Domain hijacking is the unauthorized modification of DNS records, redirecting domain traffic by exploiting vulnerabilities, or gaining access to domain management credentials without the owner’s consent.
How does Domain Hijacking Happen?
Domain hijacking, also known as domain name hijacking or domain theft, is a cyberattack where unauthorized individuals gain control of a domain by altering its DNS records without the owner’s consent. In the world of cybersecurity, domain registration hijacking is a serious threat because it enables attackers to redirect a domain’s traffic to malicious sites, leading to data theft, service disruption, and reputational damage.
Domain registration hijacking typically involves:
- Credential compromise: Attackers gain access to the domain owner’s account at their registrar or authoritative managed DNS provider, allowing them to modify DNS settings.
- Social engineering: Fraudsters manipulate registrars or DNS administrators to grant unauthorized access.
- Email compromise: If attackers control the owner’s email, they can reset domain management credentials.
- Dangling delegations: a domain or subdomain has NS records delegating it to authoritative servers, but the zone has not been configured on those servers. This was recently publicized as the Sitting Ducks vulnerability.
- Routing hijacks: an attacker can hijack a network block and route it to their own infrastructure, where they have authoritative DNS servers.
- Dangling CNAMEs: where a hostname has been delegated to a service provider through a CNAME resource record, but the service has not been configured on the provider.
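As an added example (not Vercara's or UltraDNS code), the following Python classifies the two misconfigurations listed above, dangling delegations and dangling CNAMEs, from the answers an auditor would collect. The zones, nameservers and responses are constructed inline so it runs offline; a real check would gather them with a DNS library instead.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    rcode: str          # "NOERROR", "NXDOMAIN", "REFUSED" or "SERVFAIL"
    aa: bool = False    # Authoritative Answer flag in the response header

# Constructed sample data (not real zones): the NS records the parent publishes
# for each child, and how each listed server answers an SOA query sent directly
# to it. A server that really hosts the zone answers NOERROR with AA set.
PARENT_NS = {
    "shop.example.com.": ("ns1.provider.test.", "ns2.provider.test."),
    "blog.example.com.": ("ns1.provider.test.", "ns2.provider.test."),
    "api.example.com.":  ("ns1.provider.test.", "ns2.provider.test."),
}
SOA_REPLIES = {
    ("ns1.provider.test.", "shop.example.com."): Answer("NOERROR", aa=True),
    ("ns2.provider.test.", "shop.example.com."): Answer("NOERROR", aa=True),
    ("ns1.provider.test.", "blog.example.com."): Answer("REFUSED"),
    ("ns2.provider.test.", "blog.example.com."): Answer("SERVFAIL"),
    ("ns1.provider.test.", "api.example.com."):  Answer("NOERROR", aa=True),
    ("ns2.provider.test.", "api.example.com."):  Answer("REFUSED"),
}
# CNAMEs in our zone, and what a recursive resolver returns for each target.
CNAMES = {"assets.example.com.": "old-bucket.storage.test.",
          "www.example.com.": "edge.cdn.test."}
RESOLVER = {"old-bucket.storage.test.": Answer("NXDOMAIN"),
            "edge.cdn.test.": Answer("NOERROR")}

def delegation_status(zone: str) -> str:
    """'ok' if every delegated server is authoritative, 'lame' if only some are,
    'dangling' if none is: the parent delegates the zone, but the zone was never
    configured at the provider (the precondition behind Sitting Ducks)."""
    authoritative = [SOA_REPLIES.get((ns, zone), Answer("SERVFAIL")).aa
                     for ns in PARENT_NS[zone]]
    if all(authoritative):
        return "ok"
    return "lame" if any(authoritative) else "dangling"

def cname_is_dangling(name: str) -> bool:
    """True when the CNAME target no longer exists (NXDOMAIN): the hostname is
    pointed at a provider, but nothing is provisioned there for it."""
    return RESOLVER.get(CNAMES[name], Answer("NXDOMAIN")).rcode == "NXDOMAIN"

def audit() -> dict:
    """Every finding an operator should fix, or remove from the zone outright."""
    findings = {z: f"{delegation_status(z)} delegation" for z in PARENT_NS
                if delegation_status(z) != "ok"}
    findings.update({n: "dangling CNAME" for n in CNAMES if cname_is_dangling(n)})
    return findings
```

The "lame" case is reported as well, because a single server that refuses the zone is still a server on which the zone is unconfigured.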
Once the domain is stolen, attackers can redirect traffic to malicious websites, steal sensitive information, capture email messages, or disrupt the domain owner’s services. In some cases, attackers may return DNS settings to avoid detection, as seen in the DNSpionage attack.
Domain Hijacking and malicious domain transfer.
Domain hijacking can also result in a malicious transfer of ownership, where attackers move the domain to a new registrar without the owner’s consent. This type of attack can be devastating for businesses, causing financial losses, reputational damage, and customer distrust.
Is Domain Hijacking common?
While domain hijacking of popular domains is not extremely common today, it remains a significant threat to cybersecurity due to the potential damage it can cause. In the case of the Sitting Ducks vulnerability, active threat actors and Advanced Persistent Threat groups were observed using wide-scale DNS hijacking of unused domains as a technique to gain control of domains and subdomains that they then used for phishing and malware Command and Control (C2).
How Domain Hijacking impacts your business.
Domain hijacking can have severe consequences for businesses. When attackers gain unauthorized control of a domain by exploiting vulnerabilities in the domain registration process or using social engineering tactics, the impact can be devastating. Here’s how:
1. Service disruption and loss of revenue.
A domain hijacking incident can cause significant service outages, preventing a business from operating normally. This causes an immediate outage for the website itself as users are sent to a malicious or non-existent site. This sudden loss of traffic can lead to immediate and direct financial losses, as customers are unable to access the business’s services or make purchases. Whether it’s an e-commerce site, online service, or corporate portal, the disruption can halt business operations, leading to loss of revenue and productivity.
2. Hijack of website traffic.
When a domain is hijacked, users who try to access the legitimate website may be redirected to a malicious site operated by the hijackers. The hijackers can then steal data, inject malware, or carry out any other type of malicious activity. Since DNS uses a Time-To-Live setting, a complete hijack of a domain could result in multiple hours of service interruption before the incorrect DNS responses expire from recursive caches.
3. Data breaches and other information theft
Domain hijacking can result in the theft of valuable customer data such as credit card numbers and other Personally Identifiable Information (PII), login credentials, domain email, or proprietary information. By redirecting traffic to malicious websites, attackers can harvest PII that can be used in further cyberattacks like credential stuffing or fraudulent account creation. Data breaches may also lead to regulatory penalties for failing to protect customer data.
4. Reputational damage.
A hijacked domain can severely tarnish a company’s reputation. If customers are redirected to fraudulent or phishing websites, they may unknowingly share sensitive information, leading to distrust in the business. Some domain hijacking attacks result in Transport Layer Security (TLS) certificates being issued for the hijacked domain that can be used in follow-on attacks. Even after the issue is resolved, rebuilding customer confidence can take significant time and effort.
5. Malicious transfers.
In some cases, domain hijacking involves a malicious transfer of the domain to a new registrar and new owner without the owner’s consent. This not only locks the business out of its own domain but increases the time and effort that it takes to recover ownership of the domain, prolonging the downtime and increasing the cost of remediation.
6. Legal and financial consequences.
Businesses affected by domain registration hijacking may face costly legal battles to regain control of their domains. Additionally, they may have to invest heavily in cybersecurity measures to prevent future incidents, adding to the financial burden.
Domain hijacking has the potential to cripple a business by causing financial losses, damaging its reputation, and exposing sensitive data. Building controls such as restrictive role management, two-factor authentication, and the identification and remediation of misconfigurations around domain management is essential for closing off the opportunities for attacks such as domain hijacking and for ensuring business continuity.
How Vercara can help.
Vercara’s Authoritative DNS solution, UltraDNS, offers protection against domain hijacking, domain name hijacking, and domain theft. With UltraDNS, businesses benefit from security features that help safeguard domain management systems, prevent unauthorized access, and recover from a hijack if one occurs.
UltraDNS is a standards-compliant authoritative DNS platform that uses a combination of controls such as DNS server hardening, server segmentation, multiple points-of-presence, portal vulnerability management, and Route Origin Validation to ensure the security and availability of our platform to respond quickly and accurately to DNS queries.
UltraDNS uses dynamically assigned nameservers and a domain ownership validation process to reduce the impact of a dangling domain or subdomain delegation, as described in the Sitting Ducks vulnerability.
The UltraDNS management portal is compatible with identity providers (IdPs) for Single Sign-On via Security Assertion Markup Language (SAML), such as Okta. This helps organizations manage their DNS administrators, roles, and permissions using their own tools to perform identity management tasks such as account creation, recertification, and revocation, and to assign permissions via groups. UltraDNS also supports multi-factor authentication with an authenticator application and the Time-Based One-Time Password (TOTP) algorithm for portal accounts that are not managed via an IdP.
The UltraDNS management portal supports audit trails that identify the user account and the changes that they made to assist with investigations and incident response when a malicious domain change occurs. Events such as record changes can be monitored using our push notification features to send alerts via email, pager, or chat. For example, it is common for UltraDNS administrators to use chatbots to post changes into a group chat.
Vercara has built UltraDNS Health Check as an automated scanning tool to identify vulnerabilities and misconfigurations, such as dangling delegations and missing registry and transfer locks. We made a subset of the tool available to the public.
UltraDNS has a Top-Level Domain offering for TLD operators that adds integrity controls, rollbacks, logging, reporting, DNSSEC, and other features to support the requirements of TLD operators and registries to respond to and mitigate domain hijackings inside their second-level domains and subdomains.
UltraDNS supports DNS Security Extensions (DNSSEC), which allows for faster identification and blocking of hijacked domains to reduce the impact on a site’s users.
With Vercara’s UltraDNS and its features and security controls, businesses can protect their domains against hijacks, prevent malicious transfers, and ensure business continuity in the face of growing cybersecurity threats.