Watch out for DNS sub-domain hijacking

Takeaway: Patrick Lambert cautions that DNS sub-domain hijacking is on the rise, especially for organizations that don’t have DNS-handling in-house. Here’s how to guard against the damage that could result.

Security has become ever-present on any IT worker’s mind. With the amount of hacking going on out there, we’ve all become accustomed to securing our systems, servers and networks. We spend a lot of time and money on security solutions, and then monitoring is a key part of making sure no one gains unauthorized access. But there are still some areas that can fall through the cracks. One such area is DNS, which is often something that isn’t handled in-house, especially for small and medium organizations. Lately, a new kind of hack has been spreading with alarming frequency, called DNS sub-domain hijacking, and according to a recent report from the Internet Storm Center, an initiative of SANS Institute, this affects many legitimate corporations, organizations, and government sites.

The initiator is simple. Bad guys out there want to sell cheap drugs, run Facebook scams, or otherwise trick users to click on links to malicious web sites. But people are becoming slightly more aware of these scams, and they keep an eye out for what URLs they connect to. So instead, hackers have started getting into DNS control systems of legitimate sites, and creating sub-domains for their own sites. For example, while you may have the legitimate www.example.com, if they can get access to that site’s DNS, they can create cheap-drugs.example.com and payday-loans.example.com, pointing them to their own IPs and tricking users. They even benefit from SEO advantages because of the trusted domain name. So instead of causing damage right away to the organization they hacked, the hackers simply sit on these domain names, sometimes for years, and rake in profits.

According to the report, this happened to many, many sites. Some of the domains affected include apptech.com, cfi.gov.ar, eap.edu, fabius-ny.gov, haskell.edu, and many more. Typically, they are sites small enough to not host their own domain systems internally. They rely on external services, either their Internet providers, their hosting providers, or even some third-party web design company. The result of this is that access can be gained through the web, via a cPanel or other type of interface. That way, they don’t even have to breach an internal network to gain access, and once they are in, chances are they can remain undetected, unless the organization makes it a habit of checking their own entries regularly. The worse thing is if the newly created sites are discovered, then that means the hacked organization is the one who will be blamed initially, and has to deal with the effects of whatever the bad sites were doing.

It’s hard to know how hackers gained access to the 50+ sites that ISC uncovered, and the likely hundreds more that are hacked and haven’t been found yet. It’s almost certainly a combination of factors. Some panels allow users to try an unlimited amount of login attempts, so brute force is fairly easy to do. Others may use an older DNS installation, and be vulnerable to DNS poisoning attacks. There are even reports that some hosting companies allow anyone to add sub-domains for any domain that the site is hosting, regardless of who actually owns it, and as long as the sub-domain doesn’t already exist. Obviously, that would be a big vulnerability and something you can easily test against. Either way, it’s important to remember that your domain name is your company’s identity online, and any time your organization outsources its DNS to someone else, they are trusting their identity to that provider.

Protecting yourself from sub-domain hijacks

The easiest way to secure yourself from these types of attacks, assuming bringing your DNS servers in-house isn’t an option, would be to monitor for a known list of sub-domains. You can usually log into your provider’s panel and check the listing to make sure it’s up to date. A more automated way to do it is from any terminal, using dig to make a zone transfer, where you can get a listing of everything under your domain name:

dig @a.iana-servers.net example.com axfr

Simply replace the NS name and the domain name, and make sure zone transfers are authorized for your machine. Look especially for any entry that leads to IP addresses outside your normal range. Then of course the basic security measures still apply, like using strong passwords, and making sure you use a hosting service that’s trustworthy. Unfortunately there’s no sure-fire way to be completely safe from this type of hack, and it’s likely to become more prevalent in the future. Since many of these infrastructures are handled remotely, by hosting companies, it’s something that can easily be forgotten, and you then end up with a bunch of unauthorized sub-domains laying dormant for a long time.