DNS hijacking: the art of directing users into fake sites

Edward G. | July 24, 2020

DNS hijacking alters the authentic destinations of DNS requests to lead users into rogue websites. Strikingly similar to their original counterparts, fake versions are minefields. Some corrupted domains feature extensive amounts of ads. Others copy websites to the last design detail, hoping that people attempt to log in to their accounts. So, DNS hijacking can be highly difficult to recognize. You need to know the common red flags in case hackers reroute DNS requests and manipulate your final destination.

Recap on DNS and its flaws

DNS (Domain Name System) is a mechanism that translates human-friendly URLs into computer-readable code. Hence, DNS became an immeasurable library, facilitating systematic conversions between different formats. When you type an address in the tab, it automatically renders to the IP address associated with the site.

While seemingly simple on the surface, DNS is highly decentralized. What does this mean? Well, the DNS resolution works with multiple name servers, managing extensive databases. So, your request might bounce from one DNS server to another until the mechanism finds the necessary IP address. Since the DNS requests do not travel in a straight line, DNS hijacking becomes possible. When DNS requests move from one server to another, hackers can guide them to the wrong destination by pursuing a man-in-the-middle strategy (MitM).

How does DNS hijacking operate?

DNS hijacking is the spiteful practice of rerouting DNS queries incorrectly. While your ISP (Internet Service Provider) flips through servers, an adversary intercepts this search and misdirects it. Instead of sending authentic responses, crooks associate requests with false IP addresses. As a result, users reach fake versions of the official websites they wanted to visit. However, the consequences of DNS hijacking vary. Some attacks are downright aggravating, implemented by tricksters with no intentions to cause harm.

Nevertheless, DNS hijacking can manipulate and reroute requests to malicious websites. Deceptive destinations can pose as legitimate websites by scrupulously copying interface elements. With the site reproduced, it becomes a copy-cat, aiming to steal users’ credentials or transmit malware. Sadly, DNS hijacking professionals render the dummy domains as convincing duplicates of the legitimate versions. Hence, users might not be able to tell them apart.

The step-by-step workflow of DNS hijacking

  • Crooks craft a fake version of a legitimate website.
  • To poison a DNS server, the abuser needs to obtain login credentials and access the Admin panel of the DNS provider. Hence, before the DNS hijacking, hackers will target the website with other cyberattacks.
  • The attackers alter DNS records for the targeted website after retrieving the necessary login details. As a result, they make DNS reroute requests to the dummy site.
  • Hackers can add more convincing details, such as counterfeit TLS encryption certificates. This action might prevent browsers from labelling sites as potentially dangerous.
  • Finally, all traffic to the targeted website travels to the imposter site, belonging to crooks.
  • The narrative from this point can differ. Sites can feature malicious links or ads. People can attempt to log in to the fake website. Immediately after that, hackers will harvest provided credentials.

Previous DNS hijacking incidents

Experts have reported an alarming wave of DNS hijacking attacks. According to the ongoing investigations and incidents in the past, there are four types of attempts:

  • Against carefully selected websites. A group by the name Sea Turtle launched a global campaign of consecutive DNS hijacking attempts. The target list captivated the media with its high-level victims, ranging from foreign ministries to intelligence agencies. However, not all DNS hijacking focuses on government entities.
  • Attacks against regular users. Another stream of DNS hijacking attacks can target consumer-grade routers. Imitating official domains of Netflix, Gmail, PayPal, and Uber, hackers fake DNS responses and aim at users’ credentials.
  • Pranks on well-known websites. In 2017, hackers, calling themselves OurMine, poisoned DNS records and rerouted requests to Wikileaks. Instead of creating a dummy of Wikileaks, crooks misguided users to a message, mocking owners of the site.
  • Malware that changes DNS configurations. Your device might be a victim of a malicious program that overwrites DNS settings. As a result, you might unknowingly visit imposter sites and see malware-ridden ads.

How can you stop DNS hijacking?

DNS hijacking targets the backbone of the internet. While attacks in the past were more opportunistic, the experts see a spike in the targeted raids. So, here are the recommendations to battle this threat:

  • Install strong antivirus tools. DNS hijacking can occur due to a malicious application, residing in your device. So, make sure to run regular scans to detect potential threats.
  • Avoid ads. Malvertising is no joke. Vicious actors tempt consumers with flashy offers of discounts, one-time deals, or click-bait headlines. By clicking on the ad, you can allow hackers to track you, install malware, or extort personal data.
  • Be wary of suspicious websites. The golden rule is to avoid rogue websites. However, DNS hijacking forces you to be vigilant when visiting legitimate sites. So, if you notice irregularities on a page you visit regularly, be careful.
  • Get a VPN tool. While changes to IP addresses are the central features, VPNs also reroute DNS traffic. Even if crooks poison DNS servers, the robust VPN protection will keep you immune and prevent hackers from monitoring your activities.
Edward G.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.



© 2023 Atlas VPN. All rights reserved.