Landon Technologies

DNS Malware Is Back in the Headlines — What SMBs Need to Know

A newly reported campaign nicknamed “Detour Dog” quietly compromised more than 30,000 websites by abusing Domain Name System (DNS) logic to redirect visitors and deliver malware, including the Strela info-stealer. Below we break down what happened, why it matters for small and medium-sized businesses, and the practical steps to protect your organization.


What happened

Researchers observed attackers tampering with website infrastructure and server-side DNS behavior so that the website made special DNS queries and, in certain conditions, redirected visitors to malicious content. Because these look like normal DNS operations and occur on the server side, the activity is easy to miss during routine scans.

Why this attack is so sneaky

  • DNS-level control: Malicious instructions were delivered through DNS (including TXT responses), letting attackers steer traffic or fetch code without obvious on-page clues.
  • Conditional delivery: Redirects only trigger for certain geos/devices/IPs, keeping the campaign low-noise and hard to reproduce.
  • Long dwell time: Without targeted DNS and web telemetry, DNS-layer manipulation can persist for months.

What Strela Stealer actually steals

Strela is an “infostealer” that focuses on harvesting email credentials—notably from Microsoft Outlook and Mozilla Thunderbird—and increasingly from browsers and other sources. Stolen logins fuel Business Email Compromise (BEC), payroll fraud, cloud takeovers, or can be sold for further intrusions.

How to check if you’re affected

  1. Audit DNS and registrar access: Review A/CNAME/TXT records, recent changes, API tokens, and user roles. Turn on change logging.
  2. Inspect redirects: Check server configs, reverse proxies, .htaccess, CMS settings, and any plugin/module that can alter redirects.
  3. Hunt in logs: Look for unusual referrers, user-agent spikes, or geo-specific anomalies in WAF/CDN and web logs.
  4. Sweep endpoints: Run EDR/AV hunts for infostealers, browser credential dumpers, and persistence mechanisms on admin workstations and web servers.
  5. Rotate credentials + enforce MFA: Email, registrar/DNS, CMS, hosting, and critical SaaS. Assume saved credentials may be exposed.
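For step 3, one way to surface conditional delivery in CDN/WAF logs is to look for paths that return a normal page to some visitors but redirect others to a different host. This is an added example, not code from the original article; the JSON field names (`country`, `path`, `status`, `location`), the hostnames, and the sample lines are constructed assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumption: the site's own hostname

# Constructed sample CDN/WAF log lines (JSON, one request per line).
SAMPLE_LOG = """\
{"country":"US","path":"/","status":200,"location":""}
{"country":"US","path":"/","status":200,"location":""}
{"country":"DE","path":"/","status":302,"location":"https://cdn-check.example.net/v"}
{"country":"DE","path":"/","status":302,"location":"https://cdn-check.example.net/v"}
{"country":"US","path":"/old","status":301,"location":"https://www.example.com/new"}
{"country":"DE","path":"/old","status":301,"location":"/new"}
"""

def conditional_redirects(log_text, site_host=SITE_HOST):
    """Return paths that serve 2xx to some clients but redirect others off-site."""
    ok_countries = defaultdict(set)                   # path -> countries served 2xx
    offsite = defaultdict(lambda: defaultdict(set))   # path -> host -> countries
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        status, path = int(rec["status"]), rec["path"]
        if 200 <= status < 300:
            ok_countries[path].add(rec["country"])
        elif 300 <= status < 400:
            host = urlsplit(rec.get("location", "")).hostname
            # Relative Location values (host is None) and same-host
            # redirects are ordinary site behaviour, so skip them.
            if host and host != site_host:
                offsite[path][host].add(rec["country"])
    findings = []
    for path, hosts in sorted(offsite.items()):
        for host, countries in sorted(hosts.items()):
            # Flag only when the same path is also served normally to others.
            if ok_countries[path]:
                findings.append({"path": path, "redirect_host": host,
                                 "redirected": sorted(countries),
                                 "served_normally": sorted(ok_countries[path])})
    return findings

if __name__ == "__main__":
    for finding in conditional_redirects(SAMPLE_LOG):
        print(finding)
```

The same grouping works with device class or client network in place of `country` when your logs carry those fields.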

Preventive steps we recommend

1) Lock down your domain & DNS

  • Enable MFA at your registrar/DNS provider; restrict roles and rotate API tokens.
  • Set up change alerts for DNS edits and retain logs.
  • Use protective DNS that inspects queries and blocks known-bad destinations.
  • Consider DNSSEC to improve record integrity (not a silver bullet).

2) Harden your website & endpoints

  • Patch CMS, plugins, and themes; remove abandoned components.
  • Deploy a WAF/CDN with bot management and OWASP rules.
  • Run EDR on all workstations/servers; block credential dumping and suspicious browser injections.
  • Apply least-privilege on web hosts; separate admin/publisher roles; enforce SSO/MFA.

3) Add monitoring for changes & anomalies

  • Continuously monitor DNS for drift; alert on unexpected TXT/redirect patterns.
  • Enable UEBA/SIEM detections for mass email-rule changes, repeated failed logins, and unusual data egress.
  • Back up site code/configs; test restores and keep periodic offline copies.
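A minimal sketch of DNS drift monitoring: compare a saved baseline of the zone against a fresh export and alert on changed traffic-steering records and unrecognised TXT records. This is an added example, not code from the original article; the "name type value" snapshot format, the record names, and the sample values are constructed assumptions.

```python
import shlex

# TXT values starting with these are routine mail-auth records (SPF/DKIM/DMARC).
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")
STEERING_TYPES = {"A", "AAAA", "CNAME", "NS"}  # record types that move traffic

# Constructed snapshots in "name type value" form (e.g. a provider export).
BASELINE = '''
example.com. A 192.0.2.10
www.example.com. CNAME example.com.
example.com. TXT "v=spf1 include:_spf.example.net -all"
'''
CURRENT = '''
example.com. A 192.0.2.10
www.example.com. CNAME edge.example.org.
example.com. TXT "v=spf1 include:_spf.example.net -all"
cfg.example.com. TXT "constructed-sample-value-0001"
'''

def parse_snapshot(text):
    """Parse 'name type value' lines into a set of (name, type, value)."""
    records = set()
    for line in text.splitlines():
        parts = shlex.split(line)  # keeps a quoted TXT value as one token
        if len(parts) >= 3:
            name, rtype = parts[0].lower(), parts[1].upper()
            records.add((name, rtype, " ".join(parts[2:])))
    return records

def dns_drift(baseline_text, current_text):
    """Return alerts for records added to or removed from the baseline."""
    old, new = parse_snapshot(baseline_text), parse_snapshot(current_text)
    alerts = []
    for name, rtype, value in sorted(new - old):
        if rtype in STEERING_TYPES:
            reason = "traffic-steering record added or changed"
        elif rtype == "TXT" and not value.startswith(KNOWN_TXT_PREFIXES):
            reason = "unrecognised TXT record"
        else:
            reason = "new record"
        alerts.append(("added", name, rtype, value, reason))
    for name, rtype, value in sorted(old - new):
        alerts.append(("removed", name, rtype, value, "record no longer published"))
    return alerts

if __name__ == "__main__":
    for alert in dns_drift(BASELINE, CURRENT):
        print(alert)
```

Update the baseline only after an approved change, so every alert maps to either a change ticket or something to investigate.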

If you suspect compromise: 5 immediate steps

  1. Freeze DNS changes and rotate registrar/DNS credentials and API tokens.
  2. Remove malicious records, redirects, or injected code; redeploy clean artifacts.
  3. Force credential resets (email, CMS, hosting, SaaS) and enforce MFA.
  4. Re-baseline endpoints involved in admin work or site maintenance; image if needed and rescan.
  5. Notify impacted users if credentials or personal data may be exposed; involve legal/compliance as required.

How Landon Technologies can help

We offer a rapid DNS & Website Integrity Check for SMBs: registrar/DNS hardening, DNS drift review, CMS/plugin audit, WAF/EDR validation, and continuous monitoring options. Need help now? Schedule a quick consult or call us.


FAQ

Does DNSSEC stop this?

DNSSEC improves integrity but won’t block all server-side abuse or site-level compromise. Pair it with protective DNS and change monitoring.

We don’t run ecommerce—are we still at risk?

Yes. Infostealers target any saved credentials, which can unlock email, cloud storage, accounting, and more.

What’s the best “first control” to add?

Lock down registrar/DNS with MFA and alerts; then add protective DNS and endpoint EDR.


Sources & Further Reading

  • TechRadar: Dangerous DNS malware infects over 30,000 websites — be on your guard (Oct 3, 2025)
  • Infoblox Threat Intel: Detour Dog — DNS malware powers Strela Stealer campaigns (Sep 30, 2025)
  • IBM X-Force: Strela Stealer — “Today’s invoice is tomorrow’s phish” (Nov 2024)
  • Palo Alto Networks Unit 42: Large-Scale StrelaStealer Campaign in Early 2024 (Mar 22, 2024)
  • MITRE ATT&CK: StrelaStealer (S1183) (Last updated Mar 10, 2025)
  • NSA/CISA: Selecting a Protective DNS Service (Apr 2025)

Last checked: Oct 3, 2025
