Domain hijacking is the act of domain name theft. It can happen to individuals or organisations and it’s increasing in frequency. The name may be hijacked by someone else who passes themselves off as you, tricks your domain registrar into transferring your domain to them, or hacks into your account (sometimes through phishing) and transfers it themselves. This guide will give tips for protecting yourself from domain hijacking so that you don’t end up on the wrong side of this increasingly common crime!
What is DNS hijacking?
DNS hijacking is a domain attack in which the attacker tricks your domain registrar into transferring your domain to them. This can happen through domain spoofing or domain name system (DNS) phishing.
In DNS hijacking, the domain is transferred out of your possession to someone who pretends to be you and tricks the domain registrar into handing it over. Phishing is a common route: the attacker may compromise your domain registrar account with an email that pretends to come from the registrar or another authority and asks for your login details.
The impact of such attacks should not be underestimated: they can lead to identity theft, loss of compliance, or legal action against the business over lax security measures.
How does DNS work?
The domain name server is run by your domain registrar, but there are hundreds of different companies and organisations that provide DNS including Google and Amazon. These domain name registrars are accredited by registries. Top-level domains (TLD) are managed by a domain name registry set up by ICANN. Verisign and PIR (Public Interest Registry) are the two top TLD providers managing the most popular TLDs (.com, .net, .org).
Domain names are resolved through domain name servers (DNS), which link a domain to an IP address. When you type a domain into your browser, your resolver looks up that domain’s DNS records and returns the corresponding IP address to connect to.
This means that if an attacker gains access to the domain name servers (i.e., hijacks it), they can redirect traffic from where it’s supposed to go to somewhere else of their choosing.
For example, if domain A’s domain name server is hijacked so that it points to domain B instead of domain C, where the correct IP address lives, then anyone who types domain A into their browser (or clicks a link to it) ends up at domain B. All of that traffic then goes to whoever controls domain B, which could be the domain hijacker or someone else.
How does domain name server hijacking work?
A domain name server (DNS) hijack happens when an attacker uses a man-in-the-middle attack to alter DNS records or your domain registrar’s account settings. Another registrar then transfers the domain registration details, and with them control of the domain, to the attacker.
Is it legal?
Domain hijacking isn’t illegal in every country. Some domain registrars, however, have conditions that specify this type of attack is against their terms, and they won’t honour the domain transfer.
What is a domain hijacking attack?
A domain hijacking attack is an attempt to gain control of a domain name by altering DNS records so that the domain registrar transfers ownership of the domain to the attacker.
Various types of attacks associated with domain hijacking are:
Domain spoofing
Domain spoofing is a form of domain name fraud where the attacker pretends to be you and convinces a domain registrar that they should transfer your domain over to them. Multiple forms of spoofing attacks, including DNS spoofing, are covered in a dedicated article: What is a spoofing attack? Types of spoofing and prevention measures
Domain phishing
Domain phishing is a form of domain name fraud where the attacker tricks you into giving them your password so they can log in to your domain registrar account and change the domain details.
DNS phishing
DNS phishing is an attempt by attackers to target your domain registrar’s employees rather than you. This may happen through email or through social engineering over other channels, such as customer support chat.
DNS poisoning
DNS poisoning is a type of cyber attack where the attacker takes advantage of poorly configured security gateways or domain name servers to associate a fake IP address with the target’s domain, giving them unauthorised access to it.
This works by tricking local area network (LAN) switches into thinking that the target system sits on a different physical segment from where it actually is.
How to recover your hijacked domains?
You can recover a hijacked or stolen domain by following the steps below:
Step one: File a domain complaint. You can do this by filing a domain name dispute with ICANN. The process varies depending on your domain registrar, but it usually involves sending them evidence that you are the rightful domain owner (registrant), such as proof of registration and/or screenshots of any suspicious emails or chats with the domain hijackers.
Step two: Change domain registrar if the domain is not returned within a certain time period (e.g., 24 hours). This can be done by transferring your domain to another registrar that doesn’t allow DNS hijackings, such as Namecheap or Google Domains.
Common vulnerabilities causing a domain hijack
Some of the common vulnerabilities that domain hijackers exploit are as follows:
Outdated WordPress installation
If your domain points to an outdated version of WordPress, domain hijackers can edit the application and inject malicious code that redirects visitors. They may also take advantage of other weaknesses, such as weak passwords or security holes like SQL injection, that could lead to a domain hijacking attack.
Unprotected login portals
If your domain registrar’s login page isn’t protected by two-factor authentication, domain hijackers can try guessing your password or use brute-force tools to gain access. They could also trick you into handing over your credentials by sending an email asking for them, so they don’t need to guess at all.
Password reuse
Domain hijackers know that many users choose weak passwords, so they may try to guess your domain registrar password or rely on information you have leaked online. For example, if your LinkedIn profile reveals which domain you own or where it is registered, attackers can use that to target their guesses at your domain registrar password.
Weak domain name server records
Domain hijackers know that most websites are hosted on a web server, so they may try to compromise it in order to host malicious code or redirect visitors of your website to their own domain. To do this, attackers need access to your DNS records, which is where the domain name servers come into play.
Outdated software
A domain registrar’s website may be attacked by a domain hijacker if its systems haven’t been updated to patch known security holes. This could allow attackers to gain access and change domain details without the domain owner’s permission.
Different ways to protect your domain from hijacking
There are a number of ways to prevent domain hijacking, from both the registrant’s and the registrar’s perspective. The list below shares 10 ways to protect your account from domain hijacking.
The Extensible Provisioning Protocol (EPP) is a robust and flexible protocol for communication between domain name registries and domain name registrars. It helps stop unauthorised transfers by prompting for an authorisation code during a transfer.
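As an added example (not code from this article or from any registry or registrar), here is a Python sketch of the EPP transfer request just described and the checks a registry performs on it. The XML layout follows RFC 5731’s `<domain:transfer>` command and the result codes are those defined in RFC 5730; the registry table, domain names, authInfo codes and transaction IDs are constructed sample values.

```python
"""Added example: an EPP domain transfer request and the registry-side checks.
The XML layout follows RFC 5731 <domain:transfer>; the registry table, the
domain names and the authInfo codes are constructed sample values."""
import hmac
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
ET.register_namespace("domain", DOMAIN_NS)

# EPP status values that prohibit a transfer (RFC 5731 section 2.3).
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}

# Constructed registry records: authInfo is the transfer authorisation code
# the registrant obtains from the losing registrar.
SAMPLE_REGISTRY = {
    "example.com": {"authInfo": "s4mpl3-AUTH-c0de", "status": ["ok"]},
    "locked.example": {"authInfo": "l0ck3d-AUTH-c0de",
                       "status": ["clientTransferProhibited"]},
}


def build_transfer_request(domain: str, auth_code: str, cl_trid: str) -> str:
    """Gaining registrar: build <transfer op="request"> carrying the authInfo."""
    epp = ET.Element("epp", {"xmlns": EPP_NS})
    command = ET.SubElement(epp, "command")
    transfer = ET.SubElement(command, "transfer", {"op": "request"})
    dom = ET.SubElement(transfer, f"{{{DOMAIN_NS}}}transfer")
    ET.SubElement(dom, f"{{{DOMAIN_NS}}}name").text = domain
    auth = ET.SubElement(dom, f"{{{DOMAIN_NS}}}authInfo")
    ET.SubElement(auth, f"{{{DOMAIN_NS}}}pw").text = auth_code
    # clTRID: client transaction id used to correlate command and response.
    ET.SubElement(command, "clTRID").text = cl_trid
    return ET.tostring(epp, encoding="unicode")


def parse_transfer_request(xml_text: str) -> dict:
    """Registry: pull the domain name, authInfo and clTRID out of the command."""
    root = ET.fromstring(xml_text)
    ns = {"epp": EPP_NS, "domain": DOMAIN_NS}
    transfer = root.find("epp:command/epp:transfer", ns)
    if transfer is None or transfer.get("op") != "request":
        raise ValueError("not a transfer request command")
    dom = transfer.find("domain:transfer", ns)
    if dom is None:
        raise ValueError("transfer command carries no domain object")
    return {
        "name": (dom.findtext("domain:name", namespaces=ns) or "").strip().lower(),
        "authInfo": dom.findtext("domain:authInfo/domain:pw", namespaces=ns) or "",
        "clTRID": root.findtext("epp:command/epp:clTRID", namespaces=ns),
    }


def evaluate_transfer(xml_text: str, registry: dict = SAMPLE_REGISTRY):
    """Registry-side decision. Returns (EPP result code, message), using the
    result codes defined in RFC 5730 section 3."""
    req = parse_transfer_request(xml_text)
    record = registry.get(req["name"])
    if record is None:
        return 2303, "Object does not exist"
    # The transfer lock is checked before the authInfo, so a leaked code alone
    # cannot move a locked domain.
    if TRANSFER_LOCKS & set(record["status"]):
        return 2304, "Object status prohibits operation"
    # Constant-time comparison of the supplied code against the stored one.
    if not hmac.compare_digest(req["authInfo"].encode(), record["authInfo"].encode()):
        return 2202, "Invalid authorization information"
    return 1001, "Command completed successfully; action pending"


if __name__ == "__main__":
    request = build_transfer_request("example.com", "s4mpl3-AUTH-c0de", "ABC-12345")
    print(request)
    print(evaluate_transfer(request))
```

The order of the checks is the point: a registrar lock (item 10 below) is evaluated before the authorisation code, so even a leaked code does not move a locked domain, and the code itself is compared in constant time rather than with `==`.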
1. Choose your domain registrar carefully
Consider a reputable domain name registrar that not only explains its offerings clearly but also provides additional benefits such as two-factor authentication, better customer support and secure DNS management.
DNS hijacking isn’t illegal in every country, and domain registrars often have conditions that specify this type of attack is against their terms. Registrars also publish the protection plans they offer. Use a domain registrar that has terms and conditions and protection plans in place to protect against hijacking.
2. Use two-factor authentication
Domain registrars often offer multi-factor or two-factor authentication to better safeguard domain registration. This is a good way of preventing unauthorised domain name hijacking attempts from succeeding.
3. Use strong passwords
Use unique, complex passwords that are hard to guess and difficult for attackers to crack. Don’t recycle the password you use for registration on other services. Check passwords against leaked-password lists and make use of a password manager.
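As an added example (not code from this article), here is the check against leaked passwords done the privacy-preserving way: only the first five hex characters of the password’s SHA-1 are sent to a range lookup, and the rest of the comparison happens locally. The range data below is a constructed stand-in for the real service response, so the block runs offline; the only real value in it is the SHA-1 of the string `password`. `MIN_LENGTH` is an assumed policy value.

```python
"""Added example: checking a password against a leaked-password corpus using
the k-anonymity range scheme (only the first five hex characters of the SHA-1
leave the client). The range data below is a constructed stand-in for the
real service response; no network access is needed."""
import hashlib

MIN_LENGTH = 12  # assumed policy minimum; adjust to your own requirements

# Constructed range response keyed by hash prefix. Each line is
# "<remaining 35 hex chars>:<number of breaches>". The first entry is the
# real SHA-1 of the string "password"; the counts are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for fetching the range for a prefix over HTTPS."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str, range_lookup=local_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


def is_acceptable(password: str, range_lookup=local_range_lookup) -> bool:
    """Reject short passwords and anything that has appeared in a breach."""
    return len(password) >= MIN_LENGTH and breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2024"):
        print(candidate, breach_count(candidate), is_acceptable(candidate))
```

To use it against a live corpus, replace `local_range_lookup` with a function that fetches the range for the prefix; the password itself and its full hash are never transmitted.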
4. Use anti-phishing tools
Anti-phishing tools are a great way to protect yourself from domain name fraud and hijacking attacks that happen through domain spoofing or domain email spoofing. You can also use Trustwave Secure Email Gateway, a secure email gateway with built-in anti-phishing settings along with spoofing and domain name fraud protection.
5. Use SPF
You can use a Sender Policy Framework (SPF) TXT record to help prevent domain hijacking attacks that happen through DNS phishing. This is harder for attackers to bypass than relying on anti-phishing tools alone, which only protect the email channel and do not protect domain name registration.
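As an added example (not code from this article), here is the evaluation a receiving mail server performs against an SPF record, so you can see what the TXT record actually buys you. It follows RFC 7208 for the `ip4`, `ip6`, `include` and `all` mechanisms and the `redirect` modifier; `a`, `mx`, `ptr` and `exists` need live DNS and are reported as a permanent error here. The TXT records and IP addresses are constructed sample data, so the block runs offline.

```python
"""Added example: a minimal SPF evaluator of the kind a receiving mail server
runs (RFC 7208). Supports ip4, ip6, include, all and the redirect modifier;
mechanisms that need live DNS (a, mx, ptr, exists) return permerror here.
The TXT records are constructed sample data."""
import ipaddress

# Constructed TXT records standing in for DNS lookups of the sending domains.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "alias.example": "v=spf1 redirect=example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms per check at 10


def sample_txt_lookup(domain: str):
    """Offline stand-in for a TXT lookup; returns None when no record exists."""
    return SAMPLE_TXT.get(domain.lower())


def check_spf(domain: str, sender_ip: str, txt_lookup=sample_txt_lookup,
              depth: int = 0) -> str:
    """Return the SPF result for sender_ip claiming to send mail as domain."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = txt_lookup(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    redirect = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif name == "include":
            inner = check_spf(arg, sender_ip, txt_lookup, depth + 1)
            if inner in ("none", "permerror", "temperror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists: not supported offline
        if matched:
            return QUALIFIERS[qualifier]
    # redirect= only applies when no mechanism matched.
    if redirect:
        result = check_spf(redirect, sender_ip, txt_lookup, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(ip, check_spf("example.com", ip))
```

Note what the `-all` on `example.com` does: a message from an address outside the listed ranges gets a hard `fail`, whereas the `~all` on `mail.example.net` only yields `softfail`, which most receivers treat as a hint rather than a rejection.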
6. Monitor domain theft
Domain name fraud and hijacking attempts can be detected if you monitor your domain registrations. Monitoring helps you spot a problem before it’s too late, allowing you to act quickly if your domain is hijacked.
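As an added example (not code from this article), here is what that monitoring looks like in practice: two snapshots of the fields a WHOIS or RDAP query returns are compared, and every change that a hijack typically leaves behind (new registrar, new nameservers, registrar locks removed, changed contact, looming expiry) produces an alert. Both snapshots are constructed sample data; in a real deployment the current one comes from a scheduled lookup and the baseline from a day you knew the domain was in order.

```python
"""Added example: comparing two snapshots of a domain's registration data
(the fields WHOIS/RDAP expose) to flag the changes a hijack typically leaves
behind. Both snapshots are constructed sample data; in practice the current
one comes from a scheduled WHOIS/RDAP query."""
from datetime import date

# Locks a registrant normally keeps enabled at the registrar.
EXPECTED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Constructed baseline captured when the domain was known to be in good order.
BASELINE = {
    "registrar": "Example Registrar Ltd",
    "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "status": sorted(EXPECTED_LOCKS),
    "registrant_email": "dns-admin@example.com",
    "expires": "2026-03-01",
}

# Constructed snapshot showing what a successful hijack might look like.
SUSPECT = {
    "registrar": "Other Registrar Inc",
    "nameservers": ["ns1.attacker-dns.example", "ns2.attacker-dns.example"],
    "status": ["ok"],
    "registrant_email": "redacted@privacy.example",
    "expires": "2026-03-01",
}


def diff_registration(previous: dict, current: dict, today: date,
                      expiry_warning_days: int = 30) -> list:
    """Return human-readable alerts for every change that warrants a look."""
    alerts = []
    if previous["registrar"] != current["registrar"]:
        alerts.append(f"registrar changed: {previous['registrar']} -> {current['registrar']}")
    # Normalise case and trailing dots so cosmetic differences do not alert.
    prev_ns = {ns.lower().rstrip(".") for ns in previous["nameservers"]}
    cur_ns = {ns.lower().rstrip(".") for ns in current["nameservers"]}
    if prev_ns != cur_ns:
        alerts.append(f"nameservers changed: {sorted(prev_ns)} -> {sorted(cur_ns)}")
    missing_locks = EXPECTED_LOCKS - set(current["status"])
    if missing_locks:
        alerts.append(f"registrar locks missing: {sorted(missing_locks)}")
    if previous["registrant_email"] != current["registrant_email"]:
        alerts.append("registrant contact email changed")
    days_left = (date.fromisoformat(current["expires"]) - today).days
    if days_left <= expiry_warning_days:
        alerts.append(f"domain expires in {days_left} days; renew now")
    return alerts


if __name__ == "__main__":
    for line in diff_registration(BASELINE, SUSPECT, date(2025, 6, 1)):
        print("ALERT:", line)
```

The expiry check is there because two of the three cases at the end of this article were lapsed renewals rather than break-ins; a scheduled run of this comparison catches both.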
7. Get a domain theft recovery plan in place
Domain name registrars have different policies when it comes to domain name theft. Having a theft recovery plan in place with your domain registrar will make it easier to recover the domain name if it is ever stolen.
8. Keep domain registration information safe
Secure all your domain ownership and related data so attackers can’t use it to hijack the domain or commit domain fraud. Do not keep this information in unsecured locations, such as on a computer that is connected to the internet.
9. Use different aliases for domain registration purposes
Domain hijacking can be prevented through what the author calls domain name spoofing on your own behalf: using different aliases when registering domain names. This makes it difficult for attackers to guess the right email address or other contact details.
10. Use domain locking
Some domain registrars offer domain locking to prevent unauthorised changes. This is useful where attackers have hijacked the domain but are unable to change it because of the restrictions placed on the domain owner’s account.
Enable WHOIS protection, which some providers call a privacy guard; it is usually a free add-on these days. It redacts the domain registrant’s information, such as name, address and phone number, essentially anonymising the WHOIS data and protecting you from social engineering attacks.
What can be the consequences of domain hijacking?
Domain hijacking can result in domain fraud and domain theft. If you’re a domain name owner, losing the domain to thieves means loss of revenue and profits as well as damage to your brand image, which is why it’s very important to take steps to prevent it from happening.
What happens if I lose my domain?
If you don’t take domain theft prevention steps, you could lose your domain name and all the data associated with it. This includes email addresses as well as website hosting and stored data, which can be very difficult, if not impossible, to recover depending on what type of domain hijacking has taken place and who is behind it.
Examples of domain hijacking
Here are a few examples of domain hijacking which made it to the news.
1. In 1999, Microsoft forgot to renew passport.com and hotmail.co.uk, which resulted in their domain getting hijacked.
2. In 2014, mla.com was hijacked and it took almost two years for the domain owner to reclaim it.
3. ShadesDaddy.com was hijacked and transferred to an account in China in February 2015. Thousands of dollars in revenue were lost when their website traffic was wiped out.
DNS security sits at the centre of a secure infrastructure for an organisation. Get in touch to discuss DNS security concerns.