Home / Blogs

How Registrants Can Reduce the Threat of Domain Hijacking

Danny McPherson

Because domain names represent the online identity of individuals, businesses and other organizations, companies and organizations large and small have expressed increasing concern over reports of "domain name hijacking," in which perpetrators fraudulently transfer domain names by password theft or social engineering. The impact of these attacks can be significant, as hijackers are typically able to gain complete control of a victim's domain name — often for a significant period of time. During that time, hijackers can defraud a victim's customers and compromise their credentials or other sensitive information, use a hijacked domain name as a launch point for malware, or soil a victim's hard-earned reputation and brand awareness.

Domain name hijacking occurs when an attacker falsifies the registration data for a domain name, transferring that name away from its rightful registrant and gaining full administrative and operational control over the domain.

Attackers use a wide range of techniques to hijack domain names, from spyware and keystroke loggers to "social engineering," in which scammers impersonate registrants or other entities in the chain of trust in order to gain access to passwords and personal information. Regardless of the technique used, the end-result for registrants is often severe. Once an attacker has full control of a domain name, they have free reign to use it for any number of nefarious purposes, from creating their own scam websites, to hosting illegal and dangerous content, to extorting the original owner.

Making matters worse, depending on the sophistication of the attacker, domain name hijacking can be extremely difficult to reverse as hijacked registrations are often "laundered" through a series of different registrars and registrants in an effort to make it more difficult for the rightful registrant to recover. How effective this tactic is depends somewhat on how vigilant the victim is about monitoring their domain name. But in spite of vigilant monitoring, attackers can be very cunning, leaving email and name server records untouched until they have passed a hijacked domain through several transfers.

While the danger of domain name hijacking is significant, it is a threat that can be significantly reduced with proper planning and mitigation techniques. In SAC044 [PDF], "A Registrant's Guide to Protecting Domain Name Registration Accounts," ICANN's Security and Stability Advisory Committee encourages registrants to establish routine monitoring of their domain names to detect, isolate and identify suspicious or malicious activity. Monitoring Whois change activity, DNS change activity, and establishing and monitoring domain status/domain lock services are all techniques that registrants should regularly employ. Additionally, SAC040 [PDF] "Measures to Protect Domain Name Registration Services Against Exploitation or Misuse" catalogs a number of high-profile incidents and provides additional background information related to protecting domain names from abuse.

Registrants should research their registrar's security offerings — and take advantage of the tools they offer. This kind of awareness can go a long way toward mitigating risk of hijacking. The vast majority of registrars are aware of the threat and care deeply about protecting their customers from fraud. Registrants who maintain active relationships with their registrars and ensure that their registration data and contact information is up to date, can avoid becoming the "low hanging fruit" that hijackers sometimes target.

For .com, .net [PDF], .name [PDF], .tv and .cc, Verisign offers Registry Lock, which enables registrars to offer server-level protection to the domain name and/or name server records for their registrants. Registry Lock was designed to be used in conjunction with a registrar's proprietary security measures to bring a greater level of security to registrants' domain names and help mitigate the potential for domain name hijacking, inadvertent or unintended deletions, transfers, or updates. Registry Lock allows registrants to set the conditions under which their registration information can and cannot be changed. At the highest settings, Registry Lock requires direct, human-to-human interaction between Verisign and the registrar of record in order for a registration to be transferred.

By taking advantage of domain locking tools offered by registrars, registrants can make it much less likely for their domain name registrations to be changed without their full knowledge and consent.

The threat of domain name hijacking is very real and largely preventable. However with appropriate vigilance and effective tools, organizations large and small can reduce the threat of hijacking significantly. It's critical that registrants consider the DNS registration ecosystem elements (e.g., registrar, DNS providers, registry operators, etc..) as part of their attack surface and treat it with as much care as any other asset when performing risk management functions.

By Danny McPherson, Senior Vice President and Chief Security Officer at Verisign

Related topics: Cybersquatting, Domain Names, Registry Services, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Promoted Post

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Radix Launches Startup League at TechCrunch

Celebrating One Year of .online

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

LogicBoxes Launches the New Elite Reseller Program

Sponsored Topics