The global DNS hijacking threat

In a series of related attacks, hackers are forging DNS records to send users to fake websites designed to steal login credentials and other sensitive information.

Learning Objectives

After reading this article you will be able to:

  • Define DNS hijacking
  • Outline how attackers are using DNS hijacking to obtain login credentials
  • Describe how DNS providers and web browsers can help prevent DNS hijacking

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is the global DNS hijacking threat?

Experts at major cybersecurity firms including Tripwire, FireEye, and Mandiant have reported on an alarmingly large wave of DNS hijacking attacks happening worldwide. These attacks are targeting government, telecom, and Internet entities across the Middle East, Europe, North Africa, and North America.

Researchers have not publicly identified the sites being targeted, but have acknowledged that the number of domains which have been compromised is in the dozens. These attacks, which have been happening since at least 2017, are being used in conjunction with previously stolen credentials to direct users to fake websites designed to steal login credentials and other sensitive information.

Although no one has taken credit for these attacks, many experts believe the attacks are coming from Iran. Several of the attackers’ IP addresses have been traced back to Iran. While it’s possible that the attackers are spoofing Iranian IPs to throw off the scent, the targets of the attack also seem to point to Iran. Targets include government sites of several Middle Eastern nations, sites containing data that don’t have any financial value but would be very valuable to the government of Iran.

How do these DNS hijacking attacks work?

There are a few different attack strategies being carried out, but the flow of the attacks is as follows:

  1. The attacker creates a dummy site that looks and feels just like the site they are targeting.
  2. The attacker uses a targeted attack (such as spear phishing) to obtain login credentials to the Admin panel of the DNS* provider for the target site.
  3. The attacker then goes into the DNS admin panel and changes the DNS records for the site they are targeting (this is known as DNS Hijacking), so that users trying to access the site will instead be sent to the dummy site.
  4. The attacker forges a TLS encryption certificate that will convince a user’s browser that the dummy site is legitimate.
  5. Unsuspecting users go to the URL of the compromised site and get redirected to the dummy site.
  6. The users then attempt to log in on the dummy site, and their login credentials are harvested by the attacker.
DNS Hijacking

*The Domain Name System (DNS) is like the phonebook of the Internet. When a user types a URL, like ‘’ into their browser, its records in DNS servers that direct that user to Google’s origin server. If those DNS records are tampered with, users can end up somewhere they didn’t expect.

How can DNS hijacking attacks be prevented?

Individual users cannot do much to protect themselves from losing credentials in these types of attacks. If the attacker is thorough enough when creating their dummy site, it can be very difficult for even highly technical users to spot the difference.

One way to mitigate these attacks would be for DNS providers to beef up their authentication, taking measures such as requiring 2-factor authentication, which would make it dramatically more difficult for attackers to access DNS admin panels. Browsers could also update their security rules, for example scrutinizing the source of TLS certificates to ensure that they originate from a source that conforms with the domain they are being used on.