NEUSTAR ⁄⁄ B L O G

DNS HIJACKING AND PHISHING

With alarming and increasing frequency, organizations all over the world are being targeted by cyber attacks. Just over the last few months, a number of high-profile companies have been hit: , Lenovo, The New York Times, and The Huffington Post to name a few.

Although not always the case, the perpetrators for these particular attacks were known hacker groups such as the Syrian Electronic Army or Lizard Squad. Also known were the techniques used to penetrate the victimized systems. For two of these techniques, DNS hijacking and phishing, there are solutions available on the market that, had they been implemented, could have prevented, halted, or minimized damage from the attacks.

DNS Hijacking

DNS is the underlying directory framework of the Internet. It turns a web address into an IP address that ultimately directs you to the website you’re trying to reach. If this DNS gets hijacked or taken over by a hacker group, the web address can be redirected to a completely different website. This malicious website may contain a nasty message or hacker taunt—or something more insidious and destructive such as malware. Whatever may be the point of attack, for a media organization, brand and credibility hang in the balance. For an ecommerce company, buyers’ trust can be betrayed, competitors can benefit, and once again, the brand could suffer.

In the case of the Syrian Electronic Army attack on The New York Times, traffic from the actual Times website was redirected to an alternate website established by the hackers.

Phishing

Every day, millions of “phishing” emails go out to unsuspecting users, making it an extremely pervasive form of cyber attack. Phishing or its more targeted version, Spear Phishing, involves sending phony, yet legitimate-looking emails to an unsuspecting user. Typically the email’s origin (‘from’) is spoofed with a well-intentioned or trusted 3rd party, appearing to come from this trusted entity. Imagine that you get an email from a trusted organization, instructing you to visit a particular . Simply clicking the link can expose your system to malware. Certain malware might track your keystrokes, which could lead to the mass exposure of passwords across a range of systems.

Key to a phishing attack is faking the email source, which is easily accomplished. The email appears to come from a trusted organization. But in reality the hackers are merely posing as another entity to get the recipient either to click a link in the email or expose something of interest, such as a password or credit card.

In the case of The New York Times, it’s suspected that phishing was the first step towards gaining control of the DNS records. After the successful phish, the hackers gained the credentials needed to unlock and alter DNS records, directing www.nytimes.com to a website of their choosing. Although the change was made at the top-level domain (TLD), the end result was the same: any user who typed www.nytimes.com into a browser was redirected to a malicious website established by the hackers.

What can Neustar do to help?

Neustar has a suite of products for domain protection that can help an organization make DNS hijacking and phishing attacks much more difficult, if not impossible. Here are some areas where Neustar’s products can make a difference in hardening an Internet infrastructure.

Domain Locking. The DNS lookup process is complicated and must be secured at every level. Choose a registrar that offers domain locking. Neustar can do this for .biz, .co, .co.uk, .nyc and other TLDs for which Neustar is registrar. DNSSEC zone signing can also make TLD reassignment much more difficult.

Neustar® ⁄⁄ www.neustar.biz/blog CYBER SECURITY & PERFORMANCE BLOG

(See below for more information on DNSSEC.)

Secure DNS. Neustar operates one of the world’s largest Authoritative DNS networks, called UltraDNS. Neustar has added advanced security features into the platform to make it much more difficult to maliciously obtain the proper credentials to change a DNS record. These include: Permission Levels, Dual-factor Authentication (powered by Symantec) and Access Control List by IP range. These layers of permissions security make it less likely to be compromised. UltraDNS is also protected from DDoS attacks against DNS.

DNSSEC. Normal DNS does not have any encryption and is largely unauthenticated. DNSSEC adds authentication to the DNS lookup process, with complex digital signatures that ensure that the answer you get from DNS is legitimate. However, DNSSEC is difficult to manage for a typical organization, with complex key management procedures and rollover periods. Neustar makes this easy with single click DNSSEC support in UltraDNS. Sign your domains with DNSSEC to combat cache poisoning, DNS and TLD hijacking.

Stop phishing email at your border. Malicious incoming email is a major threat to every organization and should be a concern of the IT staff. Employees should be trained to identify potentially malicious emails and to be wary of phishing and other social exploits. Organizations can also enforce inbound and rejection policies, including SPF, DKIM, and DMARC. Most modern mail servers support these layers of authentication, which can allow spoofed spam to be identified and deleted by the inbound mail server. Spoofed phishing emails will likely fail authentication and never be delivered to the end users in the first place. UltraDNS supports SPF, DKIM, and DMARC records.

Stop phishing using your . Any organization, especially well-known, trusted brands should be concerned that their domain is being used fraudulently in phishing schemes. The good news is that there are techniques not only to gain visibility into this malicious activity, but also to stop the delivery of emails from your domain by phishers purporting to be you. UltraDNS has teamed up with Agari to do exactly that. Agari has partnered with (Gmail), Yahoo, AOL, and a growing number of personal email providers. Together, they authenticate and block spoofed email before it’s delivered to end-user accounts, such as those using . Not only do the emails get blocked but you get a report exposing the activity. This is powered by UltraDNS through special records that are provided free of charge for trial accounts. Ask your Neustar account representative for information about UltraDNS + Agari.

Intelligent Recursive. Another way to make phishing less likely to occur is to block your internal network users from going to malicious . Neustar’s UltraDNS Recursive is an advanced recursive DNS resolver that allows the IT administrator to block access to 16 categories of web content, including malware and phishing sites. So even if an internal network user falls for a phishing email, you can potentially block that user from accessing the site.

Active Monitoring. Neustar is able to monitor DNS results as well as website performance characteristics through its Web Performance Management (WPM) product. It will alert the IT administrator if a different IP range is returned by DNS. It can also issue an alert if the website is suddenly unavailable, performance degrades, or the structure of the website has changed.

Vulnerability and Network Assessments. Ultimately, hackers exploit not only technical, but human and social vulnerabilities as well. Neustar consultants can deeply analyze all areas of your network, policies, and permissions, and then provide a comprehensive assessment, assist with remediation, and optionally perform penetration testing. Let the experts at Neustar help you to identify and lock down the weak points and key functional areas in your network.

In the end, while no network is perfect and constant vigilance is necessary, Neustar can help protect domains from a number of known attack types, including DNS hijacking and phishing. Neustar also protects against denial of service (DoS and DDoS) attacks through a product called SiteProtect.

For more information, please visit www.neustar.biz/services/ddos-protection
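The check described under Active Monitoring (alert when DNS returns an address outside the expected range) can be sketched as follows. This is an added example, not Neustar's product code; it also compares the zone's nameserver set, which goes beyond the article's IP-range check, and every name, range and observation in it is constructed.

```python
import ipaddress

# Constructed baseline for a placeholder zone (documentation address ranges).
BASELINE = {
    "allowed_nets": ["192.0.2.0/24", "2001:db8:10::/48"],
    "nameservers": {"ns1.example.net", "ns2.example.net"},
}

# Constructed observations from three hypothetical vantage points:
# the A/AAAA answers for the site and the NS set seen for its zone.
OBSERVATIONS = [
    {"resolver": "vantage-a", "addresses": ["192.0.2.10", "2001:db8:10::5"],
     "nameservers": ["ns1.example.net.", "NS2.example.net"]},
    {"resolver": "vantage-b", "addresses": ["198.51.100.7"],
     "nameservers": ["ns1.example.net", "ns2.example.net"]},
    {"resolver": "vantage-c", "addresses": ["192.0.2.10", "not-an-ip"],
     "nameservers": ["ns1.unexpected.invalid", "ns2.example.net"]},
]


def normalize_host(name):
    """Lower-case and drop the trailing dot so NS names compare reliably."""
    return name.rstrip(".").lower()


def check_observation(baseline, obs):
    """Return the alerts raised by one observation (empty list if clean)."""
    alerts = []
    nets = [ipaddress.ip_network(n) for n in baseline["allowed_nets"]]
    for raw in obs["addresses"]:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            alerts.append(f"unparseable address {raw!r}")
            continue
        # An IPv4 address is never "in" an IPv6 network (and vice versa).
        if not any(addr in net for net in nets):
            alerts.append(f"address {addr} outside expected ranges")
    seen = {normalize_host(n) for n in obs["nameservers"]}
    alerts += [f"unexpected nameserver {n}" for n in sorted(seen - baseline["nameservers"])]
    alerts += [f"expected nameserver {n} missing" for n in sorted(baseline["nameservers"] - seen)]
    return alerts


def run_monitor(baseline, observations):
    """Map each vantage point that raised alerts to its alert list."""
    results = {o["resolver"]: check_observation(baseline, o) for o in observations}
    return {name: alerts for name, alerts in results.items() if alerts}
```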
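How an inbound mail server turns SPF and DKIM results into the DMARC decision mentioned under "Stop phishing email at your border", as an added example that is not from the original article. The records and domains are constructed, the policy is looked up for the exact From domain only, and relaxed alignment is approximated conservatively.

```python
# Constructed DMARC records, keyed by the domain whose _dmarc TXT they represent.
RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "example.org": "v=DMARC1; p=none",
}
ACTIONS = {"none": "deliver-and-report", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; None if it is not a usable record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ACTIONS:
        return None
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' requires an exact match. Relaxed mode is
    approximated as "authenticated domain is the From domain or a subdomain
    of it"; a full check compares organizational domains (Public Suffix List)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == b
    return b == a or b.endswith("." + a)


def disposition(from_domain, spf, dkim, records=RECORDS):
    """Decide what to do with a message. spf and dkim are (result, domain)
    pairs produced by the earlier SPF and DKIM checks."""
    txt = records.get(from_domain.lower())
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    # DMARC passes when either mechanism both passes and aligns with the From domain.
    if spf_ok or dkim_ok:
        return "deliver"
    return ACTIONS[policy["p"].lower()]
```

A message whose SPF and DKIM pass only for an unrelated domain fails alignment, so the result depends on the published policy: `p=reject` blocks it, while `p=none` still delivers it and only reports.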
