Domain Hijacking Cyber Security

Domain hijacking can completely ruin your business and cost you your customers' trust for good. Here we explain what domain hijacking is, how it works, and the defenses you can use to prevent this threat.

What is Domain Hijacking?

Domain name hijacking is the change of registration of a domain name without the owner’s consent or abusing privileges on domain hosting and domain registrar systems.

Domain name hijacking is devastating to the original domain name owner’s business with wide-ranging effects including:

Financial damages: Businesses that depend on their websites to conduct business, such as e-commerce and SaaS companies, may lose millions of dollars after losing control of their domain name, which is one of the most valuable assets any company has. Domain hijacking presents the largest cyber risk that online businesses face.

Reputational damages: The hijackers can take over the email accounts of the hijacked domain. Using the domain name, they can carry out further attacks, such as installing malware or running social engineering campaigns against your customers and partners.

Regulatory damages: Possessing the domain name lets the attackers replace the web page with an exact replica that harvests sensitive information or personally identifiable information (PII), which is phishing. This includes accounts and their associated contact details (email addresses and phone numbers), social media accounts, personal information, IP addresses, or other information that may be used for identity theft or unauthorized access to customers' accounts.

Note that in many countries (and in the eyes of many customers) your organization will be held accountable for data breaches or data leaks regardless of whether they result from a cyber attack such as domain hijacking or from a misconfiguration. Domain hijacking is a real cyber threat; blocking it must be within the scope of your cybersecurity program.

Let’s have a look at the inner workings of the DNS and its shortcomings to give some context to the problems associated with domain hijacking.

(This is not intended as an introduction to how DNS works; I am including it solely for background and in case the following paragraphs would otherwise be unclear.)

How Does the Domain Name System (DNS) Work?

Each TLD has a domain name registry designated by ICANN. ICANN, the Internet Corporation for Assigned Names and Numbers, is the organization that oversees the delegation of each top-level domain to the registry that administers it.

The largest TLDs are run by big entities such as Verisign (for .com and .net) or Public Interest Registry (for .org).

Nearly all country-code TLDs, such as .io or .com.au, are each managed by an organization located in a different country.

Another important thing to know is that registries do not necessarily administer domain name registration. Those firms involved in administering domain registration are called domain name registrars (as opposed to domain name registries) and are typically accredited by registries.

Accredited registrars may then delegate to non-accredited registrars, thereby increasing third-party risks and fourth-party risks and extending the time needed to resolve any potential domain name disputes.

That means every registrar has its own rules and requirements for how one proves ownership of a domain and how one authorizes a transfer of a domain.

In practice, however, most TLDs permit anybody to register a domain with one registrar and, for any reason whatsoever, transfer control of the domain to another registrar, for example from Namecheap to Google Domains, for better pricing, better security measures, or a better customer experience.

This has its advantages but also allows for domain hijacking.

Domain hijacking can be a threat to your business even if it’s not your domain that is compromised. Any third-party vendor with which you regularly communicate, or that handles your or your customers’ data, could have its domain hijacked. Adding Domain Hijacking prevention controls to your Vendor Risk Management and Third-Party Risk Management frameworks will be a necessity.

Although transferring domains is slightly more complex than registering a new domain, in practice it is an extremely straightforward process.

How does domain hijacking work?


In general, domain hijacking occurs through unauthorized access to, or exploitation of a weakness in, a domain name registrar's systems; through social engineering; or through gaining access to the domain owner's e-mail account and then resetting the password of their domain registrar account.

Typically this involves gathering personal data about the owner of the domain, impersonating that person, and convincing the domain registrar to change the registration information or to transfer the domain to another registrar the attacker controls. Pretty sneaky.

Some of the techniques used are email-related scams, attacks on the domain registration process itself, obtaining login details via keyloggers, and phishing attacks.

Now, let us consider how a domain can be recovered after it has been hijacked:

The likelihood of reclaiming ownership of a hijacked domain largely rests on the registrar's ability to reverse the attack. In some cases, the registrant information can still be restored to the rightful owner. This becomes much harder when the hijacker has already transferred the domain to another registrar, and a foreign jurisdiction complicates matters further.

If you can't stop the transfer to another registrar, ask your registrar to invoke ICANN's Registrar Transfer Dispute Resolution Policy to try to regain control of the domain. Alternatively, you can pursue recovery of stolen domain names through ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP), but it may not be the right policy for domain theft cases.

On other occasions, however, it will not be possible to resolve the issue amicably and a court may have to be approached to regain the domain. Such a procedure is usually prolonged – sometimes far too long – and does not solve the core problem: the loss of one's website and/or email accounts. That is why it is said that prevention is the best medicine.

Is Domain Hijacking Illegal?

The legal status of domain hijacking remains vague. However, some U.S. federal courts have recently begun accepting causes of action that seek to return stolen domain names to their rightful owners.

There is not much difference between domain hijacking and theft: the original owner loses the benefits of the domain and cannot operate as normal. The legal ambiguity arises because theft has traditionally been understood in relation to physical items such as jewelry, electronics and cash, whereas domain ownership exists only as a digital record in the domain registry, with no physical presence.

It becomes more complex because the case is typically heard not where the victim resides but where the action has been filed, which is usually where the relevant domain registry is located. In some jurisdictions, police may make arrests for domain hijacking.

How to Prevent Domain Hijacking

ICANN has established a 60-day waiting period between a change to the registration information and any registrar transfer. The assumption is that within this timeframe the original registrant will notice the changes and contact his or her registrar about recovering a transferred domain.

Many TLD registries use the Extensible Provisioning Protocol (EPP), which issues an authorization code only to the domain name registrant as a safeguard against unauthorized transfers.

Prior to EPP, registries had no common approach and several proprietary interfaces existed; EPP provides a much more robust and flexible means of communication between domain name registries and domain name registrars.

The following would also help in preventing unauthorized domain transfers:

Select a reputable registrar firm: Opt for an accredited registrar and avoid using non-accredited or second-hand (reseller) registrars. A good domain registrar should also offer two-factor authentication, secure DNS management, and technical support with 24×7 coverage.

Turn on two-factor authentication: Two-factor authentication should be enabled for all accounts wherever available. A second layer of security protects you if someone obtains the password to one of your accounts.

Turn on domain registry lock: Most accredited registrars offer domain locking as a standard security feature; when enabled, it prevents the domain name from being transferred to another registrar until the holder explicitly unlocks it.

Account lock: Use a registrar that will lock your account and send you an email warning of unusual behavior, such as brute-force login attempts.

Activate WHOIS protection: WHOIS protection reduces the sensitive information you expose to the Internet, such as your address (street address, city, state and country), telephone number, and email address. WHOIS details are useful to attackers during a social engineering attack.

Enable auto-renewal: Not every lost domain was hijacked; if your domain registration is allowed to expire, an unscrupulous person may simply register your domain name.

Use strong passwords: Strong passwords can thwart brute-force attacks. Read our strong password checklist here.

Change passwords when other sites are breached: Data breaches expose passwords that are often reused across services; whenever any service you use is breached, make sure the exposed password is not in use anywhere else.

Keep domain contact details updated: A common form of hijacking occurs when the contact address for a domain is an e-mail address on an old, expired domain that was never updated. An attacker can register that expired domain, receive mail for the contact address, and thereby take control of your domain. Keep all contact information current or your domain may be taken over.

Never share your domain registrar login or your domain control panel with anyone else. Anyone with access can alter your DNS records, update the ownership details of your domain, change your DNSSEC configuration, and even change the name servers. Giving someone access to your domain registrar account essentially hands them control of your domain, opening it to hijacking of the domain and/or its DNS.

Be cautious of any emails asking you to provide your registrar login information. Phishing scams arrive every day, and they often come from a forged sender address or from a domain name that looks almost identical to your actual registrar's. Contact your domain registrar through its official web page and forward the email to them to determine whether it is genuine.

Do not register your domain with the same company that hosts your website: Don't put all your eggs in one basket. You do not want an attacker who gains access to your domain to also reach the sensitive files on your hosting provider.
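As an added example (not code from the article), here is a Python audit that turns several of the points above into checks you can run against a domain's RDAP record: whether the registrar transfer/delete/update locks and a registry-level lock are set, whether a transfer is pending, whether the registration is close to expiry, whether the record changed recently, and whether the delegated nameservers still match your baseline. RDAP is the JSON successor to WHOIS (RFC 9083), and its status values are the EPP status codes written out in words (RFC 8056). The sample record, the baseline nameserver list and the "current time" are constructed; the mention of rdap.org as a bootstrap redirector in the closing comment is an assumption about how you would fetch a live record.

```python
"""Audit a domain's RDAP record for the hijacking-prevention controls above.

Added example, not code from the original article. Input is an RDAP domain
object (RFC 9083 JSON, the successor to WHOIS); the sample below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a domain with incomplete locks, an imminent expiry and a
# nameserver that is not in the owner's baseline. All values are made up.
SAMPLE_RDAP_JSON = """
{
  "objectClassName": "domain",
  "ldhName": "example-shop.test",
  "status": ["client delete prohibited", "client update prohibited", "active"],
  "events": [
    {"eventAction": "registration", "eventDate": "2019-03-01T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2024-03-15T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-02-20T09:12:00Z"}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.TEST"},
    {"objectClassName": "nameserver", "ldhName": "ns9.unknown-host.test"}
  ]
}
"""
EXPECTED_NS = ["ns1.example-dns.test", "ns2.example-dns.test"]  # owner's baseline (constructed)
AS_OF = "2024-03-01T00:00:00Z"  # constructed "current time" so the run is reproducible

# RDAP status values are the EPP status codes spelled out (RFC 8056).
REGISTRAR_LOCKS = {"client transfer prohibited", "client delete prohibited",
                   "client update prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited", "server delete prohibited",
                  "server update prohibited"}


def parse_ts(value):
    """RDAP dates are RFC 3339; Python's fromisoformat wants +00:00 rather than Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def event_date(rdap, action):
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return parse_ts(ev["eventDate"])
    return None


def audit_domain(rdap, expected_ns, now, expiry_warn_days=30, change_window_days=60):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status = set(rdap.get("status", []))

    # A pending transfer is the last moment at which a hijack can still be stopped.
    if "pending transfer" in status:
        findings.append("CRITICAL: transfer to another registrar is pending")
    for lock in sorted(REGISTRAR_LOCKS - status):
        findings.append(f"WARN: registrar lock missing: {lock}")
    if not status & REGISTRY_LOCKS:
        findings.append("INFO: no registry-level lock set")

    # Expired or nearly expired registrations can be re-registered by anyone.
    exp = event_date(rdap, "expiration")
    if exp is None:
        findings.append("WARN: no expiration event in record")
    elif exp < now:
        findings.append("CRITICAL: registration has expired")
    elif exp - now <= timedelta(days=expiry_warn_days):
        findings.append(f"WARN: expires in {(exp - now).days} days; check auto-renewal")

    # A recent change deserves a human look: ICANN's 60-day post-change
    # transfer hold only helps if somebody actually notices the change.
    changed = event_date(rdap, "last changed")
    if changed is not None and now - changed <= timedelta(days=change_window_days):
        findings.append(f"INFO: record changed {(now - changed).days} days ago")

    # Delegation drift: nameservers outside the baseline mean someone else
    # may be answering for your zone.
    actual = {ns.get("ldhName", "").lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    expected = {n.lower().rstrip(".") for n in expected_ns}
    for ns in sorted(actual - expected):
        findings.append(f"CRITICAL: unexpected nameserver {ns}")
    for ns in sorted(expected - actual):
        findings.append(f"WARN: baseline nameserver {ns} no longer delegated")
    return findings


def audit_json(rdap_text, expected_ns, as_of):
    """Convenience wrapper taking raw RDAP JSON text and an RFC 3339 timestamp."""
    return audit_domain(json.loads(rdap_text), expected_ns, parse_ts(as_of))


def run_sample():
    return audit_json(SAMPLE_RDAP_JSON, EXPECTED_NS, AS_OF)


if __name__ == "__main__":
    # To audit a real domain, fetch its record from the registry's RDAP server
    # (or via the rdap.org bootstrap redirector) and pass the JSON text in.
    for line in run_sample():
        print(line)
```

Run it on a schedule against your own domains and alert on any CRITICAL finding; a clean record (all three registrar locks, a registry lock, expiry well in the future, unchanged baseline nameservers) returns an empty list.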

What is Reverse Domain Hijacking?


Reverse domain hijacking, or reverse cybersquatting, is the process through which a trademark owner who has already registered a trademark attempts to acquire a domain name by making false claims of typosquatting against the legitimate registrant of that domain name.

Conclusion

Domain hijacking poses a significant threat to businesses, often resulting in financial, reputational, and regulatory damages. With attackers using various methods like social engineering and phishing to gain unauthorized control of domains, it’s essential to implement robust security measures. Protecting your domain through registrar lock, two-factor authentication, WHOIS protection, and strong passwords can reduce vulnerabilities. Proactively safeguarding your domain and regularly updating contact information can prevent potentially devastating consequences of domain hijacking. Remember, taking preventive actions now is the best defense against this cyber threat.

Disclaimer

The information provided in this article is for general informational purposes only and does not constitute legal, technical, or professional advice. While every effort is made to ensure the accuracy of the information, cybersecurity threats evolve rapidly, and it is advisable to consult with professionals or legal counsel to address specific risks or situations. The authors and publishers are not liable for any damages resulting from the use of this information.
