In a series of related attacks, hackers are forging DNS records to send users to fake websites designed to steal login credentials and other sensitive information.
Experts at major cybersecurity firms including Tripwire, FireEye, and Mandiant have reported on an alarmingly large wave of DNS hijacking attacks happening worldwide. These attacks are targeting government, telecom, and Internet entities across the Middle East, Europe, North Africa, and North America.
Researchers have not publicly identified the sites being targeted, but have acknowledged that the number of compromised domains is in the dozens. These attacks, which have been happening since at least 2017, are being used in conjunction with previously stolen credentials to direct users to fake websites designed to steal login credentials and other sensitive information.
Although no one has taken credit for these attacks, many experts believe they are coming from Iran. Several of the attackers’ IP addresses have been traced back to Iran. While it’s possible that the attackers are spoofing Iranian IPs to throw off the scent, the targets of the attack also seem to point to Iran: they include government sites of several Middle Eastern nations, sites whose data has no financial value but would be very valuable to the government of Iran.
There are a few different attack strategies being carried out, but the flow of the attacks is as follows:
*The Domain Name System (DNS) is like the phonebook of the Internet. When a user types a URL such as ‘google.com’ into their browser, it is the records held on DNS servers that direct that user to Google’s origin server. If those DNS records are tampered with, users can end up somewhere they didn’t expect.
Individual users cannot do much to protect themselves from losing credentials in these types of attacks. If the attacker is thorough enough when creating their dummy site, it can be very difficult for even highly technical users to spot the difference.
One way to mitigate these attacks would be for DNS providers to strengthen their authentication, for example by requiring two-factor authentication, which would make it dramatically more difficult for attackers to access DNS admin panels. Browsers could also update their security rules, for example by scrutinizing the source of TLS certificates to ensure that they originate from an issuer consistent with the domain they are being used on.
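The two signals above (a record that suddenly points somewhere new, and a certificate from an issuer the domain owner never uses) are what a domain owner can watch for on their own side. The following is an added example, not code from the article or from Cloudflare: it audits constructed sample observations against a baseline of expected addresses and certificate issuers; the `example.gov` names, addresses and CA names are placeholders, and a real monitor would fill the observations from a resolver and from the certificate each host presents.

```python
"""Added example: flag DNS answers and TLS issuers that drift from a baseline."""
from dataclasses import dataclass

@dataclass
class Expectation:
    ips: frozenset      # addresses the name should resolve to
    issuers: frozenset  # CA issuer names allowed for its certificates

@dataclass
class Observation:
    ips: frozenset      # addresses the resolver actually answered with
    issuer: str         # issuer of the certificate the host presented

def check_domain(name, expected, observed):
    """Return findings for one name; an empty list means no drift."""
    findings = []
    unexpected_ips = observed.ips - expected.ips
    if unexpected_ips:
        findings.append(f"{name}: record points to unexpected {sorted(unexpected_ips)}")
    if observed.issuer not in expected.issuers:
        findings.append(f"{name}: certificate issued by unexpected CA '{observed.issuer}'")
    return findings

def audit(baseline, observations):
    """Check every baseline name; a name with no observation is itself a finding."""
    findings = []
    for name, expected in baseline.items():
        obs = observations.get(name)
        if obs is None:
            findings.append(f"{name}: no resolution observed")
            continue
        findings.extend(check_domain(name, expected, obs))
    return findings

# Constructed sample data (placeholder values, not taken from any real incident).
BASELINE = {
    "mail.example.gov": Expectation(frozenset({"192.0.2.10"}), frozenset({"Example Trusted CA"})),
    "portal.example.gov": Expectation(frozenset({"192.0.2.20"}), frozenset({"Example Trusted CA"})),
}
OBSERVED = {
    # mail now resolves to a new host presenting a valid certificate from a
    # different CA: the pattern the article describes, and the one to alert on.
    "mail.example.gov": Observation(frozenset({"198.51.100.7"}), "Other Automated CA"),
    "portal.example.gov": Observation(frozenset({"192.0.2.20"}), "Example Trusted CA"),
}

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print("ALERT", finding)
```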