DNS Hijacking Attack in Email Transport: DNS Hijacking is one of the most common recent threats, in which the attackers subvert the resolution of Domain Name System or DNS queries and redirects a victim machine to malicious websites for nefarious activities.

A Study says, attackers can perpetrate DNS Hijacking while transporting emails from one mail server to another and thus, steal sensitive data transferred through the emails. Let’s understand in detail how it is possible.

What is DNS Hijacking

When we type a URL in the address bar of the browser, the computer sends DNS query to appropriate DNS Servers and resolves the IP address of the required website.
In DNS Hijacking, the attacker infects the computer with malware and changes the DNS settings of the computer, such that when a DNS query is made, a rogue DNS Server controlled by the attacker is contacted instead of an authenticated one. As a result, whenever any URL is typed, the victim computer ends up sending the DNS query to the DNS Server controlled by the attacker and a malicious IP address is returned. And thus, the victim computer ends up visiting a malicious website controlled by the attacker.
Now, the attacker can spread malware through the website or steal sensitive data from the user to perpetrate Phishing attack later.

DNS Hijacking in Email Transport

Let’s understand first, how emails are transported from one mail server to another mail server.
Suppose, Alice with email address alice@source.com wants to send an email to Bob, who has the email address bob@destination.com.
When Alice will send the email, mail server of Alice’ mail provider will try to find out the IP address of the mail server of Bob’s mail provider.
To do that, the source mail server ask the DNS Server for the DNS MX Record for the domain destination.com. An MX Record is a specific form of DNS Record that allows us to know the IP address of the domain where the email should be sent to.
The DNS Server at this point will respond with the IP address of the domain destination.com and the source mail server will send the email using that IP address.

DNS Hijacking Attack in Email Transport

In DNS MX Record Hijacking, the attacker compromises the DNS Server that is used by the source mail server. And IP address of a server controlled by the attacker is returned, instead of that of the domain destination.com.
The source mail server cannot realize the trick and it ends up sending the email to the attacker’s server.
DNS Hijacking Attack in Email Transport
The attacker can now read the email and steal sensitive information transferred through the email. And, to make the attack invisible, after stealing the information the attacker sends the email to the mail server of Bob’s mail provider.

Mitigation

Using DNSSEC or Domain Name System Security Extension is one possible option to mitigate this attack.
In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As it will not be possible for attackers to duplicate cryptographic keys, it will be very difficult for attackers to do DNS MX Record Hijacking, thus preventing the attack altogether.
This would be all about DNS Hijacking Attack in Email Transport. If you have any further queries please leave us comment.

Leave a Reply