When you load a website at the same domain you've always visited, you expect to find the website you usually go to. But cybercriminals have become experts at cloning familiar sites to trick users into handing over their personal information without realizing what's happening.
This is domain name system (DNS) hijacking, and by the figures this article relies on it accounts for less than 1% of cybercrime worldwide. Even at that low rate, a single attack can leave your business with substantial damage, because it lets attackers impersonate you at your own domain.
These attacks are sophisticated enough to be hard to spot, which is why you should have DNS security controls in place to mitigate the risk. Such tools route DNS queries through a filtering resolver that blocks known-malicious domains and looks for the characteristics of DNS attacks, stopping a malicious site or download before it reaches a user's device.
To hijack DNS, attackers interfere with the step that turns a domain name into an IP address, so the user's device connects to an address the attackers control instead of the real website's. From there they can harvest whatever the user types into the cloned page, or serve malware to the device.
DNS hijacking often targets businesses whose websites ask users for personal information, such as login details or credit card numbers. Once attackers have that data, they can steal money from individuals and businesses, or run extensive identity theft schemes.
Every domain has DNS records. The A and AAAA records map your domain name to the Internet Protocol (IP) address of the server that hosts your website, so visitors end up in the right place. For instance, if you move your site from MyBusinessName.com to BusinessNameCity.com, the new domain needs DNS records pointing at your server before anyone can reach it there.
In a DNS hijack, criminals change the IP address in your DNS records (or in the answers a resolver hands out), not the domain name itself. The browser still shows MyBusinessName.com, but the site that actually loads is a spoof the attackers built.
Because the address swap happens behind the scenes, the fake site appears at the legitimate domain, which hides the attackers' activity from anyone who only looks at the URL.
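The swap described above is detectable from the outside: the addresses that resolvers return for your domain should never include one you do not own. The following script is an added example, not code from the original article. It compares answer sets from several resolvers against the A records you expect; the domain, the expected addresses and the resolver answers are constructed for illustration.

```python
"""Detect DNS record drift: do the A records resolvers return still match the
addresses you own?  Added example, not code from the original article; the
domain, expected addresses and resolver answers are constructed."""
import ipaddress
import socket
from dataclasses import dataclass, field

# Known-good A records for the domain, copied from the zone you control.
# Constructed values: replace with your own.
EXPECTED = {"mybusinessname.example": {"203.0.113.10", "203.0.113.11"}}


@dataclass
class DriftReport:
    domain: str
    unexpected: dict = field(default_factory=dict)  # resolver -> addresses we do not own
    missing: dict = field(default_factory=dict)     # resolver -> expected addresses absent

    @property
    def hijack_suspected(self) -> bool:
        # An address we do not own is the hijack signature. A merely missing
        # address can be load balancing or a partial rollout, so it is reported
        # but does not raise the alarm on its own.
        return any(self.unexpected.values())


def check_records(domain: str, expected: set[str], observed: dict[str, set[str]]) -> DriftReport:
    """Compare each resolver's answer set against the expected A records.

    `observed` maps a resolver label (e.g. "8.8.8.8" or "home-router") to the
    set of addresses it returned. After a hijack the altered answer comes back
    from whichever resolver was poisoned or whose upstream record was changed,
    so querying several resolvers shows both that drift exists and where.
    """
    canonical_expected = {str(ipaddress.ip_address(a)) for a in expected}
    report = DriftReport(domain=domain)
    for resolver, answers in observed.items():
        # Canonicalise through ipaddress so IPv6 spelling differences do not
        # produce false mismatches; a malformed answer raises ValueError, which
        # is worth seeing rather than hiding.
        canonical = {str(ipaddress.ip_address(a)) for a in answers}
        extra = canonical - canonical_expected
        gone = canonical_expected - canonical
        if extra:
            report.unexpected[resolver] = extra
        if gone:
            report.missing[resolver] = gone
    return report


def resolve_a(domain: str) -> set[str]:
    """Live lookup through the system resolver (needs network access; not used
    by the offline sample below). Query other resolvers with `dig @resolver`
    or a DNS library to fill in the other entries of `observed`."""
    infos = socket.getaddrinfo(domain, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


# Constructed sample: two resolvers agree with the zone, while the home
# router's resolver hands back an address we do not own.
SAMPLE_OBSERVED = {
    "isp-resolver": {"203.0.113.10", "203.0.113.11"},
    "8.8.8.8": {"203.0.113.10", "203.0.113.11"},
    "home-router": {"198.51.100.77"},
}

if __name__ == "__main__":
    domain = "mybusinessname.example"
    report = check_records(domain, EXPECTED[domain], SAMPLE_OBSERVED)
    print("hijack suspected:", report.hijack_suspected)
    print("unexpected:", report.unexpected)
    print("missing:", report.missing)
```

Run on a schedule from a host outside your own network and alert on `hijack_suspected`; a resolver that returns an address you do not own is a stronger signal than slow pages or pop-ups, and the report tells you which resolver is affected.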
Cybercriminals can employ several different types of DNS hijacking, typically one of four options:
Related attacks on DNS include distributed denial of service (DDoS), where attackers flood a DNS server with requests until it can no longer answer legitimate ones; this denies access rather than redirecting it, but it is often discussed alongside hijacking. Malware already on a device can also carry out a local hijack by changing the device's resolver settings, so redirects occur as soon as the user tries to load a website.
Determining whether DNS has been hijacked is a real challenge, but there are signs to watch for, such as sudden slow load times and pop-ups appearing where there were none before.
Although many cybercriminals clone sites to match the legitimate ones, this isn't always the case. Sometimes they simply redirect the original domain to an entirely different site, and that site will not necessarily look suspicious.
If a site you weren't expecting loads at a familiar URL, be cautious, especially if it asks for personal information like login or payment details. This could be a DNS hijack designed to steal your sensitive data.
Most websites today use TLS certificates (still widely called secure sockets layer, or SSL, certificates) to establish an encrypted connection between the web server and the browser. Sites with these certificates, particularly e-commerce sites, encrypt payment and personal information in transit so that only the business and the user can read it. This matters for hijacking because a clone served from an attacker's IP address normally cannot present a valid certificate for your domain, so a certificate warning is one of the few signs a user will actually see. The caveat is that an attacker who controls your domain's DNS records can often obtain a valid domain-validated certificate for it, so a clean padlock is not proof that nothing is wrong.
If you receive a warning about an incorrect or missing certificate, treat it as a red flag: stop and go elsewhere rather than clicking through. If you have visited the site before and know it had a valid certificate, the warning could well indicate an attack. It isn't a sure sign, though. Certificates expire, so the warning may simply mean the site owner or administrator forgot to renew. Reading the warning helps you tell the two apart: an expired certificate is usually an administrative lapse, while a certificate issued for a different name is what a hijack typically produces.
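The distinction between an expired certificate and one issued for the wrong name can be checked programmatically. The following is an added example, not code from the original article: it classifies a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and includes a live handshake helper that reports OpenSSL's own failure reason. The certificates and hostnames are constructed.

```python
"""Tell a hijack-style certificate failure (wrong name) apart from an expiry.
Added example, not code from the original article. Works on the dictionary
that Python's ssl.SSLSocket.getpeercert() returns; the certificates below are
constructed."""
import socket
import ssl
from datetime import datetime, timezone


def hostname_matches(san_entry: str, hostname: str) -> bool:
    """Match one DNS SAN entry against the requested host. Wildcards follow the
    usual browser rule: a lone '*' in the leftmost label matches exactly one
    label, and wildcards that would cover a whole TLD are refused."""
    san_entry, hostname = san_entry.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san_entry:
        return san_entry == hostname
    pattern_labels, host_labels = san_entry.split("."), hostname.split(".")
    if pattern_labels[0] != "*" or len(pattern_labels) < 3:
        return False
    return len(pattern_labels) == len(host_labels) and pattern_labels[1:] == host_labels[1:]


def classify(cert: dict, hostname: str, now: datetime) -> str:
    """Return NAME_MISMATCH, EXPIRED or OK for a getpeercert()-style dict.

    Name mismatch is checked first: a clone served from the attacker's IP can
    only present a certificate for a name the attacker controls, so that is the
    warning a hijack typically produces. Expiry alone usually means the site
    owner missed a renewal.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in names):
        return "NAME_MISMATCH"
    # getpeercert() renders dates like 'Jun  1 12:00:00 2030 GMT'
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after < now:
        return "EXPIRED"
    return "OK"


def live_check(hostname: str, port: int = 443) -> str:
    """Handshake with full verification (needs network access; not run offline).
    getpeercert() is only populated when verification succeeds, so on failure
    the function reports OpenSSL's own reason instead."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                return classify(tls.getpeercert(), hostname, datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return f"VERIFY_FAILED: {exc.verify_message}"


# Constructed certificates in getpeercert() shape.
GOOD_CERT = {
    "subjectAltName": (("DNS", "mybusinessname.example"), ("DNS", "*.mybusinessname.example")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
EXPIRED_CERT = {
    "subjectAltName": (("DNS", "*.mybusinessname.example"),),
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
CLONE_CERT = {  # what a spoof served from an attacker-controlled host can present
    "subjectAltName": (("DNS", "cheap-host.example"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for label, cert in ("good", GOOD_CERT), ("expired", EXPIRED_CERT), ("clone", CLONE_CERT):
        print(label, classify(cert, "www.mybusinessname.example", now))
```

In a monitoring job, treat `NAME_MISMATCH` (or OpenSSL's "Hostname mismatch" from `live_check`) as a page-the-on-call event and `EXPIRED` as a ticket for whoever renews certificates.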
Several types of DNS hijacking work through the router: attackers exploit router vulnerabilities or default credentials to change the DNS server settings it hands out to every device on the network. Routinely checking your router's DNS settings lets you confirm they still point at the servers you configured and that nothing has been changed.
Tools like WhoIsMyDNS show which DNS resolver your device is actually using, so you can confirm it is the one your internet service provider (ISP) or IT team assigned. Reviewing this regularly, not just once a year, lets you confirm that the resolvers your devices use are legitimate. Note that this is a different check from your domain's own records: the nameservers that serve your domain are listed at your registrar and DNS provider, and those need their own periodic review.
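The resolver check above can be scripted on each host rather than done by hand in a browser. The following is an added example, not code from the original article or the WhoIsMyDNS service: it parses the Linux /etc/resolv.conf format and flags any nameserver outside the set your router or IT team is supposed to hand out. The expected resolvers and the sample file contents are constructed.

```python
"""Audit the resolvers a host is actually using against the ones it should use.
Added example, not code from the original article. It parses the Linux
/etc/resolv.conf format; the expected resolvers and the sample file are
constructed."""
import ipaddress
from pathlib import Path

# The resolvers your DHCP server (router) or IT team is supposed to hand out.
# Constructed values: replace with your own.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_resolv_conf(text: str) -> dict:
    """Return nameservers (in listed order), search domains and options."""
    conf = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameserver"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"].extend(args)
        elif key == "options":
            conf["options"].extend(args)
    return conf


def audit_resolvers(conf: dict, expected: set[str]) -> dict:
    """Flag nameservers outside the expected set.

    Order matters: the resolver library tries entries in order and normally
    only falls through to the next one on timeout, so an unexpected address in
    first position silently redirects every lookup from this host.
    """
    # Drop IPv6 scope ids (fe80::1%eth0) and canonicalise before comparing.
    canonical = [str(ipaddress.ip_address(ns.split("%", 1)[0])) for ns in conf["nameserver"]]
    unexpected = [(i, ns) for i, ns in enumerate(canonical) if ns not in expected]
    return {
        "unexpected": unexpected,
        "missing": sorted(expected - set(canonical)),
        "first_resolver_trusted": bool(canonical) and canonical[0] in expected,
        # 127.0.0.53 means systemd-resolved's stub: the real upstreams live in
        # `resolvectl status`, not in this file, and must be checked there.
        "local_stub": bool(canonical) and canonical[0].startswith("127."),
    }


def audit_this_host(path: str = "/etc/resolv.conf") -> dict:
    """Audit the live file (not used by the offline sample below)."""
    return audit_resolvers(parse_resolv_conf(Path(path).read_text()), EXPECTED_RESOLVERS)


# Constructed sample: a compromised router has pushed a foreign first resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 198.51.100.9   ; not one of ours
nameserver 192.0.2.53
search corp.example
options timeout:2 attempts:3
"""

if __name__ == "__main__":
    findings = audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), EXPECTED_RESOLVERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On Windows the equivalent data comes from `Get-DnsClientServerAddress` in PowerShell rather than a file, but the comparison against an expected set is the same; whichever platform, the finding that matters most is an untrusted address in first position.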
DNS hijacking can have severe consequences for both individuals and organizations. Here are some of the potential impacts:
You must keep your business data safe, especially your employees' and customers' data, so it's important to take steps that lower the risk of a DNS hijack.
Router and individual device passwords should be changed from their defaults and rotated periodically to frustrate hacking attempts. Many routers ship with default, easily guessed administrator passwords, and those are exactly what attackers try first when they want to change a router's DNS settings.
Use strong, unique passwords on all applications and online logins. Should a DNS hijack capture a password typed into a spoofed site, every other account that shares that password is exposed too.
Security patch updates fix bugs or weaknesses in your applications, hardware, and software. As new cyberattacks are developed, antivirus and anti-malware tools should be updated to their latest versions in order to protect your systems.
A virtual private network (VPN) encrypts your traffic and sends DNS queries through the VPN provider's resolvers, which protects against hijacks on the local network or at an untrusted resolver, the situation you face on public Wi-Fi. Encourage your team to use one there. Be aware of its limit, though: a VPN does nothing against a hijack of your domain's own DNS records, because the VPN's resolver will return the same altered answer as everyone else's.
DNS filters and firewalls can be configured so that a site is only allowed to load from specific IP addresses. If its DNS records are changed to point at a malicious address, the connection is blocked, and users cannot unknowingly hand over their private information.
Educating your team about the protocol for suspicious activity helps stop all kinds of cyberattacks. Phishing accounts for over 70% of cybercrime worldwide by the figures this article relies on, often because employees click links in emails or provide private information thinking that the sender is a bank or government entity.
Training your team on what a phishing scam looks like and how to report attacks to your IT or security team goes a long way toward avoiding these attacks. If staff suspect that a DNS hijack may have occurred, they should know whom to contact to start an investigation. They need not understand the ins and outs of this kind of crime, but they should recognise which online or device behaviours are red flags for a possible hack.
DNS hijacking can be caused by various factors, including: malware on a device or router, network misconfigurations, phishing attacks that capture the credentials for your registrar or DNS provider, and other attacks on the DNS infrastructure itself.
While it can be difficult to detect DNS hijacking directly, you can look for signs like unusual website behavior, slow loading times, or unexpected redirects. You can also use online tools to check your DNS settings and identify any anomalies.
If you suspect DNS hijacking, contact your internet service provider (ISP) or IT support immediately; if you suspect your domain's own records were changed, contact your domain registrar or DNS hosting provider as well. They can help you investigate the issue and take the necessary steps to mitigate the threat.
To fix DNS malware, you can:
There's no debate: you must protect your business information online. Cybercriminals become sneakier and craftier every year when it comes to rolling out attacks, but you can stay one step ahead by implementing safeguards in your network to stop potential privacy pirates from taking what belongs to you.