An attack where criminals redirect users to undesired/malicious websites, usually by compromising devices or servers and changing settings.
The Domain Name System (DNS) is essentially an internet phonebook, which allows domains (groups of devices) to locate and talk to each other so they can access resources such as web pages. Locating domains correctly is quite a convoluted process involving a lot of entities.
In a stripped-down scenario, when you type in a domain name/URL (e.g. 'www.google.com' for the website hosted by Google), your browser will ask your internet service provider where that domain is located. Your service provider doesn't have this information, so it asks other organisations that are responsible for domain records, such as registrars/registries. These organisations will eventually locate the desired domain, and that domain will verify that it is in fact the correct one (i.e. "Yes, that website is hosted here and belongs to us, here it is!").
[Note: In this process, domain names are translated to numeric labels called 'IP addresses' - because computers prefer working with numbers!]
If there's a compromise anywhere in this chain then that can be a real problem. Modified DNS settings can redirect a visitor to a malicious website belonging to an attacker. The visitor likely won't be aware that this has happened: they type the same URL in as usual, and it just gets redirected in the background. The fake website could be designed to steal sensitive information or get someone to download malware.
There are a few different DNS hijacking methods to be aware of. These are discussed below, along with advice on how to protect yourself against these methods.
Criminals will seek to install malware on your device that modifies the DNS settings on your computer/router. This will silently point you to rogue websites. To counter this, make sure that you:
- Install security patches and updates as they're released.
- Install and frequently update antivirus and anti-malware software.
- Avoid clicking on suspicious links in unsolicited emails/texts/social media messages.
- Don't download dodgy/untrusted applications.
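One way to spot this kind of tampering on a Linux or macOS host is to compare the resolvers the system is actually configured to use against the ones you expect. This is an added example, not code from the original article; the expected-resolver list and the sample configuration are constructed (documentation addresses), and in practice you would substitute the resolvers your ISP or IT team set up.

```python
"""Flag unexpected resolvers in a resolv.conf-style configuration (added example)."""
import ipaddress
from pathlib import Path

# Constructed allow-list (RFC 5737/3849 documentation addresses): replace with
# the resolvers your ISP or IT team actually configured.
EXPECTED_RESOLVERS = {"192.0.2.1", "2001:db8::53"}

# Constructed sample config: a second, unexpected nameserver has appeared.
SAMPLE_RESOLV_CONF = """\
# Generated by the operating system
search example.test
nameserver 192.0.2.1
nameserver 198.51.100.77
options timeout:2
"""

def parse_nameservers(text: str) -> list[str]:
    """Return the 'nameserver' addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))  # normalise
            except ValueError:
                servers.append(parts[1])  # keep malformed entries so they are flagged
    return servers

def unexpected_resolvers(text: str, expected: set[str]) -> list[str]:
    """Nameservers present in the config but absent from the expected set."""
    expected_norm = {str(ipaddress.ip_address(a)) for a in expected}
    return [s for s in parse_nameservers(text) if s not in expected_norm]

def check_config(text: str, expected: set[str]) -> dict:
    """Summarise the check: status is 'ok', 'unexpected' or 'empty' (no resolver at all)."""
    found = parse_nameservers(text)
    if not found:
        return {"status": "empty", "found": [], "unexpected": []}
    bad = unexpected_resolvers(text, expected)
    return {"status": "unexpected" if bad else "ok", "found": found, "unexpected": bad}

if __name__ == "__main__":
    # Read the live file when present (Linux/macOS); fall back to the sample otherwise.
    path = Path("/etc/resolv.conf")
    text = path.read_text() if path.exists() else SAMPLE_RESOLV_CONF
    print(check_config(text, EXPECTED_RESOLVERS))
```

Run it periodically (or from a scheduled task) and treat any "unexpected" or "empty" result as a prompt to inspect the device and router settings.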
Criminals will hack into your router and change the DNS settings:
One way you can protect your router from being compromised is to make sure you change the default admin username and password for the device. Default factory logins are readily available online, so this is an easy way in for hackers if the login info is left unchanged.
As discussed in the Threat section, your internet service provider or external agency may have become compromised. If this has happened, unfortunately there isn't a whole lot you can do. However, bear in mind the following points:
- Be very cautious and suspicious when a site that you visit regularly is behaving strangely (e.g. new pop-ups and unusual calls to action).
- Review your Business Continuity and Incident Response plans, and think about how incidents such as these are factored into your plans.
It's also possible that a criminal will connect to public Wi-Fi networks and masquerade as a legitimate hotspot so that they can eavesdrop on your web traffic. To defend against this, avoid using public Wi-Fi to conduct any sensitive business which requires login information. As a rule, if the Wi-Fi doesn't have a landing page discussing terms of service or similar, be suspicious.
Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at https://www.actionfraud.police.uk/ or call 0300 123 2040).