Domain Name Hijacking
Latest revision as of 17:51, 2 November 2021
Domain Name Hijacking or Domain Hijacking refers to the security breach that occurs when an outside agent, such as a hacker, gains control over a domain registered to another individual or organization.[1][2] Hijacking can be accomplished via various practices and often results in domain name registrants losing control of their domains as traffic is redirected to a different site, the content of the original site is changed, or the outside agent switches control of the name through the registrar.[2] This practice has reportedly tripled since 2005 and is related to Reverse Domain Name Hijacking.[3]
Types of Redirection
Also called DNS Hijacking, this practice refers to situations in which queries are incorrectly resolved in order to redirect users to malicious sites after perpetrators have installed Malware on user computers, taken over routers, or intercepted DNS communication.[4]
- Local - when Trojan malware is installed on a user’s computer, it changes the local DNS settings to redirect the user to malicious destinations.
- Router - when attackers take over routers, they can overwrite DNS settings.
- Man in the middle - attackers intercept communication between a user and a server and change the destination IP address.
- Rogue server - when a server is hacked and the DNS records are changed to redirect DNS requests to malicious sites.
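The four redirection types above leave two kinds of evidence on a defender's side: the client is configured to ask a resolver it should not be using (the local and router cases), or the answers it receives differ from what a trusted path returns (the man-in-the-middle and rogue-server cases). The following is an added example, not code from the wiki article or from any product it cites; the resolver addresses, baseline answers, resolv.conf text and observed answers are all constructed for the demonstration, and the baseline is assumed to have been captured earlier over a trusted channel such as the authoritative servers or a DNS-over-TLS resolver.

```python
"""Added example (not from the DNS Seal wiki page): spot signs of DNS
redirection from a host's resolver settings and the answers it receives.
All addresses, names and file contents below are constructed for the demo."""

# Assumption: the resolvers the organisation expects its hosts to use.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumption: A records previously captured over a trusted path and kept
# as the baseline to compare against.
EXPECTED_ANSWERS = {
    "bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"203.0.113.25"},
}

RESOLV_CONF_SAMPLE = """\
# constructed /etc/resolv.conf: the second nameserver was added without authorisation
nameserver 10.0.0.53
nameserver 192.0.2.66
search corp.example
"""

# Constructed answers as returned by the host's configured resolver.
OBSERVED_SAMPLE = {
    "bank.example": ["192.0.2.80"],          # differs from baseline
    "mail.example": ["203.0.113.25"],        # matches baseline
    "unknown.example": ["198.51.100.99"],    # no baseline, so ignored
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def untrusted_resolvers(servers, trusted=frozenset(TRUSTED_RESOLVERS)):
    """Resolvers the host uses that are not on the trusted list.

    A rogue entry here is the footprint of the 'local' (malware edits the
    settings) and 'router' (settings pushed from a taken-over router) types:
    the client is simply asking the wrong server."""
    return [s for s in servers if s not in trusted]


def divergent_answers(observed, expected=EXPECTED_ANSWERS):
    """Names whose observed A records contain addresses absent from the baseline.

    A divergence while the resolver list is clean points at the path or the
    server: a man-in-the-middle rewriting replies, or a rogue/compromised
    server handing out changed records."""
    findings = {}
    for name, ips in observed.items():
        baseline = expected.get(name)
        if baseline is None:
            continue                             # nothing to compare against
        extra = set(ips) - baseline
        if extra:
            findings[name] = sorted(extra)
    return findings


def run_checks(resolv_conf=RESOLV_CONF_SAMPLE, observed=OBSERVED_SAMPLE):
    """Combine both checks into one report suitable for an alerting pipeline."""
    report = {
        "untrusted_resolvers": untrusted_resolvers(parse_resolv_conf(resolv_conf)),
        "divergent_answers": divergent_answers(observed),
    }
    report["suspicious"] = bool(report["untrusted_resolvers"] or report["divergent_answers"])
    return report


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In practice the observed answers would come from querying the host's own resolver for a fixed watch-list of names, and the baseline from a second, independently trusted lookup; the comparison logic itself does not change.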
Public Perception
Domain name hijacking is viewed negatively by most people and can be referred to as domain theft.[2]
Outcome
The broader outcome of this behavior is that users' domain names are at risk from predatory parties. Individuals can lose control of their domain names and larger organizations can face major losses, monetarily and in consumer confidence.
Vectors
Domain name hijacking has been used for a number of purposes, such as "malice and monetary gain."[1] If the hijacked site deals with Internet commerce or retail, for example, its users may be redirected to a phishing webpage designed to steal their financial information.[3] A domain name is vulnerable to hijacking through a number of different avenues:
- DNS Servers: if the DNS is hijacked or poisoned, people typing in a domain name may be redirected to another page without their knowledge.[3] This method does not require any registrant account information to be compromised or readily available. See DNS Hijacking for more information.
- Registrar Security: if a registrar's security is compromised and a domain name is not locked, it could be transferred to a different user and registrar before the owner is notified.[5]
- Email Security: a third party can use WHOIS to find information about a registrant, such as a personal email account, and once the email account is compromised, use it to request a new password from the registrar.[2][3] If the third party gains access to the registrant's account with its registrar, it can change primary ownership and notification information.
- Phishing: an outside agent can pose as a representative of the registrar and ask for log-in information directly.[6]
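Three of the vectors above (an unlocked name at the registrar, a compromised registrant e-mail used to reset the account password, and a successful phish of the credentials) all end in the same observable state: the registration record changes in ways the owner did not request. A periodic audit of that record against a baseline catches the change early. This is an added example, not code from the wiki article or any registrar; the RDAP-style response and the baseline are constructed, and the lock names use the RDAP spellings of the EPP status codes defined in RFC 8056 (for example "client transfer prohibited").

```python
"""Added example (not from the DNS Seal wiki page): audit a domain's
registration data for a missing transfer lock and for unexpected changes to
nameservers, registrant e-mail or the last-changed timestamp. The record and
baseline below are constructed; status strings follow RFC 8056's RDAP form."""
import json
from datetime import datetime

# Locks a registrant should keep set at the registrar. Without the transfer
# lock, anyone who obtains the auth code or the registrar account can move
# the name to another registrar before the owner is notified.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Constructed baseline the owner recorded when the domain was last reviewed.
BASELINE = {
    "nameservers": {"ns1.example.net", "ns2.example.net"},
    "registrant_email": "hostmaster@example.com",
    "last_reviewed": "2021-10-01T00:00:00Z",
}

# Constructed RDAP-style lookup result showing the kind of change to worry about:
# the transfer and update locks are gone, one nameserver was swapped, and the
# registrant e-mail now points at an account the owner does not control.
RDAP_SAMPLE = json.dumps({
    "ldhName": "example.com",
    "status": ["client delete prohibited", "active"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "ns-hijack.example.org"}],
    "events": [
        {"eventAction": "registration", "eventDate": "2015-03-04T10:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2021-11-01T22:13:00Z"},
    ],
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [["email", {}, "text", "someone@webmail.example"]]],
    }],
})


def _parse_time(stamp):
    """RDAP uses RFC 3339 timestamps; fromisoformat() needs +00:00 instead of Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def registrant_emails(record):
    """Pull e-mail addresses from the jCard of entities holding the registrant role."""
    emails = []
    for ent in record.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                emails.append(prop[3].lower())
    return emails


def audit_registration(rdap_json, baseline=BASELINE):
    """Return a list of human-readable findings; an empty list means no drift."""
    record = json.loads(rdap_json)
    findings = []

    # 1. Registrar locks: every required lock must be present.
    statuses = {s.lower() for s in record.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - statuses):
        findings.append(f"lock not set: {lock}")

    # 2. Delegation: nameservers must match the baseline exactly.
    current_ns = {ns["ldhName"].lower() for ns in record.get("nameservers", [])}
    for ns in sorted(current_ns - baseline["nameservers"]):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(baseline["nameservers"] - current_ns):
        findings.append(f"missing nameserver: {ns}")

    # 3. Contact: the registrant e-mail is the password-reset path to the account.
    emails = registrant_emails(record)
    if emails and baseline["registrant_email"] not in emails:
        findings.append(f"registrant e-mail changed: {', '.join(emails)}")

    # 4. Any modification after the last review needs a human to confirm it.
    reviewed = _parse_time(baseline["last_reviewed"])
    for ev in record.get("events", []):
        if ev.get("eventAction") == "last changed" and _parse_time(ev["eventDate"]) > reviewed:
            findings.append(f"record changed after last review: {ev['eventDate']}")
    return findings


if __name__ == "__main__":
    for finding in audit_registration(RDAP_SAMPLE):
        print(finding)
```

Run against a live RDAP lookup for the owner's own domains on a schedule, the audit gives the early warning the text says registrars often do not: an unexplained nameserver or contact change is the moment to contact the registrar, before the name is transferred away.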
Notorious Cases
- Sea Turtle Attacks
On April 17, 2019, Cisco's Talos security division identified a hacker group called "Sea Turtle" conducting espionage via DNS hijacking among at least 40 organizations. Sea Turtle was able to compromise country-code top-level domains.[7] The victims included telecoms, internet service providers, registrars, ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. The hackers silently carried out man-in-the-middle attacks to intercept all internet data being sent to the victim organizations.
ICANN Responses
ICANN Policy
- Inter-Registrar Transfer Policy: This policy requires that registrars send registrants an authorization/confirmation notice when domain names are going to be transferred and that registrants reply in a secure way.[8]
- Registrar Transfer Dispute Resolution Policy: This policy outlines how registrars deal with transfer disputes, including unauthorized transfers.[9]
- Note: It can be challenging to prove to registrars that a domain name has been hijacked as "Registrars are often skeptical of claims of domain hijacking."[10]
Legislation
There is no U.S. legislation that directly addresses domain name hijacking. However, as it potentially can involve theft, fraud, identity theft, and phishing, there are avenues for legal redress. It is worth noting that proving domain name ownership after being hijacked can be difficult.[10]
Additional Resources and Tips
- Read ICANN's Report on Domain Name Hijacking for a brief overview of domain name hijacking and a thorough account of notable domain hijacking incidents
- View How to Recover a Hijacked Domain
- View ICANN's Standardized Authorization Form required to transfer domain names from one registrar to another
- For tips on how to prevent domain name hijacking, read Help! My Domain Name Has Been Hijacked!
Related Articles
References
1. Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions (PDF), ICANN's SSAC. http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf
2. How a Domain Name is Hijacked and How to Protect it, by Srikanth Ramesh, GoHacking.com. http://www.gohacking.com/how-domain-name-is-hijacked-how-to-protect/
3. 4 Ways to Prevent Domain Name Hijacking, by Meridith Levinson (February 1, 2012), CIO. http://www.cio.com/article/699206/4_Ways_to_Prevent_Domain_Name_Hijacking_?page=1&taxonomyId=3089
4. DNS Redirection, Imperva. https://www.imperva.com/learn/application-security/dns-hijacking-redirection/
5. ICANN warns world of domain hijacking, by Kieren McCarthy (July 12, 2005), The Register.
6. How to Recover a Hijacked Domain, by James Johnson, eHow.com. http://www.ehow.com/how_8743588_recover-hijacked-domain.html
7. Sea Turtle Attacks, Wired. https://www.wired.com/story/sea-turtle-dns-hijacking/
8. Policy on Transfer of Registrations between Registrars (in effect until 31 May 2012), Internet Corporation for Assigned Names and Numbers (ICANN). http://www.icann.org/en/resources/registrars/transfers/policy-15mar09-en.htm
9. Registrar Transfer Dispute Resolution Policy, Internet Corporation for Assigned Names and Numbers (ICANN). http://www.icann.org/en/help/dndr/tdrp
10. Help! My Domain Name Has Been Hijacked!, by Brett Lewis (January 12, 2007), CircleID. http://www.circleid.com/posts/help_domain_name_hijacked/