DNS is no longer just a name resolution system that makes day-to-day use of applications easier. It now plays an important role in the various techniques used by attackers. We already know about “protocol abuse” attacks, in which the DNS protocol is diverted from its intended purpose. There are also attacks that target DNS itself, with the aim of altering the DNS service or rendering it inoperative.
In this blog we will look at other techniques on the DNS that malicious actors tend to use to threaten information system integrity.
Large international companies, large groups, large brands and even smaller ones all use domain names that are often exactly the same as their trade name.
This trend makes companies more visible on the Internet and promotes their reputation, but it also reassures their customers and consumers.
The other side of the coin is the commercial value of a domain name that closely resembles your company or brand name (lorealparis.com or loreal.com). Such a name can become the target of malicious actors who use it to launch attacks, deceive your users by sending them to fake sites, and damage your reputation. Your domain names can also be targeted by “domainers”. These are not necessarily malicious actors, but their business is the purchase and resale of domain names.
- On OVH you reserve for your company: sstx.com
- The attacker (squatter) reserves: sstx.fr, sstx.ru, sstx.cn
The term “attacker” should be qualified here. The reservation may be made with the aim of buying and reselling at a substantial profit, but it can also be a mistake, or simply a lack of awareness that other extensions exist.
a. Strategies of the cybersquatter
Cybersquatting simply means reserving a domain as close as possible to your target’s name.
To achieve their goals, cybersquatters use several strategies:
- Buying domain names in bulk and betting that one day someone will buy them back. Before buying, they of course use name-generation algorithms, which can draw on several databases or on the most-used words on social networks (the top 1000 hashtags on Twitter, for example). This approach is certainly workable, but it carries a financial risk if no entity or person ever comes forward to buy the domain or domains. The domainer business has become less profitable and more financially risky today, even though record sales (transactions) have taken place in the past:
- LasVegas.com – 90 million dollars
- CarInsurance.com – 49.7 million dollars
- VacationRentals.com – 35 million dollars
- PrivateJet.com – 30.18 million dollars
- Internet.com – 18 million dollars
- 360.com – 17 million dollars
- Insure.com – 16 million dollars
- Bankaholic.com – 15 million dollars
- Sex.com – 13 million dollars
- Another approach is to monitor domains that are already registered and hope that the owner gives up, forgets, or does not renew in time. Expired domain names represent real opportunities to acquire a coveted name. In this strategy, the “cybersquatter” or “domainer” is at the mercy of his potential victims' vigilance: if they are as proactive as he is, he ends up with a monitoring system that works very well but never yields an attractive domain to reserve. Platforms specializing in this area exist to provide their clients with the information they need to position themselves quickly to buy expired domain names.
- The term “scammer” is also found in the field of cybersquatting. These are people who claim ownership of a domain name by irregular means. Cybersquatters who adopt this technique can be very persuasive and at times even threatening. Their objective is to cast doubt on the legitimacy of your domain name.
b. A very dangerous variant: typosquatting
Typosquatting is a variant of cybersquatting. It consists of registering a modified or misspelled domain name with a registrar in order to redirect users to a fraudulent website. It is therefore a method used by malicious people to deceive users’ vigilance.
For example, it is possible to redirect users to a fake website of their favorite bank, to a website containing malware in order to infect them or to steal personal and confidential information.
The examples below show the extent of the damage and the disconcerting ease with which this type of attack can be carried out.
Palo Alto Networks' Unit 42 published the following statistics on the most targeted domains for the year 2020.
These large groups are often subject to massive typosquatting campaigns to deceive their users.
c. The most well-known attack: Phishing
Phishing is a form of social engineering attack. It is a scam in which the attacker tries to pretend to be someone else (your financial manager, a strategic partner, your bank, your neighborhood association, etc.) in order to deceive your vigilance.
Among the techniques used, we often find an e-mail containing a link to a fraudulent site, with the objective of:
- Compromising your workstation
- Stealing your bank account details
- Stealing your access credentials (login/password) for your mailbox or your Facebook or Instagram account
This image shows a typical case of phishing. The link to be clicked does not lead to your Netflix account but to https://dev-netflixi-panthonsite.io/1/rappel.html instead.
For a well-targeted attack, the domain name is of course chosen with care.
In a well-developed APT (Advanced Persistent Threat) attack, for example, phishing occurs fairly early in the kill chain.
In this scenario, the attacker seeks to steal credit card details. However, the attack only succeeds if users make a mistake and click on the fraudulent link in the e-mail or open the attachment.
In such cases, e-mails are written with care, without any spelling, grammatical or syntactical errors. The domain names are also well chosen, so as to get past the vigilance of even the most attentive users. If everything goes to plan, the attacker starts with DNS (the lookalike domain) and finishes with DNS, exfiltrating confidential data over it without being detected.
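The following brand-monitoring helper is an added example, not code from the original post. For a domain you own (sstx.com from the squatting example above), it enumerates the lookalike registrations a defender should watch for, covering the extension variants (.fr, .ru, .cn) and common typo transformations, and it flags hostnames that impersonate the brand, such as the dev-netflixi-panthonsite.io link in the phishing example. The TLD list and the transformations chosen are assumptions; a production watchlist would add homoglyphs and keyboard-adjacency substitutions.

```python
# Lookalike-domain watchlist generator for a defender's own brand (constructed example).
TLD_SWAPS = ("fr", "ru", "cn", "net", "org")  # extensions from the post plus two common ones
ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def split_domain(domain):
    """'sstx.com' -> ('sstx', 'com'); only single-label TLDs are handled here."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typo_variants(domain):
    """Return the set of lookalike registrations worth monitoring for `domain`."""
    label, tld = split_domain(domain)
    out = set()
    # 1. Same name under another extension (the sstx.fr / sstx.ru / sstx.cn case)
    out.update(f"{label}.{alt}" for alt in TLD_SWAPS if alt != tld)
    # 2. Omission: one character dropped (stx.com)
    out.update(f"{label[:i]}{label[i + 1:]}.{tld}" for i in range(len(label)))
    # 3. Transposition: two neighbouring characters swapped (stsx.com)
    out.update(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}"
               for i in range(len(label) - 1))
    # 4. Repetition: one character doubled (ssstx.com)
    out.update(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}" for i in range(len(label)))
    # 5. Hyphenation: a hyphen inserted inside the name (ss-tx.com)
    out.update(f"{label[:i]}-{label[i:]}.{tld}" for i in range(1, len(label)))
    # 6. Addition: one trailing letter or digit (sstxa.com, sstx1.com)
    out.update(f"{label}{c}.{tld}" for c in ALPHANUM)
    out.discard(domain.lower())  # never list the genuine domain itself
    return out


def is_lookalike(hostname, domain):
    """Flag a hostname seen in a URL or e-mail link that impersonates `domain`."""
    label, _ = split_domain(domain)
    genuine = domain.lower()
    host = hostname.lower().rstrip(".")
    if host == genuine or host.endswith("." + genuine):
        return False  # the real domain, or one of its own subdomains
    # Registered part = last two labels; sufficient for .com / .io style names.
    registered = ".".join(host.split(".")[-2:])
    if registered in typo_variants(domain):
        return True
    # Brand name embedded in a foreign registration, e.g. dev-netflixi-panthonsite.io
    return label in host


if __name__ == "__main__":
    for h in ("www.sstx.com", "sstx.fr", "stx.com", "dev-netflixi-panthonsite.io"):
        print(h, "->", "LOOKALIKE" if is_lookalike(h, "sstx.com") or is_lookalike(h, "netflix.com") else "ok")
```

Feed the output of typo_variants into a daily WHOIS or passive-DNS check to be alerted when one of the candidates is registered, and run is_lookalike over the link targets extracted from inbound mail.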
So we’ve seen in this blog some of the strategies and attack types often used. Look out for the sequel coming soon, where we’ll explain tools and techniques used to protect against cybersquatting.