Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.
Domain name hijacking is devastating to the original domain name owner's business with wide ranging effects including:
- Financial damages: Companies that rely on their website for business, such as ecommerce and SaaS companies, can lose millions of dollars when they lose control of their domain; for them the domain is one of their most valuable assets. Domain hijacking is one of the largest cybersecurity risks online businesses face.
- Reputational damages: Domain hijackers can take control of a hijacked domain's email accounts and use the domain name to facilitate additional cyber attacks such as installing malware or social engineering attacks.
- Regulatory damages: By gaining access to a domain name, hijackers can replace the real web page with an identical page designed to capture sensitive data or personally identifiable information (PII); this is known as phishing. The targets are account information, contact information (email addresses and phone numbers), social media accounts, personal information, IP addresses and any other information that could be used for identity theft or to gain unauthorized access to customer accounts.
Note that many countries (and/or customers) will hold your organization responsible for data breaches or data leaks, regardless of whether they result from a cyber attack like domain hijacking or from misconfiguration. Domain hijacking is a real cyber threat, and preventing it must be part of your cybersecurity efforts.
Before we dive into the details of domain hijacking, it's helpful to understand how the domain name system (DNS) works and its limitations.
How does the domain name system (DNS) work?
Each top-level domain (TLD) is managed by an organization called a domain name registry, which is appointed by the Internet Corporation for Assigned Names and Numbers (ICANN).
The most popular TLDs are managed by large organizations such as Verisign (.com and .net) or Public Interest Registry (.org).
National domains like .io or .com.au are managed by organizations in their respective countries.
One important thing to understand is that registries do not always manage domain name registration themselves. Companies that handle domain registration are called domain name registrars (as opposed to domain name registries) and are usually accredited by registries.
Each registrar has its own rules and requirements for proving domain ownership and approving domain transfers.
That said, most TLDs allow anyone to register a domain with one registrar and transfer control of the domain to another registrar (such as from Namecheap to Google Domains) for any reason, such as better pricing, better security measures or a better customer experience.
This has its benefits but also makes domain hijacking possible.
Domain hijacking is a risk to your business even if it's not your domain that is hijacked. Any third-party vendor you regularly communicate with or that handles your or your customer's data could have its domain hijacked.
While transferring domains is a little more complicated than registering a new domain, in practice it is a very simple process.
How does domain hijacking work?
Generally, domain hijacking results from unauthorized access to, or exploitation of a vulnerability in, a domain name registrar's systems; from social engineering; or from gaining access to the domain owner's email account and then resetting their password at the domain registrar.
Another common tactic is to gather personal information about the actual domain name owner to impersonate them and persuade the domain registrar to modify registration information or transfer the domain to another registrar they control.
Other methods include exploiting email vulnerabilities or vulnerabilities at the domain-registration level, using keyloggers to steal login credentials, and phishing attacks.
How to recover hijacked domains
Your ability to recover a hijacked domain will largely depend on what your registrar can do to reverse the attack. Sometimes registration information can be returned to the original owner.
This becomes more difficult when the hijacker was able to transfer to another registrar, particularly if the registrar operates in a different jurisdiction.
When a stolen domain is transferred to another registrar, ask your registrar to invoke ICANN's Registrar Transfer Dispute Resolution Policy to try to regain control of the domain. Another option is to pursue recovery of stolen domain names through ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP), but that policy may not be appropriate for cases involving domain theft.
In some cases this won't work and you will need to pursue legal action through the courts to reclaim the domain. This can be a lengthy process that doesn't immediately fix the real issue (loss of website and/or email accounts), which is why preventing domain hijacking is the most important thing.
Is domain hijacking illegal?
The legal status of domain hijacking remains unclear, but certain U.S. federal courts have begun to accept causes of action that seek to return stolen domain names to their original owners.
Domain hijacking is no different from theft: the original owner is deprived of the benefits of the domain and cannot conduct business as usual. The unclear legal status stems from theft traditionally being associated with physical goods like jewelry, electronics or money.
Domain ownership exists only as a digital record at the domain registry; there is no physical asset.
This is further complicated because court actions are generally filed in the location of the relevant domain registry rather than where the victim is located. In some jurisdictions, police may arrest domain hijackers.
How to prevent domain hijacking
To reduce the likelihood of successful domain hijacking, ICANN imposes a 60-day waiting period between a change in registration information and a registrar transfer. Transferred domains are more difficult to reclaim, and the expectation is that the original registrant will notice the changes within those 60 days and alert their registrar.
Extensible Provisioning Protocol (EPP) is used by many TLD registries as it provides an authorization code exclusively to the domain registrant as a security measure to prevent unauthorized transfers.
Prior to EPP, registries had no uniform approach and many different proprietary interfaces existed; EPP provides a more robust and flexible way for domain name registries and domain name registrars to communicate.
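To make the authorization-code mechanism concrete, the following is an added example (not UpGuard's code, and not any registrar's client) of the EPP exchange behind a registrar transfer: the gaining registrar sends a domain transfer request carrying the authInfo code the registrant obtained from the losing registrar, and the registry replies that the transfer is pending until the losing registrar approves, rejects or auto-approves it. The XML namespaces are the standard EPP and domain-mapping ones from RFC 5730 and RFC 5731; the domain name, authInfo value, transaction ids and the sample response are constructed, and nothing is sent over the network.

```python
"""Added example: build an EPP domain <transfer op="request"> carrying the
registrant's authInfo code, and parse the registry's response.

Assumptions: namespaces from RFC 5730/5731; all names, ids and the sample
response below are constructed. Real EPP sessions run over TLS (port 700);
this script never opens a socket."""
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"epp": EPP_NS, "domain": DOMAIN_NS}
ET.register_namespace("domain", DOMAIN_NS)


def build_transfer_request(domain: str, auth_code: str, cl_trid: str) -> bytes:
    """Serialize the gaining registrar's transfer request (constructed values)."""
    epp = ET.Element("epp", {"xmlns": EPP_NS})
    command = ET.SubElement(epp, "command")
    transfer = ET.SubElement(command, "transfer", {"op": "request"})
    d = ET.SubElement(transfer, f"{{{DOMAIN_NS}}}transfer")
    ET.SubElement(d, f"{{{DOMAIN_NS}}}name").text = domain
    ET.SubElement(d, f"{{{DOMAIN_NS}}}period", {"unit": "y"}).text = "1"
    auth = ET.SubElement(d, f"{{{DOMAIN_NS}}}authInfo")
    # The authInfo password is the secret that proves the requester controls the domain.
    ET.SubElement(auth, f"{{{DOMAIN_NS}}}pw").text = auth_code
    ET.SubElement(command, "clTRID").text = cl_trid  # client transaction id
    return b'<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(epp, encoding="utf-8")


# Constructed sample of the registry's answer: code 1001 means the command
# succeeded but the action (the transfer) is pending the losing registrar's decision.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1001"><msg>Command completed successfully; action pending</msg></result>
    <resData>
      <domain:trnData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example-corp.com</domain:name>
        <domain:trStatus>pending</domain:trStatus>
        <domain:reID>GainingRegistrar</domain:reID>
        <domain:reDate>2024-06-01T10:00:00.0Z</domain:reDate>
        <domain:acID>LosingRegistrar</domain:acID>
        <domain:acDate>2024-06-06T10:00:00.0Z</domain:acDate>
        <domain:exDate>2026-03-01T00:00:00.0Z</domain:exDate>
      </domain:trnData>
    </resData>
    <trID><clTRID>ABC-12345</clTRID><svTRID>SV-67890</svTRID></trID>
  </response>
</epp>"""


def parse_transfer_response(xml_bytes: bytes) -> dict:
    """Extract the result code and, if present, the pending-transfer details."""
    root = ET.fromstring(xml_bytes)
    result = root.find("epp:response/epp:result", NS)
    out = {"code": int(result.get("code")),
           "msg": result.findtext("epp:msg", namespaces=NS)}
    trn = root.find(".//domain:trnData", NS)
    if trn is not None:
        out["status"] = trn.findtext("domain:trStatus", namespaces=NS)
        out["losing_registrar"] = trn.findtext("domain:acID", namespaces=NS)
        # acDate: the date by which the losing registrar must act on the request.
        out["deadline"] = trn.findtext("domain:acDate", namespaces=NS)
    return out


if __name__ == "__main__":
    print(build_transfer_request("example-corp.com", "s3cret-authinfo", "ABC-12345").decode())
    print(parse_transfer_response(SAMPLE_RESPONSE))
```

The pending window in the response (acDate) is the point where the losing registrar, and through it the registrant, can reject an unauthorized transfer; this is why keeping the authInfo code secret and keeping registrar contact details current matter together.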
Additionally, the following steps may help to prevent unwanted domain transfers:
- Choose a reputable domain registrar company: Use an accredited registrar and avoid working with non-accredited (second-hand) registrars. Reputable domain registrars will also allow you to enable two-factor authentication, have secure DNS management and have 24x7 technical support.
- Enable two-factor authentication: All accounts that have two-factor authentication available should have it enabled. If someone is able to gain access to one of your accounts, a second layer of authentication can help protect you against unauthorized access.
- Enable domain registry lock: Domain locking is a common security enhancement offered by domain name registrars; it lets you block unauthorized transfers of the domain name to another registrar.
- Enable account lock: To block brute force attacks, use a registrar that limits the number of invalid password attempts, locks the account and notifies you by email once unusual activity has been identified.
- Enable WHOIS protection: WHOIS protection reduces the amount of sensitive data you expose to the Internet including address (street address, city, state and country), telephone number and email address. WHOIS information can assist cyber criminals in social engineering attacks.
- Enable auto-renewal: Not every lost domain is hijacked; your domain registration can simply expire, after which someone else can register your domain name.
- Use strong passwords: Strong passwords can prevent brute force attacks. Read our strong password checklist here.
- Change your password if other sites have been breached: Data breaches expose passwords that are commonly reused across services; whenever any service you use is breached, make sure the exposed password is used nowhere else.
- Keep domain contact details up-to-date: Many domain hijacking attacks succeed because the contact information for the domain included old, expired email domains that the attacker then registers. Contact information must be kept up-to-date, otherwise your domain may be compromised.
- Never share domain registrar credentials: Don't give out domain registrar credentials or access to your domain control panel. This can allow the person to change DNS records, change the domain owner, update DNSSEC settings and change name servers. When you give someone access to your registrar, you are handing them control of your domain and enabling potential domain and/or DNS hijacking.
- Pay attention to emails requesting registrar login details: Phishing attacks happen each day. Scam and phishing attacks are often sent by forging a trusted sender's email address or from a domain name similar to your real registrar company. Always contact your domain registrar via an official web page and forward the email onto them to determine if it is real.
- Don't use the same company for domain registration and web hosting: Don't put all your eggs in one basket. You don't want an attacker to gain access to your domain and your sensitive files that may be on your hosting provider.
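Several of the checks above (transfer and registry locks, expiry and auto-renewal, the 60-day change window, and stale contact addresses) can be read straight from a domain's public RDAP record. The following is an added example, not UpGuard's code or product, of a defender-side hygiene check over such a record. The RDAP JSON is a constructed sample in the shape defined by RFC 9083, with status strings following the RFC 8056 mapping of EPP status codes; a real run would first fetch the record from the TLD's RDAP server, and the `owned_domains` allow-list, the dates and the contact address are assumptions made for the example.

```python
"""Added example: flag domain-hijacking risk indicators in an RDAP record.

Assumptions: RDAP JSON per RFC 9083, status values per RFC 8056; the sample
record, the reference date and the owned-domain list are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Either of these statuses blocks a registrar transfer at the registry.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
# A registry lock typically sets all three server-side prohibitions.
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}

# Constructed sample: no transfer lock, expiry in 19 days, a change 12 days ago
# and a registrant contact on a domain the organization does not control.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example-corp.com",
  "status": ["client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
    {"eventAction": "last changed",  "eventDate": "2024-05-20T09:12:00Z"},
    {"eventAction": "expiration",    "eventDate": "2024-06-20T00:00:00Z"}
  ],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Corp"],
                              ["email", {}, "text", "dns-admin@old-agency.example"]]]}
  ]
}""")
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference date


def _event_date(rdap: dict, action: str):
    """Return the datetime of the first event with the given action, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def contact_emails(rdap: dict, role: str = "registrant") -> list:
    """Pull e-mail addresses from the jCard of every entity holding `role`."""
    emails = []
    for ent in rdap.get("entities", []):
        if role not in ent.get("roles", []):
            continue
        _, props = ent.get("vcardArray", ["vcard", []])
        emails += [str(p[3]) for p in props if p[0] == "email"]
    return emails


def check_domain(rdap: dict, owned_domains: set, now: datetime,
                 expiry_warn_days: int = 30) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    status = set(rdap.get("status", []))
    if not status & TRANSFER_LOCKS:
        findings.append("no transfer lock: enable the registrar transfer lock")
    if not REGISTRY_LOCK <= status:
        findings.append("no registry lock: ask the registrar about registry-level locking")
    expires = _event_date(rdap, "expiration")
    if expires and expires - now <= timedelta(days=expiry_warn_days):
        findings.append(f"expires {expires.date()} in {(expires - now).days} days: confirm auto-renewal")
    changed = _event_date(rdap, "last changed")
    if changed and now - changed <= timedelta(days=60):
        # Inside ICANN's 60-day post-change window: confirm the change was yours.
        findings.append(f"registration changed {changed.date()}: verify the change was authorized")
    for email in contact_emails(rdap):
        if email.rsplit("@", 1)[-1].lower() not in owned_domains:
            findings.append(f"registrant contact {email} is on a domain you do not control")
    return findings


if __name__ == "__main__":
    for finding in check_domain(SAMPLE_RDAP, {"example-corp.com"}, SAMPLE_NOW):
        print("WARN", SAMPLE_RDAP["ldhName"], finding)
```

Run it on a schedule against every domain you own and alert on any non-empty result; the "last changed" finding is intentionally noisy, because an unexplained change to the registration is exactly the signal the 60-day window exists to surface.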
What is reverse domain hijacking?
Reverse domain hijacking (or reverse cybersquatting) is when a registered trademark owner attempts to secure a domain name by making false typosquatting claims against the domain name's rightful registrant.
What are notable cases of domain hijacking?
- Sex.com hijacker Stephen M. Cohen was taken into custody by U.S. enforcement officials, ending four years spent on the run after a court ordered him to pay $65 million in restitution.
- Mark Madsen, a former NBA player, unknowingly bought a hijacked domain in an eBay auction.
- Google's Vietnam search page was briefly hijacked in 2015.
- Lenovo's Vietnam domain was briefly hijacked in 2015.
How UpGuard can protect your organization from domain hijacking
UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA improve their information security and prevent data breaches.
Whether your organization has one domain or thousands, our platform can monitor your organization's and its vendors' websites for susceptibility to domain hijacking, DNSSEC issues, typosquatting, man-in-the-middle attacks and other vulnerabilities. UpGuard BreachSight can also help prevent data breaches and data leaks of sensitive data and personally identifiable information (PII), protecting your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure, helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.