DNS Hijacking and Phishing
With alarming and increasing frequency, organizations all over the world are being targeted by cyber attacks. Just over the last few months, a number of high-profile companies have been hit: Twitter, Lenovo, The New York Times, and The Huffington Post to name a few.
Unusually, the perpetrators of these particular attacks were known: hacker groups such as the Syrian Electronic Army and Lizard Squad. So were the techniques used to break into the victims' systems. For two of these techniques, DNS hijacking and phishing, there are solutions on the market that, had they been in place, could have prevented, halted, or limited the damage from the attacks.
DNS is the Internet's directory service. It turns a domain name into the IP address that ultimately directs you to the website you are trying to reach. If an attacker gains control of a domain's DNS records, the name can be pointed at a completely different server. That malicious site may show a taunting message, or it may serve something more insidious and destructive, such as malware. Whatever the point of an attack on a media organization, brand and credibility hang in the balance. For an ecommerce company, buyers' trust can be betrayed, competitors can benefit, and once again the brand suffers.
In the case of the Syrian Electronic Army attack on The New York Times, traffic intended for the Times website was redirected to a site set up by the attackers.
Every day, millions of phishing emails go out to unsuspecting users, making it an extremely pervasive form of cyber attack. Phishing, or its more targeted version, spear phishing, involves sending a phony but legitimate-looking email to a user. Typically the From address is spoofed so that the message appears to come from a trusted third party. Imagine that you get an email apparently from a trusted organization, instructing you to visit a particular website. Simply clicking the link can expose your system to malware. Some malware logs keystrokes, which can lead to the mass exposure of passwords across a range of systems.
Key to a phishing attack is faking the email source, and that is easy: SMTP does not check that the From header or the envelope sender belongs to whoever is actually sending the message. The email appears to come from a trusted organization, but in reality the attackers are posing as that entity to get the recipient either to click a link in the email or to give up something of interest, such as a password or credit card number.
In the case of The New York Times, phishing is suspected to have been the first step towards gaining control of the DNS records. After the successful phish, the attackers held the credentials needed to unlock and alter the domain's records, directing nytimes.com to a site of their choosing. The change was made not on the Times' own name servers but to the delegation held in the parent (.com) zone, that is, at the registrar/registry level; the end result was the same: any user who typed nytimes.com into a browser was sent to a malicious website established by the attackers.
What can Neustar do to help?
Neustar has a suite of products for domain protection that can help an organization make DNS hijacking and phishing attacks much more difficult, if not impossible. Here are some areas where Neustar’s products can make a difference in hardening an Internet infrastructure.
Domain Locking. The DNS lookup process has several layers and must be secured at every one of them, starting with the registrar, because the registrar account is what changes a domain's delegation (its name-server records in the parent zone). Choose a registrar that offers domain locking: the EPP clientTransferProhibited and clientUpdateProhibited statuses, and, where the registry offers it, the stronger server-side locks that a compromised registrar account alone cannot clear. Neustar can do this for .biz, .co, .co.uk, .nyc and other TLDs for which Neustar is registrar. DNSSEC zone signing also raises the bar: if a hijacker repoints the NS records without also replacing the DS record in the parent zone, validating resolvers will reject the hijacked zone. (See below for more information on DNSSEC.)
Secure DNS. Neustar operates one of the world's largest authoritative DNS networks, UltraDNS. Neustar has added security features to the platform that make it much harder to obtain and misuse the credentials needed to change a DNS record: per-user permission levels, two-factor authentication (powered by Symantec), and access control lists by IP range. Together these make an account compromise less likely and limit what a stolen password alone can do. UltraDNS is also protected against DDoS attacks on DNS itself.
DNSSEC. Plain DNS answers are unauthenticated: a resolver has no way to tell a forged answer from a genuine one. DNSSEC changes that by signing the records in a zone and publishing, in the parent zone, a DS record that pins the zone's signing key, so a validating resolver can verify that the answer it receives is the one the zone owner published. (DNSSEC does not encrypt queries; it provides origin authentication and integrity, not confidentiality.) However, DNSSEC is difficult to manage for a typical organization, with complex key management procedures and rollover periods. Neustar makes this easy with single-click DNSSEC support in UltraDNS. Sign your domains with DNSSEC to combat cache poisoning and to make a hijacked delegation fail validation; note that an attacker who controls the registrar account can replace the DS record as well, which is why domain locking and DNSSEC belong together.
Stop phishing email at your border. Malicious incoming email is a major threat to every organization and should be a concern of the IT staff. Employees should be trained to identify potentially malicious emails and to be wary of phishing and other social-engineering exploits. Organizations can also enforce inbound email authentication and rejection policies using SPF, DKIM, and DMARC: the sending domain publishes in DNS which servers may send mail for it (SPF), signs its messages (DKIM), and states what receivers should do with mail that fails both checks (DMARC). Most modern mail servers support these checks, so spoofed mail can be identified and rejected by the inbound mail server, and email that forges a domain with a DMARC reject policy never reaches end users in the first place. The caveat is that these checks only cover domains whose owners publish the records; a phisher sending from a lookalike domain of his own passes them, so user training still matters. UltraDNS supports SPF, DKIM, and DMARC records.
Stop phishing using your domain name. Any organization, and especially a well-known, trusted brand, should be concerned that its domain is being used fraudulently in phishing schemes. The good news is that there are techniques not only to gain visibility into this activity but also to stop delivery of email that phishers send in your name. UltraDNS has teamed up with Agari to do exactly that. Agari has partnered with Google (Gmail), Yahoo, AOL, and a growing number of consumer email providers. Together they authenticate inbound mail against the policy you publish and block spoofed email before it is delivered to end-user accounts such as Gmail. Not only are the emails blocked, but you receive reports exposing the activity. This is powered by UltraDNS through special DNS records that are provided free of charge for trial accounts. Ask your Neustar account representative for information about UltraDNS + Agari.
Intelligent Recursive. Another way to make phishing less likely to succeed is to block internal users from reaching malicious websites. Neustar's UltraDNS Recursive is an advanced recursive DNS resolver that lets the IT administrator block access to 16 categories of web content, including malware and phishing sites, by refusing to resolve their names. So even if an internal user falls for a phishing email, the link in it may never resolve.
Active Monitoring. Neustar can monitor DNS answers as well as website performance characteristics through its Web Performance Management (WPM) product. It alerts the IT administrator if DNS returns an address outside the expected IP range. It can also alert if the website suddenly becomes unavailable, performance degrades, or the structure of the website has changed.
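As an added example (not Neustar's code), the following Python script checks which EPP lock statuses a domain actually carries and distinguishes registrar-set (client*) locks from registry-set (server*) locks. The WHOIS-style record it reads is constructed here; a real check would feed in `whois` output or the status list from an RDAP lookup.

```python
"""Check a domain's EPP status codes for the locks that make a
registrar-level hijack harder.

Added example, not Neustar code.  The input is a constructed WHOIS-style
record; in practice feed in `whois <domain>` output.
"""
import re

# Locks a registrar sets on the registrant's behalf; an attacker who holds
# the registrar account can clear these before changing the delegation.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                "clientDeleteProhibited"}
# Locks the registry itself sets ("registry lock"); these survive a
# compromised registrar account, so they are the stronger control.
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                "serverDeleteProhibited"}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)


def parse_status_codes(whois_text: str) -> set:
    """Return the set of EPP status codes found in a WHOIS-style record."""
    return set(STATUS_RE.findall(whois_text))


def assess_locks(whois_text: str) -> dict:
    """Report which transfer/update/delete locks are present and missing."""
    codes = parse_status_codes(whois_text)
    return {
        "present": sorted(codes & (CLIENT_LOCKS | SERVER_LOCKS)),
        "missing_client_locks": sorted(CLIENT_LOCKS - codes),
        "missing_server_locks": sorted(SERVER_LOCKS - codes),
        # Only the registry-side locks stand between a stolen registrar
        # password and a rewritten delegation.
        "registry_locked": SERVER_LOCKS <= codes,
    }


# Constructed sample: registrar locks set, but no registry lock.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""

if __name__ == "__main__":
    for key, value in assess_locks(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Run it against your own domains periodically; a lock that silently disappears is itself an indicator that the registrar account has been touched.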
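The following Python code, added here and not part of UltraDNS, plays the receiving mail server: it evaluates SPF and DMARC for three constructed messages, one genuine, one that forges the From header exactly as the phishing section above describes, and one sent from a lookalike domain that publishes no policy. DNS lookups are replaced by an in-memory table, DKIM verification is reduced to a precomputed result, SPF handles only the ip4/ip6/all mechanisms (no include, redirect, a or mx), and the organizational-domain rule assumes a two-label suffix instead of the Public Suffix List.

```python
"""Receiver-side SPF + DMARC evaluation over constructed messages.

Added example, not UltraDNS code.  Assumptions: DNS is an in-memory dict,
DKIM verification is a precomputed result, SPF covers ip4/ip6/all only,
and the organizational domain is the last two labels (a real receiver
uses the Public Suffix List).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups.  Note there is no entry for the
# lookalike domain example-com.net: it publishes nothing, so it fails nothing.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DMARC syntax) into a dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def spf_check(domain: str, client_ip: str) -> str:
    """Evaluate the domain's SPF record against the connecting IP."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"


def org_domain(domain: str) -> str:
    """Organizational domain (assumption: two-label registrable suffix)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(d1: str, d2: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' strict (exact), 'r' relaxed (same org domain)."""
    return d1.lower() == d2.lower() if mode == "s" else org_domain(d1) == org_domain(d2)


def dmarc_evaluate(msg: dict) -> dict:
    """Return SPF result, DMARC result and the disposition a receiver would apply."""
    from_domain = msg["from_header"].split("@")[-1].lower()
    envelope_domain = msg["envelope_from"].split("@")[-1].lower()
    spf_result = spf_check(envelope_domain, msg["client_ip"])
    policy = DNS_TXT.get(f"_dmarc.{from_domain}")
    if policy is None:  # no DMARC policy: nothing to enforce
        return {"spf": spf_result, "dmarc": "none", "disposition": "deliver"}
    tags = parse_tags(policy)
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = msg["dkim_result"] == "pass" and aligned(msg["dkim_domain"], from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    disposition = "deliver" if passed else {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "deliver")
    return {"spf": spf_result, "dmarc": "pass" if passed else "fail", "disposition": disposition}


# Constructed messages (client_ip is the SMTP client that delivered them).
LEGIT = {"client_ip": "192.0.2.25", "envelope_from": "bounce@example.com",
         "from_header": "it-helpdesk@example.com", "dkim_result": "pass", "dkim_domain": "example.com"}
SPOOF = {"client_ip": "198.51.100.7", "envelope_from": "bounce@example.com",
         "from_header": "it-helpdesk@example.com", "dkim_result": "none", "dkim_domain": ""}
LOOKALIKE = {"client_ip": "198.51.100.7", "envelope_from": "bounce@example-com.net",
             "from_header": "it-helpdesk@example-com.net", "dkim_result": "none", "dkim_domain": ""}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(label, dmarc_evaluate(msg))
```

The third message is the caveat in code: the lookalike passes straight through with `dmarc: none`, because no record exists for a domain the phisher registered himself. That is the gap training, recursive-resolver filtering and brand monitoring have to close.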
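As an added example, not WPM code, here is the core of such a DNS check in Python: compare an observed NS set and A answers against an expected delegation and IP allocation and emit alerts on any drift. The observations are constructed; in practice they would be gathered on a schedule from several recursive resolvers and from the domain's own authoritative servers.

```python
"""Alert when a domain's delegation changes or its A records leave the expected range.

Added example, not Neustar WPM code.  Expected values and observed answers
are constructed; replace them with real lookups from several vantage points.
"""
import ipaddress

# Constructed baseline: the delegation and hosting allocation we expect to see.
EXPECTED = {
    "example.com": {
        "NS": {"ns1.example.com.", "ns2.example.com."},
        "A_RANGES": ["192.0.2.0/24"],
    }
}


def normalize_ns(ns_answer) -> set:
    """Lowercase and make each name fully qualified so comparisons are exact."""
    return {ns.lower().rstrip(".") + "." for ns in ns_answer}


def check_answer(name: str, ns_answer, a_answer) -> list:
    """Return alert strings; an empty list means the answer matches the baseline."""
    exp = EXPECTED[name]
    alerts = []

    observed_ns = normalize_ns(ns_answer)
    if observed_ns != exp["NS"]:
        alerts.append(f"{name}: NS set changed, added={sorted(observed_ns - exp['NS'])} "
                      f"removed={sorted(exp['NS'] - observed_ns)}")

    ranges = [ipaddress.ip_network(r) for r in exp["A_RANGES"]]
    for ip_str in a_answer:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in r for r in ranges):
            alerts.append(f"{name}: A record {ip} outside expected ranges {exp['A_RANGES']}")
    if not a_answer:
        alerts.append(f"{name}: no A records returned")
    return alerts


# Constructed observations: a normal answer and a hijacked delegation.
NORMAL = ({"ns1.example.com.", "NS2.example.com"}, {"192.0.2.10", "192.0.2.11"})
HIJACKED = ({"ns1.attacker-dns.test.", "ns2.attacker-dns.test."}, {"203.0.113.66"})

if __name__ == "__main__":
    for label, (ns, a) in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(label, check_answer("example.com", ns, a) or ["ok"])
```

Querying from several resolvers matters: a registrar-level hijack shows up everywhere at once, while a poisoned cache shows up only at the affected resolver, and the difference tells you where to look first.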
Vulnerability and Network Assessments. Ultimately, hackers exploit not only technical, but human and social vulnerabilities as well. Neustar consultants can deeply analyze all areas of your network, policies, and permissions, and then provide a comprehensive assessment, assist with remediation, and optionally perform penetration testing. Let the experts at Neustar help you to identify and lock down the weak points and key functional areas in your network.
In the end, while no network is perfect and constant vigilance is necessary, Neustar can help protect domains from a number of known attack types, including DNS hijacking and phishing. Neustar also protects against denial of service (DoS and DDoS) attacks through a product called SiteProtect. Ask your Neustar account executive for more information.