Domain name hijacking – what it is, and how you can stop your company being the next victim

Graham Cluley

October 14, 2016


How do you think your customers would feel if they visited your business’s website one day and were greeted with an offensive image, malicious code, religious propaganda or a form designed to steal their passwords?

My guess is that you wouldn’t be happy, and your customers would be concerned that your website might have been hacked and that their personal information could have fallen into the hands of criminals.

So how would you feel knowing that hackers could pull off an attack like this without changing a single byte of your website’s code, and without even having to access the content on your web server?

Welcome to domain hijacking.

The first thing to realise is that the internet is built on numbers.

Although you might know websites like google.com, ebay.com or bitdefender.com by their names, that’s just a convenient shorthand to make it easier to remember how to visit your favourite sites.

When you browse to a website by entering a URL – icann.org, for instance – your request is converted into a sequence of numbers understandable by the internet, known as an IP (Internet Protocol) address.

Internet ‘telephone directories’, known as DNS (Domain Name System) records, match names to IP addresses, meaning that your request to visit icann.org tells your browser to visit a web server hosted at the IP address of 192.0.32.7.

So far, so simple.

But imagine what can happen if a malicious hacker manages to alter the DNS records for your website, held at a third-party registrar. That could mean that anyone trying to reach your website via its human-readable name could instead be taken to an IP address under the control of a malicious hacker, rather than your company.


Just such attacks have happened in the past against well-known sites including WhatsApp, anti-virus firms AVG and Avira, and this week managed to take down Blockchain.info, the world's most popular Bitcoin wallet service.

It’s important to emphasise that the websites themselves have not been hacked, and user information has not been exposed.  Instead, criminals are simply redirecting legitimate visits to the website to go to sites under their control instead.

And, in the case of Blockchain.info that meant that some eight million Bitcoin wallets were inaccessible to their owners – at least until the issue was resolved.

Blockchain.info issued a statement, explaining it was working on a fix:

"Earlier today, we discovered our DNS registrar had been compromised. We took immediate action to resolve the issue. To be abundantly cautious, we’re waiting for the DNS to propagate universally across the web before bringing our services back. Once DNS has propagated, we expect to restore services ASAP. Our sincerest apologies for any inconvenience."

Blockchain.info is now accessible to the world again, and customers can access their Bitcoin wallets.  But it’s easy to imagine how just such an attack could have panicked users, or could have attempted to steal login credentials.

Furthermore, it’s not just website traffic which can be re-routed via a DNS attack.  The attackers could also start receiving a targeted domain’s email traffic too – opening opportunities for criminals to commit all manner of other crimes based on the information they receive.

So how can you stop your website domain from suffering a DNS hijack?

You typically make changes to your website’s DNS entry by communicating with your registrar via email, their website or a telephone support call.

And that’s where a hacker could potentially strike.  If they manage to access your account at your DNS registrar (perhaps because you foolishly reused a password, or had not enabled two-factor authentication) then they have carte blanche to make whatever changes they wish to your entries and hijack traffic supposed to go to your website.

Similarly, if your email account is not properly locked down with decent security (again, two-factor authentication can play a part here) then they could trick your domain registrar into changing your website’s DNS entry.

Finally, good old fashioned social engineering could see a bold attacker phoning up your domain registrar and pretending to be you in order to request a password reset, and then make additional changes to your DNS entries.

My recommendation is that you enable two-factor authentication.  Even if an attacker manages to get their hands on your credentials, a password alone is not going to grant them access to your account so their job will be much harder.

Secondly, ask your domain registrar to phone you in the future, to confirm that you really want to make a change to your website’s critical DNS records.  It may be your last chance to stop a malicious attacker meddling with a vital tool of your business.

And finally, of course, make sure that your domain name records are protected by a decent password. That means a password that you’re not reusing anywhere else, a password that you haven’t shared with others, a password that is strong, complex and impossible to guess.
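Prevention is the focus above, but you also want to notice quickly if your registrar-held records do get altered. The script below is an added example, not code from the article or from Bitdefender: it compares a domain's live NS, A and MX answers against a known-good baseline and flags drift, treating a changed NS delegation as the registrar-level hijack described here. The domain, name servers and addresses are constructed placeholders, and the live lookup assumes the dnspython package is installed.

```python
# Added example (not from the original article): compare a domain's live NS, A
# and MX answers against a known-good baseline so a registrar-level hijack
# (changed delegation) or a redirected web/mail record is caught quickly.
from typing import Callable, Dict, List, Set

Records = Dict[str, Set[str]]          # record type -> set of answer strings
Resolver = Callable[[str, str], List[str]]

# Constructed baseline for a domain you control; record the real values after
# confirming them with your registrar. example.com and 192.0.2.x are reserved
# documentation names/addresses, not live infrastructure.
BASELINE: Records = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.com."},
}


def compare_records(domain: str, baseline: Records, resolve: Resolver) -> List[dict]:
    """Return one finding per record type that drifted from the baseline.

    An empty list means every type matched. Drift in the NS set is reported as
    'delegation' severity: that is the registrar-level change the article
    describes, and it hands the attacker control of A and MX as well.
    """
    findings = []
    for rtype, expected in baseline.items():
        observed = set(resolve(domain, rtype))
        unexpected, missing = observed - expected, expected - observed
        if unexpected or missing:
            findings.append({
                "type": rtype,
                "severity": "delegation" if rtype == "NS" else "record",
                "unexpected": sorted(unexpected),
                "missing": sorted(missing),
            })
    return findings


def live_resolver(domain: str, rtype: str) -> List[str]:
    """Query real DNS via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver  # lazy import so the module loads without the package
    return [str(r) for r in dns.resolver.resolve(domain, rtype)]


# Constructed answers imitating a hijacked zone: delegation moved to attacker
# name servers, and web and mail records now point at attacker-controlled hosts.
HIJACKED_ANSWERS = {
    "NS": ["ns1.attacker-dns.example.", "ns2.attacker-dns.example."],
    "A": ["203.0.113.66"],
    "MX": ["10 mail.attacker-dns.example."],
}


def fake_resolver(domain: str, rtype: str) -> List[str]:
    return HIJACKED_ANSWERS[rtype]
```

Run `compare_records("yourdomain.example", BASELINE, live_resolver)` from a scheduled job and alert on any non-empty result; the constructed `fake_resolver` lets you exercise the logic offline.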

Author


Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
