Domain hijacking

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant.

This can be financially devastating to the original domain name holder, who may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts. Additionally, the hijacker can use the domain name to facilitate illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords.

Exploiting expiration

While not technically domain hijacking, domain sniping is a related practice of a bad actor registering a domain name whose registration has lapsed. Although domain registrars often make multiple attempts to notify a registrant of a domain name's impending expiration, these may fail due to out of date contact information or confusion by unsophisticated domain holders. Registrars and ISP's now normally have measures such as a Redemption Grace Period to provides some protection,^[1] but unless the original registrant holds a trademark or other legal entitlement to the name, they are often left without any form of recourse in getting the domain name back.

Description

Domain hijacking can be done in several ways, generally by exploiting a vulnerability in the domain name registration system or through social engineering.

The most common tactic used by a domain hijacker is to use acquired personal information about the actual domain owner to impersonate them and persuade the domain registrar to modify the registration information and/or transfer the domain to another registrar, a form of identity theft. Once this has been done, the hijacker has full control of the domain and can use it or sell it to a third party.

Other methods include email vulnerability, vulnerability at the domain-registration level, keyloggers, and phishing sites.^[2]

Responses to discovered hijackings vary; sometimes the registration information can be returned to its original state by the current registrar, but this may be more difficult if the domain name was transferred to another registrar, particularly if that registrar resides in another country. In some cases the original domain owner is not able to regain control over the domain.

The legal status of domain hijacking remains unclear. It is analogous with theft, in that the original owner is deprived of the benefits of the domain, but theft traditionally regards concrete goods such as jewelry and electronics, whereas domain name ownership is stored only in the digital state of the domain name registry, a network of computers. There are no specific laws regarding domain hijacking, nor any law that specifically holds the domain name registrar responsible for allowing the registrant information to be modified without the permission of the original registrant. In some cases there may be recourse under trademark law, but not all domain names are (or can be) registered as trademarks.

Another method of cybercriminals doing "domain hijacking" is from the backend of hosting and registrar companies. Misusing their company systems to prevent the owner from being contacted by interested parties, for example by fraudulently entering whois-data, and even knowingly stopping or cancelling a customers payment for renewal, allowing the "stolen" domain to then be expired and auctioned via a domain-auctioning site like SnapNames.com . This is considered to be backend computer-misuse, which is within the scope of UK cybercrime legislation.^[3]

Prevention

ICANN imposes a 60-day waiting period between a change in registration information and a transfer to another registrar. This is intended to make domain hijacking more difficult, since a transferred domain is much more difficult to reclaim, and it is more likely that the original registrant will discover the change in that period and alert the registrar. Extensible Provisioning Protocol is used for many TLD registries, and uses an authorization code issued exclusively to the domain registrant as a security measure to prevent unauthorized transfers. ^[4]

There are certain steps that a domain-name owner can take to reduce the exposure to domain name hijacking. The following suggestions may prevent an unwanted domain transfer:

Change your email password often. Test your password for its security strength. (There are free sites for checking password strength.) Disable POP if your email provider is able to use a different protocol. Tick the setting “always use https” under email options. Frequently check the “unusual activity” flag if provided by your email service. Use a two-step (two-factor) authentication if available. Make sure to renew your domain registration in a timely manner—with timely payments and register them for at least five (5) years. Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking. Makes sure your WHOIS information is up-to-date and really points to you and you only. If you have 2500 or more domain names consider buying your own registrar. Relief via the Inter-Registrar Dispute Process ^[5]

See also

• Cybersquatting
• DNS hijacking
• Domain tasting

External links

• Major Domain Hijacking Alert: Industry Pioneer Warren Weitzman Has Over a Dozen Domains Stolen From his Enom Account
• Anatomy of a Domain Hijacking
• Wall Street Journal: Web-Address Theft Is Everyday Event
• Office of Attorney General - State of New Jersey: First Known Conviction in U.S. of Domain Theft
• Quotes from Landmark 2011 Domain Name Theft Case: First U.S. Criminal Conviction
• Stop Domain Theft - Alerting Media, Lawmakers, Law Enforcement
• non-profit trade organization representing domain name investors, website developers and related companies.
• How to Recover a Stolen Domain Name

References

• Domain name hijacking: Incidents, threats, risks, and remedial action. A report from the ICANN Security and Stability Advisory Committee (SSAC) 12 July 2005