Just a few years ago, a major Brazilian bank woke to a disastrous surprise. All clients attempting to do business on any of their 36 domains were being rerouted to a lookalike site, where they logged in as usual with valid account holder credentials. During that transaction, their credentials were scraped by cyber thieves who then delivered malware to their devices. This attack allowed criminals to lift credentials and continue unfettered for 6 hours straight. This scenario was eye-opening for many. Attacks like these pose a threat greater than just brand disaster and loss of customer confidence, which are bad enough on their own. DNS attacks can also result in massive profit loss. The fact is, your DNS is an attractive target to attackers, and you need ongoing assurance that it’s secure. We are going to explore several common types of DNS attacks, as well as what you can do to catch them.
How Your DNS Works
DNS, or the domain name system, is a system of connected but decentralized servers. Any time you request a particular website, your query travels through a few stops before the site is delivered to your browser. First your query reaches a DNS resolver, a special server on the internet whose sole purpose is to translate the domain name you typed into the unique IP address of the website you are trying to reach. You may wonder, how does my machine know which resolver to use? It is assigned either through your machine’s configuration or by your internet service provider (ISP). Once the resolver receives your query, it keeps asking servers in the system (the root servers, then the top-level domain servers, then the domain’s own authoritative nameserver) until the right IP address is found. Then the resolver returns that address and your browser connects to the website. Voila. So, just as you submit a query to reach the right location in someone else’s DNS (the intended web page), your own site users submit queries in an attempt to reach your organization’s web pages. What would happen if an attacker could alter the process and change where people end up?
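The walk just described, as an added example that is not part of the original post: a small simulation of a resolver following referrals from the root, to the top-level domain, to the authoritative nameserver. The zone table is constructed for illustration (reserved .test names and documentation IP ranges), and the second run shows what the end user sees when only an A record in the authoritative zone has been altered: the same path, a different destination.

```python
"""Iterative DNS resolution walk over constructed zone data (added example).

The zone table is constructed for illustration: it uses the reserved .test TLD and
documentation IP ranges, and the walk is simplified (no caching, no glue lookups)."""
from copy import deepcopy

# Each entry models the server authoritative for one zone. "NS" maps a child zone
# name to the nameserver that should be asked next; "A" holds final answers.
ZONES = {
    ".": {"NS": {"test.": "ns.tld-servers.test."}},
    "test.": {"NS": {"examplebank.test.": "ns1.examplebank.test."}},
    "examplebank.test.": {"A": {"www.examplebank.test.": "203.0.113.10"}},
}


def _in_zone(qname, zone):
    """True if qname lies within zone (zone names are fully qualified, dot-terminated)."""
    return qname == zone or qname.endswith("." + zone)


def resolve(qname, zones=ZONES):
    """Walk root -> TLD -> authoritative server the way a resolver would.

    Returns (ip_or_None, path) where path lists each zone consulted in order."""
    zone, path = ".", []
    while True:
        path.append(zone)
        server = zones[zone]
        if qname in server.get("A", {}):
            return server["A"][qname], path
        # Follow the referral for the most specific child zone containing qname.
        referrals = [z for z in server.get("NS", {}) if _in_zone(qname, z)]
        if not referrals:
            return None, path        # no delegation covers this name: NXDOMAIN-like
        zone = max(referrals, key=len)


def hijacked_zones(zones=ZONES, new_ip="198.51.100.77"):
    """Constructed hijack scenario: only the A record in the authoritative zone changes."""
    altered = deepcopy(zones)
    altered["examplebank.test."]["A"]["www.examplebank.test."] = new_ip
    return altered


if __name__ == "__main__":
    name = "www.examplebank.test."
    print("normal:  ", resolve(name))
    print("hijacked:", resolve(name, hijacked_zones()))
```

The path is identical in both runs, which is the point: nothing in the resolution process itself tells the user that the answer has changed, so the defender has to watch the records.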
DNS Hijacking Defined
A DNS hijack is a disruption to the typical query-answer process in a domain name server where an end user intends to navigate to a trusted domain, but is taken to a look-alike. Instead of delivering the anticipated result, this kind of DNS attack interrupts the process by delivering a different result to the end user, based on changes made to your DNS zone records.
Why do hijackers want access to your zone records?
A DNS zone is essentially one portion of your DNS that is managed separately from other portions. By designating zones, you can differentiate and administer different areas of the domain according to their use. One example of something you would want to manage at a more granular level than other areas of your DNS is an authoritative nameserver; zones allow you to delegate control for that nameserver individually. Within each zone, you also have different kinds of records, such as mail exchange (MX), CNAME, text (TXT), etc. Each organization is responsible for securing its own zone records. In a DNS hijack, attackers gain access to your zone records and change them, for example altering the mail exchange records so that all of your email is proxied through their servers first. In this kind of attack, all your users’ credentials can be scraped, exposing email accounts that contain intimate information about your organization, your partners, and clients. Further, any credentials that have been reused within your organization across email accounts and other applications are now in the hands of people who make a living stealing from organizations like yours. You are now vulnerable to any number of attacks.
How can you catch a DNS hijack?
The way to identify this kind of attack early, before you start seeing other signs of nefarious activity, is to detect a change to your zone records or to the answers your domain’s DNS lookups return. The person on your team who manages your organization’s DNS has access to this information, and they may even have security controls in place, but changes need to be detected very quickly if you want to catch an attack. The problem here is not necessarily that your teams aren’t doing what they need to in managing your DNS. It’s a simple lack of time and resources. Who has time to sit in front of your DNS information 24/7/365, ignoring all else? (Because as we know, cyber criminals don’t follow the rules and only level attacks when you are at your desk 8am-5pm, M-F.)
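One way to do that detection without a person watching the records all day, as an added example that is not the post's or any vendor's code: take a snapshot of the record sets you care about, diff it against a stored baseline, and raise an alert only when something differs. The lookup function is injected and the answers are constructed (reserved .test names, documentation IP ranges) so the script runs offline; in production the lookup would query the authoritative servers and the baseline would be persisted.

```python
"""Detect DNS zone record changes by diffing snapshots against a baseline (added example).

The lookup function is injected so this runs offline; in production you would query
authoritative servers (e.g. with dnspython) and persist the baseline to disk."""
from typing import Callable, Dict, FrozenSet, List, Tuple

# Record types that decide where traffic and mail go; NS and MX changes are the loudest alarms.
WATCHED_TYPES = ("NS", "MX", "A", "TXT")
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "TXT": "medium"}

Snapshot = Dict[Tuple[str, str], FrozenSet[str]]   # (name, rtype) -> set of record data


def take_snapshot(domains, rtypes, lookup: Callable[[str, str], List[str]]) -> Snapshot:
    """Collect the current record set for every (domain, type) pair being watched."""
    return {(d, t): frozenset(lookup(d, t)) for d in domains for t in rtypes}


def diff_snapshots(baseline: Snapshot, current: Snapshot):
    """Return (name, rtype, added, removed) for every record set that differs."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key, frozenset()), current.get(key, frozenset())
        if before != after:
            changes.append((key[0], key[1], sorted(after - before), sorted(before - after)))
    return changes


def alerts_for(changes) -> List[str]:
    """Render changes as alert lines, highest-impact record types flagged loudest."""
    return [
        f"[{SEVERITY.get(t, 'low').upper()}] {name} {t}: added={added} removed={removed}"
        for name, t, added, removed in changes
    ]


# Constructed sample data (reserved .test TLD, documentation IP ranges), not real records.
BASELINE_ANSWERS = {
    ("examplebank.test", "NS"): ["ns1.examplebank.test.", "ns2.examplebank.test."],
    ("examplebank.test", "MX"): ["10 mail.examplebank.test."],
    ("examplebank.test", "A"): ["203.0.113.10"],
    ("examplebank.test", "TXT"): ['"v=spf1 mx -all"'],
}
# Constructed "after hijack" state: mail now relays through an outside server, web A changed.
HIJACKED_ANSWERS = dict(BASELINE_ANSWERS)
HIJACKED_ANSWERS[("examplebank.test", "MX")] = ["10 relay.lookalike.test."]
HIJACKED_ANSWERS[("examplebank.test", "A")] = ["198.51.100.77"]


def make_lookup(table):
    """Build a stand-in for a real DNS query function from a dict of answers."""
    return lambda name, rtype: table.get((name, rtype), [])


def run_check(domains=("examplebank.test",)):
    """Compare a stored baseline with a fresh snapshot and return the alert lines."""
    baseline = take_snapshot(domains, WATCHED_TYPES, make_lookup(BASELINE_ANSWERS))
    current = take_snapshot(domains, WATCHED_TYPES, make_lookup(HIJACKED_ANSWERS))
    return alerts_for(diff_snapshots(baseline, current))


if __name__ == "__main__":
    for line in run_check():
        print(line)
```

Two design points matter here: the comparison is on whole record sets rather than single answers, so a record that is added alongside the legitimate one is caught too, and the severity ranking puts NS and MX first because those move every visitor and every message rather than one host.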
Domain Spoofing and Typosquatting
Sometimes, in an attempt to elude detection, attackers will stay out of your actual DNS altogether. Instead of rerouting, attackers will set traps for the falloff traffic – people who misspell your domain name. Such user typos are fairly common, especially on a hand-held mobile device. So, attackers will buy domains that are just 1-2 letters or a single syllable different from their attack target’s domain. Since most users are in a hurry and will proceed as soon as they see the right logo, criminals use the same branding and visual design as your legitimate website. However, when they enter their information into iframes on the site, they are giving their credentials to thieves instead of logging into your legitimate site. This kind of attack is called typosquatting and can be just as disastrous for your users as a hijack, and potentially harder for you to detect. Imagine all the possible permutations that could be created to stay ahead of you. Even if you proactively buy variations when you launch a new domain, all attackers have to do is change a different letter, launch the site, and you’re back to playing whack-a-mole.
There are ways for you to find out all the variations of your domain that have been registered, but you will have a few hurdles to clear before you can make that information meaningful. First, open source tools you can use to identify new domain and email server registrations return a comprehensive list. Once you determine which are legitimate, you have to start over and go back through that whole list again the next time to figure out which ones are new. What you want is not just a list of every registered domain name that is similar to yours at a single point in time, but when there is a change to that list. You need a way to execute smart searches throughout the day, quickly identify changes, and receive alerts only when it’s time to investigate further.
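The "alert only on what is new" workflow above, as an added example that is not the post's or any vendor's code: generate the single-edit typo and homoglyph variants of your own brand label, check which are registered, and report only those not already reviewed. The registered-domain set and the reviewed-domain dictionary are constructed stand-ins for a registration feed and for persisted state.

```python
"""Generate lookalike variants of your own domain and surface only newly registered ones
(added example). The registered-domain oracle is a constructed set standing in for a
zone-file or registration-feed query; the reviewed-domain dictionary stands in for
persisted state from earlier runs."""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"
# Characters that read alike at a hurried glance; "rn"/"m" is the classic one.
HOMOGLYPHS = (("o", "0"), ("l", "1"), ("i", "1"), ("m", "rn"), ("rn", "m"), ("w", "vv"))


def variants(label, tld):
    """Single-edit typos plus homoglyph swaps of a second-level label, as full names."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + label[i] + label[i:])               # repetition
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])              # substitution
            out.add(label[:i] + c + label[i:])                  # insertion before i
    for c in ALPHABET:
        out.add(label + c)                                      # insertion at end
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for a, b in HOMOGLYPHS:
        if a in label:
            out.add(label.replace(a, b))
    out.discard(label)
    # DNS labels cannot be empty or start/end with a hyphen.
    return {v + "." + tld for v in out if v and v[0] != "-" and v[-1] != "-"}


def new_lookalikes(candidates, is_registered, reviewed):
    """Return registered lookalikes not yet reviewed, so only changes need a human look."""
    return sorted(d for d in candidates if d not in reviewed and is_registered(d))


# Constructed registration data: these names are not real.
REGISTERED_NOW = {
    "examplebank.test",    # the legitimate domain
    "exanplebank.test",    # seen on an earlier run, already judged benign
    "examp1ebank.test",    # new: l -> 1 homoglyph
    "examplebnak.test",    # new: transposed letters
    "unrelated.test",      # registered but not a variant, never considered
}
REVIEWED = {"examplebank.test": "ours", "exanplebank.test": "benign"}


def run_triage(label="examplebank", tld="test"):
    """One pass of the daily check: candidates -> registered -> not yet reviewed."""
    return new_lookalikes(variants(label, tld), lambda d: d in REGISTERED_NOW, REVIEWED)


if __name__ == "__main__":
    print(f"{len(variants('examplebank', 'test'))} candidate names generated")
    for d in run_triage():
        print("needs review:", d)
```

Each run adds its verdicts to the reviewed dictionary, so the next pass over the same candidate list only surfaces registrations that appeared since, which is the difference between a static list and a change alert.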
Enter TrueXDR. Not only do you get the same exceptional endpoint monitoring and remediation capabilities of TrueMDR, as well as expansion into your Microsoft/Office 365 environment, but you also get DNS monitoring. Certified analysts in our US-based Security Operations Center will manage DNS monitoring for you throughout the day, every day, all year long – and yes, even at night, on weekends, and holidays. So, you and your teams can focus on everything else you have to do. Maybe – just maybe – you’ll even catch a wink of sleep at night knowing your DNS is being watched for you. To learn more about all the ways TrueXDR can stop attacks, you can request a consultation to chat with one of our experts. We’re here to help!