Your company’s online presence relies on a domain name. That domain name is registered, and you would think as a result that it would be hard for a criminal to steal, but that’s not the case. Domain name compromise makes possible a wide array of attacks, including the introduction of ransomware and other extinction-level exploits.
While no business can make themselves a hundred percent cybersecure, understanding not only the way domain names work, but also how they can be leveraged by hackers is mission critical when it comes to avoiding common security pitfalls.
What is DNS?
Domain names are a foundational service of the Internet, and are controlled by a protocol called Domain Name System, or DNS. While the details are complicated, DNS ultimately serves a straightforward purpose: it helps route traffic on the internet using human-friendly names.
Everything connected to the internet, from smartphones and fitness trackers to enterprise-level email servers, has a unique identifying address called an IP address. Every activity on the internet, from checking email to web browsing to posting to Instagram is a means of connecting a request from one IP address to its destination IP address.
IP addresses aren’t especially user-friendly. In much the same way that the standard smartphone will connect a contact like “Mom” or “Pizza Parlor” to its corresponding phone number, DNS works by connecting a domain name like “Google.com” to the corresponding IP address, which in Google’s case is 126.96.36.199.
When a domain name is entered by a user, they’re connected to a DNS server, which functions as a switchboard of sorts by looking up the IP address associated with the domain name. Several companies provide public DNS servers, including Google and Cloudflare, and most major ISPs provide and maintain them as well.
A single domain name can point to different IP addresses depending on the user’s destination within a digital ecosystem. To use Google as an example again, any traffic to their main search page is routed to one IP address, traffic to Gmail would point to another, as would Google Docs, Google translate, and so on.
This might sound complicated, but it’s pretty seamless. For most of us, there’s no real perceivable difference between a domain name and the server it connects to. It just works. Unfortunately, this seamlessness creates a golden opportunity for hackers, who can use a wide variety of techniques to redirect us to other sites, capture credentials, and spread malware.
In short: in making the internet easier to use and more accessible, DNS has also opened the door to a multitude of potential hacks.
Domain Name-Based Hacks
There are several different variations on domain name hacks, but most of them revolve around fooling a user into connecting to a criminal-controlled server or resource online without their knowledge rather than the site they intended to visit.
Some domain-name attacks involve extremely sophisticated techniques deployed by government-sponsored (or otherwise associated) hacking collectives; others are comparatively crude, but each redirect can spread malware, steal credentials, and compromise networks and/or individual devices in myriad ways.
The following are some of the more common domain name-based hacks.
Typosquatting is perhaps the least sophisticated form of domain name hacking. It relies on user error, specifically the odds of a user mistyping a URL into their web browser. Hackers register a misspelled version of a well-known domain name, such as “gooogle.com” or “gooogl.com” rather than google.com. (Important: do not visit either “gooogle.com” or “gooogl.com”. They are dangerous.)
Once a would-be victim has accidentally connected to a typosquatted domain, hackers can deploy any number of exploits. They will often create a copy of the targeted website but replace its most-clicked links with links to malware, or they might prompt the user to enter their login and password for the “real” site and then deploy those credentials in credential stuffing attacks on other websites or networks (a technique called “pharming”). Another strategy might involve the installation of a malicious browser extension or phony security software, either of which grants hackers unfettered access to the target’s devices.
One of the more famous examples of typosquatting in recent years involved one of the world’s most trafficked websites.
A hacker acquired the domain name “reddit.co” and created a facsimile of the Reddit site. The goal was to pharm user credentials. The domain name was identical to Reddit’s except that its suffix was the one used to identify sites registered in the nation of Colombia. The sole difference, a .co suffix rather than .com (which is reserved for commercial websites), was easily disregarded as one of the vagaries of the mysterious world wide web.
The hacker behind reddit.co also obtained an SSL certificate for the facsimile site, which meant that most major web browsers displayed the green padlock “secure” symbol for it (that is, until security researchers discovered the site and it was flagged as fraudulent).
“[T]his is an effective scam,” said cybersecurity expert Azeem Aleem of the Reddit hack. “They’ve put in the time and effort to create a remarkably realistic website that even shows a secure SSL certificate in your browser window. It is well designed, well executed, and it highlights the very real danger of modern spoofing attacks... what’s more worrying is what this stolen data will be used for, as stolen credentials are used to breach the victim’s other accounts, and carry out sophisticated phishing attacks on friends, colleagues, and family.”
One of the more sophisticated versions of a domain name cyberattack happens when hackers compromise an entire DNS server, the online “switchboard” provided by major internet service providers and portals to translate domain name requests into corresponding IP addresses.
While DNS servers are typically more secure and harder to hack than individual devices or networks, their role as a major hub for a core internet service means that they can be leveraged to compromise thousands, if not millions, of devices.
“That moment when a name is matched to a number is where hackers can intervene,” says CyberScout founder Adam Levin. “There are a number of ways it can happen, but DNS hijacking is when your page request doesn't go to the site you asked for, or it takes a detour through a hacker's computer before it gets there. And the problem here is that there's no obvious way to tell that it's happening.”
A compromised DNS server ultimately provides hackers with complete control over where their targets connect online. They can redirect users, or block them from connecting to key services entirely. It’s this level of control that makes domain names and DNS a favorite avenue of attack for private and government-linked hacking groups alike.
Threat actors connected to the Iranian government have launched successful DNS hijacking campaigns against public and private sector targets for the last several years; other hacking groups successfully hijacked Google’s DNS servers in 2014.
Hosts File Hijacks
DNS servers aren’t the only way that domain name requests are translated to IP addresses: there’s a single and easily edited file on Windows, Mac, and Linux computers as well as iOS and Android devices that can control DNS entries at a local level.
The hosts file is a simple local text file that operating systems use to tell an individual machine how to route its traffic. System administrators commonly use it to connect employees to resources within the company intranet and to block websites and services that don’t comply with company policy, and web developers use it to test a site before it goes live. It’s also a common target for malware and hacking campaigns.
A typical hosts file entry is straightforward:
188.8.131.52 asitethatisnotgoogle.com
This single line tells the computer to send anyone visiting asitethatisnotgoogle.com to 188.8.131.52, which is Google’s primary IP address.
Malware will often target the hosts file and rewrite it to add malicious entries; the hack can also be performed by anyone with access to an unattended computer or device, and it takes only a few moments. Once compromised, a hosts file can redirect any outgoing internet traffic from a machine, including web page requests and email communications, all without any visibility to the victim.
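The hosts-file lookup described above, and a defender’s check for tampered entries, as an added example that is not part of the original article. The sample hosts file, the watchlist and the hostnames in it are constructed for the example; the parser follows the standard hosts-file format (one address followed by one or more names per line, “#” starting a comment), and the resolver shows that a matching hosts entry is used before any DNS server is asked.

```python
import ipaddress

# Constructed sample hosts file for this example. The first three entries are
# ordinary; the last two are the kind of overrides a hijack adds.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.internal     # legitimate admin mapping
203.0.113.9     login.mybank.example          # public site silently redirected
0.0.0.0         update.securityvendor.example # security updates sinkholed
"""

# Public hostnames the organisation never expects to see overridden locally.
# Constructed list; a real deployment would maintain its own.
WATCHLIST = {"login.mybank.example", "mail.example.com"}


def parse_hosts(text):
    """Parse hosts-file text into a list of (ip, hostname) pairs.

    Format: one entry per line, '<ip> <name> [alias ...]'; '#' starts a
    comment. Lines that do not begin with a valid IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an entry
        for name in fields[1:]:                   # a line may list several names
            entries.append((str(ip), name.lower()))
    return entries


def resolve_locally(hostname, text):
    """Return the address the hosts file would hand back for hostname, or None
    when the name is absent and the lookup would fall through to DNS.
    The hosts file is consulted before any DNS server, so a match here wins."""
    for ip, name in parse_hosts(text):
        if name == hostname.lower():
            return ip
    return None


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) for entries that look like a hijack.

    Two heuristics a defender would apply:
      1. a watchlisted public hostname is mapped anywhere locally;
      2. a name other than localhost is sinkholed to 0.0.0.0 or a loopback
         address, a common way to block security-software updates.
    """
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in watchlist:
            findings.append((name, ip, "watchlisted hostname overridden locally"))
        elif name != "localhost" and (addr.is_unspecified or addr.is_loopback):
            findings.append((name, ip, "hostname sinkholed to a null or loopback address"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("SUSPICIOUS: %s -> %s (%s)" % finding)
```

Run against a real machine, the same audit would read the file from /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts; the watchlist is what turns a generic parser into a detection, so it should contain the public names your users and your security tooling depend on.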
Domain Account Takeovers
Not every domain name hack requires high-tech espionage or the deployment of sophisticated malware; for many, all a hacker needs is a login and a password.
While enterprise-level domain registrars will often boast strong security measures, most domain names are registered on consumer-grade domain registrars, many of which don’t even require baseline security such as two-factor authentication.
If a company or an individual has an account with a consumer domain registrar that doesn’t require multi-factor authentication, there’s a good chance that the login and password combination to the account is one that has been used elsewhere. Despite years of cautionary tales and a near-endless cycle of data leaks and breaches, recent studies show that at least 50% of respondents use the same passwords for personal and work accounts, and that 65% of respondents admit to using the same password for multiple, if not all of their online accounts (these figures could be significantly higher).
Login and password combinations from prior data breaches are readily available by the billions online on dark web marketplaces. If a hacker is able to successfully use one of these to access a domain registrar account, they can transfer any or all of the domain names associated with it to another account or simply change the password and contact information to lock their target out of it.
Once a domain registrar account has been compromised, a hacker can redirect their victim’s websites, block their email services, or hold the account and any associated domain names for ransom.
“Even in situations where companies are able to respond quickly to the loss of a domain name, the damage to their reputation and loss of confidence with customers can be lasting,” says Levin.
How to Protect Against Domain Name Hacks
“Domain names are far from the only vector of attack, but they're one of the most visible,” says Levin.
Although hackers can deploy a wide array of methods to hijack domain names, there are fortunately several ways businesses and organizations can protect against them.
Businesses and organizations can and often do lose track of who has access to their domain name accounts, whether or not they’re protected by multi-factor authentication, and if the passwords used to access them have been compromised in a previous breach. It’s important to perform regular and thorough security reviews and to make adjustments as needed.
“Whether your company is international or a regional operation, the time to invest in a cybersecurity audit was yesterday,” says Levin. “It should include an inventory of who can access registrar accounts, implementation of two-factor authentication, and password hygiene checks.”
Hackers frequently use commonly misspelled domain names to spread malware and pharm credentials. Companies should consider taking a proactive approach to this threat by buying domain names similar to their primary domain. The costs of acquiring and maintaining a broad portfolio of domain names can add up quickly, but compared against the cost of recovering a compromised domain name, it’s a sound investment.
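To act on the advice above a company first needs the list of lookalike names worth registering or watching, and a way to spot such names when they turn up in logs or new-registration feeds. The following is an added example, not code from the original article: it generates the single-typo variants of a brand domain (the “gooogle.com” pattern from the typosquatting section and the reddit.co pattern of a swapped suffix), and flags observed domains that are one typo away from the brand. The brand name, the observed feed and the list of alternative TLDs are constructed for the example.

```python
# Constructed example: the domain a company wants to protect, and a sample feed
# of domain names observed elsewhere (newly registered names, proxy logs, ...).
BRAND = "example.com"
OBSERVED = ["example.com", "exmaple.com", "examp1e.com", "example.co",
            "unrelated.org", "exampleshop.com"]


def split_domain(domain):
    """Split 'label.tld' into (label, tld). The example works on the registrable
    name only, so 'www.' prefixes and multi-part suffixes are out of scope."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_domains(domain, extra_tlds=("co", "net", "org")):
    """Generate the single-typo variants of a domain that a defender would
    consider registering or watching: one character omitted, one repeated,
    two adjacent ones swapped, and the same label under a neighbouring TLD."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission
        labels.add(label[:i] + label[i] + label[i:])           # repetition
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    names = {"%s.%s" % (l, tld) for l in labels if l}
    names.update("%s.%s" % (label, t) for t in extra_tlds if t != tld)
    names.discard(domain.lower())
    return sorted(names)


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and swaps of two adjacent characters each cost 1, so 'exmaple' is 1 away
    from 'example' rather than 2 as plain Levenshtein would count it."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def flag_lookalikes(observed, brand, max_distance=1):
    """Return the observed domains whose label is within max_distance typos of
    the brand's label, or identical to it under a different TLD (reddit.co
    against reddit.com is the article's own case of the second kind)."""
    brand_label, _ = split_domain(brand)
    flagged = []
    for domain in observed:
        if domain.lower() == brand.lower():
            continue
        label, _ = split_domain(domain)
        if label == brand_label or edit_distance(label, brand_label) <= max_distance:
            flagged.append(domain.lower())
    return flagged


if __name__ == "__main__":
    print("candidates to register or monitor:", lookalike_domains(BRAND))
    print("lookalikes seen in the feed:", flag_lookalikes(OBSERVED, BRAND))
```

The generator deliberately stops at single typos; the portfolio grows quickly with each extra edit, which is the cost trade-off the paragraph describes. Raising max_distance in the monitor widens the net without buying more names, at the price of more false positives to review.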
One of the easiest ways for individuals or organizations to protect against domain name-based hacks is by installing security software and keeping it updated to identify new threats. Most modern security software will protect against hosts file hijacks, identify incoming malware and phishing emails, and block suspicious device activity.
It’s relatively easy for a hacker to fake the originating domain name for emails. This can be used to great effect in phishing campaigns where victims receive emails that appear to come from within their company or organization and are accordingly more likely to open suspect files and attachments.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol designed to prevent domain name spoofing in emails by authenticating any messages against their originating domain. Domain names with DMARC enabled can make it significantly easier for email services and internet service providers to filter out suspicious messages while keeping false positives to a minimum.
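DMARC is published as a DNS TXT record, and whether it actually stops spoofed mail depends on the tags in that record. The following is an added example, not code from the original article: it parses a DMARC record and grades it, showing a monitor-only record (p=none) beside an enforcing one. The records, domain and mailbox addresses are constructed placeholders; the tag names and meanings (v, p, sp, pct, adkim, aspf, rua, ruf) are the standard DMARC ones.

```python
# Constructed DMARC records, as they would be published in a TXT record at
# _dmarc.<domain>. The domains and mailboxes are placeholders for this example.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")
BROKEN_RECORD = "v=DMARC1; rua=mailto:dmarc@example.com"   # required p= tag missing


def dmarc_record_name(domain):
    """The DNS name at which a domain's DMARC policy is published."""
    return "_dmarc." + domain.lower().strip(".")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value.

    The record is ';'-separated 'tag=value' pairs; whitespace around tags is
    ignored and the first tag must be v=DMARC1. Returns None when the text is
    not a DMARC record at all (for example an SPF record published by mistake).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None                      # a bare word is not a tag=value pair
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def evaluate_dmarc(record):
    """Grade a DMARC record from the defender's side.

    Returns (level, issues) where level is one of 'invalid', 'monitor-only',
    'partial' or 'enforcing'; issues lists what keeps the record from fully
    rejecting spoofed mail.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", ["text is not a valid DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or not one of none/quarantine/reject"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", ["pct= must be an integer between 0 and 100"]

    issues = []
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are never received")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        issues.append("relaxed alignment: a DKIM or SPF identity on any subdomain "
                      "of the organisational domain aligns")
    if policy == "none":
        issues.append("p=none only monitors; receivers still deliver spoofed mail")
        return "monitor-only", issues
    if pct < 100:
        issues.append("pct=%d: the policy is applied to only that share of failing mail" % pct)
        return "partial", issues
    if tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: mail spoofing subdomains is not enforced")
        return "partial", issues
    return "enforcing", issues


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("broken", BROKEN_RECORD)):
        print(label, dmarc_record_name("example.com"), evaluate_dmarc(rec))
```

A domain usually starts at p=none to collect aggregate reports (the rua= address) and confirm that all legitimate senders pass SPF or DKIM, then moves through quarantine to reject; the grader treats anything short of p=reject at pct=100 with subdomains covered as not yet enforcing, which is the state that lets the spoofed internal mail described above through.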
Domain names and DNS were developed decades ago, when the internet was primarily used by government agencies and universities. As a result, security was not a consideration in how they were designed - this is why domain names are such a frequent vector of attack for hackers.
Recognizing the widespread vulnerabilities in DNS, the Internet Engineering Task Force created a security protocol called Domain Name System Security Extensions, or DNSSEC, which helps to authenticate traffic on the internet against its originating domain name. While adoption of DNSSEC has been a slow process, its deployment helps to address a major security hole at the very center of the internet.