What is domain hijacking?

Domain hijacking involves altering the registration of a domain name without consent from its rightful owner or through misuse of privileges granted by hosting and registrar systems for domains.

Understanding domain hijacking

Domain hijacking is the unauthorized takeover of a domain name, typically through fraudulent or deceptive means. It involves someone unlawfully gaining control over a domain registered to another individual or organization without their consent. This unauthorized control allows the hijacker to change the domain's registration information, DNS settings, and other crucial details, effectively redirecting web traffic intended for the legitimate owner's website to a destination of their choosing.

Domain hijacking can occur due to various vulnerabilities, including weak passwords, compromised registrar accounts, or social engineering tactics to manipulate domain registrars into transferring ownership.

See also: What are DNS cyberattacks?

How does domain hijacking work?

Domain hijacking typically involves exploiting vulnerabilities in the domain registration process or the domain owner's security measures. Here's a general overview of how domain hijacking may occur:

• Social engineering: Hackers may use social engineering tactics to trick domain registrars or domain hosting providers into transferring ownership of a domain. This could involve impersonating the legitimate owner through email, phone calls, or other communication channels and providing false information to convince the registrar to make the transfer.
• Compromised accounts: If the domain owner's registrar account is compromised due to weak passwords, phishing attacks, or malware, hackers can gain unauthorized access to the account and make changes to the domain registration details.
• Registrar exploitation: Hackers may exploit security vulnerabilities or weaknesses in domain registrar systems to gain access to domain registration controls. This could involve exploiting software bugs, manipulating domain transfer processes, or bypassing authentication mechanisms.
• Unauthorized access to email accounts: Since many domain registrars use email verification for domain management tasks, hackers may gain access to the domain owner's email account to intercept verification emails and complete the domain transfer process.
• Forged documentation: In some cases, hackers may submit forged or falsified documents to domain registrars to claim ownership of a domain. This could involve creating fake legal documents or using stolen identity information to deceive registrars into transferring ownership.

Once the hijackers gain control of the domain, they can modify DNS settings to redirect web traffic to their own servers, display malicious content, or hold the domain for ransom. They may also attempt to extort money from the legitimate owner in exchange for returning control of the domain.

See also: What is pharming?

Common sources 

• Weak passwords: If domain owners use weak or easily guessable passwords for their registrar accounts, they become vulnerable to brute force attacks or password guessing.
• Phishing attacks: Hackers may use phishing emails or fake websites designed to mimic legitimate domain registrars or hosting providers to trick domain owners into providing their login credentials.
• Compromised computers or devices: Malware infections on computers or devices used to access domain registrar accounts can lead to the theft of login credentials, allowing hackers to hijack domains.
• Expired domain registrations: If a domain owner fails to renew their domain registration on time, it may become available for purchase by others. Hackers may monitor expired domain lists and attempt to register valuable domains as soon as they become available.
• Domain registrar vulnerabilities: Security vulnerabilities in domain registrar systems or processes can be exploited by hackers to gain unauthorized access to domain management controls.

See also: HIPAA Compliant Email: The Definitive Guide

Defending against domain hijackings

Defending against domain hijacking requires a multi-layered approach to mitigate risks and protect your domain assets. Here are some methods to defend against domain hijacking:

• Use strong and unique passwords: Ensure that you use strong, complex passwords for your domain registrar accounts. Avoid using easily guessable passwords and consider using a password manager to generate and store unique passwords for each account.
• Enable two-factor authentication (2FA): Most domain registrars offer two-factor authentication (2FA) as an additional layer of security. Enable 2FA for your registrar accounts to require a second form of verification, such as a code sent to your mobile device, in addition to your password.
• Regularly update contact information: Keep your contact information up to date with your domain registrar. This includes your email address, phone number, and mailing address. Regularly review and update this information to ensure that you receive notifications about changes to your domain registration.
• Monitor domain status and activity: Regularly monitor your domain registration accounts for any unauthorized changes or suspicious activity. This includes checking for changes to DNS settings, contact information, or domain transfer requests.
• Lock domain transfers: Many domain registrars offer a domain transfer lock feature that prevents unauthorized transfers of your domain to another registrar. Enable this feature to add an extra layer of protection against domain hijacking.
• Secure email accounts: Since email is often used for domain management tasks, it is crucial to secure your email accounts. Use strong passwords, enable 2FA, and be cautious of phishing emails or suspicious links that could compromise your email account.
• Monitor domain expiration dates: Keep track of your domain expiration dates and renew your domain registration well in advance to prevent it from becoming available for hijacking if it expires.
• Choose a reputable registrar: Select a domain registrar with a strong reputation for security and customer support. Research registrars and choose one that implements robust security measures and offers responsive customer service.
• Educate employees: Educate your employees about the risks of domain hijacking and phishing attacks. Train them to recognize phishing attempts, avoid clicking on suspicious links or downloading attachments from unknown sources, and report any suspicious activity immediately.
• Regular security audits: Conduct regular security audits on your domain registration accounts and systems to identify and address any vulnerabilities or weaknesses that could be exploited by hackers.

How to recover hijacked domains

Recovering a hijacked domain depends on the registrar's ability to reverse the attack. If the hijacker was able to transfer your domain to another registrar operating under a different jurisdiction, recovery becomes even more challenging.

“When a stolen domain is transferred to another registrar, ask your registrar to invoke ICANN's Registrar Transfer Dispute Resolution Policy to try regain control of the domain. Another option is to pursue recovery of stolen domain names through ICANN's Uniform Domain Dispute Resolution Policy (UDRP) but the policy may not be appropriate for cases involving domain theft,” says UpGuard. This may not always be possible; therefore, you may need to “pursue legal action from the courts to reclaim the domain.” 

FAQs

What is ICANN?

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that manages various databases associated with the Internet's namespaces and numerical spaces. Its primary responsibility involves coordinating maintenance and procedures to ensure consistent network operation while maintaining security protocols.

ICANN oversees the DNS, which serves as the Internet's address book, translating domain names (such as example.com) into IP addresses used by computers to communicate with each other.

How can I tell if my domain has been hijacked?

Signs that your domain may have been hijacked include sudden changes to DNS settings, unauthorized transfers to a different registrar, inability to access your domain registrar account, or receiving notifications about changes you did not authorize.

Is it possible to recover a domain if the hijackers have transferred it to a different registrar?

Yes, it is possible to recover a domain even if the hijackers have transferred it to a different registrar. You may need to work with both the current registrar and your original registrar, as well as ICANN and possibly legal authorities, to reclaim ownership.