
Just this last week, I wrote an article for a client on E-Skimming.  You may be thinking that this involves stealing your credit card info when you swipe it across a reader at the checkout of a brick-and-mortar store (probably because of the word “skimming”).

But this is only partially correct.  E-Skimming actually involves the theft of your credit card information when you are making purchases online, at an E-Commerce store.

But this form of Cyberattack has become so sophisticated that, even when you think you are at a real shopping cart checking out your items and about to make payment, there are chances that you are at a spoofed website, or worse yet, that you started on the real checkout page but have been redirected to a malicious domain name.

And even when you really are at a legitimate site, your credit card number could still be heisted despite all of the security precautions you have taken.

It is important to keep in mind that Web Applications like the online store have become so complicated that they depend upon pieces of source code and plug-ins created by other entities, not just by one trusted software development team.

Although these various source code modules appear to be working seamlessly on the front end (the side you see as the end user), there are pretty good chances that they are not working so well together on the backend.

As a result, this leaves backdoors for the Cyberattacker to penetrate, and from there launch malware in order to steal your credit card information.

It is also through this weakness that a Cyberattacker can take a real website and spoof it.  Or they could register another domain that looks almost exactly the same as the legitimate domain and put a copy of the real website on that one.  You may be asking at this point where I am actually headed with all of this?

Well, this whole issue of spoofed websites and fake domain names falls under a category known as the “Domain Name System”, or DNS for short.  For example, when you type a domain name into your web browser, it gets transmitted to a set of servers that are physically located here in the United States.

Each domain name is then resolved to its IP Address, which is a series of numbers that looks something like this:  111.222.333.444

This IP Address identifies the web server on which the website you want to visit is hosted, and once it is determined, your browser is directed to that particular website.  Although a lot happens here, it only takes a matter of a few seconds to accomplish.

So, as you can tell, the entire DNS is also at risk from a security standpoint, because its main function deals with the billions of domain names and IP addresses it must serve on a daily basis.
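As an added example (not code from the original post), here is a small Python check of the kind a defender could run over resolver logs to catch the look-alike domain trick described above; the domain list, the homoglyph table and the log lines are all constructed for illustration.

```python
import re
LEGIT_DOMAINS = ["example-bank.com"]  # constructed: domains the organisation owns
# Digits that pass for letters in many fonts; letter pairs that mimic one letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    """Lower-case the name and fold look-alike spellings to one canonical form."""
    d = domain.lower().rstrip(".")
    for src, dst in (("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d.translate(HOMOGLYPHS)

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_for(queried, legit=LEGIT_DOMAINS, max_distance=2):
    """Return the legitimate domain `queried` imitates, or None if exact or unrelated."""
    # Compare only the last two labels (a simplification that ignores multi-part suffixes).
    reg = ".".join(queried.lower().rstrip(".").split(".")[-2:])
    if reg in legit:
        return None
    for good in legit:
        if levenshtein(normalize(reg), normalize(good)) <= max_distance:
            return good
    return None

# Constructed resolver log lines, not real traffic.
LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=www.example-bank.com type=A
2024-05-01T10:00:04Z client=10.0.0.5 query=www.examp1e-bank.com type=A
2024-05-01T10:00:09Z client=10.0.0.7 query=login.exarnple-bank.com type=A
2024-05-01T10:00:15Z client=10.0.0.9 query=cdn.example-bnak.com type=A
2024-05-01T10:00:21Z client=10.0.0.9 query=www.github.com type=AAAA
"""

def scan_log(text, legit=LEGIT_DOMAINS):
    """Return (client, queried name, imitated domain) for every suspicious query."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"client=(\S+) .*query=(\S+)", line)
        if m and (target := lookalike_for(m.group(2), legit)):
            hits.append((m.group(1), m.group(2), target))
    return hits
```

Exact matches to an owned domain are never flagged; the three hits in the constructed log are a digit-for-letter swap, an "rn" for "m" swap, and a two-letter transposition.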

There are many types of DNS Attacks, and some of the top ones are as follows:

*Domain Hijacking;

*The DNS Flood Attack;

*The Distributed Reflection Denial of Service;

*DNS Cache Poisoning;

*DNS Tunneling;

*DNS Hijacking;

*Random Subdomain Attacks;

*The NXDOMAIN Attack;

*The Phantom Domain Attack.

I will examine the details of these in future blogs, but the one that is most relevant to this blog is the first one (which is Domain Hijacking).  Any of us could fall victim to this, even Corporate America, and yes, even our Federal Government. 

This is according to the latest market research survey that was conducted by a Cybersecurity firm known as “EfficientIP”, entitled the “Global DNS Threat Report”.  It can be downloaded from this link:

In their work, they discovered that the United States Federal Government has been the prime target of the Cyberattacker for DNS based threat vectors.  Here is what they found:

*The government overall suffers from at least 12 large-scale DNS Attacks on a yearly basis;

*Each attack can cost as much as $558,000.  Converted to a yearly basis, this translates to $6.7 Million;

*51% of all of the Federal Government agencies were a victim of some sort of DNS Attack;

*41% of these agencies were impacted by either a spoofed website or domain name;

*For 19% of the agencies, the Personally Identifiable Information (PII) of American citizens and other forms of Intellectual Property (IP) were the prized “crown jewels” for the Cyberattacker.

The numbers get even worse when it comes to recovery time after a particular agency has been impacted:

*It takes an astounding 7 hours or more to restore baseline operations.  During this time, other Cyberattacks could be occurring;

*51% of the respondents said that they had to shut down mission critical servers completely in order to mitigate the Cyberattacker once it was detected.  This indicates that there is no effective plan in place to keep mission critical operations running at even a very minimal level;

*32% of the respondents simply do not understand the relevance and/or the importance of the DNS as it relates to the operations of the agency that they work for;

*32% of them also do not perform any kind of analysis or forensics-based examination after they have been impacted. 

My Thoughts On This

Honestly, I am surprised that the Federal Government is such a valued target for the Cyberattacker.  I would think that it would be Corporate America that would be much more at risk, given all of the millions of credit card transactions that occur on a daily basis.

And also, I would think that the Federal Government would have much stronger lines of defenses, given that they have just about all kinds of Cybersecurity resources and financing available at their fingertips.  I never even realized that such a large majority had to resort to actually physically shutting their servers down. 

Shutting down the IT and Network Infrastructure, or even just a small segment of it, should only be used as the ultimate last resort, because you never really know what the impacts will be if this is initiated.  If it is ever used, the servers should be shut down for only a very small amount of time (something like no greater than one hour); 7 hours is just unacceptable in my professional view.

But what I am most surprised by is the sheer number of these agencies that simply do not analyze the DNS traffic that is both inbound and outbound, or worse yet, do not even conduct a thorough investigation of what happened after they have been impacted.

I know for a fact that there are a lot of good Cybersecurity firms out in the DC area (primarily because I interviewed them on my podcasts) that can offer these kinds of services.

So, IMHO, there is no reason why these agencies can’t hire them to see what happened and determine how it can be avoided in the future.  According to the report, 91% of the Malware that is lurking out there is deployed via the DNS, so this really needs to be taken seriously.

If these issues are not addressed and to some degree or another not resolved by our Federal Government, we could be impacted by a Cyberattack that is nothing like we have ever seen before: A massive, multiple wave assault onto our Critical Infrastructure, with the end result that our entire nation could be severely crippled.