
How Registrants Can Reduce the Threat of Domain Hijacking

Danny McPherson

Because domain names represent the online identity of individuals, businesses and other organizations, companies and organizations large and small have expressed increasing concern over reports of "domain name hijacking," in which perpetrators fraudulently transfer domain names by password theft or social engineering. The impact of these attacks can be significant, as hijackers are typically able to gain complete control of a victim's domain name — often for a significant period of time. During that time, hijackers can defraud a victim's customers and compromise their credentials or other sensitive information, use a hijacked domain name as a launch point for malware, or soil a victim's hard-earned reputation and brand awareness.

Domain name hijacking occurs when an attacker falsifies the registration data for a domain name, transferring that name away from its rightful registrant and gaining full administrative and operational control over the domain.

Attackers use a wide range of techniques to hijack domain names, from spyware and keystroke loggers to "social engineering," in which scammers impersonate registrants or other entities in the chain of trust in order to gain access to passwords and personal information. Regardless of the technique used, the end result for registrants is often severe. Once an attacker has full control of a domain name, they have free rein to use it for any number of nefarious purposes, from creating their own scam websites, to hosting illegal and dangerous content, to extorting the original owner.

Making matters worse, depending on the sophistication of the attacker, domain name hijacking can be extremely difficult to reverse as hijacked registrations are often "laundered" through a series of different registrars and registrants in an effort to make it more difficult for the rightful registrant to recover. How effective this tactic is depends somewhat on how vigilant the victim is about monitoring their domain name. But in spite of vigilant monitoring, attackers can be very cunning, leaving email and name server records untouched until they have passed a hijacked domain through several transfers.

While the danger of domain name hijacking is significant, it is a threat that can be significantly reduced with proper planning and mitigation techniques. In SAC044 [PDF], "A Registrant's Guide to Protecting Domain Name Registration Accounts," ICANN's Security and Stability Advisory Committee encourages registrants to establish routine monitoring of their domain names to detect, isolate and identify suspicious or malicious activity. Monitoring Whois change activity, DNS change activity, and establishing and monitoring domain status/domain lock services are all techniques that registrants should regularly employ. Additionally, SAC040 [PDF] "Measures to Protect Domain Name Registration Services Against Exploitation or Misuse" catalogs a number of high-profile incidents and provides additional background information related to protecting domain names from abuse.

Registrants should research their registrar's security offerings and take advantage of the tools they offer. This kind of awareness can go a long way toward mitigating the risk of hijacking. The vast majority of registrars are aware of the threat and care deeply about protecting their customers from fraud. Registrants who maintain active relationships with their registrars and ensure that their registration data and contact information are up to date can avoid becoming the "low hanging fruit" that hijackers sometimes target.

For .com, .net, .name, .tv and .cc, Verisign offers Registry Lock, which enables registrars to offer server-level protection to the domain name and/or name server records for their registrants. Registry Lock was designed to be used in conjunction with a registrar's proprietary security measures to bring a greater level of security to registrants' domain names and help mitigate the potential for domain name hijacking, inadvertent or unintended deletions, transfers, or updates. Registry Lock allows registrants to set the conditions under which their registration information can and cannot be changed. At the highest settings, Registry Lock requires direct, human-to-human interaction between Verisign and the registrar of record in order for a registration to be transferred.

By taking advantage of domain locking tools offered by registrars, registrants can make it much less likely for their domain name registrations to be changed without their full knowledge and consent.
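The monitoring and lock checks described above can be combined into one routine comparison of registration snapshots. The following is an added example, not code from this article or from Verisign: it diffs two RDAP-style domain records and flags a registrar change or missing lock statuses even when the name servers are untouched. The snapshots are constructed, and the set of required statuses is an assumed registrant policy written in the RDAP spelling of EPP status codes (RFC 8056).

```python
# Added example: audit a domain's registration snapshot against a baseline.
# Assumption: the lock statuses this registrant expects to be set at all times.
REQUIRED_STATUSES = {
    "client transfer prohibited",
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}

def summarize(rdap):
    """Reduce an RDAP domain object to the fields worth watching."""
    return {
        "registrar": sorted(e.get("handle", "") for e in rdap.get("entities", [])
                            if "registrar" in e.get("roles", [])),
        # Normalize case and trailing dot so cosmetic differences do not alert.
        "nameservers": sorted(ns["ldhName"].lower().rstrip(".")
                              for ns in rdap.get("nameservers", [])),
        "status": sorted(s.lower() for s in rdap.get("status", [])),
    }

def audit(baseline, current):
    """Return alert strings for changes between two snapshots."""
    old, new = summarize(baseline), summarize(current)
    alerts = [f"{field} changed: {old[field]} -> {new[field]}"
              for field in ("registrar", "nameservers", "status")
              if old[field] != new[field]]
    for status in sorted(REQUIRED_STATUSES - set(new["status"])):
        alerts.append(f"required lock missing: {status}")
    return alerts

# Constructed snapshots for example.test (not real registration data).
BASELINE = {
    "ldhName": "example.test",
    "status": sorted(REQUIRED_STATUSES),
    "nameservers": [{"ldhName": "ns1.example.test"}, {"ldhName": "ns2.example.test"}],
    "entities": [{"handle": "REGISTRAR-A", "roles": ["registrar"]}],
}
# Name servers untouched, but the registrar changed and server locks are gone.
CURRENT = {
    "ldhName": "example.test",
    "status": ["client transfer prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.TEST."}, {"ldhName": "ns2.example.test"}],
    "entities": [{"handle": "REGISTRAR-B", "roles": ["registrar"]}],
}

if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT):
        print(line)
```

A check that only resolves the domain's DNS records would report nothing here, which is why the registrar and status fields are compared as well.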

The threat of domain name hijacking is very real and largely preventable. With appropriate vigilance and effective tools, organizations large and small can reduce the threat of hijacking significantly. It's critical that registrants consider the elements of the DNS registration ecosystem (e.g., registrars, DNS providers, registry operators) as part of their attack surface and treat them with as much care as any other asset when performing risk management functions.

By Danny McPherson, Senior Vice President and Chief Security Officer at Verisign
