Protecting Against DNS Hijacking

The National Cybersecurity and Communications Integration Center (NCCIC) recently issued an alert that they were aware of a Domain Name System (“DNS”) hijacking campaign. The possibility of these types of campaigns should be a concern to financial institutions because they allow attackers to take over communications between you and your customers. This week, we will look at what DNS is, what a hijacker can do, and what you can do to protect your institution from DNS hijacking.

• What is DNS? DNS is basically the telephone directory of the Internet. Whenever someone types a URL (i.e. “www.bankname.com”) into a browser, that URL is sent to a DNS server on the Internet. The DNS server responds with the IP address (“123.124.125.1”) where the website can be found. The computer then connects the browser to that IP address. The communication with the website for the remainder of the session will be to that IP address.
  
  
• What is DNS Hijacking? DNS hijacking is when an attacker is able to change the DNS entry for a website so that it points to a different IP address, meaning that any person typing the hijacked URL into their browser will connect to the wrong system. The attacker can configure the wrong system to look just like a financial institution’s website and will often use a free SSL certificate to make the site seem secure to customers. Customers who believe they are on the correct site will enter their user names, passwords, and MFA responses. The attackers will harvest the credentials in real time and will perform transactions as the customer on the institution’s website using those credentials.
  
  
• How do Attackers Hijack DNS? There are two primary ways that DNS hijacking occurs in the current campaigns. The first is that the attacker finds the credentials that an institution uses to manage their DNS records. These are normally the credentials used to access the domain registrar for the URL. Once the attacker has logged in successfully, they simply change the IP address that the URL points to. The second primary method used to hijack DNS is to attack the domain registrar itself, allowing the attacker to change DNS entries for any website that was purchased through that registrar.
  
  
• How do I Protect Against DNS Hijacking? There are three controls recommended to guard an institution from DNS hijacking attacks.

1. The first control is to make sure that all domain registrar accounts have strong passwords and require MFA. This will help prevent an attacker from performing a DNS hijacking attack using a compromised account belonging to the institution.
   
   
2. The second control to guard against DNS hijacking attacks is to monitor changes to DNS records. There are many services available on the Internet which will allow an institution to be alerted whenever the DNS entries for the institution are changed. Subscribing to one of these services will provide an early warning when the DNS records have been hijacked so that the Institution can react quickly and minimize the impact.
   
   
3. The final control to protect against DNS hijacking is to monitor for new certificates for the institution’s domains. Because the attackers often configure free certificates for the domain after hijacking it, monitoring for these certificates can also provide an early warning to help minimize the impact of DNS hijacking. There are services that can be used to alert when a new certificate is created, and institutions should subscribe to one or more of these.
   
   

We always strive to help institutions stay ahead of threats and risks. The first way we do that is by putting articles out on our blog, like this one, that helps our readers better understand new risks and what they can do about them. The second way we do that is by working alongside them, like you see in our Risk Management CySPOT™ Module. 

Make sure you're subscribed to our newsletter to be the first to get information on new risks and threats, or for more hands-on help, check out our Risk Management CySPOT™ Module!