Besieged Banks: DNS Dangers and the Financial Industry
Part of IID's DNS Dojo Series
In my previous DNS Dojo post, I explained how serious problems can arise when employees use an insecure domain name system resolver while surfing the Web. Beginning with this post, we’ll look at how various business sectors are impacted by DNS dangers, starting with the financial industry.
When Hackers Turn Into Safecrackers
When it comes to DNS security, the stakes are always high. But it’s hard to imagine a commercial institution with more to lose from cybercrime than a bank. Money is the lifeblood of businesses and consumers. When that money is illegally “transfused” into a cybercriminal’s bank account via a DNS hijacking, the victimized customer whose account was just emptied may very well terminate his relationship with the bank, even if the funds are replaced.
Moreover, if hackers were ever able to break into and freeze the shared infrastructure by which clearing banks process checks, it could potentially wreak havoc on the global financial markets.
While phishing attacks might be a more common way to lure online bank customers to malicious websites where funds and identities are stolen or computers are infected with malware, a DNS hijacking is also a viable scheme.
Such attacks are generally trickier to pull off, because the hacker must first gain control of the bank’s DNS records, whether through the registrar account, the authoritative name servers, or a poisoned cache at the resolver customers happen to use. But they are also harder to detect, because online customers are entering the correct URL and domain name while the hacker reroutes them to a malicious IP address. If the fake site looks real enough to the casual observer, there is little reason for users to be suspicious as they enter their account passwords and other sensitive information. A properly configured HTTPS login page gives the attacker one more hurdle, since the impostor’s server will not hold the bank’s certificate, but users who click through browser warnings or land on a plain-HTTP copy of the page get no such protection.
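The hijack described above is visible from the outside as a simple discrepancy: the right name resolving to the wrong address. The following monitor, an added example and not IID’s code, compares the A records several resolvers return for a bank’s hostnames against the address blocks the bank actually serves from, and distinguishes a single poisoned resolver from a change to the zone itself. The hostnames, address blocks and resolver answers are all constructed so the example runs offline; a real deployment would fill OBSERVED from live lookups against each resolver.

```python
"""Added example (not IID's code): flag DNS answers for a bank's hostnames
that fall outside the address blocks the bank publishes, which is what a DNS
hijack looks like from a customer's point of view.

Every hostname, address and resolver name below is constructed for
illustration; the .test TLD and RFC 5737 documentation ranges are used so
nothing here points at a real site.
"""
from ipaddress import ip_address, ip_network

# Constructed allowlist: the address blocks the (hypothetical) bank serves
# its online-banking hosts from.  In practice this comes from the bank's own
# network inventory, not from DNS.
EXPECTED = {
    "online.examplebank.test": ["198.51.100.0/24"],
    "www.examplebank.test": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Constructed answers "observed" from several resolvers.  A live monitor
# would obtain these by querying each resolver (e.g. with dnspython or
# socket.getaddrinfo); they are hard-coded here so the example runs offline.
OBSERVED = {
    "resolver-a": {"online.examplebank.test": ["198.51.100.10"],
                   "www.examplebank.test": ["198.51.100.20"]},
    "resolver-b": {"online.examplebank.test": ["198.51.100.10"],
                   "www.examplebank.test": ["203.0.113.7"]},
    # resolver-c hands out an address outside the bank's blocks for the
    # login host: either its cache was poisoned or the zone was changed.
    "resolver-c": {"online.examplebank.test": ["192.0.2.66"],
                   "www.examplebank.test": ["198.51.100.20"]},
}


def unexpected_answers(expected, observed):
    """Return (resolver, hostname, ip) for every answer outside the allowlist."""
    nets = {host: [ip_network(b) for b in blocks] for host, blocks in expected.items()}
    findings = []
    for resolver, answers in observed.items():
        for host, ips in answers.items():
            if host not in nets:
                continue  # not a host we monitor
            for ip in ips:
                addr = ip_address(ip)
                if not any(addr in net for net in nets[host]):
                    findings.append((resolver, host, ip))
    return findings


def classify(expected, observed):
    """Per host: 'ok', 'some resolvers wrong' (poisoned cache or split view
    at those resolvers) or 'all resolvers wrong' (the authoritative zone or
    the registrar delegation itself has most likely been changed)."""
    findings = unexpected_answers(expected, observed)
    verdicts = {}
    for host in expected:
        bad = {r for r, h, _ in findings if h == host}
        if not bad:
            verdicts[host] = "ok"
        elif len(bad) == len(observed):
            verdicts[host] = "all resolvers wrong: check authoritative zone and registrar"
        else:
            verdicts[host] = "some resolvers wrong: " + ", ".join(sorted(bad))
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify(EXPECTED, OBSERVED).items():
        print(f"{host}: {verdict}")
```

Run against resolvers customers actually use (the big public resolvers plus major ISPs in the bank’s markets), not only the bank’s own, since a poisoned cache at one ISP is invisible from everywhere else. The allowlist must come from the bank’s network inventory rather than from a DNS lookup at setup time, or a hijack that happened before the monitor was installed becomes the baseline.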
Sometimes, however, cybercriminals aren’t trying to pilfer a bank’s money. Sometimes they’re trying to damage its reputation and credibility, along with customers’ sense of security. Other times they might be trying to spread chaos for the sheer thrill, or perhaps to make a political statement.
For instance, so-called “hacktivists” might perpetrate a DNS hijacking in order to lead customers to a defacement page that spews negative messages and invectives toward the targeted bank. As anti-corporation, anti-Wall Street sentiments grow more vocal within the U.S., and anti-capitalist views fester in certain foreign hotspots, there is no shortage of people out there with an axe to grind against financial institutions.
A Heavy Dose of DDoS
Outside of hijackings, there’s another way a bank’s DNS infrastructure can be attacked: distributed denial-of-service (DDoS) attacks. Such attacks flourished in September and October 2012, when the U.S. banking industry was besieged by a series of politically inspired DDoS attacks originating from the Middle East, followed by a second wave of attacks in December.
To perpetrate a DDoS attack targeting DNS infrastructure, a hacker directs a network of compromised computers called a botnet. These compromised computers, known as bots, flood the targeted company’s domain name servers with a continuous stream of queries, exhausting the servers’ capacity so that legitimate lookups go unanswered and real customers cannot reach the company’s website at all. If bank customers want to go online to authorize an account transfer or check transaction records, they will be unable to do so, even though the web servers themselves may be perfectly healthy.
What made the 2012 DDoS bank attacks even more noteworthy is how they were accomplished: Instead of harnessing the power of many individual computers, typically personal machines on a home connection (as is the standard modus operandi), the hackers managed to take over legitimate hosting accounts on hundreds of web servers, leveraging their increased bandwidth to tie up banks’ web-based operations.
Both methodologies come with pros and cons: the thousands of individual computers that comprise a traditional botnet are virtually impossible to track and shut down, especially when they sit behind residential connections whose IP addresses change repeatedly, but it would take an army of them to overwhelm a large company’s infrastructure. Hacked web servers, on the other hand, can do a lot of damage on their own, without botnet reinforcements, though their fixed, well-connected addresses make them easier to identify and potentially block.
Security Solutions Lending a Hand to Banks
Detecting and responding to conventional DNS hijackings can be done through security solutions like Internet Identity’s ActiveTrust DNS, which detects, diagnoses and mitigates such incursions on a round-the-clock basis.
A DDoS attack, on the other hand, requires a different approach from banks. One countermeasure is to bolster the IT infrastructure with more robust and redundant name servers in order to absorb a larger volume of queries, riding out the attack until it subsides. Another is investing in filtering and mitigation solutions designed to separate bogus queries from real ones while lessening the damage of the attack. Unfortunately, there is no silver-bullet solution.
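The query flood described in the DDoS section, and the filtering approach mentioned just above, both start from the same question: which sources are sending far more queries than any customer could? The following script, an added example and not IID’s or any vendor’s code, parses BIND-9-style query log lines and reports every client whose query rate exceeds a threshold inside a sliding one-second window, which is the list a filtering or rate-limiting rule would be built from. The log lines are generated inline and constructed for illustration (a few legitimate clients and one flooding source), so the example runs offline; the log format and threshold are assumptions to adjust for your own servers.

```python
"""Added example (not IID's code): find query-flood sources in DNS query
logs.  Assumes BIND 9 style query log lines, in chronological order, such as

    18-Sep-2012 10:00:00.002 client 203.0.113.200#40001: query: online.examplebank.test IN A + (198.51.100.53)

The sample log below is constructed; addresses use RFC 5737 ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")


def parse(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S") + timedelta(milliseconds=int(m["ms"]))
    return ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]


def flood_sources(lines, window=timedelta(seconds=1), threshold=100):
    """Return {client_ip: peak queries per window} for every client that sent
    more than `threshold` queries inside any sliding window of length `window`.
    Lines are assumed to arrive in time order, as they do in a log file."""
    recent = defaultdict(deque)   # per client: timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _, _ = rec
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed log: five customers querying every two seconds for a minute,
    plus one source sending 500 queries per second for three seconds."""
    base = datetime(2012, 9, 18, 10, 0, 0)
    events = []

    def query(ip, t, name):
        line = (f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} "
                f"client {ip}#{40000 + len(events) % 20000}: "
                f"query: {name} IN A + (198.51.100.53)")
        events.append((t, line))

    for c in range(5):
        for i in range(30):
            query(f"192.0.2.{11 + c}", base + timedelta(seconds=2 * i, milliseconds=300 * c),
                  "online.examplebank.test")
    for i in range(1500):
        query("203.0.113.200", base + timedelta(milliseconds=2 * i), "www.examplebank.test")

    events.sort()
    return [line for _, line in events]


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(make_sample_log()).items()):
        print(f"{ip}: peak {peak} queries/second")
```

Per-source counting is only as good as the source address: the 2012 attacks came from compromised web servers that sent queries over real TCP and UDP sockets, so their addresses were genuine and blockable, but a flood of UDP queries with forged source addresses will point the finger at whoever the attacker chose to impersonate. Use the output as candidates for rate limiting rather than as a block list to apply blindly, and watch for legitimate heavy hitters such as large ISP resolvers, which can exceed a naive threshold on an ordinary day.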
If DNS threats against banks sound like the stuff of nightmares, just think about the ramifications of cybercriminals targeting the government sector, affecting websites of key agencies designed to protect the public. We’ll discuss that very scenario in further detail in our next blog post.