How Registrants Can Reduce the Threat of Domain Hijacking

Danny McPherson | Jul 22, 2013

Because domain names represent the online identity of individuals, businesses and other organizations, companies and organizations large and small have expressed increasing concern over reports of "domain name hijacking," in which perpetrators fraudulently transfer domain names by password theft or social engineering. The impact of these attacks can be significant, as hijackers are typically able to gain complete control of a victim’s domain name – often for a significant period of time. During that time, hijackers can defraud a victim’s customers and compromise their credentials or other sensitive information, use a hijacked domain name as a launch point for malware, or soil a victim’s hard-earned reputation and brand awareness.

Domain name hijacking occurs when an attacker falsifies the registration data for a domain name, transferring that name away from its rightful registrant and gaining full administrative and operational control over the domain.

Attackers use a wide range of techniques to hijack domain names, from spyware and keystroke loggers to "social engineering," in which scammers impersonate registrants or other entities in the chain of trust in order to gain access to passwords and personal information. Regardless of the technique used, the end result for registrants is often severe. Once an attacker has full control of a domain name, they have free rein to use it for any number of nefarious purposes, from creating their own scam websites, to hosting illegal and dangerous content, to extorting the original owner.

Making matters worse, depending on the sophistication of the attacker, domain name hijacking can be extremely difficult to reverse as hijacked registrations are often “laundered” through a series of different registrars and registrants in an effort to make it more difficult for the rightful registrant to recover. How effective this tactic is depends somewhat on how vigilant the victim is about monitoring their domain name. But in spite of vigilant monitoring, attackers can be very cunning, leaving email and name server records untouched until they have passed a hijacked domain through several transfers.

While the danger of domain name hijacking is significant, it is a threat that can be significantly reduced with proper planning and mitigation techniques. In SAC044, “A Registrant’s Guide to Protecting Domain Name Registration Accounts,” ICANN’s Security and Stability Advisory Committee encourages registrants to establish routine monitoring of their domain names to detect, isolate and identify suspicious or malicious activity. Monitoring Whois change activity, monitoring DNS change activity, and establishing and monitoring domain status/domain lock services are all techniques that registrants should regularly employ. Additionally, SAC040, “Measures to Protect Domain Name Registration Services Against Exploitation or Misuse,” catalogs a number of high-profile incidents and provides additional background information related to protecting domain names from abuse.
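The monitoring described above can be reduced to comparing each fresh registration snapshot against a trusted baseline. The following is an added example, not code from SAC044 or Verisign; the snapshot field names and sample values are constructed, and fetching the snapshot (Whois or RDAP) is assumed to happen elsewhere. It shows why registrar and lock status must be watched as well as name servers: a transfer that leaves name servers and e-mail untouched still raises critical findings.

```python
# EPP status codes that block transfers, updates and deletions.
LOCKS = {
    "clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited",
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited",
}

# Constructed sample snapshots (hypothetical field names, not a real Whois schema).
BASELINE = {"registrar": "Example Registrar A", "registrant_email": "hostmaster@example.com",
            "nameservers": ["ns1.example.net", "ns2.example.net"],
            "status": ["clientTransferProhibited", "clientUpdateProhibited"]}
# Same data with cosmetic differences only: must not alert.
COSMETIC = dict(BASELINE, nameservers=["NS2.example.net.", "ns1.EXAMPLE.net"])
# Transfer with name servers and e-mail left untouched: must alert.
QUIET_TRANSFER = dict(BASELINE, registrar="Example Registrar B", status=["ok"])

def normalise(snapshot):
    """Canonicalise fields so case, ordering and trailing dots do not alert."""
    return {
        "registrar": snapshot["registrar"].strip().lower(),
        "registrant_email": snapshot["registrant_email"].strip().lower(),
        "nameservers": {ns.strip().rstrip(".").lower() for ns in snapshot["nameservers"]},
        "status": set(snapshot["status"]),
    }

def diff_registration(baseline, current):
    """Return (severity, message) findings, critical ones first."""
    old, new = normalise(baseline), normalise(current)
    findings = []
    if old["registrar"] != new["registrar"]:
        findings.append(("critical",
                         f"registrar of record changed: {old['registrar']} -> {new['registrar']}"))
    # A lock that was present in the baseline and is now gone.
    for lock in sorted((old["status"] & LOCKS) - new["status"]):
        sev = "critical" if lock.startswith("server") or "Transfer" in lock else "high"
        findings.append((sev, f"lock status removed: {lock}"))
    if "pendingTransfer" in new["status"]:
        findings.append(("critical", "transfer in progress (pendingTransfer)"))
    if old["registrant_email"] != new["registrant_email"]:
        findings.append(("high", "registrant contact e-mail changed"))
    added = new["nameservers"] - old["nameservers"]
    removed = old["nameservers"] - new["nameservers"]
    if added or removed:
        findings.append(("high", f"name servers changed: +{sorted(added)} -{sorted(removed)}"))
    return sorted(findings, key=lambda f: {"critical": 0, "high": 1}[f[0]])

if __name__ == "__main__":
    for severity, message in diff_registration(BASELINE, QUIET_TRANSFER):
        print(f"[{severity}] {message}")
```
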

Registrants should research their registrar’s security offerings – and take advantage of the tools they offer. This kind of awareness can go a long way toward mitigating the risk of hijacking. The vast majority of registrars are aware of the threat and care deeply about protecting their customers from fraud. Registrants who maintain active relationships with their registrars and ensure that their registration data and contact information are up to date can avoid becoming the "low hanging fruit" that hijackers sometimes target.

For .com, .net, .name, .tv and .cc, Verisign offers Registry Lock, which enables registrars to offer server-level protection to the domain name and/or name server records for their registrants. Registry Lock was designed to be used in conjunction with a registrar’s proprietary security measures to bring a greater level of security to registrants’ domain names and help mitigate the potential for domain name hijacking, inadvertent or unintended deletions, transfers, or updates. Registry Lock allows registrants to set the conditions under which their registration information can and cannot be changed. At the highest settings, Registry Lock requires direct, human-to-human interaction between Verisign and the registrar of record in order for a registration to be transferred.

By taking advantage of domain locking tools offered by registrars, registrants can make it much less likely for their domain name registrations to be changed without their full knowledge and consent.

The threat of domain name hijacking is very real, but it is largely preventable. With appropriate vigilance and effective tools, organizations large and small can reduce the threat of hijacking significantly. It’s critical that registrants consider the elements of the DNS registration ecosystem (e.g., registrar, DNS providers, registry operators) as part of their attack surface and treat them with as much care as any other asset when performing risk management functions.