Types of Attack and Forms of Defense
As the Internet evolves, so do the methods that are used to attack domains. There are particular forms of attack to be aware of to best protect your website.
Typosquatting is a pretty common way for the less-savvy criminal to prey upon unwary site owners. Also known as URL hijacking, this is a form of cybersquatting where someone registers misspellings of someone else’s brand in the hope they can make money from the traffic made from typing mistakes. They target users who type the website address in their browser incorrectly.
When these types of typos are made, users might land on an alternative page created by a hacker designed for malicious purposes. Typosquatters not only target landing pages but employ phishing to get people to visit fake websites. Typosquatters are creative, registering all types of common misspellings to rob your brand traffic. They not only target misspellings, but singular and plural versions of your domain and common domain extensions.
The only way to protect your domain from typosquatting is registering misspellings of your domain name before hackers get the chance to.
Misspellings - Buy obvious misspellings of your domain name and consider phonetically spelt versions. Consider buying alternative spellings such as ones with a 1 or l for i, and a 0 for O. For instance, buying both onlylaptops.com and 0nlylaptops.com would be best practice.
Singular and Plural Versions - Buy both versions of your domain name to be on the safe side, portland-car-repair.com and portland-car-repairers.com for example.
Hyphenations - Purchase both hyphenated and not hyphenated versions, i.e. brasssupplier.com and brass-supplier.com. It would be wise for these versions to second guess people missing or adding a hyphen between words.
Common Domain Extensions - Purchase your domain name with the most popular domain extensions .org, .com, and .net at minimum.
Once you’ve registered all possible alternative versions of your domain name, just redirect them to you core domain. This way, instead of a hacker’s website picking up your typo-traffic, visitors will land on your true domain.
Registrar hacking, while uncommon, poses a serious risk to all domain website owners. Most domain names are registered via a registrar, except those privately registered such as brand TLDs, .google for example. Your registrar represents the greatest single potential point of failure. If your registrar is hacked, you’re done. The hackers will have complete control over your domain name. They can point it wherever they want and worse still, transfer it to a new owner.
When a hacker gets hold of your domain name logins, they can change the domain details on official nameservers and and do whatever they want with them: direct them to a clone site to collect customer information, serve up malware, and more. Threats can be on an epic scale and are varied in their execution. Taking into account the delay in updating the DNS, if any changes are made, they might go unnoticed for several hours before anything suspicious is detected.
Incidents have occurred where handovers of top-level domains enabled unauthorized access to the nameservers for a registry. This can result in redirecting thousands of domains to a malicious website. Once someone notices any suspicious activity, the registrar's technical team will change all affected logins and revert any changes made.This process can take several hours.
Despite the fact these incidents are out of your control, you may add extra security to your website and DNS to reduce the risk of your domain being hijacked:
Monitor DNS resolution actively; you might just catch a rat. Keeping an eye on your DNS traffic could reveal the presence of botnets (a network of infected computers, the network is used to spread malware) in your network. Monitor such traffic using name resolvers and security systems you maybe already have deployed.
Using a firewall (include a rule to prevent IP spoofing and deny queries outside your allocated numbers space - this will prevent your name resolver from being exploited in distributed denial of services attacks. Those which seek to take your site offline. Be sure to inspect DNS traffic for suspicious byte patterns to block name server software exokit attacks. Firewalls provide this feature readily, some such as Sonicwall can detect and block tunneling traffic.
Request DNSSEC from your domain name registrar. DNSSEC adds additional security to your DNS by attaching digital signatures to your domains DNS information.
Contact the registry for your domain extension (.us) for example about how it will detect an attack and act fast.
Protect visitors by preloading strict transport security into browsers.
Choose a registrar that offers additional security precautions which reduce the risk of your account falling into the hands of a hijacker. Specifically we recommend seeking out a registrar offering:
2-factor authentication - A significant amount of hijacks would have been prevented if domain registrars put enhanced authentication measures in place. Providing two-factor authentication requires not only a username and password, but also something unique to the user. The registrar might ask for a piece of information only the true domain owner would know. There is also technology in place to call or send an sms to a domain owners mobile phone containing a code that must be entered to access their account.
Account lock - To block people from trying all possible combinations of letters, numbers and special character to break your password, a registrar can automatically lock people out after entering three invalid passwords. The point of limiting password attempts is to stop brute force password attacks. If unusual login activity is noticed, the domain account will be locked for a set amount of time before the user can retry. The best case scenario is when the account is locked until the domain owner recovers it by resetting their password via the registrar.
Registry lock - Registry lock is a service designed to provide a high level of protection for a domain name. A registry lock is a mechanism whereby any requests to change a domain name server must be verified manually. Security researchers advocate it as a useful barrier in situations a registrar might be compromised.
If your registrar falls short, switch to a registrar with better security practices.
Domain hijacking is a form of theft that takes place online. The thief takes access of a domain without the consent of the domain registrant. It’s up to yourself and your domain/ hosting company to prevent your domain falling prey to this form of attack because they happen due to security flaws on both yours and their end.
Domains can be hijacked for malicious use, when hackers seek to take a website down. While it’s inaccessible, the domain owner might be losing money. Their reputation as a safe website will also have taken a blow. The hacker might extort money from you to transfer your domain back into your hands, or replace your website with another to extort money or precious information from unknowing visitors, this is known as phishing which we’ll look into later.
Competent hackers may transfer the domain from the rightful owner to some other name. In these cases, it’s tricky to get your domain back. Hackers may impersonate you to request your registrar transfer the domain to a different registrar or another account. In this scenario, legal help would be necessary to claim your domain back if you aren’t able to convince the registrar about your situation.
What Happens When a Domain is Hijacked
To hijack a domain, an attacker needs to gain access to the targeted domain’s control panel. For this they need just two things:
The name of the domain registrar.
The administrative email associated with the targeted domain and a password. An attacker can use one of the popular password cracking methods such as brute-force. A brute-force attack involves trying all possibilities of numbers, letter and special character combinations until eventually guessing correctly.
A straightforward lookup in the public WHOIS database of the target domain will give an attacker the administrator record including the admin email associated with the domain. In effect, anyone listing their contact information in the WHOIS database is giving out the back door to hijacking their domain name.
To unlock the domains control panel to take over full access to the domain, the hacker must hack the admin email. Once they have this access, they may reset the control panel password, login in and hijack the domain.
Protect yourself with these countermeasures:
Protect your domain control panel - Protect your domain control panel - don’t allow your domain to suffer from hijacking because of your negligence toward security. Once your domain is registered, the registrar will grant you access to your domain’s control panel. From the panel you can modify your domains settings such as which server it's pointed toward.
On registration, you will have provided an email address for access to the panel. If anyone has access to the administrative email account, they have access to your domains control panel and all its settings. Hackers often get this information from the WHOIS registration records. Using domain privacy will block them from accessing this information.
Choose a trusted domain provider - another security threat comes is the result of the security failings of your domain provider. If a hacker has access to the back end of your registrar, your domain is at risk.
To protect yourself, choose an ICANN accredited domain registrar. ICANN is the body who coordinate IP addresses for domain names across the world, and they also issue new domain extensions. If there are any disputes over ownership, administering body ICANN is your best bet to recover a domain.
Enable domain auto-renewal - Not all domains are stolen, your domain registration can expire, and someone can register the domain in the meantime. This is an entirely legal practice so you can’t take any actions against this behaviour. To avoid this happening, enable auto-renewal of your domain or register for longer durations. Most registrars allow up to ten years for example.
Apply for domain privacy protection - Use WHOIS privacy to block your name from the WHOIS records, swapping your details for your domain registrars in the records.
How to recover a stolen domain name
Contact your domain registrar, the people you purchased your domain name from initially. Contact the support team, and explain the situation. Provide them with relevant details such as the account name used to purchase the domain, any recent correspondences, and complete any required paperwork.
If the registrar is of no help because the domain has already been transferred to another registrar, seek legal help. Documentation is key to proving your right to ownership, for example, copies of registration records or correspondence from registrars relating to the hijacked domain, Keep track of any financial transactions associating you or your organization with the hijacked domain and any marketing material or directory such as the Yellow pages associating the hijacked domain with your organization.
Your final option is to contact ICANN. ICANN has extensive documentation relating to domain dispute resolution. If you find yourself in this situation, follow this link to their help page. The documentation and steps provided may help recover your hacked website.
Spam is more than merely annoying, unsolicited emails. It’s known as the preferred delivery infrastructure for ransomware, malware, phishing and other security threats.
Domain phishing is a scam which tricks unsuspecting email recipients into handing out their account details. An email is sent to a domain owner imitating their registrar, asking them to click. There have been instances where the link asks them to log into their account to check for suspicious activity. The link forwards them to a replica site where they freely give up their username and password.
It’s important to keep on top of phishing scams because they are also the delivery mechanism for malware. Another type of phishing email ask recipients to follow a link to download all complaints against their domain name. The file downloaded is packed with malware. These types of emails are blanket sent to clients of numerous registrars, they can be unsophisticated, yet people still click.
Why do people fall for phishing?
It’s not at all surprising that people click on bad links, and why phishing scams are prevalent.
Registrars aren’t following email best practices - It’s difficult for cybercriminals to merge data in emails. When a registrar sends you an email, it should not only address you by name. Unfortunately, It’s not expected of registrars, so not a red flag when you receive a phishing email. If you have any doubts about an emails legitimacy, feel free to contact your registrar's support separately with any questions. An extra five minutes could save you a lot of headaches.
Companies selling inexpensive WHOIS data - Some registrars sell WHOIS data. This is why domain owners receive so much spam after registering their domain name. Fly-by-night registrars have been known to sell cheap copies of WHOIS data. For this reason, new domain registrars receive a lot of spam.
New verification requirements in WHOIS - The new requirements as of 2013 RAA require registrars to verify information in WHOIS. Phishing is often accomplished by emailing registrants asking them to click a link. This is in a sense training customers to click on links in emails, instead of instructing them to go to the site and log in, leaving them naturally more likely to fall for these scams.
Protect yourself from falling prey to one of these emails with these countermeasures:
Check for authenticity - There are some telltale signs to spot a "fishy" email.
Are there unique identifiers addressing you when your registrar emails you. For example, an email containing "dear Sir/ Madam" is more likely phishing than one that includes specific information such as your name and/ or account information.
Does the message contain a mismatched URL? Verify links - Check the full URL within an email by hovering over a link. If the hyperlinked address is different from the address displayed in the email text body, it’s probably malicious.
It’s unlikely a reputable registrar would send out an email on behalf of their company before it has been reviewed for spelling, grammar and legality. If a message is full of spelling and grammar mistakes, it probably didn’t come from them.
One of the biggest red flags is when a message asks for personal information. No matter how official the email might look, it’s a bad sign to ask for details such as password, login details or the answer to your security question.
Trust your instincts, if something just doesn’t look right, there’s probably good reason. In this instance, contact your registrar and confirm the email came directly from them.
Turn on 2-factor authentication - This is a solid form of counter-defense if you are prey to a phishing attack. If your registrar doesn’t offer this, switch to one that does.
Add WHOIS privacy - Block the number of scam emails from making it to your inbox. Hackers avidly phish people listed in the WHOIS records.
Use an up-to-date browser with antivirus software - Most modern browsers will alert you if you’re visiting a page identified in a phishing attack, but it can take some time for sites to be flagged. You should also use antivirus software. In the current attack, this should stop you from opening the download file.
DNS attacks and cache poisoning
Today’s headlines are filled with reports of successful DNS attacks. "65,000 Internet users in the United States lose connectivity because of DNS changer malware", "Bank of America customers cannot access website or account information because of a DOS/DDOS attack" are just a few headlines reported by the press.
When the Internet was originally architected services such as DNS weren’t necessarily designed with security in mind. If DNS goes down, all network-attached devices go down. DNS-based attacks are on the rise because many organizations don’t realize DNS is a threat and therefore don’t protect it. A company loses connectivity to the Internet and hence cannot conduct business online. This leads to loss of revenue, customer defection and negative brand impact.
When attackers targeted Microsoft and Twitter, they gained access to MelbourneIT, the registrar responsible for these important domains and changed the authoritative DNS servers, diverting them to their own. Twitter’s attackers were a function of the Iranian Cyber Army altered the DNS records and redirected the traffic and redirected traffic to propaganda hosted on servers they controlled. They were able to modify DNS Twitter settings after they compromised a Twitter staffer's email account. They used this account used to authorize DNS changes. During that incident, the registrar Dyn Inc. was contacted in to process the change request.
Domain Attacks: Time to Live
This style of domain name system attack is one of the most problematic to undo since the attacker has compromised not only the registration of the domain itself, they can change the DNS servers assigned to it. The most dangerous part of this attack is what's called time to live (TTL). Changes of this nature are cached on recursive DNS servers across the globe for a matter of seconds, or a full day. Unless operators can purge caches, it can take an entire day (sometimes longer) to reverse the effects.
Let’s take a look at the primary forms of DNS attack to be aware of:
Attack 1: DNS Spoofing
Also referred to as DNS cache poisoning, DNS spoofing diverts traffic from one computer towards fake, replica ones. When a user looks up a domain name in their browser, they are routed to the wrong website. For example, a user might type Yahoo into a browser but a page chosen by the hacker loads on their screen instead. Since they are typing in the correct domain name, they don’t always realize the site they are using is fake.
Detecting DNS cache poisoning is difficult. It can last until the administrator realizes and resolved the problem. During this time, the opportunity for attackers to use phishing technique to mine information, from login credentials to banking information from unsuspecting Internet users. The extent of the attack depends on the intention of the attacker and the scope of the poisoning.
Attack 2: DNS amplification for DDoS
DNS amplification attacks differ from spoofing, instead of threatening the DNS systems, hackers exploit the open nature of DNS services to give force to attacks. Well known sites, Microsoft, Sony and the BBC have been targeted in this manner.
Amplification attacks occur when an attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread his attack to other DNS servers. In simpler terms, rather than sending traffic directly from a botnet to a victim, the botnet forwards DNS requests to other systems. Those systems respond by sending even larger volumes of traffic to the targeted website.
The result of an amplified attack is the relatively small amounts of traffic sent from a botnet which requires proportionally greater use of resources. Hence the term increased volumes of traffic from DNS servers. This extra traffic is directed to a victim website, causing the system to crash or slow down.
Attack 3: Cache poisoning
Cache poisoning occurs when DNS cache data is corrupted. Whenever you browse the web visit websites and send emails, your computer is most likely using DNS data cached from somewhere on the DNS network. This process improves the speed emails are sent, and web pages are loaded, however, caches are another point of vulnerability.
During a cache poisoning attack, attackers seek to exploit and target vulnerabilities in DNS servers and change the addressing information in caches. When users attempt to visit a site, they land at a server controlled by an attacker and land on a substitute site. Often these are close replicas of the targets official site. It’s difficult for the users to be aware that they are being phished because their browser is telling them it is the official site.
The impact of such as attack includes the loss of vital information from logins and password to logins and passwords to the credit card numbers of the users captured. The best method to prevent a DNS cache poisoning attack includes regular program updating, regularly clearing the DNS caches of local machines and networking systems and setting short TTL times.
Attack 4: Denial of service and DDoS
Denial of service is an attack in when a hacker or malicious bot sends more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The attacker uses a network of malware-infected computers to send large amounts of traffic to a target, such as a server. The target becomes unable to resolve legitimate requests.
A distributed denial of service attack (DDoS) involves the attacker uses a botnet to generate massive amounts of resolution requests to a targeted IP address. The goal is to overload the target domain and slow it down or crash it. No matter how over-provisioned a website may be, if the DNS infrastructure cannot handle the number of incoming requests it receives, the performance of the site will be degraded or disabled.
DNS is particularly vulnerable to such attacks because it represents a logical choke point on the network. One solution to this problem is DNSSEC which has been widely rolled out across registrars and registries.
How to prevent and mitigate DNS attacks
As a response to such attacks, ICANN has invested in DNSSEC, a technology developed to avoid DNS server attacks. DNSSEC works by adding a signature of authenticity to each DNS request to help servers weed out fake requests. The one drawback to DNSSEC is that it must needs to be implemented at all stages of the DNS protocol to work – which has taken some time to apply.
You can implement safeguards to reduce the risk of falling victim to a DDoS attack against your domain names:
Keeping up to date on the latest DNS attacks and the technology to prevent is a good way to stay ahead.
Host your domain on multiple servers, that way, if one becomes overloaded, the other will kick in.
Use a managed DNS provider that employs a widely distributed, highly redundant network of Anycast servers to handle DNS traffic. Using Anycast to mirror your DNS servers can significantly improve performance as well as balance the load during a DDoS attack. If you would instead build your own managed DNS service, then be sure to leverage the power of Anycast.
Deflect and defend with UTM firewalls. They can be configured to recognize and block DDoS attacks in real time.
Configure your systems to rely on more than one DNS server so that if the primary server goes down, you have a fallback.