ DNS and reroute traffic to fraudulent sites. Additionally, they are conducting phishing campaigns to steal money or data, and in some extreme cases, even government property.
This serves as an important reminder to organizations: you should ensure you are collaborating with corporate providers focused on security that also possess the agility to deal with evolving threats. To mitigate these types of attacks, your provider should:
- Mandate two-factor authentication on their domain management and DNS systems
- Offer authentication options, such as IP validation and federated identity
- Offer registry and registrar locks on your business-critical domains
- Offer ongoing monitoring of your domain portfolio to identify security blind spots around access permissions, DNS, and digital certificates
Within DNS, there are also steps that can make you, the brand owner, a far less attractive target and reduce the impact of an attack, including:
- CAA records: The addition of Certificate Authority Authorization records for certificate validation can reduce the impact of an attacker adding their own certificate to a hijacked domain.
- DNSSEC: Domain Name System Security Extensions will provide an additional hurdle for the attacker trying to re-sign the zone with their own changes.
- Zone restore function: This additional tactic may help with a swift return to business as usual.
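To show how a CAA record actually stops a certificate authority from issuing for a domain, here is an added example (not CSC's code or from the articles cited) that evaluates CAA the way an issuing CA does under RFC 8659, over constructed zone data; every domain and CA name in it is hypothetical.

```python
"""CAA evaluation as an issuing CA performs it (RFC 8659), over constructed
zone data. Added example, not CSC's code; every name below is hypothetical."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data: owner name -> CAA RRset. A name absent from the dict
# or mapped to [] publishes no CAA records of its own.
ZONE: Dict[str, List[CaaRecord]] = {
    # Only trusted-ca.example may issue; nobody may issue wildcard certs.
    "example.com": [(0, "issue", "trusted-ca.example"), (0, "issuewild", ";")],
    # Reporting address only: no issuance restriction is expressed.
    "legacy.example": [(0, "iodef", "mailto:security@legacy.example")],
    # A critical (flags=128) property this CA does not understand.
    "locked.example": [(128, "future-tag", "opaque")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str) -> List[CaaRecord]:
    """Walk from `name` toward the root and return the first non-empty CAA
    RRset found; that set governs `name` and every name below it."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by issuer-domain-name `ca` may issue a
    certificate for `name` (or for `*.name` when `wildcard` is set)."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # critical property the CA cannot interpret: refuse
    # issuewild is ignored for non-wildcard names; when present for a
    # wildcard request it replaces the issue records entirely.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True  # records exist but none restrict issuance (e.g. iodef only)
    return ca.lower() in issuers  # "issue ;" yields "", which matches no CA
```

The check only holds while the zone content is under the owner's control, which is why it belongs alongside DNSSEC and registrar locks rather than in place of them.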
At CSC, we employ a number of protocols in addition to those listed above to secure our systems and protect our customers’ domains from unauthorized access, including:
- Security first training
- Phishing awareness training with companywide phishing testing
- Social engineering training
- A mandated “clear desk” policy
- Mandatory written requests (never via phone)
- An enforced Authorized Contact Policy, requiring any requests to come from an authorized account contact before changes are made