Phishing is unfortunately embedded in the day-to-day security challenges of every organization across the world. Why? Because a staggering 90% of data breaches begin with a phishing email. This is not surprising, as research by the Swedish Defence Research Agency shows 24% of users will click on a phishing email link and 21% will then enter their passwords into spoof sites. It only takes a single individual to spark a major ransomware attack or initiate a data theft event. Phishing is highly successful and will continue to be the weapon of choice of the cybercriminal. An effective way to fight back against phishing is to implement a DNS filter and break the phishing cycle.
What is a DNS (Domain Name System)?
People need a human-readable link (URL) to help remember a website. However, the internet needs URLs to be machine-readable. DNS is used to match a website domain name to an IP address so that web content can be delivered to a browser; for example, if you look up the IP address of TitanHQ you will see several IP addresses, one of which is 52.222.137.93. Multiple IP addresses reflect the highly distributed architecture of DNS servers, used to remove any single point of failure.
Several steps are involved in matching a URL to an IP address. This stepwise process is essential to allow the content of a website to load in a user’s browser; a DNS filter leverages this process to prevent employees and other users from reaching malicious websites.
The Scourge of Phishing Websites
The spoof (or phishing) websites that facilitate the theft of login credentials and/or installation of malware are widespread. In Q1 2021, there were almost 612,000 phishing websites detected, slightly down from the 637,000 spoof sites of the previous quarter. Research shows that in 2020, Google registered over 2 million phishing websites. There are consistently many hundreds of thousands of spoof websites waiting to steal credentials and infect networks. Many phishing campaigns rely on a user clicking on a malicious link in a phishing email that then takes them to a website. These phishing websites are extremely dangerous and use a variety of mechanisms to install malware or steal data (including login credentials). The phishing website is, therefore, a source of many cybersecurity attacks; preventing employees and others from accessing these sites can significantly de-risk a company.
How does a DNS Filter Break the Phishing Cycle?
According to the Verizon Data Breach Investigation Report, cyber-attacks are often financially motivated. It is this thirst for cash that motivates cybercriminals to become increasingly devious in their phishing endeavors. Phishing is now a complex cycle that increasingly involves intelligence gathering on a target organization and its staff to help design believable phishing campaigns that typically involve spear-phishing emails and branded websites. These emails are used as bait to push targeted employees to click links that go to phishing websites; the result is data theft, ransomware infection, or a similar damaging cyber-attack. This cycle of phishing emails, the urge to click, and malicious websites must be broken to stop a cyber-attack.
A DNS filter is used to prevent an employee from navigating to a malicious website, thus breaking the phishing cycle. DNS filters work by creating a ‘blocklist’ of URLs. Any employee trying to navigate to a blocklisted address, for example, by clicking on a malicious link in a phishing email, is prevented from doing so. DNS filtering can also be used on a per-device basis, for example, applying filtering policies to education sector Chromebook users. This granularity of control makes some DNS filters more appropriate for enterprise use, where certain employee roles are targeted by spear-phishing campaigns.
AI-powered DNS Filter
Deciding which URLs to add to a blocklist could potentially make the use of a DNS filter complicated and less effective, as new phishing URLs are registered. However, advanced systems such as WebTitan DNS Filter use hundreds of millions of end-users as a source to generate a “threat corpora”, used to train human-supervised Machine Learning algorithms. This AI-powered DNS Filter helps to create active lists of dangerous URLs, including emerging URLs that have not been added to known phishing blacklists.
What Threats does a DNS Filter Prevent?
By breaking the cycle of phishing, a DNS filter can prevent a series of phishing-related threats:
Malicious URL access: malicious URLs are blocked by a DNS Filter and become no-go zones.
Zero days (0-day threat): a 0-day threat has not yet been identified and has no traditional anti-virus signatures available to prevent its exploitation. By scanning the internet continuously, an AI-powered DNS Filter can block newly registered domains and zero-day threats in real time.
Spear-phishing campaigns: cybercriminals are increasingly turning to spear-phishing campaigns to carry out complex cyber-attacks, including Business Email Compromise (BEC). A DNS Filter will cut the cyber-attack off at the source by preventing anyone clicking on a malicious link from continuing to propagate the attack.
Mistyped URLs (typosquatting/URL hijacking): cybercriminals exploit common typos by buying up domain names that resemble well-known websites or the target company’s web address. If a person then mistypes that URL, the person will be taken to a phishing website. A dynamic DNS Filter will check typed URLs against a database of known typos and threat patterns to prevent this exploit.
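The blocklist lookup, per-device policy, and typo check described above can be sketched as a single decision function. This is an added example, not WebTitan's or any vendor's implementation; every domain, the device group name, and the edit-distance threshold of 1 are constructed assumptions.

```python
# Added example: a DNS-filter policy decision applied to each query name.
# All entries below are constructed for illustration.
BLOCKLIST = {"login-portal.example", "malware-cdn.test"}   # known-bad domains
PROTECTED = {"titanhq.com", "google.com"}                  # brands guarded against typos
GROUP_BLOCKS = {"chromebook-students": {"games.example"}}  # hypothetical per-device policy


def normalize(qname):
    """Lower-case the query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def parents(name):
    """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name):
    """Last two labels only; a production filter would use the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def decide(qname, device_group=None):
    """Return (action, reason) for one DNS query from a device in device_group."""
    name = normalize(qname)
    blocked = BLOCKLIST | GROUP_BLOCKS.get(device_group, set())
    for candidate in parents(name):          # subdomains of a blocked domain are blocked too
        if candidate in blocked:
            return ("block", "blocklist:" + candidate)
    base = registrable(name)
    if base not in PROTECTED:                # the genuine brand domain is never a typo of itself
        for brand in PROTECTED:
            if edit_distance(base, brand) <= 1:
                return ("block", "typosquat:" + brand)
    return ("allow", "no-match")
```

Matching on parent domains after normalization matters: without it, a change of case, a trailing dot, or an extra subdomain label would slip past an exact-match blocklist.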
Filter out the Cybercriminal
The phishing cycle must be broken to change the dynamics of cybercrime and fraud. One of the best ways to achieve this is to snip the link and remove access to the phishing website. A DNS filter does this instantly, cleanly, and effectively, making sure that malicious websites become no-go zones.