How Does Domain Name Server (DNS) Hijacking Work?
Basically, DNS hijacking (or DNS redirection) is an attack in which cybercriminals tamper with the Domain Name Server (or with your device's DNS settings) so that your lookups are answered wrongly, sending you or whoever made the request to a malicious landing page or website.
While your browser resolves the URL you typed, a fake server answers with a different IP address, hoping to drive you somewhere you never meant to go.
Let’s say Mike (a business person) offers online consultations to his clients. One day, he turns on his computer and downloads a piece of software that could improve his services.
The following day, as if nothing had happened, he tries to log in to his online banking platform with his credentials, but the server shows an unexpected error.
Mike doesn’t have time to seek answers now, so he tries once again a couple of hours later.
The same error showed up.
Angry, he calls the bank’s client support to ask “What’s going on with the platform?”. They confirm there haven’t been any problems whatsoever with their servers in the past few days.
They only suggest that he be cautious and change his account password. Clearly, there was a problem. What he didn’t know was that the problem was only on his side.
A couple of hours later (within that 48-hour period) he finds that he is receiving all kinds of receipts for international transfers that he never made.
Mike got his login credentials stolen due to a hijack of his Domain Name Server (DNS).
Some vicious hackers used the software he downloaded to tamper with the addresses his computer was resolving.
This happens very frequently, mostly on sites that carry valuable information.
Why is Domain Name Server (DNS) Hijacking so Popular?
Clearly, cyberattacks won’t stop as long as they keep bringing dirty revenue to hackers.
DNS hijacking is one of the tools they use to boost other hacking methods and guarantee a payday.
A) Pharming: Both attacks are pretty much the same thing. Pharmers set up malicious websites that look like the ones users visit frequently. For a pharming trap to work, something has to change either in the hosts file or on the DNS server.
B) Phishing: Phishing and DNS hijacking get along pretty well. Hackers disguise themselves to manipulate users into visiting seemingly innocent but malicious sites (once they click a link in an email, they’re redirected to the trap).
This is nothing new. Internet Service Providers have been “hijacking” (more like repurposing) your DNS lookups for years, showing ads for sites that don’t exist (or at least don’t exist anymore).
While it is not 100% ethical, it isn’t illegal either. They don’t send you to script-infected websites (at least not the ISPs themselves, but hackers can exploit the same mechanism to do so).
That is exactly what happened to Mike in the story above.
Different Types of Domain Name Server (DNS) Hijacking
DNS hijacks can be categorized into four different types:
- Local DNS Hijack: Hackers plant trojan malware right on your computer and change your local DNS configuration so your lookups are redirected to their trap. This is simple to execute, and simple to detect and get rid of as well. Just run “ncpa.cpl” to open the Windows network connections panel and check which DNS servers are configured.
- DNS Router Hijack: As the name indicates, these attacks target an individual router in order to harm everyone connected to it. Keep in mind that the router sits in front of every DNS lookup your devices make, so if the attack succeeds, every web request goes to the server the hackers want.
- Rogue DNS Hijack: Things get heavy when attacks scale this way. Once the DNS server that a website relies on gets hijacked, the attackers can redirect entire streams of traffic straight into the malicious site (the trap). Luckily, there are accessible services on the market (such as Cloudflare) that follow high security standards.
- Man-in-the-Middle DNS Hijack: In this case, the real DNS server never even receives the request, because the hackers intercept it first. They sit in the middle, catch the query and answer it with their own redirect.
All of it seems dangerous and complex. If you aren’t into IT, Cybersecurity, or even Technology itself… How can you know if you’re a victim of DNS hijacking?
How to Detect Hijacking of your Domain Name Server (DNS)
The following signs frequently appear after a DNS hijacking takes place, so be aware of them:
- Slow-loading web pages.
- Random unwanted Ads appearances (see more on Adware/Malvertising).
- Random, unstopping alerts/pop-ups that notify you have been infected.
There have also been cases where a Domain Name Server is hijacked without showing any clear signs whatsoever (on purpose), but you can still use a few tools to identify and deal with the hijack:
- Ping Command – The easiest way to identify it is by pinging a domain that does not exist from your own terminal. If the name fails to resolve, you are fine. If it resolves to an address anyway, that answer came from the fake server and your DNS is clearly hijacked.
- Router Verification – Router Checker (made by F-Secure Labs) is a tool you can use to verify whether the DNS configuration of your router has been compromised. Visit the site and click on “Check your Router”. You’ll see a positive or negative answer after a few seconds.
- WhoIsMyDNS.com – This online tool exposes which server is really answering DNS requests on your behalf. You know you have been hijacked if it shows a DNS server that isn’t yours.
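The two home-grown checks above (look at which nameservers your machine is configured to use, and resolve a name that cannot exist) can be scripted. The example below is added here and is not from the original post; it uses names under the reserved `.invalid` TLD as canaries, and the resolv.conf text and IP addresses in it are constructed (documentation ranges), so the expected-nameserver set is an assumption you replace with your own resolvers.

```python
import socket
from typing import Callable, Dict, List, Optional, Set

# Names under the reserved .invalid TLD (RFC 2606) can never legitimately resolve.
# A resolver that returns an address for them is injecting answers.
CANARY_NAMES = ["dns-hijack-canary-1.invalid", "dns-hijack-canary-2.invalid"]

Resolver = Callable[[str], Optional[List[str]]]


def system_resolve(name: str) -> Optional[List[str]]:
    """Resolve with the OS resolver; None means the name did not resolve (NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def check_nxdomain_hijack(resolve: Resolver = system_resolve,
                          names: List[str] = CANARY_NAMES) -> Dict[str, object]:
    """Equivalent of 'ping a domain that does not exist': any answer is forged."""
    forged = {name: answer for name in names if (answer := resolve(name))}
    return {"hijacked": bool(forged), "forged_answers": forged}


def unexpected_nameservers(resolv_conf: str, expected: Set[str]) -> List[str]:
    """Parse resolv.conf-style text and list nameservers that are not on the expected list.

    This is the local-DNS check: a trojan that rewrites your resolver settings
    shows up here as an address you never configured.
    """
    configured = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            configured.append(parts[1])
    return [ns for ns in configured if ns not in expected]


if __name__ == "__main__":
    # Constructed sample: 192.0.2.1 is our router, 198.51.100.9 was planted by malware.
    sample_conf = "nameserver 198.51.100.9\nnameserver 192.0.2.1\n"
    print("unexpected resolvers:", unexpected_nameservers(sample_conf, {"192.0.2.1"}))
    print("canary check:", check_nxdomain_hijack())
```

Run it on a machine you trust first: an ISP that monetises typos will also fail the canary check, which is exactly the "not 100% ethical" redirection described above.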
No one wants to be a victim of it. Especially you.
So, is there any way to protect from DNS Hijacking?…
How to Protect from DNS Hijacking
There is a way (actually, several ways) to protect yourself from DNS hijacking.
Consider applying these before, or right after, you start noticing the “scary signs”:
- Change your Router’s Access Data: This includes both the username and password you use to manage it. Change both (if it doesn’t let you change the username, you can try “Admin” as the username). Update its firmware as soon as possible.
- Set up Antivirus Software & a Firewall: You should always have a reputable program able to analyze not only files, but also recent network/internet activity and incoming traffic.
- Use a VPN: Have one ready to activate (ideally a premium one) to hide the entire path between you and the server you connect to. I also recommend using only safe security protocols (which encrypt requests with peer-to-peer technology).
DNS hijacking happened a lot in the past… and it seems to be back in 2020.
Of course, hackers and hijackers will always seek new ways into your network and devices as long as that’s where their profits come from.
Awareness seems to be the only possible solution, along with good “cyber hygiene” practices. Even so, there is always a chance of being affected.
You don’t like reading that, right?
I don’t like saying it either.
I’d rather put it this way: let us protect your back. And that’s exactly what we’re going to do.
Fear hijackers. Don’t fear taking a step to save your business assets.