
SafeDNS Receives SourceForge Top Performer Award

We are thrilled to announce that SafeDNS has been bestowed with the prestigious recognition of being a Category Top Performer by SourceForge! This acknowledgment is a testament to the hard work, dedication, and innovation of the entire SafeDNS team.

This accomplishment is not only a source of pride for SafeDNS but also a reaffirmation of the trust and confidence our users place in us. Our commitment to providing seamless, comprehensive, and cutting-edge DNS filtering services has consistently driven us to deliver excellence.

Great support and very effective system. Easy to set up for a multi-site company, with many simple-to-use features and good written support materials. [Frank V.]

SafeDNS has always been driven by a customer-centric approach, striving to create an internet experience that is not only safer but also more efficient and tailored to individual needs. This recognition further motivates us to continue pushing the boundaries of what our service can achieve, constantly improving and adapting to the ever-evolving landscape of online threats.

Thank you once again for your unwavering support, and we look forward to bringing you even more groundbreaking innovations and enhancements in the future. Together, we will make the internet a safer place for all!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

DNS Poisoning: Understanding the Threat and Securing Your Online Experience

In the world of the Internet, the Domain Name System (DNS) plays a vital role in translating human-readable website addresses into computer-readable IP addresses. It acts as a directory that helps users navigate the vast online landscape. However, the DNS is not immune to security threats, and one such threat is DNS poisoning. In this blog post, we will delve into the intricacies of DNS poisoning, its potential dangers to internet users, and how SafeDNS can protect your online activities. Let’s explore this topic further.

What is DNS Poisoning? 

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a cyber attack that manipulates the DNS resolution process to redirect users to malicious websites or intercept their network traffic. This attack targets the DNS cache, where previously resolved domain names and their corresponding IP addresses are stored. By injecting false information into the DNS cache, attackers can redirect users' traffic to malicious websites without their knowledge or consent.

Attackers can poison DNS caches by impersonating DNS name servers: they make a request to a DNS resolver and then spoof the response when the resolver queries a name server. This is possible because DNS servers use UDP (User Datagram Protocol) instead of TCP and because, by default, DNS information is not verified.

The Mechanics of DNS Poisoning

DNS poisoning typically occurs in two forms: client-side and server-side attacks. In a client-side DNS poisoning attack, malware infects the user’s device and modifies its DNS settings to redirect DNS requests to malicious servers. On the other hand, server-side attacks exploit vulnerabilities in DNS servers, allowing attackers to inject false DNS records directly into the server’s cache. This enables them to redirect traffic across multiple devices connected to the compromised server.

The Dangers of DNS Poisoning

DNS poisoning can have severe consequences for both individuals and organizations. Here are a few notable dangers:

  • Leakage of Sensitive Data: Phishing attacks can lead to the leakage of sensitive data. Attackers may attempt to trick users into revealing confidential information such as bank card details, login credentials, or personal information. By impersonating legitimate websites or services, phishing attacks can result in the inadvertent disclosure of sensitive data to malicious actors.
  • Malware Distribution: DNS poisoning can be employed to redirect users to websites that host malware, resulting in unintended downloads and installations of malicious software.
  • Unauthorized Data Access: Man-in-the-Middle attacks pose the risk of unauthorized access to personal data or the interception of sensitive information. In such attacks, malicious actors can intercept network traffic and manipulate or steal data by altering packets. This can lead to the exposure of personal information, financial data, or the reception of misleading and untrustworthy information.
  • Brand Reputation Damage: Organizations may face reputational damage if their customers unknowingly access malicious websites that imitate their legitimate platforms, leading to compromised data or financial losses.

Detecting and Mitigating DNS Poisoning Attacks

Detecting and mitigating DNS spoofing attacks is crucial to ensuring online security. While there are various security solutions available, it is essential to understand the techniques and best practices that can help identify and counter DNS poisoning attacks. Here are some effective strategies:

  • DNSSEC Implementation: DNS Security Extensions (DNSSEC) is a security protocol that adds an extra layer of authentication to DNS responses. By digitally signing DNS records, DNSSEC prevents attackers from injecting false information into the DNS cache and helps validate the authenticity of DNS responses.
  • Regular DNS Monitoring: Organizations should proactively monitor their DNS infrastructure for any signs of poisoning attacks. This involves analyzing DNS traffic patterns, monitoring DNS cache contents, and utilizing intrusion detection systems (IDS) or security information and event management (SIEM) solutions to identify suspicious activities.
  • DNS Firewall Protection: Deploying a DNS firewall can help block malicious DNS requests and prevent DNS poisoning of caches. DNS firewalls use threat intelligence, reputation-based filtering, and behavioral analysis to identify and block DNS requests associated with known malicious domains or suspicious behavior.
  • Encrypted DNS (DoT/DoH): Encrypted DNS protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH) provide an additional layer of security by encrypting DNS traffic between clients and DNS resolvers. This prevents attackers from eavesdropping on or tampering with DNS requests and responses.
  • Regular Security Audits: Conducting regular security audits of DNS infrastructure helps identify vulnerabilities and ensure proper configuration. This includes reviewing DNS server settings, access controls, and applying necessary patches and updates to mitigate potential security risks.

By implementing these strategies and staying vigilant, organizations can significantly reduce the risk of DNS poisoning attacks and protect their online presence and sensitive information.
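As an illustration of the DNS monitoring strategy above, the following added example (not SafeDNS code) counts responses arriving at a resolver that match no outstanding upstream query, which is the traffic pattern left by spoofed answers. The event format, the sample log and the threshold are constructed assumptions.

```python
"""Flag names that receive bursts of DNS responses matching no pending query."""
from collections import Counter, namedtuple

# Hypothetical resolver-side event: time, "query"/"response", transaction ID,
# resolver UDP port, queried name, and the upstream server address.
Event = namedtuple("Event", "ts kind txid port qname peer")

# Constructed sample log (documentation IP ranges, invented names).
EVENTS = (
    [Event(0.0, "query", 0x1A2B, 53001, "bank.example", "198.51.100.53")]
    # Burst of answers claiming to come from the name server but carrying
    # transaction IDs the resolver never sent.
    + [Event(0.001 * i, "response", i, 53001, "bank.example", "198.51.100.53")
       for i in range(1, 41)]
    # The genuine answer, matching the pending query.
    + [Event(0.05, "response", 0x1A2B, 53001, "bank.example", "198.51.100.53"),
       Event(1.0, "query", 0x0042, 53002, "news.example", "203.0.113.7"),
       Event(1.02, "response", 0x0042, 53002, "news.example", "203.0.113.7"),
       # A harmless retransmitted duplicate: unmatched, but only once.
       Event(1.03, "response", 0x0042, 53002, "news.example", "203.0.113.7")]
)


def unmatched_responses(events):
    """Count, per queried name, responses that match no outstanding query."""
    outstanding = set()
    unmatched = Counter()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.txid, ev.port, ev.qname, ev.peer)
        if ev.kind == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)      # legitimate answer consumes the query
        else:
            unmatched[ev.qname] += 1      # wrong ID/port/peer, or already answered
    return unmatched


def poisoning_suspects(events, threshold=10):
    """Names whose unmatched-response count reaches the (assumed) threshold."""
    counts = unmatched_responses(events)
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for name in poisoning_suspects(EVENTS):
        print("possible cache-poisoning attempt against", name)
```
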

Safeguarding DNS Infrastructure with Secure Practices

In addition to specific techniques for detecting and mitigating DNS poisoning attacks, there are general best practices to safeguard DNS infrastructure. Consider the following security protocols.

  • Implement Access Controls: Restrict access to DNS servers by allowing only authorized personnel to make changes to DNS configurations. Enforce strong authentication measures, including two-factor authentication (2FA) or multi-factor authentication (MFA).
  • Regularly Patch and Update: Keep DNS servers and associated software up to date with the latest security patches and updates. Promptly address any known vulnerabilities to minimize the risk of exploitation.
  • Employ Network Segmentation: Separate DNS servers from other critical infrastructure by implementing network segmentation. This prevents unauthorized access or lateral movement in case of a security breach.
  • Backup and Recovery: Regularly backup DNS configurations and zone files. In the event of a DNS cache poisoning attack, having recent backups ensures quick recovery and reduces the impact on DNS services.
  • Continuous Staff Training: Provide ongoing training to IT staff and employees to educate them about DNS poisoning attacks, phishing techniques, and general cybersecurity practices. Encourage reporting of suspicious activities to facilitate early detection and response.  Consider SafeDNS cybersecurity awareness training to equip employees with the knowledge and skills needed to identify and respond to potential security risks.

Conclusion

DNS poisoning attacks pose a significant threat to online security, but with the right strategies and practices in place, organizations can detect and mitigate these attacks effectively. By implementing DNSSEC, monitoring DNS traffic, utilizing DNS firewalls, and practicing secure DNS infrastructure management, organizations can safeguard their online presence and protect sensitive information. Employing these techniques, along with regular security audits and staff training, will contribute to a robust defense against DNS poisoning attacks.


QR-Phishing (Quishing): A New Threat on the Rise

With the rapid advancement of technology, cybercriminals are constantly exploring new methods to deceive unsuspecting individuals. One such emerging threat is QR-phishing, also known as “quishing” or “QR code phishing”. This technique involves the use of phishing emails or messages containing QR codes that, when scanned, lead to malicious websites or scams. In this article, we will delve into what QR-phishing is, the dangers it poses, and how you can protect yourself against this growing threat.

Understanding QR-Phishing or QR Code Scams

QR-phishing leverages fraudulent QR codes as a medium to deceive victims. A QR code is a matrix barcode that can be scanned using a smartphone, another mobile device, or a dedicated scanner. It can contain various types of information, such as URLs, text, or contact details. In the context of phishing, cybercriminals embed QR codes within their fraudulent messages or emails, for example by disguising them as harmless links or promotions.

The Dangers of QR-Phishing

QR-phishing or QR code spoofing presents several dangers to individuals who unknowingly fall victim to the scam:

One of the significant hazards of QR-phishing is the potential for malware infections. Always treat QR codes as links. Scanning a QR code from a phishing email can trigger the download of malicious software onto your device. This malware can compromise your sensitive information, grant unauthorized access to your device, or even allow cybercriminals to control it remotely. The consequences can include data breaches, privacy violations, and financial losses.

Another danger is credential theft. QR-phishing attacks often employ deceptive techniques, such as creating fake login pages or forms that closely mimic legitimate websites. Victims may unwittingly enter their usernames, passwords, or other confidential details into these malicious portals. Cybercriminals can then capture this information and gain unauthorized access to their accounts. This can lead to identity theft, unauthorized transactions, and potential financial ruin.

Financial loss is a significant risk associated with QR-phishing. Scammers frequently redirect victims to a fake website or counterfeit banking or payment portals designed to look like genuine platforms. Unsuspecting individuals may unknowingly input their financial information, which can result in fraudulent transactions, unauthorized access to their accounts, and the exposure of sensitive data like credit card details. This can lead to substantial monetary losses and leave victims vulnerable to further financial exploitation.

Protecting Yourself Against QR-Phishing and QR Codes

Protecting yourself against QR-phishing can be challenging since traditional email protection systems may struggle to identify QR codes as malicious links. However, there are still proactive measures you can take to safeguard your online security:

1. Stay Informed: Educate yourself about QR-phishing and its potential risks. Understand that scanning a QR code can be as dangerous as clicking on a suspicious link. Exercise caution and avoid scanning QR codes from untrusted sources or unfamiliar emails.

2. Verify the Source: Be vigilant when receiving emails or messages containing QR codes. Verify the legitimacy of the sender and the content before taking any action. If you have doubts about the authenticity of the message, contact the organization or individual through verified channels to confirm the request.

3. Use Web Filtering: Employ a robust web filtering solution like SafeDNS to add an extra layer of protection. Web filters can help detect and block access to malicious websites associated with QR-phishing attacks, reducing the risk of unsuspecting users falling victim to such QR code scams.

4. QR Code Scanning Apps: Consider using reputable QR code scanning applications that offer security features. These apps can detect potentially malicious QR codes and provide warnings or block the user from accessing harmful websites.

What to Do If You Scan a Phishing QR Code

Despite your best efforts to stay vigilant, it’s still possible to fall prey to a phishing QR code. If you realize that you have scanned a QR code that leads to a malicious phishing website or suspect that you may have been a victim of QR-phishing, here are the steps you should take:

1. Disconnect from the Network: Immediately disconnect your device from the internet to prevent any further communication with the malicious website or potential malware. Disable Wi-Fi and cellular data connections to ensure that your device is offline.

2. Perform a Security Scan: Run a comprehensive security scan on your device using reputable antivirus or security software. This will help identify and remove any malware or suspicious files that may have been downloaded as a result of scanning the phishing QR code.

3. Change Your Passwords: Change the passwords for any accounts that you accessed or entered information into after scanning the QR code. Start with your email account, social media profiles, and online banking or financial accounts. Ensure that your new passwords are strong, unique, and not used for multiple accounts.

4. Enable Two-Factor Authentication: If you haven’t already done so, enable two-factor authentication (2FA) on your online accounts. 2FA adds an extra layer of security by requiring a verification code in addition to your password when logging in. This can help protect your accounts even if your login credentials have been compromised.

5. Monitor Your Accounts: Keep a close eye on your financial accounts, credit card statements, and any other accounts that may have been compromised. Look for any unauthorized transactions or suspicious activity. If you notice anything unusual, contact your financial institution or service provider immediately to report the incident.

Remember, it’s crucial to act swiftly if you realize that you have scanned a phishing QR code. Taking immediate steps to disconnect from the network, perform a security scan, change passwords, and report the incident can help minimize the potential damage and protect your online accounts and personal information.

Conclusion

As QR-phishing continues to evolve as a sophisticated cyber threat, it is crucial to remain vigilant and cautious when encountering QR codes, especially in emails or messages from unknown sources. By increasing your awareness of this technique and implementing proactive measures such as verifying sources and leveraging web filtering solutions, you can protect yourself from falling victim to QR code phishing attacks. Remember, your knowledge and carefulness are your best defenses against emerging threats in the digital landscape.


Unleashing Digital Resilience: Empowering Through Cybersecurity Awareness Training

In an increasingly interconnected world, where our digital lives intertwine with our personal and professional spheres, the importance of cybersecurity has never been more evident. The ever-growing landscape of cyber threats demands that we equip ourselves with the necessary knowledge and skills to safeguard our digital presence. This is where cybersecurity awareness training emerges as a powerful tool. In this blog post, we will delve into the transformative potential of cybersecurity awareness training and how SafeDNS is empowering individuals and organizations to unleash their digital resilience.

Why Cybersecurity Awareness Training Matters:

1. Embracing the Changing Threat Landscape:

As technology advances, so do the tactics employed by cybercriminals. Cybersecurity awareness training offers individuals and organizations an opportunity to stay ahead of the curve by staying informed about the latest threat landscape. By understanding emerging threats and attack vectors, participants can adapt their defenses and effectively mitigate potential risks.

2. Safeguarding Valuable Data Assets:

Data has become a currency of the digital age, making it a prime target for cybercriminals. Cybersecurity awareness training equips individuals with the tools to protect their personal and organizational data. By adopting best practices in areas like password hygiene, email security, and safe browsing habits, participants can safeguard their valuable information from unauthorized access or breaches.

3. Strengthening the Human Firewall:

While technological solutions play a crucial role in cybersecurity, human behavior remains a critical factor. Cybersecurity awareness training helps individuals develop a security-conscious mindset and empowers them to act as the first line of defense. By recognizing and avoiding social engineering techniques like phishing, individuals can prevent attackers from infiltrating their networks.

4. Fortifying the Digital Perimeter:

With the increasing prevalence of remote work and interconnected devices, the digital perimeter has expanded beyond traditional boundaries. Cybersecurity awareness training addresses challenges like securing Wi-Fi networks and managing Bring Your Own Device (BYOD) policies. By understanding and implementing best practices, individuals can establish robust defenses and minimize potential vulnerabilities.

SafeDNS: Empowering Digital Resilience:

SafeDNS understands the transformative impact of cybersecurity awareness training in today’s ever-evolving threat landscape. Our comprehensive training program empowers individuals and organizations to embrace their digital resilience. Covering critical areas such as password hygiene, email security, malware awareness, Wi-Fi security, BYOD security, and ongoing awareness and reporting, our training equips participants with actionable knowledge and practical strategies.

Through engaging modules, real-life examples, and interactive exercises, SafeDNS fosters a culture of continuous learning and preparedness. We emphasize the importance of staying informed about emerging threats and provide participants with the tools to adapt their defenses accordingly. Upon successful completion of the training, SafeDNS recognizes participants’ dedication and commitment with certificates of completion, enhancing their professional credentials.

Learn more about SafeDNS’s cybersecurity awareness training and start your journey towards a more secure digital future.

Embrace the power of cybersecurity awareness training with SafeDNS and unleash your digital resilience today!


Machine Learning Cybersecurity: Harnessing the Power of ML to Safeguard Against Threats

SafeDNS processes several billion requests every day, and our database is updated with new websites on a daily basis. By using DNS filtering, we make sure that even if a user clicks on a phishing link, they will be redirected to a blockpage instead of a malicious resource.

We strive to make our service reliable and high-quality. The SafeDNS machine learning department employs various machine learning algorithms to verify and categorize domains. To ensure stable and high-quality filtering, we employ different approaches and utilize our own and third-party databases.

In this article, we will discuss the basic methods of threat detection that allow us to handle the majority of cyber threats.

Detecting a domain that is not in our database with artificial intelligence

When you click on a link that is not in our database, our system launches a series of machine learning models for checks.

If we have not encountered the existing domain before, the user will be redirected to a blockpage and the domain itself will be “quarantined” until it is assigned a category. The page content is then scanned.

Based on this scan and a series of additional checks, the website is assigned a specific category. On the SafeDNS website, you can verify a link before clicking on it.

When the category is known, the system acts according to established rules, either blocking access or allowing the user to visit the website.

Parked Domains

A parked domain is a domain that is listed for sale. This means that the webpage associated with it either has minimal or no content because it is, for example, under development or will soon be transferred to another owner.

In addition to cross-checking other sources, the ML department monitors the NS (Name Server) addresses of most registrars. Parked domains are often gathered on separate NS servers, and we have the addresses of most of these servers. During domain analysis we look at where it is resolved, and if it is resolved to a dedicated NS server for parked domains, we assume it is a parked domain and assign it a corresponding category.

The threat posed by parked domains is that they can be acquired by malicious actors at any time and used to distribute malware or control botnets. Therefore, they should always be closely monitored.

Our algorithm regularly checks parked domains for content. If malicious content is detected on a website, it will immediately be categorized accordingly and blocked upon attempted access. The website can be assigned any other category based on its content.

Phishing

Phishing is a form of fraud in which a malicious actor attempts to obtain confidential information, such as login credentials or account data, by impersonating a reputable person or entity through email or other communication channels. According to Forbes, phishing is one of the most prevalent types of cybercrime, with over 500 million phishing attacks reported in 2022. For perspective, that’s over double the number of reported attacks in 2021.

The messages may appear similar to the ones you have received before. It could be an email from a bank, a ticket aggregator, or a notification from a social network. The message contains malware designed to infiltrate the user’s computer or a link to malicious websites to deceive and obtain account or credit card information.

Phishing is popular among attackers because it is easier to deceive someone into clicking on a malicious link that appears genuine than to try to breach computer security systems. Attackers disguise their messages to resemble content from various companies using logos and slightly altered phishing links that may differ from the original by just one letter. For example, “gogle.com” or “facebook.me.” Knowing that users may already be suspicious of such links, the malicious link may be embedded in a button, making the actual address invisible at first glance. However, in such cases the malicious resource will still be blocked. If you are reluctant to click on a link, you can copy the link address and verify it using our verification service.

Phishing links can be detected using AI and machine learning methods and natural language processing. The first step is to check for typosquatting.

There are known methods for creating phishing domain names that resemble legitimate ones but are actually different. This is called typosquatting. Typosquatting occurs when fraudsters intentionally use typos or similar characters to create domain names that look almost identical to the genuine ones.

Some typosquatting techniques include skipping, repeating, adding, or rearranging characters in the domain name. They may also substitute characters with visually similar but distinct characters or use characters located near each other on the keyboard.

To detect typosquatting-based phishing domain names, analysis of the web address and domain name is conducted. Specific patterns characteristic of fraudulent web addresses are sought. This approach allows for quick domain name checks without the need to load the content of the web page.

As a baseline method for detection, we use the Levenshtein distance. It is more likely for scammers to impersonate a domain associated with a well-known brand rather than a niche company, so as the comparison base we take the most popular domains, around a million in total. The Levenshtein distance is a metric that measures the absolute difference between two character sequences. It is defined as the minimum number of single-character operations required to transform one character sequence into another.

We establish a threshold value for this distance. Then, we analyze the incoming domain name by calculating the distance to the original names. The smaller the distance, the more similar the domains are, indicating a higher likelihood of phishing.

For example, the Levenshtein distance between Facebook.com and Facebok.com is 1. Compared with the original itself, it would be 0.
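The baseline check described above can be sketched as follows. This is an added example, not SafeDNS's implementation: the four-entry domain list stands in for the roughly one million popular domains, and the threshold of 2 is an assumed value.

```python
"""Typosquatting check: Levenshtein distance to a list of popular domains."""

# Constructed stand-in for the comparison base of popular domains.
POPULAR_DOMAINS = ["facebook.com", "google.com", "paypal.com", "wikipedia.org"]

# Assumed threshold: names within this many edits of a popular domain are flagged.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a                      # keep the rows as short as possible
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # delete ca
                               current[j - 1] + 1,       # insert cb
                               previous[j - 1] + cost))  # substitute or keep
        previous = current
    return previous[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    domain = domain.strip().lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain


def closest_popular(domain, popular=POPULAR_DOMAINS):
    """Return (nearest popular domain, distance to it)."""
    name = normalize(domain)
    return min(((p, levenshtein(name, p)) for p in popular), key=lambda x: x[1])


def is_typosquat_candidate(domain, popular=POPULAR_DOMAINS,
                           max_distance=MAX_DISTANCE):
    """True when the name is close to, but not identical to, a popular domain.

    Distance 0 is the genuine domain itself and is never flagged.
    """
    _, distance = closest_popular(domain, popular)
    return 0 < distance <= max_distance


if __name__ == "__main__":
    for d in ["Facebok.com", "facebook.com", "gogle.com", "facebook.me",
              "example.org"]:
        target, dist = closest_popular(d)
        print(f"{d:14} nearest={target:14} distance={dist} "
              f"flag={is_typosquat_candidate(d)}")
```

With these assumed values "facebook.me" scores a distance of 3 and is not flagged, which shows why a distance threshold alone is only a first stage and further indicators are checked afterwards.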

The second stage involves checking other indicators such as domain age, external sources, content analysis, and more. When a combination of factors suggests the site is a phishing one, it is categorized accordingly, and the user will see a blockpage when attempting to access it. Knowing that a specific domain name belongs to the phishing category, all pages of that site will also be blocked.

Ransomware

Ransomware (or a ransomware program) is a type of malware that prevents or restricts users’ access to their system by either blocking the system screen or blocking users’ files until a ransom is paid. As in the case of phishing, when using our service, the user will not be able to click on the link where the ransomware program is located if this site is in our categorization database. It should be noted that attacks using ransomware can be large-scale. If the company and ransom amount are big, the attackers will carefully prepare for the attack, taking into account the specifics of the security systems of said company. This is why we strongly recommend applying a set of cybersecurity measures and regularly conducting training with employees.

We need to mention that the volume of ransomware attacks dropped 23% in 2022 compared to the previous year. However, the nature of the attacks has changed and they have become more effective.

Botnets

A botnet is a network of compromised computers infected with malicious software. Cybercriminals use botnet networks consisting of a large number of devices for various malicious activities without the users’ knowledge.

Here’s how our system works in dealing with botnets:

  • We analyze user traffic and look for requests to known botnets.
  • If connections to command-and-control servers or infected nodes are detected, we consider the traffic from that user/device suspicious.
  • We identify unknown domains in the traffic, which also fall under suspicion by default.
  • The remaining domains are categorized as botnets, and attempts to access such websites are blocked.

In addition, SafeDNS monitors the volume of requests from users. If we observe sudden spikes in network traffic, network administrators will receive notifications about suspicious traffic growth.

In Q1 2023, attacks witnessed a significant 47% surge compared to the same period in the previous year. This rise was accompanied by a shift towards botnet utilization and an increasing prevalence of smokescreening techniques to conceal multi-vector incidents. Notably, the use of attacks as decoys rose by 28% in comparison to Q1 2022.

DGA

DGA stands for Domain Generation Algorithms. These are algorithms found in various families of malicious software that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers.

SafeDNS also tracks this category. The detection process is somewhat similar to typosquatting detection. We analyze the domain name by breaking it down into n-grams and compare how closely they match the pool of n-grams from known valid and “white” sites. We also use a range of other parameters for verification. In all cases, the age of the domain plays an important role in our assessment and trust in it.

In this category, there is a risk of blocking technical domains because their names are often generated randomly. To avoid this situation, we additionally check the content on the page before assigning it to a specific category. The age of the created domain is also taken into account. The younger it is, the higher the likelihood that it is a DGA-generated domain.
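The n-gram comparison and the role of domain age can be illustrated as follows. This is an added example, not SafeDNS code: the `KNOWN_GOOD` pool, the trigram size and both cut-offs are assumptions, and the input is assumed to be a registrable domain without subdomains.

```python
# Added illustration; not SafeDNS code. KNOWN_GOOD is a constructed stand-in for
# the pool of valid ("white") sites; N and both cut-offs are assumed values.
KNOWN_GOOD = ["facebook", "google", "microsoft", "wikipedia", "amazon",
              "youtube", "linkedin", "instagram", "netflix", "booking",
              "dropbox", "weather", "bookstore", "facetime", "mailbox"]
N = 3
MIN_OVERLAP = 0.3   # below this share of known n-grams the name looks generated
YOUNG_DAYS = 30     # domains younger than this get no benefit of the doubt


def ngrams(label, n=N):
    """Sliding-window character n-grams of one DNS label."""
    return [label[i:i + n] for i in range(len(label) - n + 1)]


POOL = {g for name in KNOWN_GOOD for g in ngrams(name)}


def overlap(domain):
    """Share of the leftmost label's n-grams that occur in the known-good pool."""
    label = domain.lower().rstrip(".").split(".")[0]
    grams = ngrams(label)
    if not grams:
        return 1.0  # too short to judge; do not flag on this signal alone
    return sum(g in POOL for g in grams) / len(grams)


def classify(domain, age_days):
    """Combine the n-gram score with domain age, as the text describes."""
    if overlap(domain) >= MIN_OVERLAP:
        return "ok"
    # Random-looking name: a young domain is flagged, an old one is sent for a
    # content check so long-lived technical domains are not blocked outright.
    return "suspected_dga" if age_days < YOUNG_DAYS else "needs_content_check"
```

With a pool this small many legitimate names would score low; the point is the shape of the check, in which the score only nominates a domain and age and content decide the category.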

Cryptojacking

Cryptojacking is a type of cybercrime where a criminal secretly uses a victim’s computing power to generate cryptocurrency. Over the past years, there has been a sharp increase in cryptojacking cases. In the SonicWall Cyber Threat Report for 2023, researchers from SonicWall Capture Labs reported a 43% increase in cryptojacking attempts compared to the previous year, 2022.

Cryptojacking can remain unnoticed for a long time, as it often targets IoT devices, many of which are easily compromised due to the use of unprotected public networks.

If traffic to cryptojacking-related domains is detected, such traffic is blocked, and all unfamiliar domains are added to the database for verification.

Conclusion

All the threats described above as a rule exhibit fairly typical patterns of cyber attacks. For more targeted threats, we have the Passive DNS service, which helps cybersecurity specialists draw conclusions about potential threats.

We store and gather a history of domain changes, as well as the information about the IP address a particular domain belongs to, along with other relevant information. Based on this, we establish connections between nodes in the global network.

When a new domain enters our database, we compare its registered IP address, connections, and patterns with those in our database. If we see that the IP address has already been compromised (associated with or previously owned malicious domains), all other domains from that IP will be added to the “suspicious” website database and checked for malicious content.
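The IP-history comparison described above, as an added example that is not SafeDNS code. The records are constructed (RFC 5737 addresses and `.example` names), and the record layout and function name are assumptions.

```python
# Added illustration; not SafeDNS code. All records below are constructed.
PDNS = [  # (domain, A-record IP, first_seen, last_seen)
    ("shop.example",       "192.0.2.10",   "2021-03-01", "2023-06-01"),
    ("login-bank.example", "198.51.100.7", "2023-01-10", "2023-02-02"),
    ("cdn-files.example",  "198.51.100.7", "2023-02-20", "2023-06-01"),
    ("blog.example",       "198.51.100.7", "2022-11-05", "2023-06-01"),
]
KNOWN_MALICIOUS = {"login-bank.example"}


def triage_new_domain(domain, ip, records=PDNS, malicious=KNOWN_MALICIOUS):
    """Check a new domain's IP against passive DNS history.

    Returns whether the IP has hosted known-malicious names, the evidence
    (name and date last seen on that IP), and the domains to queue as
    suspicious for a malicious-content check.
    """
    # Every name ever observed on this IP, with the date it was last seen there.
    seen = {d: last for d, rec_ip, _first, last in records if rec_ip == ip}
    evidence = sorted((d, last) for d, last in seen.items() if d in malicious)
    if not evidence:
        return {"ip_compromised": False, "evidence": [], "suspicious": []}
    # The newcomer and every other name on the IP are queued for checking;
    # names already categorized as malicious need no second look.
    queue = sorted((set(seen) | {domain}) - malicious)
    return {"ip_compromised": True, "evidence": evidence, "suspicious": queue}
```

Keeping the `last_seen` date in the evidence lets an analyst weigh how recent the malicious use was, which matters on shared hosting where an address changes tenants.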

Passive DNS historical data also enables security teams to identify patterns of malicious activity, detect phishing attacks, and other targeted threats.

Passive DNS helps identify patterns and enables predictive analysis for attack detection. At first glance, you can discover useful information about a domain. For example, you can view the date of the A record modification and identify changes in the A record.

The domain database is enriched from several dozen external sources, with cross-checks of data. The database is also replenished from daily user traffic. We constantly seek new sources of information in the field of child protection and cybersecurity and actively collaborate with data scientists, government regulators, safe internet associations, and technology companies.

It is worth mentioning that we actively collaborate with government organizations in the field of child protection. We implement lists from IWF (UK), BPjM (Germany), Arachnid (Canada), CTIRU, as well as data from over 100 private and government organizations. We help companies comply with legal requirements and regulations.

The use of DNS filtering is recommended by CISA. It serves as a first, effective layer of protection for your company’s network against malicious resources. Using DNS filtering in addition to other cybersecurity solutions significantly reduces the risks of data leaks and cyberattacks.


About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.
