DNS hijacking is one of the most common recent threats, in which attackers subvert the resolution of Domain Name System or DNS queries and redirect a victim’s machine to malicious websites for nefarious activities. Attackers can perpetrate DNS hijacking while transporting emails from one mail server to another and, thus, steal sensitive data transferred through the emails. Let’s understand the attack in more detail.
What is DNS hijacking?
When we type a URL in the address bar of the browser, the computer sends a DNS query to the appropriate DNS servers and resolves the IP address of the required website. In DNS hijacking, an attacker infects a victim’s computer with malware and changes the DNS settings of the computer. As a result, when a DNS query is made, a rogue DNS server controlled by the attacker is contacted instead of a legitimate one. Thus, whenever any URL is typed, the victim’s computer ends up sending the DNS query to the DNS server controlled by the attacker, and a malicious IP address is returned. So, the victim’s computer ends up visiting a malicious website controlled by the attacker. Now, the attacker can spread malware through the website or steal sensitive data from the user to perpetrate a phishing attack.
Interested readers can find more information on DNS hijacking here: What is DNS hijacking?
How can DNS hijacking be perpetrated to steal sensitive data transferred over emails?
Let’s first understand how emails are transported from one mail server to another mail server. Suppose Alice wants to send an email to Bob. When Alice sends the email, the mail server of Alice’s mail provider tries to determine the IP address of the mail server of Bob’s email provider.
To do so, the source mail server asks the DNS server for the DNS MX Record for the destination domain, say destination.com. An MX Record is a specific form of DNS record that allows us to know the IP address of the domain to which the email should be sent. The DNS server, at this point, responds with the IP address of the domain destination.com, and the source mail server sends the email using that …
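As an added example (not code from the article), the Python below parses the kind of MX answer the source mail server receives for destination.com and flags any mail exchanger that is not in a pinned set, which is how a defender can spot a resolver handing back an attacker's host. It assumes the operator maintains such a pinned set as a hijack indicator, uses only the standard library, and the response bytes are constructed rather than captured; note that the MX data carries the exchanger's hostname, which the sending server then resolves to an IP address separately.

```python
import struct

MX, IN = 15, 1  # DNS RR type MX, class IN

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                      # caller continues after the 2-byte pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + ln].decode()); off += ln

def parse_mx_answers(msg):
    """Return sorted (preference, exchange hostname) pairs from the answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off); off += 4
    out = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
        if rtype == MX:
            pref = struct.unpack(">H", msg[off:off + 2])[0]
            out.append((pref, read_name(msg, off + 2)[0]))
        off += rdlen
    return sorted(out)

def unexpected_mx(msg, pinned_hosts):
    """Hijack check (assumed control): MX exchanges outside the operator's pinned set."""
    return [(p, h) for p, h in parse_mx_answers(msg) if h not in pinned_hosts]

def constructed_mx_response(txid=0x1234):
    """Constructed sample answer: destination.com MX 10 mail.destination.com (not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 question, 1 answer
    question = encode_name("destination.com") + struct.pack(">HH", MX, IN)
    rdata = struct.pack(">H", 10) + b"\x04mail" + b"\xC0\x0C"  # pointer to the qname at offset 12
    answer = b"\xC0\x0C" + struct.pack(">HHIH", MX, IN, 300, len(rdata)) + rdata
    return header + question + answer
```

Running `unexpected_mx(response, pinned)` against answers from the configured resolver and from an independent resolver, and alerting on any difference, is the practical detection step this models.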