September 23rd, 2020

Find Out if Your Domain Has Been Hijacked – in Near Real Time

On the list of Worst Case Nightmare Scenarios/Cybercrime Category, a domain or DNS hijack has to be near the top.

It happens in an instant, out of the clear blue.

It can go unnoticed for hours or even weeks, depending on the scope and sophistication of the attack.

And it can bring catastrophic consequences to your online presence, your brand and your reputation – not to mention the customers and users who are unknowingly directed to a malicious website thinking it’s yours, or through a man-in-the-middle server skimming their credentials.

In a domain hijack, cyber criminals take control of your domain, targeting your registrar with social engineering or using credentials obtained through a spear phishing or malware attack. Or they use the same techniques to gain access to your domain nameserver and manipulate its DNS to reroute queries to a different IP range that they control.

Domain hijacking was the attack vector for some of the most serious and sophisticated cyberattacks of recent years, including Sea Turtle and the earlier DNSpionage campaign linked to Iran. Both were multi-year spying efforts that primarily targeted national security organizations.

These attacks captured headlines and attention. But the larger and more serious story is the day-in and day-out hijacking of ordinary commercial domains, and the havoc it creates. One international nonprofit that tracks cyber threats estimates as many as 100 domains are hijacked every day.

If that’s not enough to keep you awake at night, consider these facts:

  • A hijack can happen to anyone, including sophisticated, well-run, security-conscious organizations. The DNSpionage campaign successfully hit a global provider of DNS services and a non-profit that manages the DNS infrastructure for more than 500 top-level domains. Sea Turtle compromised at least one national top-level domain – and through it, all its second-level domains. If these kinds of organizations are at risk, everyone is.
  • A registry lock may not save you. Late last year cyber crooks targeted a fraud prevention company’s domain with a well-executed social engineering campaign targeting its registrar. They claimed to be the domain’s new owner, and successfully transferred it to an account they controlled – despite the fact that the domain’s real owner had a registrar lock in place. A few days later the hijacked domain was moved to a new registrar.
  • The consequences can be very serious. For starters, you can lose control of your domain – a truly catastrophic outcome. Hackers can also damage your brand by hosting malware or launching spam or phishing campaigns that evade spam filters and other reputational protections thanks to your (formerly) good name.

    Users and customers can suffer as well. Customers of one bank with a hijacked domain reached what looked like the bank’s website, which captured their credentials before displaying a message that online banking was temporarily unavailable. The crooks then accessed each customer’s accounts and cleaned them out.
  • A hijack is hard to detect – and the longer it goes, the harder it is to recover. You may notice a fall-off in your site traffic. But if the hijack affects just part of your domain, or traffic in one country or region, it might be hours or even days before the change is noticed. Worse, there may be no obvious change. A hijacker seeking to harvest user credentials from an organization, for example, might only divert email traffic for an hour or so – leaving users thinking it was just the mail server.

Worst case: If you lose your domain altogether, it can take months to recover it. Most domains can’t be moved for at least 60 days once they’ve been transferred to a new registrar.

That is catastrophic – and why it’s so important to catch a domain hijacking as soon as possible after it is initiated.

Fortunately, you can learn immediately if your nameserver or infrastructure has been changed. If you didn’t initiate the changes, a hijack may be in progress.

The data you need is provided in two Domain Update feeds from Neustar UltraThreat Feeds, an indispensable range of targeted feeds that provide actionable data to counter threats ranging from malicious DGAs to DNS tunneling to phishing activity.

The Domain Update feeds capture the two different kinds of domain change that could indicate a hijacking:

  1. Domain Updates/Nameserver lists updates in the nameserver record for a domain
  2. Domain Updates/Hosting IP Address notifies you of updates to the IP addresses where domains are hosted, when the changes are greater than /24 (256 IP addresses).

Critically, both feeds are delivered in near real time so you’ll know immediately if unauthorized changes have been made to your domain. That allows your team to take immediate action to investigate and remediate the issue – and prevent a cascade of serious consequences.

The data is provided in a JSON file that can be delivered directly to your environment or platform – for example, into a database where it can be filtered for the domains that concern you. The feeds can also be delivered into an Azure or Amazon Web Services S3 bucket.

The reliable source: DNS data itself. The vast amount of DNS data coursing through the Internet has long been recognized as a potentially invaluable source for threat insights, if only it could be processed in a timely fashion. The recent revolution in data analysis has finally unlocked that potential, enabling security teams to gain timely, actionable and important threat insights.

As a leading worldwide provider of DNS services for more than 20 years, we operate a globally distributed network of authoritative and recursive DNS service sites that processes well over 100 billion lookups every day.

For the Domain Update feeds, we use machine learning powered by artificial intelligence to process and analyze in near real time the enormous volume of DNS exhaust from our network and zero in on changes in the nameserver record or the hosting infrastructure for a domain. This needle-in-a-haystack data is distributed immediately to enable your security team to respond quickly to a potential hijack attack.

It is indispensable threat data that is simply not available any other way.

The Domain Update feeds are just two of the valuable threat feeds Neustar offers IT security teams to help them protect their brand, defend their domain and mitigate fraud. If you’d like to learn more about how you can incorporate these timely, DNS-derived insights into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.

Let's Connect

Learn How Your Company Can Benefit from the Power of Trusted Connections.

Contact Us   Give us a call 1-855-898-0036