Threat Protection

Modern cybersecurity requires intelligent, dynamic DNS protection

The cybersecurity landscape is ever evolving, with new threat vectors and sophisticated scams emerging every year. The one thing they all have in common? They originate online. DNS protection is the only security layer that shields your company from all threats that originate online by scanning, categorizing, and blocking hacked websites.

CRYPTOJACKING

WHAT IS CRYPTOJACKING?

Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to simply as cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.

While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.

The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.

HOW TO BLOCK CRYPTOJACKING?

In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites used a variation of the term “mining” in the domain name—nearly 19% of all cryptojacking sites identified on our network during the pandemic.

DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.

We also allow users to block newly registered domains and malware categories, a blanket approach that mitigates malicious cryptomining activity at the DNS layer before it can be activated in your organization.

WHY ARE CRYPTO-RELATED THREATS EVERYWHERE?

Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.

Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.

And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.

Cryptojacking will continue to grow, as will other cryptocurrency-related threats.

WHY FILTER DNS?

Given its versatility, DNS filtering offers advanced customization. Depending on your organization's needs, you can choose which types of content are permissible and which to block. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.


DNS POISONING

WHAT IS DNS POISONING?

DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.

WHAT DOES DNS POISONING LOOK LIKE?

Unfortunately, a good DNS poisoning attack will go completely unnoticed by the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. Attackers do this to frustrate the users of a service or to cause harm to the business behind that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end user will likely never know they were the victim of DNS cache poisoning.

HOW TO STOP DNS POISONING

There are multiple actions you can take to prevent DNS poisoning.

- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.

- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.

- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.

And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.

DNS TUNNELING

WHAT IS DNS TUNNELING AND HOW CAN IT BE DETECTED?

DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, comparing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is likely in progress.

WHAT IS DNS TUNNELING USED FOR?

The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.

HOW TO STOP DNS TUNNELING

Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:

- Detect phishing attacks that can lead to the installation of malware

- Compare each DNS request a DNS server receives against a block list of known malicious domains

- Detect Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks

- Detect unusual DNS traffic patterns

And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
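The traffic-analysis approach described above (query frequency against a benchmark, plus the shape of the names being queried) can be demonstrated on a log file. The following detector is an added example written for this page, not DNSFilter's own code: it reads a constructed query log, groups queries by registered domain, and flags domains whose subdomains are long and high-entropy, whose unique-subdomain burst rate exceeds a benchmark, or whose queries are dominated by TXT/NULL records. The thresholds, the log format and the sample domains (the reserved `.invalid` TLD is used for the tunnel-style names) are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<epoch-seconds> <client-ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000002 10.0.0.7 cdn.example.com A
1700000002 10.0.0.9 a3f9c1e27b4d6e8f0a1b2c3d4e5f6071.t.exfil-demo.invalid TXT
1700000002 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.exfil-demo.invalid TXT
1700000003 10.0.0.9 f1e2d3c4b5a6978869504132f0e1d2c3.t.exfil-demo.invalid TXT
1700000003 10.0.0.9 0badf00d1cafe2beef3dead4face5b0b.t.exfil-demo.invalid TXT
1700000004 10.0.0.9 7c3e9a1b5d2f8e4a6c0b9d3f1e5a7c2b.t.exfil-demo.invalid TXT
1700000004 10.0.0.9 2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c.t.exfil-demo.invalid TXT
1700000004 10.0.0.9 e5c7a9b1d3f2e4c6a8b0d2f4e6c8a1b3.t.exfil-demo.invalid TXT
"""

# Heuristic thresholds: assumed starting values, to be tuned against your own traffic baseline.
MIN_AVG_SUB_LEN = 20     # characters of subdomain per query
MIN_ENTROPY = 3.0        # bits per char; encoded payloads sit near log2(alphabet size)
MIN_UNIQUE_SUBS = 5      # distinct subdomains seen under one registered domain
MIN_QPS = 2.0            # queries per second to one domain, above the normal benchmark
MIN_TXT_FRACTION = 0.5   # share of TXT/NULL queries, the record types tunnels favour

def shannon_entropy(text):
    """Bits per character of `text` (0.0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname):
    """Crude approximation (last two labels); a real deployment would use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def domain_stats(log_text):
    """Group queries by registered domain and compute the per-domain tunnel indicators."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, _client, qname, qtype = line.split()
        groups[registered_domain(qname)].append((int(ts), qname.lower(), qtype.upper()))
    stats = {}
    for dom, rows in groups.items():
        subs = {q[: -len(dom) - 1] for _, q, _ in rows if q.endswith("." + dom)}
        span = max(r[0] for r in rows) - min(r[0] for r in rows) + 1  # seconds, at least 1
        stats[dom] = {
            "qps": len(rows) / span,
            "unique_subdomains": len(subs),
            "avg_sub_len": sum(map(len, subs)) / max(len(subs), 1),
            "entropy": shannon_entropy("".join(subs)),
            "txt_frac": sum(r[2] in ("TXT", "NULL") for r in rows) / len(rows),
        }
    return stats

def tunnel_indicators(s):
    reasons = []  # human-readable reasons this domain's stats look like a tunnel
    if s["avg_sub_len"] >= MIN_AVG_SUB_LEN and s["entropy"] >= MIN_ENTROPY:
        reasons.append("long, high-entropy subdomains (encoded payload)")
    if s["unique_subdomains"] >= MIN_UNIQUE_SUBS and s["qps"] >= MIN_QPS:
        reasons.append("burst of never-repeated subdomains above the rate benchmark")
    if s["unique_subdomains"] >= MIN_UNIQUE_SUBS and s["txt_frac"] >= MIN_TXT_FRACTION:
        reasons.append("dominated by TXT/NULL queries")
    return reasons

def find_tunnel_candidates(log_text):
    """Map each suspicious registered domain to the indicators that fired."""
    return {d: r for d, s in domain_stats(log_text).items() if (r := tunnel_indicators(s))}
```

Running `find_tunnel_candidates(SAMPLE_LOG)` flags only `exfil-demo.invalid`; the benign `example.com` traffic has short, low-entropy names and a normal rate, so no indicator fires.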


MALWARE

WHAT IS MALWARE?

“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in outright destruction of valuable data.

Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.

Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, according to Accenture, the average cost of a malware attack on a company is $2.6 million.

HOW DOES MALWARE WORK?

Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.

Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS; these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.

Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.

HOW TO STOP MALWARE?

All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.

DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. Even if a malware package lands on your computer, it cannot reach its host server for instructions, so it is unable to deploy fully and take over the machine.

Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.

PHISHING

WHAT IS PHISHING & HOW DOES IT WORK?

No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.

PHISHING ATTACKS ARE EVERYWHERE

Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.

Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.

HOW TO STOP PHISHING

New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, are not enough to combat phishing.

With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.

Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains in addition to known phishing sites.

Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.


RANSOMWARE

WHAT IS RANSOMWARE?

Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or reverting systems to backups and avoiding paying the ransom altogether.

However, in some cases, backups may be impacted, or companies may not have robust enough backups to restore all of their systems.

Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding its systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.

HOW DOES RANSOMWARE WORK?

One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.

These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.

Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.

Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.

HOW TO STOP RANSOMWARE

It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.

DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. Even if a ransomware package lands on your computer, it cannot reach its host server for instructions, so it is unable to deploy fully and take over the machine.


ZERO DAY THREATS

WHAT IS A "ZERO DAY THREAT"?

A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has had "zero days" to come up with a solution.

HOW TO STOP ZERO DAY THREATS

Secure your DNS traffic with a DNS security layer that uses machine learning to perform deep inspection of DNS queries, achieving greater coverage of threats that have no known signature.


TYPOSQUATTING

WHAT IS "TYPOSQUATTING"?

Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site being mimicked. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), attackers can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copycat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.

TYPOSQUATTING & PHISHING

Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copycat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter its size, is at risk.

HOW TO STOP TYPOSQUATTING

New domains are the biggest threats when it comes to phishing and typosquatting attacks.

With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.

Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
