The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: DNS hijacking

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

January 23, 2019Swati Khandelwal
The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking , which security researchers with "moderate confidence" believe originated from Iran. Domain Name System (DNS) is a key function of the Internet that works as an Internet's directory where your device looks up for the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com). What is DNS Hijacking Attack? DNS hijacking involves changing DNS settings of a domain, redirecting victims to an entirely different attacker-controlled server with a fake version of the websites they are trying to visit, often with an objective to steal users' data. "The attacker alter
GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

October 01, 2018Swati Khandelwal
Chinese cybersecurity researchers have uncovered a widespread, ongoing malware campaign that has already hijacked over 100,000 home routers and modified their DNS settings to hack users with malicious web pages—especially if they visit banking sites—and steal their login credentials. Dubbed GhostDNS , the campaign has many similarities with the infamous DNSChanger malware that works by changing DNS server settings on an infected device, allowing attackers to route the users' internet traffic through malicious servers and steal sensitive data. According to a new report from cybersecurity firm Qihoo 360's NetLab, just like the regular DNSChanger campaign, GhostDNS scans for the IP addresses for routers that use weak or no password at all, accesses the routers' settings, and then changes the router's default DNS address to the one controlled by the attackers. GhostDNS System: List of Modules and Sub-Modules The GhostDNS system mainly includes four modules:
Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

April 16, 2018Swati Khandelwal
Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication. In order to trick victims into installing the Android malware, dubbed Roaming Mantis , hackers have been hijacking DNS settings on vulnerable and poorly secured routers . DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more. Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher —both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers. Discovered by security researchers at Kaspersk
New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

February 09, 2018Swati Khandelwal
Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems. Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS . Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind. Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn —a legitimate remote desktop control service used to manage computers and other systems remo
Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

January 12, 2018Mohit Kumar
A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers—reportedly first macOS malware of 2018. Dubbed OSX/MaMi , an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012. DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information. First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend's computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses. After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a ' DNS Hijacker, ' which also invokes security tools to install a new root certificate in an attempt to intercept encrypte
New Android Malware Hijacks Router DNS from Smartphone

New Android Malware Hijacks Router DNS from Smartphone

December 28, 2016Mohit Kumar
Another day, another creepy malware for Android users! Security Researchers have uncovered a new Android malware targeting your devices, but this time instead of attacking the device directly, the malware takes control over the WiFi router to which your device is connected to and then hijacks the web traffic passing through it. Dubbed " Switcher ," the new Android malware, discovered by researchers at Kaspersky Lab, hacks the wireless routers and changes their DNS settings to redirect traffic to malicious websites. Over a week ago, Proofpoint researchers discovered similar attack targeting PCs, but instead of infecting the target's machines, the Stegano exploit kit takes control over the local WiFi routers the infected device is connected to. Switcher Malware carries out Brute-Force attack against Routers Hackers are currently distributing the Switcher trojan by disguising itself as an Android app for the Chinese search engine Baidu (com.baidu.com), and as
Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)

February 17, 2016Swati Khandelwal
A highly critical vulnerability has been uncovered in the GNU C Library (glibc) , a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them. Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and many more. The vulnerability is similar to the last year's  GHOST vulnerability (CVE-2015-0235) that left countless machines vulnerable to remote code execution (RCE) attacks , representing a major Internet threat. GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware. The recent flaw, which is indexed as CVE-2015-7547 , is a stack-based buffer overflow vulnerability in glibc's D
Have a D-Link Wireless Router? You might have been Hacked

Have a D-Link Wireless Router? You might have been Hacked

February 03, 2015Wang Wei
The popular DSL wireless router model from D-Link are allegedly vulnerable to a software bug that could allow remote hackers to modify the DNS (Domain Name System) settings on affected routers and to hijack users' traffic. The main goal of DNS hijacking is to secretly redirect user’s traffic from a legitimate websites to a malicious one controlled by hackers. The vulnerability might also affects other devices because it is located in the same, widely-used wireless router firmware used by different manufacturers. Bulgarian security researcher Todor Donev discovered the flaw which exists in a widely deployed ZynOS firmware from ZyXEL Communications Corporation, that is used in network hardware from TP-Link Technologies, ZTE and D-Link. According to the security researcher, D-Link’s popular DSL2740R wireless router and a number of other D-Link routers, particularly the DLS-320B, are vulnerable. Late last year, similar router vulnerability was discovered in the
GoDaddy Vulnerability Allows Domain Hijacking

GoDaddy Vulnerability Allows Domain Hijacking

January 21, 2015Swati Khandelwal
An Internet domain registrar and web hosting company GoDaddy has patched a Cross-Site Request Forgery ( CSRF or XSRF) vulnerability that allowed hackers and malicious actors to hijack websites registered with the domain registration company. The vulnerability was reported to GoDaddy on Saturday by Dylan Saccomanni, a web application security researcher and penetration testing consultant in New York. Without any time delay, the company patched the bug in less than 24 hours after the blog was published. While managing an old domain registered on GoDaddy, Saccomanni stumbled across the bug and noticed that there was absolutely no protection against CSRF vulnerability at all on many GoDaddy DNS management actions. Cross-Site Request Forgery (CSRF) is a method of attacking a website in which an attacker need to convince the victim to click on a specially crafted HTML exploit page that will make a request to the vulnerable website on their behalf. This common but rathe
Millions of Vulnerable Routers aiding Massive DNS Amplification DDoS Attacks

Millions of Vulnerable Routers aiding Massive DNS Amplification DDoS Attacks

April 03, 2014Swati Khandelwal
The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex with the increase in the skills of attackers and so, has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet and till now nearly every big site had been a victim of this attack. Since 2013, Hackers have adopted new tactics to boost the sizes of Distributed Denial of Service ( DDoS ) attack known as ‘ Amplification Attack ’, leveraging the weakness in the UDP protocols. One of the commonly used by hacker is (Domain Name System) DNS Reflection Denial of Service (DrDoS). WHAT IS DrDoS ATTACK? The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to the target and the target of the attack receives re
Google Public DNS intercepted by Turkish ISPs

Google Public DNS intercepted by Turkish ISPs

March 30, 2014Swati Khandelwal
I know we all have freedom of speech, but unfortunately it’s not free, especially in the countries govern by the governments where they are ready to kill our voice anyhow, even by censoring the social media. The same happened few days before, when Twitter , the biggest Social Media platform, was banned by the Turkey government after an audio clip was leaked on YouTube and Twitter about the massive corruption of Turkey Prime Minister Recep Tayyip Erdoğan instructing his son to dispose of large amounts of cash in the midst of a police investigation. The Prime minister of the country, Erdoğan has full control on the old media, the television and the printing press, but he failed to stop the Ten Million Turkish citizen on twitter from sharing the audio all over the social media site, when Twitter itself reportedly refused to delete the incriminating audio of him. But it doesn't work very well, since the users have all way out. Millions of Turkey users began using Google’s DNS servi
Google Public DNS Server Traffic Hijacked

Google Public DNS Server Traffic Hijacked

March 17, 2014Mohit Kumar
The Internet is becoming a dangerous place day-by-day and especially for those innocent web users who rely on 3rd party services. The latest bad news is that the World's largest and most widely used Google's free public DNS (Domain name system) resolvers  raised   security red flags yesterday. DNS is the master address list for the Internet, which translates IP addresses into human readable form and vice versa. According to Internet monitoring firm BGPmon , Google's DNS server 8.8.8.8 /32 was hijacked yesterday for 22 minutes. The Google's DNS server handles around 150 billion queries a day and during the 22 minutes of hijacking, millions of Internet users, including Financial institutions , Governments were redirected to BT’s (British multinational telecommunications services company) Latin America division in Venezuela and Brazil. It is suspected that Hackers exploited a well-known  vulnerability in the so-called Border Gateway Protocol ( BGP) , which
Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

February 10, 2014Anonymous
In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys,  TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide. Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users. Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack. ' After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all. ' CERT Polska researchers said. That DNS Hijacking trick is not new, neither most of the router vulnerabilities are, but still millions of r
LINKUP - First Ransomware trojan that modifies DNS settings to mine Bitcoin forcefully

LINKUP - First Ransomware trojan that modifies DNS settings to mine Bitcoin forcefully

February 07, 2014Swati Khandelwal
Till now we all have heard about the Ransomware malware that encrypts your files or lock down your computer and ask for a ransom amount to be paid in a specified duration of time to unlock it. Emsisoft has detected a new piece of malware called “ Linkup ”, dubbed as “ Trojan-Ransom.Win32.Linkup ” that doesn't lock your computer or encrypts files; rather it blocks your Internet access by modifying the DNS settings, with the ability to turn your computer into a Bitcoin mining robot.  Sounds Interesting?? Once the Linkup Trojan is installed in your system, it makes a copy of itself and disables the selected Windows Security and Firewall services to facilitate the infection. Injected poisoned DNS Server will only allow the malware and Bitcoin miner to communicate with the internet. It display a bogus notification on the victim's web browser, which is supposed to be from the Council of Europe , that accuses you of viewing “ Child Pornography ” and only returns th
Tajikistan Domain Registrar hacked; Google, Yahoo, Twitter, Amazon also defaced

Tajikistan Domain Registrar hacked; Google, Yahoo, Twitter, Amazon also defaced

January 07, 2014Anonymous
Google’s primary search domain for Tajikistan had seemingly been hacked yesterday, along with other high profile domains including Yahoo, Twitter, Amazon -- redirected to a defaced page. Actually neither Google, nor Twitter servers have been hacked, rather website of Tajikistan's Domain registrar ( domain.tj ) authority has been hacked, that allows the hacker to access domain control panel. Server Kernel:  Linux mx.takemail.com 2.4.21-27.ELsmp #1 SMP Wed Dec 1 21:59:02 EST 2004 i686 Iranian hacker ' Mr.XHat' successfully managed to change the DNS records of attack websites and defaced them for about a day. Hacker told ' The Hacker News ' that he used Directory Traversal vulnerability to hack the website and still has the access to the control panel. Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. Following the screenshot of compromised Domain Registrar's Control Panel:
Qatar is Down ! Syrian Electronic Army hijacks major Qatar websites

Qatar is Down ! Syrian Electronic Army hijacks major Qatar websites

October 19, 2013Mohit Kumar
The Syrian Electronic Army (SEA) is at it again. The hacktivist group, who are known to back Syrian President Bashar al-Assad , has hacked many high profile Qatar based websites, including the Google, Facebook, Aljazeera and Government - Military websites. Starting at about 4:25 am (GMT 5:30+), the Syrian Electronic Army shared this message on Twitter: Qatar is #down and  following that, they went about switching off government and private websites using the .qa extension. The domains are managed by Qatar’s Ministry of Information and Communication (ictQatar). Apparently, the Syrian Electronic Army gained access to  Qatar Domain Registrar ( portal.registry.qa ) and modifies the DNS entires to redirects the targeted websites to servers controlled by hackers serving defacement page, that include a picture of Assad and the groups logo, as shown. The List of the targeted websites is posted on Twitter by hackers - these include: moi . gov .qa facebook .qa gov .qa vodafone .qa a
Metasploit website Hacked just by sending a spoofed DNS change request via Fax to Domain Registrar

Metasploit website Hacked just by sending a spoofed DNS change request via Fax to Domain Registrar

October 11, 2013Mohit Kumar
A group of Pro-Palestine hackers ' KDMS Team ' today has been able to hijack the Metasploit website simply by sending a fax and hijacked their DNS records. Rapid7 is a leading Security Company and Creator of world's best penetration testing software called ' Metasploit '. The company confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com . The group came to prominence earlier this week when it managed to hijack the websites of popular messaging service WhatsApp and anti-virus company AVG among others. On the website, the hacker posted " Hello Metasploit.  After Whatsapp , Avira, Alexa , AVG and other sites. We were thinking about quitting hacking and disappear again! But we said: there is some sites must be hacked. You are one of our targets. Therefore we are here. And there is another thing do you know Palestine? " Rapid7 official statement regarding the in
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.