DNS Hijacking

DNS based attack is not something the average Internet surfer would know about but this can be a serious online threat. To learn about DNS hijacking or redirecting you first need to understand what DNS is and what it does

How DNS works

DNS "Domain Name System" functions as an interpreter between humans, (who communicate with words) And computers (who communicate with numbers). When you type in a Domain Name such as "rshweb.com" your Computer needs the IP (199.223.232.0) to actually find it and route you there. It does this by sending a query to a DNS Server That stores a database of IP addresses and their associated hostnames or domain names

What makes DNS vulnerable?

DNS was created in 1985. The Internet was just starting to grow and everyone trusted everyone else. As the Web grew, DNS grew with it. Unfortunately Hackers have become much more sophisticated since the DNS system was created. Compromised or malicious DNS Servers opens the system up for exploitation

How does DNS Hijacking or Redirecting work

DNS is highly decentralized. No single DNS Server holds all the IP addresses and Domains for the whole Internet. Your request will travel along a multitude of DNS Servers before you get your result. DNS hijacking is the practice of redirecting DNS queries. You send out a query but a third party steers the query the wrong way. As a result, you get a false IP address, and the wrong page loads on your screen. A different website is loaded that looks exactly like the homepage you wanted. This is a known phishing scam when hackers create fake copies of a website to extract critical information

In most cases, DNS Redirecting is more annoying than harmless. When you type the Domain of a website that does not exist you should get an 404 error message

How does your DNS get Hijacked?

A DNS hack can happen at any place in the chain of DNS queries. Here’s how:

Malware

Your computer or device can be infected with malware that rewrites the configuration of DNS settings. As a result, your device queries a rogue DNS server that serves you fake IP addresses. One famous malware was called "DNSChanger", which created havoc on the Internet until it was stopped in 2012. It infected computers and changed their DNS configurations, pointing them to rogue servers operated by hackers. These Servers replaced advertising on websites with ads sold by the Hackers making almost $14 million in profit. In total more than four million computers were infected. People had no idea they were seeing ads placed by hackers who had corrupted their systems

A more malicious malware could redirect you through hacke controlled open web proxies and get access to all your traffic (and any sensitive data you send). You could also be directed to a dummy website that extracts your passwords and usernames through fake login procedures, such as a PayPal look alike website. The worst part of this type of attack is that you would have no idea until the damage is done

Compromised DNS Server

In a DNS Server hack, your query is redirected to a wrong destination by a DNS Server under a hacker’s control. This attack is even more cunning because once your query leaves your device, you would have no control over the direction where you wind up at. Hacking a DNS Server in this way is much more difficult but not impossible

Internet Service Providers

Some ISP's use DNS hijacking on their own customers to display ads or collect statistics. They do this by hijacking the NXDOMAIN response. NXDOMAIN is the response you get if you type in a Domain Name that does not exist. Example could be if you typed in “drshsrwebfadsfdgfaaf.com” into your browser, you would get the NXDOMAIN response: “Server Not Found” or a similar error message. When an Internet Service Provider hijacks the NXDOMAIN response, they replace the error message with a fake website set up by the ISP to show you ads or collect your data. Just a cheap way to get advertizing money

DNS Hijacking Cases

Listing a few of the most famous DNS hijacking cases

DNSpionage Targeted Middle East

In late 2018 a huge DNS hijacking campaign dubbed DNSpionage was uncovered and reported by Cisco Talos. The attackers were stealing credentials from government and private sector employees in the Middle East and North Africa by hijacking their DNS servers
Krebs on Security did extensive research on the case, going so far as to share how SecurityTrails Passive DNS API was used to pinpoint changes to DNS records of domains that were tied to the campaign. This is also a very good read if looking for more research information

WikiLeaks

Anyone who tried to visit Wikileaks.org on August 30, 2017 saw an ominous message claiming that the website, famous for storing and publishing classified and secret information, had been hacked. A hacker group called OurMine took credit. “Wikileaks, remember when you challenged us to hack you?” they taunted them right on their Website. From a visitor’s standpoint, it appeared that Wikileaks was under total hacker control
That was not the case
Wikileaks was up and running and its servers were secure. If you knew the IP address, you could reach and browse the website without any hassle. In reality, the hackers had hijacked one of the DNS servers that directed visitors to wikileaks.org and sent users fake DNS information

Brazilian Banks

For about five hours on October 22, 2016, Hackers had control over the Domain of a major Brazilian bank with hundreds of branches, over 5 million customers, and $27 billion in assets. The attackers launched the attack by compromising the DNS server of Registro.br, which is the registrar for the top-level domain .br and manages the DNS for the Brazilian bank (its name was not disclosed by the researchers who discovered the hack). The hackers redirected users to their own Servers that looked exactly like the bank’s homepage, but were, in fact, fakes meant to extract user login credentials. Users, directed to the fake sites, handed their user-names and passwords to the hackers and were infected with malware

New York Times

In 2013, the Syrian Electronic Army hacker group compromised the website of the Melbourne IT Domain Registrar and changed the records of Melbourne IT customers. One such customer was The New York Times, whose website was replaced with the logo of the Syrian Electronic Army. The Syrian Electronic Army used the same vulnerability to disrupt Twitter in the UK and HuffingtonPost

How to prevent DNS hijacking

The most common way in which DNS Hijacking is through "Malware Attacks", How to protect yourself are very similar to those used to guard against any other form of attack. Do all the basic things that (we hope) you are already doing to protect yourself online

Always updated Security Software, and make sure that security patches and updates are installed on all your devices as soon as they are available

NEVER click on suspicious links in emails or on Social Media

Be wary of sites that you are not familiar with or that just look untrustworthy

Protecting your Router is also very important. Make sure that your change the default admin username and password for the router. Every Hacker knows the default ones!

Use reliable antivirus software and update whenever patches come out

Use a VPN, which encrypts your traffic and DNS settings and prevents hackers from intercepting and snooping your sensitive information. A VPN is especially useful if you frequently use public Wi-Fi, which is often unsafe due to poor router configuration and weak passwords

Be wary especially if a Website you are familiar with acts different (different pop-ups, screens, shows different landing pages...)

Alertness is key since there is no foolproof protection against the types of hijacking attacks that targeted The New York Times or WikiLeaks. In those cases, authoritative DNS servers, which hold actual records, were corrupted

---

Related Articles