Thursday, January 21, 2016

DNS Hijacking Attack in Email Transport



DNS Hijacking is one of the most common recent threats. In it, attackers subvert the resolution of Domain Name System (DNS) queries and redirect a victim machine to malicious websites for nefarious activities.

Research shows that attackers can also perpetrate DNS Hijacking while emails are being transported from one mail server to another, and thus steal sensitive data transferred through those emails.

Let's understand in detail how it is possible.


What is DNS Hijacking Attack?


When we type a URL in the address bar of the browser, the computer sends a DNS query to the appropriate DNS Servers and resolves the IP address of the required website.

In DNS Hijacking, the attacker infects the computer with malware and changes its DNS settings, so that when a DNS query is made, a rogue DNS Server controlled by the attacker is contacted instead of the legitimate one. As a result, whenever any URL is typed, the victim computer ends up sending the DNS query to the attacker's DNS Server, and a malicious IP address is returned. The victim computer thus ends up visiting a malicious website controlled by the attacker.

Now the attacker can spread malware through the website or steal sensitive data from the user to perpetrate a phishing attack later.

You can find more information on DNS Hijacking in DNS Hijacking.


How can attackers perpetrate DNS Hijacking Attack to steal sensitive data transferred over emails?


Let's first understand how emails are transported from one mail server to another.

Suppose Alice, with email address alice@source.com, wants to send an email to Bob, who has the email address bob@destination.com.

When Alice sends the email, the mail server of Alice's mail provider will try to find out the IP address of the mail server of Bob's mail provider.

To do that, the source mail server asks the DNS Server for the DNS MX Record of the domain destination.com. An MX Record is a specific form of DNS Record that tells the sender which host receives email for the domain, and hence the IP address to which the email should be sent.


The DNS Server at this point responds with the IP address of the mail server for the domain destination.com, and the source mail server sends the email to that IP address.


In DNS MX Record Hijacking, the attacker compromises the DNS Server used by the source mail server. The IP address of a server controlled by the attacker is returned instead of that of the mail server for the domain destination.com.

The source mail server cannot detect the substitution and ends up sending the email to the attacker's server.


The attacker can now read the email and steal the sensitive information transferred through it. And, to keep the attack invisible, after stealing the information the attacker forwards the email on to the mail server of Bob's mail provider, so neither Alice nor Bob notices anything unusual.


How can we safeguard ourselves?


SMTP STS is a recent technology which can be used effectively to prevent this attack. SMTP STS, or SMTP Strict Transport Security, is a policy that ensures secure SMTP sessions over TLS.

You will find more information on this policy here: SMTP STS


Using DNSSEC, or Domain Name System Security Extensions, is also one possible option to mitigate this attack.


In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As attackers cannot forge these signatures without the signing keys, it becomes very difficult for them to do DNS MX Record Hijacking, which prevents the attack altogether.
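The MX lookup described above, together with the DNSSEC check, as an added example that is not part of the original post: a small DNS wire-format builder and parser that extracts the MX records from a response and only accepts them when the resolver has set the AD (Authenticated Data) flag, i.e. when a validating resolver has verified the DNSSEC signatures. The two responses are constructed inline (the "rogue" answer and its host name are made up for illustration); the AD flag is only trustworthy when the channel to the validating resolver is itself trusted.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, next_offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def build_mx_response(qname: str, exchanges, ad: bool) -> bytes:
    """Construct a DNS response carrying MX answers; ad sets the AD header bit."""
    flags = 0x8000 | (0x0020 if ad else 0)  # QR set, AD optional
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(exchanges), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 15, 1)  # type MX, class IN
    answers = b""
    for pref, exch in exchanges:
        rdata = struct.pack("!H", pref) + encode_name(exch)
        # b"\xc0\x0c" points back at the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, len(rdata)) + rdata
    return hdr + question + answers

def parse_mx_response(msg: bytes):
    """Return (ad_flag, sorted list of (preference, exchange)) from a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip qtype and qclass
    mx = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 15:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            mx.append((pref, decode_name(msg, off + 2)[0]))
        off += rdlen
    return bool(flags & 0x0020), sorted(mx)

def choose_mx(msg: bytes, require_dnssec: bool = True):
    """Pick the preferred mail exchanger, refusing unvalidated answers."""
    ad, mx = parse_mx_response(msg)
    if require_dnssec and not ad:
        return None  # hijacked or unsigned answer: do not deliver
    return mx[0][1] if mx else None

# Constructed sample responses: a validated one and an unvalidated rogue one.
GENUINE = build_mx_response("destination.com",
                            [(10, "mx1.destination.com"), (20, "mx2.destination.com")], ad=True)
ROGUE = build_mx_response("destination.com", [(10, "mx.rogue.example")], ad=False)
```

With `require_dnssec=True`, the sender delivers only to `mx1.destination.com` from the validated answer and refuses the unvalidated one outright.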
Read More

Infographic: How to sign and encrypt emails using PGP?

What is PGP or Pretty Good Privacy?

How are S/MIME and PGP different from each other in encrypting emails?

How can Bitmessage be used to send encrypted messages?

What is SMTP Strict Transport Security?

How can attackers perpetrate TLS Downgrade Attack to steal sensitive data transferred over emails?