Domain Hijacking: How It Works & Defenses
Domain hijacking is a cyberattack where hackers take control of a domain name that does not legitimately belong to them. For example, imagine that a company registered a domain name for their business on a registrar like Namecheap. An attacker who used phishing to gain access to the business’s control panel on Namecheap could use this access to point the domain to a scam site that the attackers control. Aside from potentially ripping off the company’s customers, such an attack could also damage the company’s reputation irrevocably.
The threat is not merely theoretical. Consider what happened in May 2022 to Hypixel Network, a Minecraft server with over 10 million active users:
“Attempting to visit a Hypixel-owned domain shows firstly a fake announcement post that the upcoming Hytale video game has been canceled, and lists the hacker’s crypto address to donate to. It may also show a troll message aimed at Hypixel CEO Simon Collins-Laflamme.”
– Nixinova News, Hypixel Hacked (May 3, 2022)
Recovering from the loss of trust after an attack like this is uniquely challenging due to the central role that domain names often play in online services and businesses. This article aims to provide you with a set of tools to prevent domain hijacking before it happens. We’ll also show you the steps you can take after the fact to try to recover a domain that’s been hijacked by attackers.
Summary of key concepts
Before we get into the details, let’s touch on the core themes that this article will cover.
What domain hijacking is | Domain hijacking occurs when hackers illicitly take control of a domain name away from its legitimate owner. |
How it works | Scammers trick you into giving them control of your domain. |
Why it’s harmful | Your domain name is trusted by users and can be exploited to launch scams. |
How to prevent it | Lock down your domain, secure your DNS settings, and follow cybersecurity best practices. |
How to recover* | Contact your registrar immediately and follow appropriate legal processes for recovering your domain if they apply to your situation. *Note: if the attack is not detected early, it is often impossible to recover the domain. |
Note that there are also a few related attacks:
- Domain takeover: Snagging a domain as soon as it expires before the original owner can renew it.
- Domain spoofing: Tricking a person into falsely believing you own a domain.
- DNS poisoning: Getting a nameserver to give an incorrect DNS record for a domain.
Although all of these attacks are sometimes called “domain hijacking,” we will not cover them in this article.
How domain hijacking works
Domain hijacking involves taking control over a domain illicitly, typically through social engineering.
For example, an attacker will use phishing to convince you to hand over access to your account with your domain registrar. The attacker will then use this access to transfer ownership of the domain to themselves, often with a different registrar (to make it harder for you to recover the domain).
Less commonly, the domain might be hijacked by exploiting a vulnerability in the registrar’s systems. In this article, we focus on social engineering as the cause — because it almost always is — but the solutions we provide for preventing and responding to this attack work equally well in either case.
Impact of a domain hijacking attack
Domain names are an essential part of many websites, apps, and businesses, which means a compromised domain name can lead to a myriad of opportunities for an attacker to exploit different aspects of an organization. Some ways this can hurt you include:
- Loss of trust with users
- Legal liability (if you lack adequate security or violated compliance standards)
- A lengthy legal process to recover the domain (if it’s connected to a trademark or copyright you own)
- The possibility of never recovering the domain name
- Attackers reading emails sent to accounts that use your domain
Of course, the most important risk is the way such an attack could harm your end-users, the people your service is meant to help. A domain hijacker might harm users by:
- Changing responses from APIs served from your domain, which could affect other products that rely on those APIs, like mobile apps
- Sending emails using your domain’s email addresses and receiving emails sent to those addresses by users
- Putting phishing content on your website
- Sending payments for online stores to the attacker’s bank or PayPal account
- Phishing users by impersonating your company using your email addresses
Platform | Success Rate | Success Rate Frame | Estimated FTEs | Maintenance | Marketplace Apps Identified |
---|---|---|---|---|---|
DIY Manual | 20% | 12+ Months | 2-3 | Never ending | ~100 services |
Outsourced Manual | <40% | 9-12 Months | 1-2 | Never ending | ~100 services |
Valimail Automation | 97.8% | 0-4 Months | 0.2 | Automated | 6,500+ |
Defending against domain hijacking
Now that you understand how this attack works, let’s get to the practical matter of dealing with this threat. First, we’ll look at how you can stop this attack from occurring; then we’ll give you advice on how to respond to an attack after the fact.
Domain hijacking prevention
“An ounce of prevention is worth a pound of cure,” mused Benjamin Franklin to Philadelphia’s firefighters in 1736. The proverb holds true in today’s world for mitigating digital disasters as well. The prevention of domain hijacking rests on two pillars:
- Domain security
- Cybersecurity hygiene
Let’s go through both topics now.
Domain security refers to hardening a domain name within the settings of your registrar. These are some steps you can take to make your domain harder to hijack:
- Turn on extra protections to prevent phishers from easily transferring your domain, such as Registrar Lock for Namecheap or Domain Privacy & Protection for GoDaddy. You can find out whether your registrar offers similar protections.
- Use WHOIS protection (to obscure your personal contact information).
- Turn on auto-renewal, so hijackers cannot snatch up the domain if you accidentally let it expire.
- Choose a trustworthy registrar with a reputation for excellent security.
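The lock and renewal settings above can be checked from outside the registrar’s control panel. The following is an added example, not part of the original article: it audits a domain’s RDAP record (RFC 9083 JSON) for the transfer lock, the remaining registration time, and drift from a known-good registrar and nameserver set. The record is constructed sample data for the placeholder example.com, and the baseline values and the registrar handle "9999" are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain object (RFC 9083 layout) for the placeholder example.com.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "active"],
  "events": [
    {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}
  ],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "ns2.example.net"}],
  "entities": [{"roles": ["registrar"], "handle": "9999"}]
}
""")

# Hypothetical baseline recorded while the domain was known to be in a good state.
BASELINE = {"registrar_handle": "9999",
            "nameservers": {"ns1.example.net", "ns2.example.net"}}

def audit_domain(rdap, baseline, now, min_days_left=30):
    """Return a list of findings; an empty list means the record matches policy."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    if "client transfer prohibited" not in status:
        findings.append("transfer lock missing")
    if "pending transfer" in status:
        findings.append("transfer in progress")
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration date in record")
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if (exp - now).days < min_days_left:
            findings.append("expires within %d days" % min_days_left)
    registrars = {e.get("handle") for e in rdap.get("entities", [])
                  if "registrar" in e.get("roles", [])}
    if registrars != {baseline["registrar_handle"]}:
        findings.append("registrar changed")
    seen = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    if seen != baseline["nameservers"]:
        findings.append("nameservers changed")
    return findings

if __name__ == "__main__":
    print(audit_domain(SAMPLE_RDAP, BASELINE, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Run on a schedule against a freshly fetched record, any non-empty result is a reason to contact the registrar while a transfer can still be cancelled.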
Cybersecurity hygiene refers to general best practices for staying safe online. These digital safety tips will make it harder for scammers to launch social engineering attacks:
- Use multi-factor authentication.
- Use strong and unique passwords for every site and app. A password manager makes this easier to do consistently. You can check whether old, insecure passwords have been leaked in breaches using Have I Been Pwned.
- Employ anti-phishing protection mechanisms, such as honoring DMARC policies on incoming mail.
Domain hijacking recovery
If you discover that your domain has been hijacked, your first step should be to contact your registrar. Reporting to your registrar quickly is essential because if the attacker tries to transfer to another registrar, there is a limited amount of time during which the registrar can cancel the transfer.
Contact the registrar by phone and attempt to speak with a human. The registrar usually also has an email address specifically dedicated to receiving reports of abuse. However, abuse desks are often understaffed, meaning the response is often slow, if you get a response at all.
Next, you will want to issue press releases designed to communicate with all possible users of your domain’s website and begin the process of mitigating the damage done by the breached domain. Specifically, you’ll need to get the word out that your website wasn’t under your control as of a given date/time, and let users know that they should contact their banks to cancel any transactions.
If the domain is connected to a trademark or copyright that you hold, the next step is to follow the Uniform Domain Name Dispute Resolution Policy (UDRP) process for claiming the domain. If you don’t hold a mark pertaining to the domain, then this won’t help you.
Your final option is to pursue legal action against the party that has hijacked your domain in a court of law. Unfortunately, this is often not feasible due to issues with jurisdiction and the lack of enforcement in countries where many of these attacks originate.
Conclusion
Domain hijacking occurs when attackers seize control of one of your most critical digital assets: your domain name. Once hackers steal your domain name, they can easily pivot to breaching your API, email, and other sensitive assets.
The good news is that this kind of attack is very preventable. By deploying simple mitigations like locking down your domain using your registrar’s security features and applying general cybersecurity best practices, you can greatly reduce the risk that domain hijacking poses to your organization. Consider using Valimail’s DMARC Monitor to improve your domain’s visibility and enhance efforts to prevent brand abuse and email spoofing.