Start Free Trial
Start Free Trial
Introspectus

DNS Decorations: DNS Hijacking and Redirected Festive Traffic

Executive Summary

Every December, as Australians flock online for festive shopping, cybercriminals quietly prepare their own “decorations”, hijacked DNS records. DNS hijacking allows attackers to redirect legitimate website traffic to fraudulent destinations, stealing credentials, payment details, and damaging brand reputation. For executives, the risk is particularly high during the Christmas rush, when customer trust and online sales are at their peak. A single compromise in your DNS infrastructure can redirect entire customer bases, disrupt digital operations and erode public confidence overnight.

How the Attack Works

DNS hijacking occurs when attackers gain unauthorised access to domain registrar accounts or DNS management consoles. Once inside, they modify DNS records, for example, changing the IP address of your company’s website to point to a malicious server. This enables them to intercept traffic, host phishing pages that mimic your brand, or redirect users to malware-laden sites.

Common methods include credential theft through phishing, exploiting unpatched registrar systems or compromising an administrator’s workstation. Attackers may also use cache poisoning, injecting malicious DNS records into public resolvers to redirect users even when your domain is uncompromised. These attacks are subtle, often unnoticed until customers report fraudulent activity or abnormal website behaviour.

Australian Context / Case Study

DNS hijacking incidents in Australia have affected small businesses and government portals alike. In one 2023 incident, a Brisbane-based retailer’s website was redirected to a phishing page imitating a courier service. In the same year, this strategy was used on a much larger scale in the United States with threat actors impersonating Walmart and the USPS. The ACSC has issued multiple alerts warning of registrar account compromises and urging the use of multi-factor authentication for DNS and domain management accounts.

How the Essential Eight Mitigates the Risk

The Essential Eight provides critical layers of defence that directly mitigate DNS hijacking and unauthorised domain modifications:

  • Multi-Factor Authentication (MFA): Protects registrar and DNS provider accounts from credential theft and unauthorised logins.
  • Restrict Administrative Privileges: Ensures that only authorised IT staff have permission to change DNS settings or manage domain records.
  • Application Control: Prevents unauthorised software or scripts that could alter DNS configurations on internal servers.
  • Patch Operating Systems and Applications: Closes vulnerabilities that attackers exploit to gain privileged access to administrative consoles.
  • Regular Backups: Ensures DNS configurations and website files can be restored quickly in case of tampering.
  • User Application Hardening: Reduces the attack surface of browsers and management tools used to access registrar accounts, mitigating credential-stealing malware.

When applied holistically, these controls prevent unauthorised access, detect anomalies faster and allow for rapid remediation of DNS-related incidents.

Executive Takeaways

  1. Require Multi-Factor Authentication on all domain registrar, DNS management, and hosting accounts.
  2. Restrict who can make DNS changes by implementing change control and approval workflows.
  3. Maintain an offline backup of your DNS zone files and configurations.
  4. Review registrar contact information and recovery options to ensure they are up to date.
  5. Monitor DNS records regularly for unauthorised changes or anomalies.
  6. Consider implementing DNSSEC (Domain Name System Security Extensions) to protect against cache poisoning and ensure authenticity of DNS data.

By taking these measures and maintaining Essential Eight maturity, organisations can ensure their digital ‘decorations’ remain untampered, keeping customers, data and reputation secure throughout the holiday season.