DNS Hijacking Continues

Latest Activity

Over the past few months we have been monitoring a large number of DNS manipulation attacks. One of the features of our sensor is to detect fast fluxing and changes to the DNS name resolution over time. Over the last several months we have been observing several DNS attacks at large and small companies. Several servers that are hosted on AWS and OVH hosting have been identified that appear to be part of the campaign. We are more interested in the redirection from legitimate websites host that are proxying (and presumably sniffing traffic) to and from these websites.

Last week a customer owned sensor identified 2 instances where the TTL of a popular domain was changed from 7200 down to 30 seconds. These low time to live values make it easier for attackers to quickly redirect a host through an intermediary. A look at cached DNS TTL values also shows that this activity has been occurring since 2016 on the host that Jigsaw Security is tracking.

Continued attacks are also being seen from other countries in coordinated and highly effective efforts to steal credentials.

Heuristic Detection Module

As you may be aware, Jigsaw Security's FirstWatch sensor includes a Heuristic Detection module that looks for these types of attacks. A review of historical logging shows that this activity started occurring more frequently in February of 2016 and targets can be determined fairly easily. In particular, several open and popular networks that are provided to retail customers have also been affected. It is believed that this method is being used to harvest credentials to sensitive websites while users are shopping, visiting coffee shops and wireless networks with popular SSID's in busy locations such as train stations and public venues.

This same method is also be utilized for cellular networks whereas unauthorized pico and micro cells are being brought online in popular locations.

Suggestions to Mitigate this Issue

One of the methods that Jigsaw Security has employed on our customer networks is always on VPN for mobile devices and laptops. This ensures that mobile devices or devices that are used out of the office are being forced to use your authorized DNS servers where the FirstWatch sensors have visibility into what is occurring.

Another module we have provided detects when DNS entries for critical services change and notify the security team that tampering may be occurring.


Contact: (800)447-2150 Ext. 1        To contact Jigsaw simply send a message in our chat window!

  • Facebook - Black Circle
  • Twitter - Black Circle

© 2017-2018 Jigsaw Security Enterprise Inc.

Jigsaw Security Enterprise Inc is a SDVOSB - Service Connected Disabled Veteran Owned Small Business Jigsaw Security is an operator of WIMAX networks and is operating under license WQVC235 as a common carrier, non-common carrier and private communications operator. Jigsaw Security operates cable and satellite services. Courses may be provided by a third party authorized training partner in some cases. Some training is only available for cleared and US Citizens. Courses approved by the North Carolina Department of Public Safety Private Protective Services Board for licensing and CE credits. JPM program insurance is provided by an authorized Jigsaw Security Insurance Partner and is not underwritten by Jigsaw Security. For insurance information please contact our JPM program manager. Jigsaw Security operates a network through our NCBroadband brand.