Domain Hijacking — Worst-case scenarios and how to protect yourself

Hijackers can have varying motives to take over a domain, we look at some.

What is Domain Hijacking?

Domain name hijacking is when a hacker wrongfully gains control of their targets complete Domain Name System (DNS) information, enabling them to make unauthorized changes and transfers to their advantage. 

How is a Domain Hijacked?

There are a few different methods in which your domain name can be hijacked; however, the easiest and most common way is by changing the administrator’s handle information through social engineering or hacking into the administrators email account. The first piece of information that an attacker needs to access their targets’ domain control panels is the administrative contact email address.  This can be found (and often is) of public record via the WHOIS record for the domain. Or in some cases, a disgruntled employee may simply already have the necessary information.

Once the hacker has obtained the email address, they are just an email hack or phone call away from taking over their targets’ domain. Seems simple, doesn’t it? 

Why do they do it?

Hijackers can have varying motives to take over a domain, and it is critical to understand the severity of the outcomes that can occur from their particular intentions. Hijackers can be motivated by money, whether it’s for resale of a valuable domain or blackmail.  Often a hijacker’s motivation isn’t monetary gain but rather purely for the challenge, for malicious intent, or for hacktivism. 

Worst case scenarios  —most common hijacks:

• Domain Name transferred:

  Once a hacker has accessed their targets’ domain control panels, a common tactic is to transfer the domain name to redirect Internet traffic through external hosts. This can be particularly damaging when an eCommerce business is the target, given their website is their most valuable asset, whereby transferring the domain name to redirect traffic can result in their business losing thousands of dollars in revenue. This can explain why eCommerce sites have become a popular target for hackers, especially when money is the hacker’s main motive. For example, if a luxury merchandising company had their website hijacked and transferred to a fake website, they would not only lose revenue, but would also damage their superior luxury brand image, and trust from their loyal customers. This occurred in February 2015 to ShadesDaddy.com, when their domain name was transferred to an account in China, which sold counterfeit merchandise. Hackers got into their registrar account and managed to manipulate all their information and transferred the domain. They lost all their website traffic, thousands of dollars lost in revenue, and their trusted image not to mention the cost in IT and management time in sorting out the problem.

• Communication disruption:

  When taking over a domain, hackers have the ability to disable and interfere with communication channels, including web and email. Oftentimes, a hijacker will take a sneakier approach by taking over a target’s email without their knowledge. The attacker can remain hidden while receiving all the target’s incoming emails. To understand the severity of this kind of situation, an extreme example would be if an attacker hijacked the Toronto Stock Exchange or perhaps an investment banking site. Once given access to all incoming emails, the hijacker would be privy to secret information and could make millions with this confidential information. 

  Additionally, an attacker can take a more aggressive approach by sending out fake emails from the target’s address. For instance, they could use the database of customer emails to their own advantage by sending out spam or trying to sell another product/ service.

• Pharming:

  When the hijacker points the current website being attacked to a malicious site, or takes control of the site and posts offensive content, this is called pharming. Companies are vulnerable to new content put on their site, and this can result in severely damaging their reputation, and the loss of customers. A recent example of pharming hijacking is when Air Malaysia’s domain name was hijacked and replaced with a picture of tuxedo-adorned, pipe smoking, monocled lizard. This type of nuisance hijack had a measurable and costly impact in damaging the reputation and trust of the airline just as they were grappling with some high profile air disasters.

• Phishing

  A more advanced form of domain hijacking, which can be extremely detrimental to customers, is phishing. Phishing refers to when a hijacker replicates a company’s website (aka Pharming) to collect valuable information, for example credit card and social security numbers.  The attacker is able to send emails by legitimate authority to customers with the aim of gaining valuable personal and financial information, for instance credit card numbers, and passwords.

  For instance, imagine if a hacker got into a university’s site and began sending out emails from an administrative account to all students requesting that they update their account information and passwords. They could even point the request to a seemingly legitimate domain name. The hacker could then have access to thousands of students’ personal information, including grades and billing information as they enter it. 

• Domain takeover

  Domain names are a valuable asset, and the high prices attract not only companies, but can also attract hackers. Once a hijacker takes over your domain they have complete control and can sell your domain leaving you with nothing, or blackmail you for ransom. For example, Micheal Lee was the owner of the website MLA.com which he bought in 1997 for only $600, and the website was recently valued at $47,000. Importantly he was also using it to run his business (Michael Lee and Associates) so the value included an operational website and email addresses. In 2014 a hacker stole his website and there was little he or GoDaddy, his domain registrar, could do. While this story has a happy ending, it took almost two years for Michael to get it back and illustrates of a number of important administrative and security measures to remember when managing a domain.

  The situation with a .CA domain would be quite different because CIRA has Nexus requirements for both domain holders and their registrars. This means that you and domain registrars need an attachment to Canada to be granted a .CA domain (or to sell them). It makes it easier to track down, fix, and even prosecute fraud for the parties involved. However, even the simple act of updating domain records requires us to follow very careful protocols to avoid being victims of social engineered ourselves. Your site will be down for an indeterminate period while we conduct careful verifications. 

How to recover after an attack

If you find yourself as one of the many unfortunate victims of domain hijacking, the first step is to immediately contact your domain registrar, and change all passwords to prevent the hacker from getting into any other accounts. Your registrar will work with the .CA registry to help track down where your domain was sent, and if it has been registered somewhere else. 

After your domain hijack is hopefully resolved, depending on the severity of the hijack, it can be beneficial to share your story to build back your reputation and trust. In any scenario, whether your site was shut down, directed to malicious content, or your emails were interfered, it is important to explain the situation to maintain customer and user trust.

Prevention

Now do you have a better understanding of the severity of domain hijacking? Don’t worry. The purpose of this blog post was to communicate the various worst-case scenarios that can, and do, happen so that you make take appropriate steps to mitigate them. Locking domains with the Registry represents the most secure way to protect them from hijacking. As an alternative, registrars often also have some form of locking mechanism within thier software tools; available as an up-sale or with their higher level packages. 

If you have a .CA domain, CIRA has two options to lock your domain

Registry Lock is a service offered by some domain registrars whereby you go through their administrative processes to lock (and unlock) the domain with CIRA. Another option is to add D-Zone Domain Lock for your website. D-Zone Domain Lock is a simple click of a button available only to delegated authorized user profiles within your organization. It is available to those who are using the D-Zone Anycast Secondary DNS Service. If your DNS service doesn’t include the ability to implement this important security feature then please take the time to contact us to learn more about secondary DNS services and more about Domain Lock. Together they are powerful protection for your most important domain assets.