18 February 2019

If you haven’t heard already, the Australian Signals Directorate has issued a warning about a current global crime wave involving “DNS hijacking.”

What is DNS hijacking?

DNS hijacking is a malicious practice in which an attacker manipulates DNS data, including the location of domain name resources, so that domain names point to rogue Internet Protocol (IP) addresses. As data is sent from one device to another, core details are captured during the transfer.

Let’s say, for example, that “victimbank.com.au” has its DNS hijacked, and for one hour every day its traffic is redirected to a website that appears to be legitimate. There, users unwittingly enter their username and password, which the criminals record and later use to access and clean out the accounts.

What is the threat of this particular campaign?

This new wave of DNS hijacking involves sophisticated hackers gaining access to organisations that store and manage the IP addresses of websites and other resources.

Usually, site visitors can defend themselves by directly typing in the bank’s address instead of clicking on a link in an email or ad that may be fraudulent. Typing in the address is always the safest course, although it is admittedly a bit more work.

When successful, these criminals can change the IP addresses for short periods of time, during which even type-in traffic is sent to counterfeit sites. They then change the IP address back to mask their action. Since the correct IP address remains stored most of the time, this is a very difficult exploit to uncover.
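The short-lived changes described above are easy to miss with infrequent checks. The following added example (not code from Afilias or the Australian Signals Directorate) groups polled answers that deviate from a known-good baseline into windows, and shows that a daily check misses a one-hour change that a five-minute poll catches. The addresses are constructed documentation-range values, and `simulated_answer` is a hypothetical stand-in for a real DNS lookup of the monitored name.

```python
from datetime import datetime, timedelta

BASELINE = {"192.0.2.10"}    # constructed: known-good A record set for the name
ROGUE = {"203.0.113.66"}     # constructed: address served while hijacked

def simulated_answer(ts):
    """Constructed stand-in for a DNS lookup: rogue answer 02:00-02:59 daily."""
    return ROGUE if ts.hour == 2 else BASELINE

def sample(start, hours, interval_minutes, lookup=simulated_answer):
    """Poll `lookup` at a fixed interval; return (timestamp, answer) pairs."""
    step = timedelta(minutes=interval_minutes)
    end = start + timedelta(hours=hours)
    observations, ts = [], start
    while ts < end:
        observations.append((ts, frozenset(lookup(ts))))
        ts += step
    return observations

def deviation_windows(observations, baseline):
    """Group consecutive samples that contain non-baseline addresses."""
    windows, current = [], None
    for ts, answer in observations:
        unexpected = set(answer) - set(baseline)
        if unexpected:
            if current is None:
                current = {"first_seen": ts, "last_seen": ts, "ips": set()}
                windows.append(current)
            current["last_seen"] = ts
            current["ips"] |= unexpected
        else:
            current = None   # answer is back to baseline: close the window
    return windows

if __name__ == "__main__":
    start = datetime(2019, 2, 18, 0, 0)
    for interval in (5, 24 * 60):   # five-minute poll vs. one check per day
        found = deviation_windows(sample(start, 48, interval), BASELINE)
        print(f"poll every {interval} min: {len(found)} window(s)")
        for w in found:
            print("  ", w["first_seen"], "->", w["last_seen"], sorted(w["ips"]))
```

In practice the lookup would query the authoritative name servers directly, and each window would be compared against the change log for the zone.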

What action(s) are required?

The Australian Signals Directorate recommends a series of actions that web hosters, registrars, and any organisation that manages its IP addresses can take to make it much more difficult for hackers to interfere.

These are summarised by the Australian Cyber Security Centre (ACSC) in ‘The Essential Eight Explained’, a detailed plan towards high system security.

As the registry for .au names, Afilias strongly recommends setting up two-factor authentication for personnel with access to any DNS records as an initial precaution.

If you are a victim or suspect abuse of a .au domain name, please contact your registrar or email us at abuse@afilias.com.au.