DNS hijacking describes a kind of cyber attack which sends unwitting victims to malicious websites as part of sophisticated information-stealing campaigns. DNS hijacking targets the very fabric of the internet, and has transformed the cyber world over the past few years. So how do these attacks work, and what kind of effects do they have on organizations?

How does DNS hijacking work?

The Domain Name System (DNS) converts the domain names users enter to reach websites, apps, and connected machines into the IP addresses which computing systems use to connect to each other. Without the DNS, using the internet would be considerably more difficult. As it’s a critical part of global internet infrastructure, organizations everywhere face difficulties if the DNS is undermined.

However, because it’s so globally dispersed, the DNS has a large attack surface and, designed decades ago when the cyber world was less evolved, it is vulnerable to exploitation. One technique that’s becoming increasingly popular with modern-day cyber criminals is DNS hijacking, which intercepts data passing between user and nameserver to covertly redirect victims to identical-looking but malicious sites.

Many of the attacks we have seen in recent years are due to rogue DNS server tactics, in which attackers compromise a DNS server and change the records stored on it to redirect DNS requests to malicious sites. Notable DNS hijacks in recent years include the DNSpionage attack, affecting over 50 Middle Eastern countries, the Sea Turtle state-sponsored campaign and the 2014 Syrian Electronic Army (SEA) hijack.

What are the effects?

A DNS hijack intercepts data passing between user and nameserver, redirecting to identical-looking but malicious sites. Seeing as these sites usually require users to input personal data, attackers are able to steal information and cause a major data breach. A breach of this scale can result in:

• Lost customers and a lack of trust for remaining customers.
• Brand damage
• Loss of competitive advantage
• Legal costs
• Decline in share price

Government intervention

Following these DNS hijacking campaigns, both the US and UK governments have issued alerts for public and private sector organizations. The UK’s National Cyber Security Centre (NCSC) posted two security notices in just a few months, warning DNS server operators of the growing threat. Meanwhile, the US government introduced a DotGov initiative to protect its .gov domains from attacks. It’s important that all DNS stakeholders protect themselves and their customers, particularly those who are responsible for the security of multiple organizations’ DNS services.

Staying safe with Nominet

All DNS stakeholders need to be taking steps to protect themselves and their customers from attacks. Nominet helps prevent DNS hijacking by analyzing the changes in DNS records that may indicate a potential hijack. This is in addition to the capabilities of NTX in network detection and response by analyzing DNS traffic to identify and eliminate both known and unknown threats, using our machine learned algorithms. This provides visibility and control of the network, be it on premises, in the cloud or a hybrid approach, and in turn reduces the window of compromise from malicious activity.