I know it sounds a bit strange, that your domain name is hijacked, maybe you don’t have a PR 10 domain name with thousands of backlinks … but the truth is that it can happen. Although it does not seem very common, it occurs in some occasions.
Imagine the following: You own a domain name that is linked to an online store. For months, you have invested your small fortune in Google Adwords and you have ranked your website with the best organic SEO that you have been able to do. You’ve linked your 1200 Facebook fans and your over 4000 Twitter followers in the form of decent traffic conversion to your humble e-commerce. But suddenly, overnight, sales stop and you do not know why. Worst of all, Google Analytics does not release any data.
After not knowing what to do, you contact your hosting administrator and explain him what has happened and as it would happen if you had called the police or talked to the detective on duty, your hosting administrator starts to investigate the subject.
After a few hours, you receive a call from your hosting company and you are told that someone has gained access to your domain control panel using your username and password and that your identity has been stolen through your administrative contact details, that the DNS have been modified and that your domain name has been pointed to some other web server other than the original one. In short, your domain has just been hijacked.
Although this type of attacks are not common, they can happen and the way to proceed recover your domain is to enter into a dispute with ICANN, which is the highest body that regulates Internet domains. From there you will likely have to retain an attorney and pay out considerable money to both the attorney and to ICANN to process and resolve the dispute and regain control of your domain. Given the arduousness and expense of this process, you may wish to consider simply registering a new domain, if feasible.
It looks like the plot of a black novel, doesn’t it? With victims, kidnappers, detectives and judges. But don’t worry, the most likely thing that it won’t happen to you.
Who is responsible for domain security?
As these cases are somewhat implausible but real, initially the client believes that all responsibility must fall on the hosting company for having had a security breach in the system. But for ICANN and for the SAC (Stability Advisory Committee), both the hosting company and the client are to blame. The hosting company is responsible for not having established the proper security measures or having poorly monitored such attacks and the client is guilty of having hired his domain name with that hosting company. Yes, although it seems quite contradictory, it happens the same thing as in the movies: nobody is guilty until proven otherwise.
How Hijacking Works
The first thing is to think like a hacker and try to guess how he would gain access to the domain, and the truth is that it’s not very difficult to do so. He doesn’t really need to hack the server, but make something much easier and more affordable: access through a backdoor to the client’s email account and get the password. This is much easier for him and safer than attacking a server. Once done this, he already enters client’s server as if he were “him”, the client, and transfers the domain. That is why ICANN and SAC say that both of them may be guilty. In this case the hosting company has not committed any fault, since the account has been accessed by the “current user” and with the correct password and the domain has been correctly transferred, and if the client cannot prove that his account has been hacked (which is most likely due to lack of technical resources in the matter) then, there’s nothing they can do.
But let’s go deeper into the process of how Hijacking works.
To hijack a domain name, you need to gain access to the domain control panel of the target domain. For this you need the following:
- The domain registrar name for the target domain.
- The administrative email address associated with the target domain.
In order to obtain this information, the hacker accesses the WHOIS data of the target domain, so he follows these steps.
- He goes to whois.domaintools.com, enters the target domain name and clicks on Lookup.
- Once the whois data is loaded, he scrolls down to the Whois Record. Under this, he gets the “Administrative contact email address”.
- To get the domain registrar name, he looks for the domain registrar. If he doesn’t find this, he scroll sup to see ICANN Registrar under the “Registry Data”. In this case, the ICANN registrar is the actual domain registrar. The administrative email address associated with the domain is the backdoor to hijack the domain name. It is the key to unlock the domain control panel. So, to take full control of the domain, the hacker will have to hack the administrative email associated with it.
- Once the hacker takes full control of this email account, he will visit the domain registrar’s website and click on forgot password in the login page. There, he will be asked to enter either the domain name or the administrative email address to initiate the password reset process. Once this is done, all the details to reset the password will be sent to the administrative email address.
- Since the hacker has the access to this email account, he can easily reset the password of domain control panel. After resetting the password, he logs into the control panel with the new password and from there he can hijack the domain within minutes. So, to complete his masterpiece, he points your domain name to a web server other than the original one.
This is silent attack, since the client does not even think that someone is hacking his domain (in fact we only access our domain control panel either to modify the DNS’s, to transfer the domain or to cancel it, and that happens, ¿ how often? And for the server it’s just one more transaction.
That is why the client does not realize what has happened until the domain “disappears” and does not work or when he doesn’t have access to it. So calling upon ICANN and SAC to investigate what actually happened with the domain is very expensive. In addition the Hacker will obviously camouflage his identity, so crawling it all is going to be really difficult.
How to Protect the Domain Name from Getting Hijacked?
Once the above has occurred, the damage is done, so there are a number of security measures that both the client and the Hosting Company should follow:
Recommendations for the Client:
- If you lose the administrative email account associated with the domain, you lose your domain, so do everything possible to protect this account.
- Register your domain names using the domain privacy or WHOIS protection. Even though it costs a few extra bucks, all your personal details such as your name, address, phone and administrative email address are hidden from the public, hackers included. Thus, the private registration provides an extra security and protects your privacy, so it’s worth for its advantages.
Recommendations for the Hosting Company:
- Establish uniform guidelines for (PPE) authInfo extensions. Transfer policies require the generated AUTHINFO codes of the Registrar to be unique for each domain. However, customer-generated codes are not subject to transfer policies restrictions. Therefore, a customer can create a unique code for all his domains. If the code is somehow compromised, the hacker gains access to all domains that are linked to that code. We recommend the server to warn and encourage its clients to follow the “a single authInfo code per domain” policy.
- Create a default setting that applies locks to all clients’ domain names. Teach the client how to unlock the domain name lock through a system other than the email.
- Inform the client about the advantages of hiring a domain privacy or WHOIS protection so that the client’s details are hidden from the public. Although it costs a few extra bucks, it’s worth for its advantages.
As we said a little above, it looks like a black/ crime novel, but really the easiest thing to do is hiring the Domain Privacy Protection or WHOIS protection along with your domain name. It’s better to pay a little more and rest assured. It’s like when we do not want to hire additional homeowners insurance coverage when we hire a mortgage. We think that we are never going to need it, until disaster strikes.