
How Registrants Can Reduce the Threat of Domain Hijacking

Danny McPherson

Because domain names represent the online identity of individuals, businesses and other organizations, companies and organizations large and small have expressed increasing concern over reports of "domain name hijacking," in which perpetrators fraudulently transfer domain names by password theft or social engineering. The impact of these attacks can be significant, as hijackers are typically able to gain complete control of a victim's domain name — often for a significant period of time. During that time, hijackers can defraud a victim's customers and compromise their credentials or other sensitive information, use a hijacked domain name as a launch point for malware, or soil a victim's hard-earned reputation and brand awareness.

Domain name hijacking occurs when an attacker falsifies the registration data for a domain name, transferring that name away from its rightful registrant and gaining full administrative and operational control over the domain.

Attackers use a wide range of techniques to hijack domain names, from spyware and keystroke loggers to "social engineering," in which scammers impersonate registrants or other entities in the chain of trust in order to gain access to passwords and personal information. Regardless of the technique used, the end result for registrants is often severe. Once an attacker has full control of a domain name, they have free rein to use it for any number of nefarious purposes, from creating their own scam websites, to hosting illegal and dangerous content, to extorting the original owner.

Making matters worse, depending on the sophistication of the attacker, domain name hijacking can be extremely difficult to reverse, because hijacked registrations are often "laundered" through a series of different registrars and registrants in an effort to make it more difficult for the rightful registrant to recover the name. How effective this tactic is depends somewhat on how vigilant the victim is about monitoring their domain name. But even with vigilant monitoring, attackers can be very cunning, leaving email and name server records untouched until they have passed a hijacked domain through several transfers.

While the danger of domain name hijacking is significant, it is a threat that can be significantly reduced with proper planning and mitigation techniques. In SAC044, "A Registrant's Guide to Protecting Domain Name Registration Accounts," ICANN's Security and Stability Advisory Committee encourages registrants to establish routine monitoring of their domain names to detect, isolate and identify suspicious or malicious activity. Monitoring Whois change activity, monitoring DNS change activity, and establishing and monitoring domain status/domain lock services are all techniques that registrants should regularly employ. Additionally, SAC040, "Measures to Protect Domain Name Registration Services Against Exploitation or Misuse," catalogs a number of high-profile incidents and provides additional background information related to protecting domain names from abuse.

Registrants should research their registrar's security offerings and take advantage of the tools they offer. This kind of awareness can go a long way toward mitigating risk of hijacking. The vast majority of registrars are aware of the threat and care deeply about protecting their customers from fraud. Registrants who maintain active relationships with their registrars and ensure that their registration data and contact information are up to date can avoid becoming the "low hanging fruit" that hijackers sometimes target.

For .com, .net, .name, .tv and .cc, Verisign offers Registry Lock, which enables registrars to offer server-level protection to the domain name and/or name server records for their registrants. Registry Lock was designed to be used in conjunction with a registrar's proprietary security measures to bring a greater level of security to registrants' domain names and help mitigate the potential for domain name hijacking, inadvertent or unintended deletions, transfers, or updates. Registry Lock allows registrants to set the conditions under which their registration information can and cannot be changed. At the highest settings, Registry Lock requires direct, human-to-human interaction between Verisign and the registrar of record in order for a registration to be transferred.

By taking advantage of domain locking tools offered by registrars, registrants can make it much less likely for their domain name registrations to be changed without their full knowledge and consent.
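The monitoring of registration data, name servers and lock status recommended above can be automated by comparing periodic snapshots of a domain's RDAP record. The following is an added example, not code from the article or from Verisign; it assumes the standard RDAP JSON field names and status strings, and the two snapshots, registrar IDs and host names are constructed sample data.

```python
# Statuses whose removal should page someone (RDAP spellings of the EPP
# "Prohibited" statuses). Which ones a lock service sets is an assumption.
LOCK_STATUSES = {
    "client transfer prohibited", "server transfer prohibited",
    "server update prohibited", "server delete prohibited",
}

def summarize(rdap):
    """Reduce an RDAP domain object to the fields worth watching."""
    registrar = None
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            ids = ent.get("publicIds", [])
            registrar = ids[0]["identifier"] if ids else ent.get("handle")
    return {
        "registrar": registrar,
        "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
        "status": {s.lower() for s in rdap.get("status", [])},
    }

def compare(baseline, current):
    """Return alert strings for changes between two snapshots."""
    old, new = summarize(baseline), summarize(current)
    alerts = []
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']} -> {new['registrar']}")
    if old["nameservers"] != new["nameservers"]:
        alerts.append("name servers changed")
    for s in sorted(old["status"] - new["status"]):
        kind = "lock status" if s in LOCK_STATUSES else "status"
        alerts.append(f"{kind} removed: {s}")
    return alerts

# Constructed snapshots: the name servers are untouched, but the registrar
# has changed and the server-side locks are gone.
BASELINE = {
    "ldhName": "example.com",
    "status": sorted(LOCK_STATUSES),
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "NS2.EXAMPLE.NET"}],
    "entities": [{"roles": ["registrar"],
                  "publicIds": [{"type": "IANA Registrar ID", "identifier": "9001"}]}],
}
CURRENT = dict(BASELINE, status=["client transfer prohibited"],
               nameservers=[{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
               entities=[{"roles": ["registrar"],
                          "publicIds": [{"type": "IANA Registrar ID", "identifier": "9002"}]}])

if __name__ == "__main__":
    print("\n".join(compare(BASELINE, CURRENT)))
```

Because the name servers are identical in both snapshots, a monitor that watched only DNS resolution would stay silent here; the registrar and status comparison is what surfaces the transfer.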

The threat of domain name hijacking is very real, but it is largely preventable. With appropriate vigilance and effective tools, organizations large and small can reduce the threat of hijacking significantly. It's critical that registrants consider the DNS registration ecosystem elements (e.g., registrar, DNS providers, registry operators, etc.) as part of their attack surface and treat them with as much care as any other asset when performing risk management functions.

By Danny McPherson, Senior Vice President and Chief Security Officer at Verisign
