The Domain Name System (DNS) is the hierarchical naming system for computers, resources and services connected to the Internet. It is responsible for mapping each Internet-based entity's domain name to the information associated with it. As such, DNS is an essential tool for organizing the web.
In the wrong hands, however, it can be used to create domains from which to launch attacks against businesses, governments, and other organizations. Malicious actors can also carry out additional attacks by changing the DNS records of legitimate websites, as hacking group Lizard Squad did to multinational technology company Lenovo earlier this year.
Recognizing these and other DNS-based threats, security companies IID and Infoblox have jointly released the latest issue of their Infoblox DNS Threat Index, a report which, according to Rod Rasmussen, chief technology officer at IID, “is intended to give insight into the extent to which bad actors are leveraging DNS for illicit activities.”
The most recent index relies on a baseline of 100, the average of all threat activity detected across the eight quarters of 2013 and 2014. The index's findings are informed by 67 categories, with further areas added continually to reflect the evolving threat landscape.
The report reveals a record high of threat activity in the second quarter of 2015, with the index at 133, up 58 percent from the second quarter of last year.
Whereas Q1 2015 saw the greatest increase in domain creation at the hands of the Angler, Nuclear, and Neutrino exploit kits, the second quarter has been dominated by attackers setting up the necessary infrastructure to stage phishing attacks. The authors of the Infoblox DNS Threat Index believe this is so partly because phishing relies on social engineering, i.e. exploiting weaknesses in human psychology, rather than on the more difficult task of undermining hardened security systems. Overall, phishing saw an increase of 74% in Q2.
Meanwhile, exploit kits accounted for 41% of the malicious domains created in the second quarter. This figure is roughly the average across the previous 11 quarters, in which exploit kits have accounted for anywhere from under 20% to over 70% of the malicious domain creation detected by the index.
Another trend revealed by the index is the cyclical nature of DNS-based attacks. One half of this cycle is referred to as “planting,” in which attackers create new infrastructure and domain names from which to launch attacks. The other half, “harvesting,” occurs when malicious actors actually begin launching attacks from those domains previously created.
Both the planting and harvesting stages are evident in the history of the DNS Threat Index:
“The Infoblox DNS Threat Index shows this endless cycle of planting and harvesting, when looking across the twelve quarters to date,” the report explains. “If the index is lower in a given quarter, this may correspond with a period in which the malicious agents are harvesting the infrastructure they have already created and are not setting up new bad domains at the same pace. If the index is higher in a quarter, this could indicate that the attackers are in a planting phase, establishing domains and other infrastructure to execute their plans.”
With the past three quarters’ threat activity on the rise, Infoblox and IID suspect that criminals are hard at work preparing new infrastructure from which to launch targeted attacks.
In anticipation of these attack campaigns, Internet pioneer and DNS expert Paul Vixie has proposed that a “cooling-off period” imposed by DNS providers when activating new domains could help minimize abuse. Many domains currently cost only USD $10.00 and can be activated in less than 30 seconds, which facilitates swift criminal activity online. By holding a new domain back for a period ranging from a few minutes to a few hours before it goes live, security personnel could screen new domains and thereby reduce DNS-based attacks.
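The proposal above places the hold at the registrar. The defender-side counterpart, added here as an illustration and not taken from the report or from Vixie, is to screen resolver query logs for lookups to domains whose registration is younger than a chosen threshold, since the “planting” phase the index describes produces exactly such young domains. The log format, the creation-time table and the two-label domain approximation are constructed assumptions for this example.

```python
from datetime import datetime

# Constructed DNS query log lines (assumed format: ISO timestamp, client IP, query name, type).
SAMPLE_LOG = """\
2015-07-01T09:15:02Z 10.0.0.12 portal.example-bank-login.com A
2015-07-01T09:15:05Z 10.0.0.12 www.example.org A
2015-07-01T09:16:41Z 10.0.0.23 cdn.example.net AAAA
2015-07-01T09:17:10Z 10.0.0.31 secure-update.example-mail.net A
"""

# Constructed domain creation times standing in for a WHOIS/RDAP lookup or a
# newly-registered-domain feed; in a real deployment this table is fed from such a source.
CREATION_TIMES = {
    "example-bank-login.com": datetime(2015, 7, 1, 9, 14, 30),
    "example.org": datetime(1995, 8, 31),
    "example.net": datetime(1995, 1, 1),
    "example-mail.net": datetime(2015, 6, 30, 22, 0),
}


def registrable_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption for
    this example; a real deployment should consult the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_young_domains(log_text: str, max_age_seconds: int, created=CREATION_TIMES):
    """Return (timestamp, client, domain, age_in_seconds) for every query to a domain
    registered less than max_age_seconds before the query was made."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, client, qname, _qtype = line.split()
        queried_at = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        domain = registrable_domain(qname)
        created_at = created.get(domain)
        if created_at is None:
            continue  # age unknown: leave this query to other controls
        age = int((queried_at - created_at).total_seconds())
        if age < max_age_seconds:
            flagged.append((ts_str, client, domain, age))
    return flagged


if __name__ == "__main__":
    # A 24-hour screening window; tighten it to match the hold period chosen upstream.
    for hit in flag_young_domains(SAMPLE_LOG, 24 * 3600):
        print(hit)
```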
In the meantime, for more information on DNS and how criminals are leveraging this tool for nefarious purposes, you can read the Infoblox DNS Threat Index (Q2: 2015) here.