The domain name is one of the most valuable assets of a business with a strong online presence. It carries a certain level of trust, and the loss of a domain name can have serious consequences. However, the value of a domain is also a very tasty treat for cybercriminals, who employ several methods to either take control of a valuable domain name or exploit user trust in it.

How Does the Domain Name System Work

Every top-level domain (TLD), for example, .com or .info, is managed by an organization called a domain name registry, which is appointed by the Internet Corporation for Assigned Names and Numbers (ICANN). The biggest TLDs are managed by major businesses or organizations such as Verisign (.com and .net) and Public Interest Registry (.org), among others. National domains are managed by organizations in their respective countries. However, registries are often not the ones who handle domain name registration for businesses and individuals.

Companies that handle domain registration are called domain name registrars, and they are usually accredited by domain name registries (in some cases, for example, for national domains, registry and registrar may be the same company). However, accredited registrars may also subcontract non-accredited registrars to increase their sales. This matters because the non-accredited companies have to handle all potential disputes through the accredited registrar, which makes such disputes longer and more difficult.

Every registry has its own rules for domain ownership, domain transfer, and more. However, in the case of the most popular TLDs, you are able to register the domain using one registrar and then transfer control over the domain to another registrar, for any reason you see fit (for example, a better pricing scheme or better customer experience). The process is a bit more complicated than registering a new domain but still fairly straightforward. This process, however, is the reason why domain hijacking is possible.

What Is Domain Hijacking

The term domain hijacking (also domain name hijacking or domain theft) describes a situation in which a malicious party actually takes over control of a domain name, and the rightful owner loses control of it in the process. Cybercriminals employ several methods to hijack a valuable domain:

  • The most effective method is social engineering (including phishing). A hijacker may impersonate an employee of the business or of the domain registrar over the phone to obtain login information for the actual domain registrar. A criminal may also create a phishing campaign aimed at your business: employees responsible for domain management could be fooled into entering login credentials on a fake page. Once the hijacker gets their hands on credentials, the rest is easy: they use the credentials to transfer the domain to another registrar, usually abroad and often shady.
  • The hijacker may also attempt to infect your systems with malware (often using social engineering as well). Malware such as a trojan or a keylogger lets the criminal obtain credentials for the domain control panel.
  • A rare case, but nevertheless possible, is exploiting a vulnerability in the domain name registrar's system. If such a vulnerability exists, it may allow a criminal to access the functionality required to transfer the domain to another registrar. Unfortunately, such vulnerabilities may affect major, globally trusted registrars just as well.
  • If you use a weak password in the domain control panel, a hijacker may try to guess it. This, again, depends on the choice of the registrar: some may have better protection against password guessing (such as time-based lockouts), and the best ones even give you a two-factor authentication option, which makes such password guessing useless.
  • Domain hijackers may also carefully wait until the domain is about to expire and hope that it does not get renewed in time due to a human mistake (notable examples: Microsoft forgetting to renew in 1999 and in 2003). Most registrars are very aggressive with their renewal reminders, but your email system may classify them as spam. Such opportunities are the worst to recover from because it’s not illegal to buy an expired domain. Opportunists may also watch for the availability of domain names that you no longer use, for example, those bought for marketing campaigns or representing your old business trademarks.

Domain Hijacking Consequences, Recovery, and Prevention

Once the hijacker has hold of your domain, they might use it for many purposes. For example, phishing becomes pharming: getting information out of your customers becomes a piece of cake. Just imagine what would happen for example if a criminal got their hold on! All in all, the consequences are unlimited and very harmful to your reputation; they may even completely destroy your business.

When you notice that you are no longer in control of your domain, immediately contact your registrar to open a domain name dispute. Since the recovery process depends on the registrar, we cannot give you the exact steps required. You will need to prove that you are the original domain owner and explain how you lost control of your domain due to unauthorized access. The recovery process is usually manual and may take some time, and your domain registrar may opt to invoke the ICANN Registrar Transfer Dispute Resolution Policy. However, in most cases, you will be able to regain full control of the domain.

To prevent domain hijacking, use the following security measures and follow these tips:

  • Select a renowned, trusted, and accredited registrar. Check the TLD registry's site for the list of accredited registrars. Do not work with non-accredited (second-hand) registrars.
  • Select a registrar that gives you an option to use multi-factor authentication and use it.
  • Select a registrar that gives you a domain locking option and use it. This option prohibits transfers to other registrars through the registrar’s web interface.
  • Select a registrar that lets you anonymize your WHOIS information such as the administrative contact information or phone numbers. The less such account information you provide publicly, the harder it is for a hijacker to attempt social engineering or identity theft to obtain control of the domain.
  • Use strong passwords. You can use a password manager to generate strong passwords and store them safely.
  • Train your employees to recognize phishing and social engineering attempts.

Registrars, registries, and ICANN also attempt to prevent domain hijacking. For example, ICANN imposes a 60-day waiting period between a change in the registration information and a transfer to another domain registrar. This measure is intended to make domain hijacking harder, since transferred domains are far more difficult to reclaim. That time should be enough for the original owner of the domain to realize that it has been hijacked and alert their registrar.
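The checks in the list above (transfer lock, redacted WHOIS/RDAP contacts), the renewal deadline, and the 60-day post-change hold can all be read from a domain's RDAP record. The script below is an added example, not code from the article or from Invicti: it assumes an RDAP JSON response in the RFC 9083 shape that registrars and registries serve, and it works on an embedded, constructed sample record so that it runs offline.

```python
"""Audit a domain's RDAP record for the safeguards this section recommends.
Added example, not the article's code; it assumes an RDAP response in the RFC 9083
shape that registrars serve. A constructed sample is embedded so it runs offline."""
import json
from datetime import datetime, timezone

# Constructed sample RDAP record (not a real registration).
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-shop.com",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2025-01-20T12:00:00Z"}],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
        ["email", {}, "text", "REDACTED FOR PRIVACY"]]]}],
})
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}

def _event_date(record, action):
    ev = next((e for e in record.get("events", []) if e.get("eventAction") == action), None)
    return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00")) if ev else None

def audit_rdap(rdap_json, now, expiry_warn_days=30):
    """Return lock state, renewal window, change age and exposed contact fields."""
    rec = json.loads(rdap_json)
    statuses = {s.lower() for s in rec.get("status", [])}
    f = {"domain": rec.get("ldhName"), "transfer_locked": bool(statuses & TRANSFER_LOCKS),
         "warnings": []}
    if not f["transfer_locked"]:
        f["warnings"].append("no registrar transfer lock")
    expires = _event_date(rec, "expiration")
    if expires:  # expired domains can be bought legally, so watch the renewal date
        f["days_to_expiry"] = (expires - now).days
        if f["days_to_expiry"] <= expiry_warn_days:
            f["warnings"].append("renew soon: expires in %d days" % f["days_to_expiry"])
    changed = _event_date(rec, "last changed")
    if changed:  # ICANN's 60-day transfer hold after a registration change counts from here
        f["days_since_change"] = (now - changed).days
    # Public contact data (WHOIS/RDAP) is raw material for social engineering.
    exposed = []
    for ent in rec.get("entities", []):
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] in ("fn", "email", "tel") and "REDACTED" not in str(prop[3]).upper():
                exposed.append(prop[0])
    f["contacts_exposed"] = exposed
    if exposed:
        f["warnings"].append("public contact data: " + ", ".join(exposed))
    return f

def audit_sample():
    return audit_rdap(SAMPLE_RDAP, datetime(2025, 2, 10, tzinfo=timezone.utc))
```

In practice you would fetch the record from the registrar's RDAP endpoint and run this audit on a schedule, alerting on any new warning.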

What Is Domain Spoofing

The term domain spoofing covers several types of criminal activity:

  • A criminal may spoof your domain by using an email address with your domain name as the sender address. The sender address that you see in the email client may be spoofed in some cases (read more about how emails work in our article about email header injection), depending on email server configuration. Most servers employ strong protection mechanisms, but some may still be vulnerable to such spoofing. Since your email server is not involved in the spoofing, it is the recipient's server that must be sufficiently protected.
  • A criminal may use a visually similar domain name, for example using Unicode letters and a mechanism called Punycode. This is sometimes called HTTPS spoofing or an IDN homograph attack (you can read more about it in our article about man-in-the-middle attacks). Luckily, most modern browsers protect the user by displaying the Punycode form rather than the resulting Unicode letters, which makes IDN homograph attacks impossible.
  • Domain spoofing may also refer to situations in which online advertisers sell ads at higher prices by pretending that those ads will be displayed on a more popular web page.
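Browsers show the Punycode form to the user, but a defender monitoring certificate transparency logs or typosquat feeds for lookalikes of their own brand still has to decode candidate names and compare them. The script below is an added example, not code from the article or from Invicti: it decodes xn-- labels with Python's standard idna codec, reports labels that mix scripts, and folds a constructed, partial confusables table to ASCII to detect collisions with a domain you own.

```python
"""Flag IDN homograph lookalikes of a domain you own.
Added example, not the article's code. CONFUSABLES is a constructed, partial
subset of Unicode's confusables data and is not exhaustive."""
import unicodedata

# Constructed partial map: non-Latin letters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek
}

def decode_domain(domain):
    """Return the Unicode form of a domain; xn-- labels are Punycode-decoded."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)

def scripts_in(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold compatibility forms (NFKC) and confusable letters to ASCII lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def check_lookalike(candidate, protected):
    """Compare a candidate domain (ASCII or Punycode) against a domain you own."""
    decoded = decode_domain(candidate)
    protected = protected.lower()
    mixed = [lbl for lbl in decoded.split(".") if len(scripts_in(lbl)) > 1]
    collision = decoded != protected and skeleton(decoded) == skeleton(protected)
    return {"decoded": decoded, "mixed_script_labels": mixed,
            "lookalike_of": protected if collision else None}
```

A single-script label can still be a lookalike (a name written entirely in Cyrillic, say), which is why the skeleton comparison is reported separately from the mixed-script check.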

In all these cases, domain spoofing is an attempt by the criminal to monetize your domain's reputation without you actually losing control of the domain. Therefore, you have limited options to prevent it, and there is no need for recovery. The only ways to prevent domain spoofing are improvements in the general cybersecurity of the Internet, for example, safe browser technologies (employed by most modern browsers) or improved email protocols (employed by most major mail servers).

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.