DNS Spoofing Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 19 Jul 2024

DNS Spoofing vs DNS Hijacking
https://gridinsoft.com/blogs/dns-spoofing-vs-dns-hijacking/
Wed, 03 Jul 2024

The post DNS Spoofing vs DNS Hijacking appeared first on Gridinsoft Blog.

Domain Name Services (DNS) play a crucial role in our IP networks. DNS servers map website names to their corresponding IP addresses. By altering information on a DNS server, you can redirect users to different IP addresses, potentially leading them astray from their intended destinations. One method to achieve this redirection is by modifying files on computers, such as the HOSTS file. This change forces the computer to connect to the IP address specified in the file, bypassing the DNS server query.

Directing someone to a specific IP address becomes simpler when altering the HOSTS file on their machine. However, modifying this file across numerous devices is a challenging task. Consequently, attackers often target the DNS server itself, making a single change that updates the responses for all querying clients. While various methods exist to manipulate DNS servers, most involve gaining control over the server.

What Is DNS and How Do DNS Servers Function?

Let’s revisit what DNS means. The Domain Name System is a foundational internet service that facilitates the conversion of human-readable domain names into machine-understandable IP addresses. Here are some essential components related to DNS:

  • IP Address (Internet Protocol): A unique string of numbers assigned to each computer and server on a network, allowing them to locate and communicate with each other.
  • Domain: A memorable text name, like “www.google.com,” that corresponds to the IP address of a server, simplifying the process of connecting to websites.
  • Domain Name System (DNS): This system translates domain names into IP addresses.
  • DNS Servers: These include four types of servers crucial to the DNS lookup process: resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, let’s discuss the resolver name server.
  • Resolver Name Server: Operating within your system, this server begins the translation process by querying other servers to find the IP address associated with a domain name.
What is DNS and how does it work?

The DNS Lookup Process

When you enter a website’s domain name, the following process unfolds:

  1. Your web browser and operating system (OS) first attempt to retrieve the domain’s IP address from the computer’s internal memory or cache, if previously visited.
  2. If the cache doesn’t contain the IP address, the OS reaches out to a resolver name server.
  3. This resolver then searches through a chain of servers to locate and return the correct IP address to your OS, which relays it to your web browser.

The DNS lookup process is a critical infrastructure component across the internet. However, vulnerabilities in DNS can expose users to security risks, such as malicious redirects, underscoring the importance of awareness and preventive measures.

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, is a broad term that describes any attack where a perpetrator manipulates an end user’s device into connecting with a fraudulent domain or IP address, under the guise of a legitimate domain. This type of attack can deceive users into thinking they are interacting with a legitimate site when they are not.

There are numerous methods of DNS hijacking, and not all are unlawful. A common legal example is pay-per-use WiFi portals. These services intercept DNS requests before the user has paid for access: regardless of the user’s settings, all requests are directed to a payment page where the user can purchase WiFi access.

Another prevalent method involves altering the DNS settings on a client’s device. An attacker may change the settings so that the device uses a DNS server under their control instead of a legitimate service like 8.8.8.8. When a user attempts to access a secure site such as their online banking website, the rogue DNS server may redirect them to a fake website. This site acts as a proxy to capture all transmitted data. This technique was famously used by the DNSChanger trojan/malware, which, while now rare, was once a significant threat.

Other hijacking tactics include exploiting vulnerabilities within DNS server software, manipulating DNS registration systems, or utilizing visually deceptive domain names (homograph attacks). One early example of phishing employed a domain named paypaI.com where the letter ‘I’ was capitalized to mimic a lowercase ‘L’, misleading users into thinking it was the legitimate PayPal.com. With DNS now supporting international characters, these attacks have become even more sophisticated and harder to detect.
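As an added defender-side example (not code from the Gridinsoft post), the script below audits the two hijacking artefacts the posts describe: HOSTS-file overrides that point a sensitive name at a non-local address, and configured resolvers that are not on an expected list (the DNSChanger-style change). The sensitive-domain list, trusted-resolver list, sample HOSTS content and resolver addresses are all constructed assumptions.

```python
import ipaddress

# Address ranges that legitimately appear in a HOSTS file (loopback, RFC 1918,
# link-local). Anything else pointing at a sensitive name deserves a look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10")]

# Assumption: the defender lists the services whose names must never be
# overridden locally. Names are constructed for this example.
SENSITIVE_DOMAINS = ("examplebank.com", "examplemail.com")

# Assumption: resolvers the organisation expects on its devices. 8.8.8.8 is the
# legitimate service named in the post; the others are added here.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}

# Constructed HOSTS content. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for attacker-controlled addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan
203.0.113.45    www.examplebank.com examplebank.com   # added by malware
198.51.100.10   mirror.example.org
not-an-ip       junk.example
"""

# Constructed resolver list as read from the device's network settings.
SAMPLE_RESOLVERS = ["8.8.8.8", "203.0.113.53"]


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and unparseable lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed address, nothing to check
        for name in names:
            yield ip, name.lower()


def is_local_address(ip):
    """True for loopback, private and link-local addresses of either IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_sensitive(name):
    return any(name == d or name.endswith("." + d) for d in SENSITIVE_DOMAINS)


def audit_hosts(text):
    """Return (severity, ip, hostname) for every override to a non-local address."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_local_address(ip):
            continue
        severity = "high" if is_sensitive(name) else "review"
        findings.append((severity, ip, name))
    return findings


def untrusted_resolvers(configured):
    """Resolver addresses that are not on the expected list."""
    return [r for r in configured if r not in TRUSTED_RESOLVERS]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
    print("unexpected resolvers:", untrusted_resolvers(SAMPLE_RESOLVERS))
```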

What Is DNS Spoofing?

DNS spoofing refers to any attack that tries to change the DNS records returned to the requester into a response chosen by the attacker. This includes techniques such as cache poisoning and some forms of man-in-the-middle attack. The terms “DNS hijacking” and “DNS spoofing” are sometimes used as synonyms. This method is also widely used by paid Wi-Fi access points in airports and hotels, and in some cases network security groups use it as a quarantine tool to isolate an infected device.

Difference Between DNS Spoofing and DNS Hijacking

Although DNS spoofing is often confused with DNS hijacking because both occur at the local system level, they are two different types of attacks. In most cases, DNS spoofing or cache poisoning simply involves overwriting the local DNS cache values with fake ones to redirect the victim to a malicious website. On the other hand, DNS hijacking (also known as DNS redirection) often involves malware infection to hijack this critical system service. In this case, malware hosted on the local computer can change the TCP/IP configuration to point to a malicious DNS server, eventually redirecting traffic to the phishing website.


Conclusion

As you can see, DNS is critical to the day-to-day operation of websites and online services. Unfortunately, attackers see it as an attractive way into your networks, which is why monitoring your DNS servers and traffic is crucial. Be careful where you go on the Internet and which emails you open. Even the slightest difference, for example the absence of an SSL certificate, is a signal to double-check the website you want to visit.

DNS Cache Poisoning
https://gridinsoft.com/blogs/dns-cache-poisoning/
Sat, 08 Jun 2024

DNS Cache Poisoning is a pretty old attack type in which a malicious actor redirects a victim’s traffic to a harmful site instead of a legitimate IP address. It is done by replacing cached IP addresses on the DNS server. Attackers also use the method of “poisoning” the DNS cache to steal credentials or sensitive information. But how dangerous is it? And how can we protect against such attacks? Let’s find out.

DNS Cache Poisoning Overview

DNS cache poisoning is a type of attack in which hackers impersonate another device, client, or user. To do this, they alter the cached IP addresses stored locally on the device. As a result, when a user tries to visit a website, they end up on a fake site that the modified DNS cache returns instead of the legitimate one they intended to reach. This trick is hard to notice at the final stage, as fake sites are typically designed to look like the real ones. The result of a successful cache poisoning is similar to a man-in-the-middle attack: it allows an attacker to intercept data sent from the user’s machine to a website.

By poisoning a DNS server, attackers can redirect all your traffic to their own servers. For instance, if you type “amazon.com,” a poisoned DNS server can redirect you to a fake version of Amazon. Attackers poison the DNS cache by filling it with false data: they make a request to the DNS resolver and then spoof the response when the resolver queries the name server. When the DNS resolver receives the fake response, it accepts and caches the data, because cached information is considered trustworthy and it is hard to prove it wrong without additional checks. The reason lies in the very design of DNS: it appeared back in the days when no one anticipated such an attack vector.

What is a DNS Server?

DNS Cache Poisoning Mechanism

Since IP addresses don’t change often (if at all), a computer saves the association between a hostname and an IP address. For example, www.gridinsoft.com gets associated with the IP address 104.26.15.79. If an attacker can get the targeted system to accept falsified information from DNS, the client will send data to a fake IP address. In the best case, this results in a denial of service; in the worst case, the attacker can intercept traffic, with severe consequences.

A successful attack makes the user believe they are visiting the legitimate site, so they enter confidential account information without hesitation, and it goes straight to the attacker. “Successful” here means the user doesn’t notice the deception and calmly enters their login and password, handing their credentials to the attacker.

As a result of such an attack, an attacker can redirect a user to fake or malicious websites, leading to malware deployment. For example, a fake online banking site might prompt the user to update an application. Instead of the legitimate application, the user receives a malicious file. Additionally, a compromised website can initiate malware downloading.

On the other hand, attackers can also disrupt legitimate software updates by poisoning the DNS cache. For example, an attacker could block updates to antivirus software signature databases. Besides DNS cache poisoning, there is also the direct hacking of DNS servers, which I covered in a separate article.

DNS Cache Poisoning Application

The technical details of cache poisoning make it clear that such a complicated technique is not meant for mass attacks. The majority of DNS cache poisoning attacks happen in targeted cyberattacks, particularly against corporations. Since the attack involves only localized changes, it may be harder to detect proactively, especially without specialized software.

By altering DNS cache on a selection of corporate workstations, hackers can gather login credentials to pretty much any web resource. The ability to select which site is spoofed in a poisoning attack once again makes it harder to detect, and also prevents login data from other sites from flooding the resulting log. In the hands of a skilled adversary, DNS cache poisoning may be an outstandingly effective and dangerous tool.

DNS Cache Poisoning and Censorship

Some governments have intentionally poisoned DNS caches in their countries to block access to certain websites or web resources. For example, the Great Firewall of China uses DNS filtering and fake responses for geoblocking, censorship, and restricting access to specific websites. Additionally, some internet service providers (ISPs) use DNS interception to display advertisements or block access to illegal websites.

Malware in Cache Poisoning Attacks

Technical execution aside, there is one question remaining: how can cybercriminals do this? Getting to the system files, and DNS cache in particular, requires accessing the environment remotely. There are several malware types that can provide such access, namely backdoors and remote access trojans. Following their injection into the network, hackers can control pretty much any element of the system, both through commands and direct access.

As DNS cache poisoning attacks are pretty rare and require thorough planning and targeting, the corresponding actions are often embedded into the malware sample. In addition to this, malware may be able to undo these changes, to cover the tracks after the successful attack.

Preventing DNS Poisoning Attacks

The best way to prevent DNS resolver cache poisoning is to implement secure cryptographic and authentication methods. Replacing DNS globally with DNSSEC (Domain Name System Security Extensions) would address this issue, as DNSSEC creates a unique cryptographic signature stored with the DNS records. This signature is then used by the DNS resolver to verify the authenticity of the response and record. Additionally, this scheme helps establish a trusted chain from the top-level domain (TLD) to the authoritative domain zone, ensuring the security of DNS name resolution.

11 Types of Spoofing Attacks
https://gridinsoft.com/blogs/types-of-spoofing-attacks/
Thu, 09 Jun 2022

Spoofing is a kind of cybercrime in which attackers impersonate a trusted source, such as a known contact, to gain access to confidential information or steal data, whether personal or professional. In addition to threatening your data privacy, spoofing attacks can damage the reputation of the brand or person the attackers are impersonating, sometimes making it difficult to regain their former standing.

Types of Spoofing Attacks

For attacks to be successful, hackers can spoof many things: an IP address, a web page, a phone number, a login form, a GPS location, an email address, a text message, and even a face. Some of these actions rely on human error, while others rely on the use of hardware or software flaws. Of all the scenarios that fit the form of a spoofing attack, the following are the most common these days.

1. ARP Spoofing

This is a reasonably common man-in-the-middle attack technique. The cybercriminal floods the local network with forged Address Resolution Protocol (ARP) packets, thus disrupting the normal traffic routing process. The aim is to map the adversary’s MAC address to the IP address of the target LAN’s default gateway. As a result, all traffic is redirected to the attacker’s computer before reaching its destination. In addition, the attacker can alter the data before forwarding it to the actual recipient or interrupt all network communications. ARP spoofing can also serve as a launching pad for DDoS attacks.

2. MAC Spoofing

In theory, every network adapter inside a connected device has its own unique Media Access Control (MAC) address that cannot be found anywhere else. In practice, however, a clever hacker can change this. Using the shortcomings of some hardware drivers, an attacker can modify or spoof the MAC address and thus masquerade as a device registered on the target network to bypass traditional access-limiting mechanisms. In this way, he can impersonate a trusted user and perpetrate fraud such as business email compromise (BEC), data theft, or placement of malware in a digital environment.

3. IP Spoofing

In this case, the attacker sends Internet Protocol packets with a falsified source address, hiding the real online identity of the packet’s sender and pretending to be another computer. IP spoofing is also often used to launch DDoS attacks. It is difficult for the digital infrastructure to filter such fraudulent packets, given that each one comes from a different address, which allows the scammers to simulate legitimate traffic convincingly. In addition, this method allows bypassing authentication systems that use a device’s IP address as an important identifier.

4. DNS Cache Poisoning (DNS Spoofing)

The Domain Name System (DNS) is a kind of telephone book for the Internet. It turns familiar domain names into IP addresses that browsers understand and use to load web pages. Attackers can distort this mapping technology using the known weaknesses of DNS server caching. As a result, the victim risks navigating to a malicious copy of the intended domain. This is a good basis for phishing attacks that look very plausible.

5. Email Spoofing

Basic email protocols are quite vulnerable and give an attacker several opportunities to alter specific attributes of a message. One common vector is to change the header of an email so that the sender’s address (displayed in the “From” field) appears genuine when in fact it is not. A hacker can take advantage of this mismatch and impersonate a trusted person, such as a senior executive, colleague, or contractor. The BEC scams mentioned above often rely on this trick, combined with social engineering and manipulation, so that the victim authorizes a fraudulent bank transfer without thinking. The purpose of email spoofing is precisely to deceive the user without being exposed.

6. Website Spoofing

A scammer may try to trick a victim into going to an “exact copy” of a website they usually use. Unfortunately, hackers are getting better and better at mimicking the layout, branding, and login forms, and combined with the DNS spoofing technique mentioned above, the trick is tough to spot. Still, website spoofing is not a perfect scheme: for maximum effect, the scammer has to send the victim a phishing email that prompts the recipient to click on the malicious link. Criminals usually use this scheme to steal authentication data or spread malware that then gives them a backdoor into the corporate network. URL spoofing can also lead to identity theft.


7. Caller ID Spoofing

This is a rather old scheme, but it is still sometimes used today. In this scheme, the attacker uses loopholes in the functioning of telecommunications equipment, thereby fabricating data about the caller, which the victim sees on his phone screen. In addition to pranks, the attacker can use such techniques to forge the caller ID by posing as someone the victim knows or as a representative of a company with which the victim cooperates. Sometimes to increase the chances that the victim will answer the call, the information displayed on the smartphone display will include a well-known brand logo and physical address. This type of spoofing attack aims to get the victim to reveal personal information or pay non-existent bills.

8. Text Message Spoofing

Unlike the previous method, this one is not always used for fraudulent purposes. Today, this method is used by companies to interact with their customers. It replaces the traditional phone number with an alphanumeric string (for example, the company name) and sends text messages. Unfortunately, scammers can also use this technology as a weapon. One variation on the text-message spoofing scam involves the scammer substituting the SMS sender’s identifier for a brand name the recipient trusts. This impersonation scheme can be the basis for targeted phishing, identity theft, and the increasing frequency of gift card scams targeting organizations.

9. File Extension Spoofing

Windows systems, by default, hide file extensions to streamline user experience. However, this feature also provides an opportunity for cybercriminals to distribute malware more easily. They often employ double extensions to mask a dangerous executable file as a harmless one. For instance, a file named Resume.docx.exe will misleadingly display as a standard Word document. Thankfully, most security programs actively detect such deceptions and alert users before they open these potentially harmful files.
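An added example, not from the original post, of how “hide extensions for known file types” turns Resume.docx.exe into an apparently harmless document, together with a check that flags such names before they are opened; the extension lists and sample file names are assumptions constructed for the example.

```python
import os

# Extensions Windows runs when double-clicked (assumption: a defender's own
# list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "ps1", "lnk"}
# Extensions users associate with harmless documents and media.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "rtf", "jpg", "jpeg", "png", "gif", "zip", "mp3", "mp4"}


def displayed_name(filename):
    """What Explorer shows when the last extension is hidden."""
    stem, _ext = os.path.splitext(os.path.basename(filename))
    return stem


def disguised_executable(filename):
    """Return the real (last) extension if the name masquerades as a document, else None.

    archive.tar.gz is not flagged (gz is not executable) and setup.exe is not
    flagged either: it is openly an executable, not a disguise.
    """
    parts = os.path.basename(filename).strip().lower().split(".")
    if len(parts) < 3:              # needs at least stem.document.executable
        return None
    real, shown = parts[-1], parts[-2]
    if real in EXECUTABLE_EXTS and shown in DOCUMENT_EXTS:
        return real
    return None


def scan_names(names):
    """Map each suspicious name to (what the user sees, the hidden extension)."""
    report = {}
    for n in names:
        ext = disguised_executable(n)
        if ext:
            report[n] = (displayed_name(n), ext)
    return report


# Constructed sample of names from an email attachment folder.
SAMPLE_NAMES = ["Resume.docx.exe", "INVOICE.PDF.SCR", "archive.tar.gz",
                "setup.exe", "photo.jpg", "report.pdf"]

if __name__ == "__main__":
    for name, (seen, ext) in scan_names(SAMPLE_NAMES).items():
        print(f"{name}: shown as '{seen}', really a .{ext}")
```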

10. GPS Spoofing

Today, users increasingly rely on geolocation services to avoid traffic jams or reach their destination. Unfortunately, cybercriminals can trick a target device’s GPS receiver so that it stops working correctly. Nation states can use GPS spoofing to hinder intelligence gathering and sometimes even to sabotage other countries’ military installations. But businesses can also use it to their advantage. For example, a competitor could interfere with the navigator in the car of a CEO who is rushing to an important meeting with a potential business partner. As a result, the victim makes a wrong turn, gets stuck in traffic, and is late for the meeting, which could jeopardize a future deal.

11. Facial Spoofing

Facial recognition is now the basis of numerous authentication systems and is rapidly expanding. In addition to unlocking gadgets, the face could become a critical authentication factor for future tasks such as signing documents or approving wire transfers. Cybercriminals are bound to look for and exploit weaknesses in the Face ID implementation chain. Unfortunately, it’s pretty easy to do so now. For example, security analysts have demonstrated a way to fool the Windows 10 Hello facial recognition feature with an altered, printed user photo. Fraudsters with enough resources and time can detect and exploit such imperfections.

How to Avoid Spoofing?

Here are the main signs that you are being spoofed. If you encounter any of these, click “Close”, click the “Back” button, and close the browser.

  • There is no padlock symbol or green bar next to the address bar. All legitimate, authoritative websites should have an SSL certificate, meaning a third-party certificate authority (CA) has verified that the web address belongs to the entity. It is worth noting, though, that SSL certificates are now free and easy to obtain, so a padlock on the site does not guarantee that it is the real deal. Just remember, nothing on the Internet is 100 percent safe.
  • The site does not use encryption. HTTP, aka Hypertext Transfer Protocol, is long obsolete. Legitimate websites always use HTTPS, the encrypted version of HTTP, when transmitting data back and forth. If you are on a login page and see “HTTP” instead of “HTTPS” in your browser’s address bar, think carefully before you type anything.
  • Use a password manager. It will automatically fill in your login and password on any legitimate website you have saved in your password vault. If you land on a phishing site, the password manager will not recognize it and will not fill in the username and password fields for you, a clear sign that you are being spoofed.

How to Minimize the Risks of Spoofing Attacks?

The following tips will help you to minimize the risk of becoming a victim of a spoofing attack:

  • Turn on your spam filter. This will protect your mailbox from most fake newsletters.
  • Do not click on links or open email attachments if they come from an unknown sender. If there is a chance that the email is legitimate, contact the sender through another channel to verify that it is legitimate.
  • Log in via a separate tab or window. For example, if you receive an email or message with a link asking you to do something, such as log in to your account or verify your information, do not click the link provided. Instead, open another tab or window and go directly to the site. You can also sign in through the app on your phone or tablet.
  • Call back. If you receive a suspicious email, presumably from someone you know, call or write to the sender to be sure they sent the email. This is especially true if the sender makes an unusual request: “Hi, this is your boss. Can you buy ten iTunes gift cards and email them to me? Thank you.”
  • Show file extensions in Windows. You can change this by clicking the “View” tab in Explorer, then checking the box to show file extensions. This will in no way prevent crooks from spoofing file extensions, but you will be able to see the spoofed extensions and not open those malicious files.
  • Use a good antivirus program. For example, suppose you click on a dangerous link or attachment. In that case, a good antivirus program can warn you about the threat, stop the download, and prevent malware from entering your system or network. The most important rule is to remain vigilant. Always watch where you’re going, what you’re clicking on, and what you’re typing.

DNS Spoofing: Key Facts, Meaning
https://gridinsoft.com/blogs/dns-spoofing/
Mon, 30 May 2022

What is DNS Spoofing?

DNS (Domain Name System) spoofing, or DNS cache poisoning, is a type of cyberattack an attacker uses to direct the victim’s traffic to a malicious website instead of the legitimate IP address. Attackers use DNS cache poisoning to redirect Internet traffic and steal sensitive information.

For example, a hacker wants to trick users into entering personal information on an insecure site. How does he do that? By poisoning the DNS cache. The hacker spoofs or replaces the DNS data for a specific site and redirects the victim to the attacker’s server instead of the legitimate server. In this way, the hacker achieves his goal because he has many opportunities: he can commit a phishing attack, steal data or even inject malware into the victim’s system.


How Does DNS Spoofing Work?

Before talking about DNS cache poisoning, let’s first recall what DNS and DNS caching are. DNS is a worldwide directory of IP addresses and domain names. It maps user-friendly addresses, such as facebook.com, to IP addresses, such as 157.240.22.35, that computers use on the network. DNS caching is a system for storing addresses on DNS servers worldwide. To speed up the processing of your DNS requests, developers created a distributed DNS system. Each server keeps a list of known DNS records called a cache. If the DNS server closest to you does not have the required IP address, it queries higher-level DNS servers until the address of the website you are trying to reach is found. Your DNS server then saves this new record in its cache to respond faster next time.

How does DNS Spoofing work

Unfortunately, DNS has several security flaws that attackers can exploit and insert forged Internet domain address records into the system. Typically, criminals send fake responses to the DNS server. The server then replies to the user who made the request, and at the same time, the legitimate servers will cache the fake record. Once the DNS cache server stores the fake pair, all subsequent requests for the compromised record will get the server’s address controlled by the attacker.

DNS Spoofing Techniques Can Include:

  • Man in the middle (MITM) – The cybercriminal intercepts the traffic and passes it through his own system, collecting information as it goes or redirecting it elsewhere.
  • DNS server compromise – directly hijacking the DNS server and configuring it to return a malicious IP address.

Cybercriminals can easily compromise DNS responses while remaining undetected due to security vulnerabilities in specific web applications and the lack of proper authentication of DNS records. Let’s take a closer look at them:

Lack of Verification and Validation

DNS has a trust-first structure that does not require the source to be validated before a response is accepted and passed on. Because DNS resolvers do not validate data in the cache, an invalid entry remains until it is manually deleted or its TTL expires.

Recursive DNS Resolver Vulnerability

When recursive querying is active, the DNS server receives the request and does all the work of finding the correct address and sending the response to the user. If it does not have a record in its cache, it will query other DNS servers until it gets the address and returns it to the user. Enabling recursive querying presents a security vulnerability that attackers can exploit to poison the DNS cache.

As the server looks for the address, the attacker can intercept the traffic and provide a fake response. The recursive DNS server will send the response to the user and simultaneously store the spoofed IP address in its cache.

No Encryption

Typically, DNS traffic is not encrypted, making it easier for attackers to intercept. In addition, servers do not have to verify the IP addresses to which they route traffic, so they cannot determine whether a response is genuine or spoofed.

How to Prevent DNS Spoofing?

Real-time monitoring of DNS data can help identify unusual patterns, user actions, or behaviors in traffic, such as visiting malicious sites. And while detecting DNS cache poisoning is difficult, there are several security measures companies and service providers can take to prevent it. Some measures to prevent DNS cache poisoning include using DNSSEC, disabling recursive queries, and more.

Limit Trust Relationships

One of the vulnerabilities of DNS transactions is the high trust relationship between different DNS servers. Therefore, servers do not authenticate the records they receive, allowing attackers to send fake responses from their illegitimate servers.

To prevent attackers from exploiting this flaw, security groups should limit the level of trust their DNS servers have with others. Configuring DNS servers to not rely on trust relationships with other DNS servers makes it difficult for hackers to use a DNS server to compromise records on legitimate servers. There are many tools available to check for DNS security threats.

Use the DNSSEC protocol

Because Domain Name System Security Extensions (DNSSEC) uses public-key cryptography to sign DNS records, it adds validation and allows systems to determine whether an address is valid or not. This prevents forgery by verifying and authenticating requests and responses.

In regular operation, the DNSSEC protocol associates a unique cryptographic signature with other DNS information, such as CNAME and A records. The DNS resolver then uses this signature to authenticate the DNS response before sending it to the user.

Signatures ensure that the responses users receive have been validated as coming from a legitimate source server. Although DNSSEC can prevent DNS cache poisoning, it has drawbacks such as complex deployment, data provisioning, and zone enumeration vulnerabilities in earlier versions.

Use the Latest DNS Software and BIND Versions

Beginning with version 9.5.0, BIND (Berkeley Internet Name Domain) includes enhanced security features such as cryptographically secure transaction identifiers and port randomization, which minimize the chance of DNS cache poisoning. It is also important that IT staff keep it up to date, running the latest and safest version. Here are some more useful tips to help prevent DNS cache poisoning.

  • Configure the DNS server to respond only with data related to the requested domain.
  • Make sure that the cache server only stores data related to the requested domain.
  • Force HTTPS for all traffic.
  • Disable DNS recursive queries.
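As an added example that is not the post’s (or BIND’s) code, the toy resolver below applies the checks described in this post and in the DNS Cache Poisoning post above: a reply is cached only if its transaction ID and destination port match an outstanding query, it comes from the server that was asked, its question section matches, and its records lie within the zone that server was asked about. It also computes why randomized transaction IDs plus port randomization (the BIND 9.5.0 features mentioned above) shrink the odds of a blind guess. All names, addresses and zones are constructed, and packets are plain objects rather than DNS wire format.

```python
import random
from dataclasses import dataclass


@dataclass
class Query:
    txid: int        # 16-bit transaction id, randomised per query
    src_port: int    # randomised UDP source port (BIND 9.5+ behaviour)
    qname: str
    qtype: str
    server: str      # address the query was sent to
    zone: str        # zone that server is expected to answer for (bailiwick)


@dataclass
class Response:
    txid: int
    dst_port: int    # must equal the query's source port
    src_ip: str
    qname: str
    qtype: str
    answers: list    # list of (name, rtype, ttl, rdata)


def in_bailiwick(name, zone):
    """True if name lies at or below zone, e.g. www.examplebank.com in examplebank.com."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class CachingResolver:
    def __init__(self, rng=None, max_ttl=86400):
        self.rng = rng or random.SystemRandom()
        self.max_ttl = max_ttl
        self.cache = {}     # (name, rtype) -> (rdata, ttl)
        self.pending = {}   # (txid, src_port) -> Query

    def send_query(self, qname, qtype, server, zone):
        """Record an outstanding query with a fresh random txid and source port."""
        txid = self.rng.randrange(0, 1 << 16)
        src_port = self.rng.randrange(1024, 1 << 16)
        q = Query(txid, src_port, qname.lower(), qtype, server, zone)
        self.pending[(txid, src_port)] = q
        return q

    def receive(self, resp):
        """Validate a reply; cache only what passes and return a short verdict."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:
            return "dropped: no outstanding query with this txid/port"
        if resp.src_ip != q.server:
            return "dropped: reply did not come from the server we asked"
        if (resp.qname.lower(), resp.qtype) != (q.qname, q.qtype):
            return "dropped: question section does not match"
        accepted = 0
        for name, rtype, ttl, rdata in resp.answers:
            if not in_bailiwick(name, q.zone):
                continue    # out-of-bailiwick data is never cached
            self.cache[(name.lower(), rtype)] = (rdata, min(ttl, self.max_ttl))
            accepted += 1
        del self.pending[(resp.txid, resp.dst_port)]
        return f"accepted: cached {accepted} record(s)"

    def lookup(self, name, rtype):
        entry = self.cache.get((name.lower(), rtype))
        return entry[0] if entry else None


def blind_guess_success(attempts, entropy_bits):
    """Probability that `attempts` blind forgeries hit the right txid (and port)."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** attempts


def demo():
    """Constructed exchange: one mismatched reply, then the genuine one."""
    r = CachingResolver(rng=random.Random(7))
    q = r.send_query("www.examplebank.com", "A", "198.51.100.1", "examplebank.com")
    # A reply whose txid does not match any outstanding query is simply dropped.
    stale = Response(q.txid ^ 1, q.src_port, "198.51.100.1",
                     "www.examplebank.com", "A", [])
    verdicts = [r.receive(stale)]
    # Genuine reply: matching txid, port, source and question. The second
    # record is outside examplebank.com and must not enter the cache.
    good = Response(q.txid, q.src_port, "198.51.100.1", "www.examplebank.com", "A",
                    [("www.examplebank.com", "A", 300, "198.51.100.10"),
                     ("www.examplemail.com", "A", 3600, "203.0.113.9")])
    verdicts.append(r.receive(good))
    return verdicts, r.lookup("www.examplebank.com", "A"), r.lookup("www.examplemail.com", "A")


if __name__ == "__main__":
    print(demo())
    print("1 guess, 16-bit txid only:", blind_guess_success(1, 16))
    print("65536 guesses, txid+port (32 bits):", blind_guess_success(65536, 32))
```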

DNS cache poisoning causes domain users to be redirected to malicious addresses. In addition, some attacker-controlled servers can trick unsuspecting users into downloading malware or providing passwords, credit card information, and other confidential information. To prevent this, it is essential to use reliable security methods.
