DNS Security for Singapore Businesses: The Hidden Threat Hiding in Your Domain Settings

In 2024, a Singapore-based logistics company lost approximately S$2.3 million over a single weekend. The attack did not involve sophisticated zero-day exploits, complex malware, or an advanced persistent threat group. It started with a forgotten account on a domain registrar that had never been configured with multi-factor authentication. The attacker used credential stuffing — the same email address and password reused across multiple services — to access the domain control panel, updated the DNS A record for the company's primary domain to point to a server under the attacker's control, and harvested login credentials from a fake Microsoft 365 login page hosted there. By the time the IT team noticed the discrepancy in traffic patterns, the damage was done.

DNS hijacking — the manipulation of domain name system records to redirect traffic away from its intended destination — is one of the most effective and underappreciated attack techniques targeting Singapore businesses. It is not new. It is not exotic. And yet we continue to see it succeed against organisations that believe their domain security is someone else's problem, or that their registrar's default settings are sufficient. They are not.

Why DNS Security Deserves Explicit Attention in Singapore

The Domain Name System is the directory that translates human-readable domain names into IP addresses that computers can route. Every email delivery, every web browsing session, every API call to a cloud service begins with a DNS query. If an attacker controls your DNS records, they control where that traffic goes — and your users, customers, and employees have no reliable way to know the difference.

Singapore's digital economy creates specific DNS risk exposure. The .sg domain registry, administered by the Singapore Network Information Centre (SGNIC), requires registration through accredited registrars. Many Singapore businesses register their primary domains through one of these registrars and then delegate DNS hosting to a third-party provider — a common pattern that splits ownership of the domain between two providers and creates multiple points of failure if either is compromised. The proliferation of cloud services, single-page applications, and third-party email platforms means that Singapore organisations now manage DNS across multiple providers simultaneously: cloud DNS for AWS Route 53 or Azure DNS, SaaS platform DNS for Salesforce or HubSpot, and registrar-level DNS for the primary domain. The attack surface grows with every new service.

Singapore's threat landscape also includes attack motivations specific to the region: financially motivated cybercrime groups targeting Singapore banking credentials, state-linked actors conducting espionage operations against technology and defence sectors, and ransomware operators who use DNS manipulation as a pre-ransomware step to disrupt recovery communications. DNS is a high-value, low-complexity target.

The Four DNS Attack Techniques We See Against Singapore Organisations

1. Registrar Account Compromise

The most common DNS hijacking vector is the registrar account itself. Registrars hold the authoritative control point for your domain — if an attacker gains access to your registrar panel, they can update nameservers, modify A records, CNAMEs, and MX records, and transfer the domain to a different registrant entirely. Registrar accounts are frequently protected with nothing more than an email address and password — the same credential that has been exposed in dozens of major data breaches and is readily available in breach dumps. Two-factor authentication on registrar accounts is not universally enforced by all SGNIC-accredited registrars, and many Singapore businesses simply never activate it.

2. DNS Zone Manipulation and Cache Poisoning

DNS cache poisoning — also known as DNS spoofing — involves corrupting the caches of recursive DNS resolvers to redirect traffic from legitimate servers to malicious ones. This technique has been known since the early 2000s, but modern variants exploiting DNS protocol vulnerabilities continue to appear. In Singapore's environment, where many enterprises rely on their ISP's recursive DNS servers or corporate DNS infrastructure that may not receive timely security patches, the risk of cache poisoning is persistent. The result is that even if your own DNS configuration is secure, your users may be silently redirected to malicious servers when resolving your domain.

3. Subdomain Takeover

When an organisation decommissions a cloud service, a web application, or a trial SaaS instance but fails to remove the associated DNS CNAME record, that subdomain becomes a dangling pointer — pointing to a resource that no longer exists under the organisation's control. Attackers actively scan for these dangling DNS records and claim the abandoned cloud resources before the legitimate organisation can. The result is a subdomain takeover: the attacker's server is now authoritative for a subdomain of your domain. They can use it to issue SSL certificates, host phishing pages on your branded domain, and send emails that appear to come from your organisation. We have found subdomain takeovers in the DNS configurations of multiple Singapore organisations during external attack surface assessments — and the organisations were not aware.
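The audit that catches this condition in your own zone can be sketched as follows. This is an added example, not code from the original article: the zone export, provider hostnames and service inventory are constructed, and it assumes a simple export in which every line carries its owner name.

```python
# Added example. All names and records below are constructed sample data.
ZONE_EXPORT = """\
$ORIGIN example.sg.
www        300 IN CNAME  example-prod.cdn-provider.example.
shop       300 IN CNAME  example-shop.saas-provider.example.
promo2023  300 IN CNAME  example-promo.hosting-provider.example.
trial      300 IN CNAME  promo2023
intranet   300 IN CNAME  gateway
gateway    300 IN A      192.0.2.10
"""
# External resources the organisation has confirmed it still operates.
ACTIVE_TARGETS = {"example-prod.cdn-provider.example",
                  "example-shop.saas-provider.example"}

def fqdn(name, origin):
    """Absolute if the name ends in '.', otherwise relative to $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_zone(zone_text):
    """Return ({cname_owner: target}, {owners of other record types})."""
    origin, cnames, others = "", {}, set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower().rstrip(".")
        elif "CNAME" in (f.upper() for f in fields[1:-1]):
            cnames[fqdn(fields[0], origin)] = fqdn(fields[-1], origin)
        else:
            others.add(fqdn(fields[0], origin))
    return cnames, others

def find_dangling(zone_text, active_targets):
    """List (owner, final_target) for CNAMEs ending outside zone and inventory."""
    cnames, others = parse_zone(zone_text)
    findings = []
    for owner in sorted(cnames):
        target, seen = cnames[owner], {owner}
        while target in cnames and target not in seen:   # follow in-zone chains
            seen.add(target)
            target = cnames[target]
        if target not in active_targets and target not in others:
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE_EXPORT, ACTIVE_TARGETS):
        print(f"REVIEW {owner} -> {target}: target not in service inventory")
```

Each finding is a record to either remove or re-add to the inventory once the underlying resource is confirmed to be under your control.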

4. MX Record Manipulation for Email Interception

Email remains the primary business communication channel for Singapore enterprises. Manipulation of MX records — the DNS records that specify which mail servers handle email delivery for your domain — allows an attacker to route all incoming email to a server they control. With access to the redirected email stream, they can harvest password reset links, intercept sensitive communications, conduct business email compromise operations, or simply monitor the organisation's external correspondence. This attack is particularly dangerous because it can persist for long periods without detection — the attacker does not need to break into any corporate system, they simply sit between your organisation and the rest of the world.

PDPA Implication: Under Singapore's Personal Data Protection Act, a DNS hijacking incident that results in unauthorised access to personal data — particularly if email is being redirected — may constitute a mandatory breach notification event. The PDPA requires notification to the Personal Data Protection Commission within three calendar days of becoming aware of a breach. Organisations that are unsure whether a DNS manipulation event has exposed personal data should treat the incident as a potential breach and engage legal and technical response immediately.

A Practical DNS Security Checklist for Singapore Businesses

DNS security is not a single configuration — it is a set of practices applied consistently across all DNS providers, registrars, and hosting platforms that your organisation uses.

  1. Enable registrar lock and DNSSEC on your primary domain. Registrar lock prevents unauthorised transfers. DNSSEC digitally signs your DNS records, allowing resolvers to verify their authenticity. Verify your domain's DNSSEC status through your registrar and ensure that DS records are properly configured in the parent zone.
  2. Activate two-factor authentication on all registrar and DNS hosting accounts. This is the single highest-impact change for most Singapore organisations. If your registrar does not support MFA, consider migrating to one that does — SGNIC-accredited registrars that support MFA include those with modern control panels.
  3. Audit all active DNS records across all providers. Map every DNS record for every domain you control — including subdomains, delegations, and MX records — against the services you actually operate. Remove any records pointing to decommissioned or abandoned resources. This is the most reliable defence against subdomain takeovers.
  4. Monitor your DNS records for unauthorised changes. Deploy DNS monitoring that alerts on any changes to your DNS records — new records, modified records, or changes to nameservers. Several DNS security platforms (including EasonDNS, NXNS, and CrowdSec) offer monitoring and change detection as part of their DNS security packages. This is the fastest way to detect a DNS hijack in progress.
  5. Verify TLS certificate issuance for your domains. The Certificate Authority Authorization (CAA) record in your DNS zone specifies which certificate authorities are permitted to issue TLS certificates for your domain. By configuring CAA records, you prevent attackers from obtaining fraudulent certificates for your domain even if they manage to control a subdomain.
  6. Separate your DNS management accounts from operational email. The account recovery email for your registrar should not be an internal corporate address that could be compromised through the same attack path. Use a dedicated, externally-hosted email address that is not connected to your corporate identity for registrar account recovery — and protect that account with MFA.
  7. Review delegated DNS zones and third-party integrations. If you have delegated DNS zones to a third party — a cloud provider, a SaaS platform, or a managed service provider — audit those delegations annually. Confirm that the third party has appropriate access controls and that you retain the ability to audit and revoke those delegations.
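The change detection described in item 4 comes down to comparing a trusted baseline of your records against what is published now. The following is an added example, not part of the original article or any vendor's product: both snapshots are constructed, and the HIGH/INFO split by record type is an assumption to tune for your environment.

```python
# Added example. Snapshots are constructed; in practice they would come from
# your DNS provider's export taken at two points in time.
BASELINE = """\
example.sg.      NS    ns1.dns-host.example.
example.sg.      NS    ns2.dns-host.example.
example.sg.      A     192.0.2.10
example.sg.      MX    10 mail.example.sg.
example.sg.      CAA   0 issue "ca.example"
www.example.sg.  CNAME example-prod.cdn-provider.example.
"""
CURRENT = """\
example.sg.      NS    ns1.dns-host.example.
example.sg.      NS    ns2.dns-host.example.
example.sg.      A     203.0.113.66
example.sg.      MX    10 mail.example.sg.
example.sg.      MX    5 mx.unknown-host.example.
example.sg.      TXT   "site-verification=constructed"
www.example.sg.  CNAME example-prod.cdn-provider.example.
"""
# Assumption: types whose change redirects traffic, mail or certificate issuance.
HIGH_RISK = {"NS", "A", "AAAA", "CNAME", "MX", "CAA", "DS"}

def rrsets(snapshot):
    """Group 'name type rdata' lines into {(name, type): {rdata, ...}}."""
    sets = {}
    for line in snapshot.splitlines():
        if line.strip():
            name, rtype, rdata = line.split(None, 2)
            key = (name.lower().rstrip("."), rtype.upper())
            sets.setdefault(key, set()).add(" ".join(rdata.split()))
    return sets

def diff_records(baseline, current):
    """Return alerts as (severity, name, type, removed, added), sorted by name/type."""
    old, new = rrsets(baseline), rrsets(current)
    alerts = []
    for key in sorted(old.keys() | new.keys()):
        removed = sorted(old.get(key, set()) - new.get(key, set()))
        added = sorted(new.get(key, set()) - old.get(key, set()))
        if removed or added:
            severity = "HIGH" if key[1] in HIGH_RISK else "INFO"
            alerts.append((severity, key[0], key[1], removed, added))
    return alerts

if __name__ == "__main__":
    for sev, name, rtype, removed, added in diff_records(BASELINE, CURRENT):
        print(f"[{sev}] {name} {rtype}: removed={removed} added={added}")
```

On the sample data it flags the changed A record, the added MX host and the removed CAA record as HIGH, which are the changes the attack techniques above rely on.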

Find the DNS Gaps Before an Attacker Does

DNS security gaps are easy to overlook and dangerous to leave unaddressed. Infinite Cybersecurity offers DNS security assessments for Singapore organisations that map your entire DNS infrastructure, identify misconfigurations, subdomain takeovers, and registrar vulnerabilities, and provide a prioritised remediation roadmap. We also offer continuous DNS monitoring to alert on any unauthorised changes to your DNS records.


DNS Security Is a Shared Responsibility

The attack against the Singapore logistics company described at the start of this article was not sophisticated. The attacker used a credential exposed in a data breach. They logged into an account without MFA. They updated a DNS record. They waited. They harvested credentials from a convincing-looking Microsoft 365 login page. Every step was opportunistic — and entirely preventable.

The organisations that detect and recover from DNS-based attacks fastest are not the ones with the most advanced security tooling. They are the ones with DNS monitoring that detects record changes within minutes, with registrar accounts protected by MFA, and with an accurate, audited inventory of every DNS record they control. Start there. The next DNS hijacking campaign targeting Singapore businesses is already scanning for the domains that have not taken these steps.