Demystifying Content-driven and Technical DNS Abuse – Ahmad Umair Suhaidi

Introduction

The Domain Name System (DNS) is the backbone of the Internet, translating human-friendly domain names into Internet Protocol (IP) addresses. However, as with all critical infrastructure, it is constantly exposed to exploitation and abuse that undermine the safety of its users and the trust placed in it. In this article, we will dissect two distinct forms of DNS abuse: content-driven and technical.

Content-driven Abuse

Content-driven abuse, otherwise known as abuse by means of the DNS itself, involves using domain names to host or point to harmful or illegal content. Cybercriminals exploit this avenue for various purposes, such as distributing malware, hosting phishing sites, or disseminating hate speech. They often register seemingly innocuous domain names to conceal their true intent. These domains then serve as conduits for malicious activities, which endanger users and compromise the Internet’s integrity. Consider a seemingly harmless domain like “newsupdates[dot]com” which, behind the scenes, hosts fake news articles, spreading misinformation and influencing public opinion.

To combat content-driven abuse, adequate monitoring and threat intelligence are crucial. Collaboration between non-governmental organizations (NGOs), domain registrars, cybersecurity experts, and law enforcement agencies is essential for swift takedowns of content-driven abuse of the DNS. An ecosystem in which NGOs proactively run awareness campaigns for end-users, law enforcement agencies systematically provide platforms for reporting, and domain registrars make pragmatic efforts to take down manipulative and harmful domain names should be built to ensure a safer Internet for all.

Technical Abuse

Technical abuse (known as abuse of the DNS infrastructure) targets the DNS infrastructure itself. It typically happens when attackers manipulate DNS records, hijack domains, or launch distributed denial-of-service (DDoS) attacks against authoritative servers. More sophisticated forms include DNS cache poisoning, where attackers inject false data into resolver caches so that users are redirected to malicious sites.

Another well-known form of technical abuse is domain hijacking, which occurs when unauthorized parties gain control over legitimate domains. Imagine a cybercriminal altering the DNS records of a popular e-commerce site: legitimate users unknowingly visit a fraudulent version of the site, which exposes them to a high risk of data theft or financial loss. The technical community should deploy DNS Security Extensions (DNSSEC), audit DNS configurations regularly, and monitor for unusual activity to strengthen DNS security and prevent further abuse. Such collaboration among DNS operators, registrars, and security professionals not only strengthens defences but also improves consumer protection and the productivity of business operations.

Real Cases of DNS Abuse across Asia

Content-driven Abuse

In 2021, financial scams proliferated through deceptive domain names in Malaysia. The nation’s biggest bank, Maybank, issued a warning to its users about a fake Maybank2u website being used by scammers for phishing attacks. Maybank2u[dot]com is not the same as maybаnk2u[dot]com: the “a” in the latter is a Cyrillic letter, not a Latin one. This type of content-driven attack is widely known as an Internationalized Domain Name (IDN) homograph attack, and it has led to countless victims falling prey to fraudulent Maybank sites and losing money and personal information.
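As an added, defender-side illustration (not code from the article), the following Python checks a domain for the lookalike pattern described above: it flags labels that mix scripts, collapses a small set of Cyrillic confusables onto their Latin look-alikes to test whether a label masquerades as a protected brand label, and shows the Punycode form that resolvers actually see. The sample domains, the confusables table and the protected label set are constructed for this example.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (small, constructed subset of the
# Unicode confusables data; U+0430 is the "а" from the Maybank2u lookalike).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
}

def script_of(ch):
    """Coarse script name derived from the character's Unicode name."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"

def skeleton(label):
    """Collapse confusable characters so a lookalike compares equal to its target."""
    label = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in label)

def check_domain(domain, protected_labels):
    """Report mixed-script labels and lookalikes of protected brand labels."""
    domain = domain.lower().rstrip(".")
    findings = {
        "domain": domain,
        "ascii": domain.encode("idna").decode("ascii"),  # the form a resolver sees
        "mixed_script": False,
        "lookalike_of": None,
    }
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:          # e.g. Latin letters mixed with one Cyrillic "а"
            findings["mixed_script"] = True
        skel = skeleton(label)
        if skel != label and skel in protected_labels:
            findings["lookalike_of"] = skel
    findings["suspicious"] = findings["mixed_script"] or findings["lookalike_of"] is not None
    return findings

if __name__ == "__main__":
    # Constructed samples: the genuine label and the Cyrillic-"a" lookalike.
    for d in ("maybank2u.com", "mayb\u0430nk2u.com"):
        print(check_domain(d, {"maybank2u"}))
```

The same check applies to any brand list: feed it the labels you protect and run it over newly registered or newly observed domains from passive DNS or certificate transparency feeds.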

Technical Abuse

One of the most widely known cases of technical abuse of the DNS for phishing in Asia occurred when a Japanese hosting service provider was targeted by an attacker who manipulated DNS information to create a fraudulent subdomain for phishing. The subdomain was designed to deceive unsuspecting users into believing they were interacting with a legitimate service. To achieve this, the attacker added a malicious TXT record to the DNS configuration. TXT records are typically used for purposes such as domain verification and SPF (Sender Policy Framework) settings; in this case, however, the attacker leveraged the flexibility of TXT records to avoid detection while setting up the phishing subdomain.

It took over a week for the hosting service provider to detect the phishing activity, clean its DNS information, and notify the Internet Service Provider (ISP) providing the service.
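As an added example (not the hosting provider's tooling, and not code from the article), the following Python compares an approved baseline snapshot of a zone with the records it currently serves and rates the two changes that case turned on as high severity: a name the baseline never had, and a TXT record added to it. The zone name, records and addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed zone snapshots for a hypothetical hosting customer, example.com.
# BASELINE is what the operator approved; CURRENT is what the zone serves now.
BASELINE = [
    ("example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]
CURRENT = BASELINE + [
    ("login.example.com.", "A", "203.0.113.7"),      # constructed: unapproved host
    ("login.example.com.", "TXT", "verify=abc123"),  # constructed: unapproved TXT
]

def index_records(records):
    """Group record values by (owner name, type), normalising case and trailing dot."""
    idx = defaultdict(set)
    for name, rtype, value in records:
        idx[(name.lower().rstrip(".") + ".", rtype.upper())].add(value)
    return idx

def diff_zone(baseline, current):
    """Return (severity, change, name, type, value) tuples for every difference.

    A record on a name the baseline never had, or any new TXT record, is rated
    high: that is exactly how the phishing subdomain in the case above appeared.
    """
    base, cur = index_records(baseline), index_records(current)
    known_names = {name for name, _ in base}
    findings = []
    for key in sorted(set(base) | set(cur)):
        name, rtype = key
        for value in sorted(cur.get(key, set()) - base.get(key, set())):
            severity = "high" if name not in known_names or rtype == "TXT" else "medium"
            findings.append((severity, "added", name, rtype, value))
        for value in sorted(base.get(key, set()) - cur.get(key, set())):
            findings.append(("medium", "removed", name, rtype, value))
    return findings

if __name__ == "__main__":
    for finding in diff_zone(BASELINE, CURRENT):
        print(*finding)
```

Run on a schedule against a zone transfer or the provider's API export, a check like this would have surfaced the fraudulent subdomain within one polling interval rather than after a week.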

Conclusion

DNS abuse poses a significant threat to the digital ecosystem. Vigilance, collaboration, and technological advancements are essential to safeguard domain names and maintain a secure online environment. The choice is ours. Let us act with purpose, for every DNS query echoes a plea: “Protect me. Safeguard my purpose. Preserve the trust vested in my name.” Together, we can forge a secure online environment—one where domain names thrive, and the digital ecosystem flourishes.

Written by Ahmad Umair Suhaidi
