NordVPN Promotion

Home / Blogs

Help! My Domain Name Has Been Hijacked!

They are out there. In Internet Cafes and dark rooms from New York to Hong Kong to Iran, the domain name hijackers are plotting to steal your domain names. Fortunately, there are some steps that you can take to protect yourself against losing your domain names.

What is Domain Name Hijacking? Domain name hijacking is the terminology commonly used to describe the wrongful taking of a domain name from its rightful owner, by deception or fraud. Some common forms of domain hijacking include:

  • impersonation of a registrant in communications with a registrar (sometimes called “social engineering”)
  • registering a lapsed registrant email address to reset a password and authorize a transfer of registrar or registrant
  • registering a lapsed domain name, used for an administrative contact or registrant email address, and then spoofing the email address
  • hacking or spyware
  • forgery of transfer authorizations or other account verification information
  • theft by a disgruntled company employee or business partner
  • adding new verification information to an account, and later confirming the falsely added verification information to gain access to the account
  • hijacking an email server to spoof email to make it look like it came from a registrant

Why They do It - Some hijackers do it for the money. Domain names are often valuable, either for their value to an existing business, for resale, or for the click-through traffic that they might bring. Some do it for the challenge or the notoriety. It is not uncommon for a hijacker to breach an account and assume control of the domain names in the account, yet not sell them. Some might do it purely to be malicious. What matters most is that these people are out there, they are persistent, and they have no qualms at all about taking your valuable assets away from you.

Once stolen, it can be difficult to recover a domain name. Registrars are often skeptical of claims of domain hijacking, and the hijackers often “launder” the domain names to look as if they have sold them to third parties, even if they have not. By the time you discover that your domain name has been stolen, it may be at its third or fourth different registrar in the name of a completely different party, who claims to have purchased the domain for value. At that point, you may need help unraveling the mess - but what if your domain name is not worth enough to justify hiring an attorney? What if the registrar still won’t listen? You may have to try to track down the thief, and sue him or her to recover your name, or you may have to sue the third party who purchased the domain name from the thief. These are both costly propositions, and while you pursue legal action, your online business is quietly being dismantled and monetized by the thief or the new “owner” of the domain.

Prevention - When confronted with the issue of domain hijacking, the best practice is to prevent a hijacking from ever occurring. The hijackers are aware of certain vulnerabilities in the domain name registration system, and they exploit these weaknesses. You can reduce the likelihood that any of your domain names will ever be hijacked by following some simple rules:

  • Always maintain accurate contact information with your registrar or services provider - In the event of a theft, if the Whois information for a domain is inaccurate, it will be difficult for a registrar or service provider to determine who the rightful registrant of the domain name should be. Don’t make things more difficult for yourself by providing phony contact information.
  • Register Your Domains with a Reputable Registrar - There are literally hundreds of registrars to choose from and thousands upon thousands of resellers. Complaints about lack of service and responsiveness at shady service providers abound. If your domain name is hijacked from one of these providers, you may have a difficult time getting anyone to listen. Domain name resellers are not under contract with ICANN and are not directly obligated to follow the same transfer confirmation processes that ICANN requires of registrars. Many do, but there is a greater risk that a reseller will not follow best practices, making it more likely that your domain name can be hijacked. Also look for a registrar that sends a transfer confirmation email prior to transferring a domain name.
  • Never Allow your Listed Email Address to Expire - Your email address is the key to unlocking your domain names. Your listed registrant or administrative contact email address can be used at many registrars to reset the controlling user name and password for your account. In addition, under ICANN’s Transfer Policy, a gaining registrar usually obtains the required transfer confirmation through electronic mail, sent to the registrant or administrative contact email address on file for the domain name. If you allow your email address to expire, a hijacker will steal your domain name, provided it’s worth stealing.
  • Keep User Names and Passwords Secure - Do not share these with anyone, unless they have an absolute need to know.
  • Use a Whois Privacy Service - If your contact information, including your email address, is private, it will be harder to spoof.
  • Lock Your Domains - This is self-explanatory. Many registrars offer a “locking” service, and will not allow a transfer of a locked domain.
  • Monitor Your Portfolio - Routinely monitor your portfolio for any unauthorized changes. The sooner that a hijacking is discovered, the better chance that you have of recovering your domains. This can also be done through an automated script.

If you follow these steps, you will greatly reduce the likelihood that your domain names will be stolen, or, if stolen, that you will be able to recover them quickly. It also helps to have a contingency plan in-hand, know the phone numbers that you will have to call in an emergency, and keep up to date records showing that you are the master of your domains.

By Brett Lewis, Internet Attorney

Filed Under

Comments

George Kirikos  –  Jan 12, 2007 10:04 PM

Good summary of the standard “best practices” for securing one’s domain names, Brett.

I’d disagree with the need for WHOIS Privacy services, though. I believe that can work against you. People who use the “WHOIS History” feature of services like www.domaintools.com to check the good provenance of a domain name will have a much harder time to trace the ownership path of a domain name when there is a proxy WHOIS involved. Indeed, how do you prove you were the true registrant of a domain name 6 months ago, when the WHOIS history 6 months ago shows only a proxy WHOIS? With a proxy WHOIS, anyone can claim they were the real registrant during that time.

Indeed, when I’m purchasing a valuable domain name, it raises a red flag when I see the use of a WHOIS Privacy service, as it could mean that the domain name was hijacked already, and the thief is covering their tracks by hiding behind the proxy WHOIS. In those cases, other evidence is needed to ensure a safe transaction.

Instead, I consider it better practice to keep your true WHOIS visible, and make sure that the WHOIS gets cached in the WHOIS history by manually performing a WHOIS at places like DomainTools.com (which also have automated monitoring tools to email you if the WHOIS has changed, as do GoDaddy and others).

Having a good relationship with your registrar is also important so that they can initiate a transfer dispute under the mechanism provided by ICANN’s transfer dispute resolution procedure. Consolidating all your domains with that registrar might be wise, instead of having domains with dozens of different registrars.

Furthermore, .com and .net recently switched to EPP, which has “auth_info” codes for each domain name (other TLDs have been using EPP for years). Registrants should ensure they have unique codes for each domain name that are hard to guess (e.g. 10+ characters in length, with a mix of uppercase, lowercase, numeric digits, and even symbols).

For your most valuable domains, you should also renew them well in advance of expiry (many of my company’s most valuable domains are renewed up to the 10 year maximum). Some of the slimier registrars can’t wait to get their dirty little hands on your valuable domain names once they expire, and will auction them off or keep them for themselves. A stronger Redemption Grace Period policy is needed (ICANN has a habit of writing loopholes into its policies).

Lastly, one might want to become one’s own reseller, to have greater control and make it harder for hijackers. For example, at Tucows (my preferred registrar), the reseller is able to totally disable the lock/unlock capability by registrants. Thus, being my own reseller with that option set appropriately, it would not be sufficient for a hacker to hijack the end user account/password for a domain name. To unlock the domain, they’d have to hijack the reseller account too. Hacking 2 independent systems is a lot harder than hacking just 1 (making sure to use different email addresses, etc. will make the systems more independent).

Looking to the future, PayPal and eBay recently announced that they intend to give security keys to customers (these 2-factor authentication systems have been widely used in the financial industry, using RSA SecurID keys for years). If VeriSign or other registries were to implement such a security feature on a valued-added opt-in basis, they’d have my support (no registrar that I know of offers these at the registrar level, yet).

John Berryhill  –  Jan 23, 2007 10:18 PM

Add to Brett’s list:

Avoid accessing your domain registration account from internet cafe’s while travelling.

Hackers love to leave keyloggers on public computers.  It’s even better when the hackers run the local network.

Brett Lewis  –  Jan 24, 2007 3:14 PM

George,

You make some very interesting and insightful comments.

As to whois masking, I am not sure that I fully agree with your comments, although I can see your point.  First, if an individual or company registers a domain name to use it and keep using it, rather than to sell it, there is far less benefit to having archived whois records.  It is better for these people that their email addresses remain unknown, rather than risk having their domains stolen. 

As to entities in the business of buying and selling domain names, your concerns are not invalid, but by leaving the email address exposed, you invite hijackers to try to steal your domains.  As an alternative, sellers should proactively print and keep records from their domain name accounts, showing them listed as the actual registrants of the domain names.  Also, the registrars, themselves, keep records of who the proper holder of a domain name is, and could be a source of verification.  Further, any changes in Whois would be reflected by Name Intelligence, so any recent changes from a named individual to masked whois would need extra scrutiny. 

B.E.L.

George Kirikos  –  Jan 24, 2007 4:48 PM

Another reason not to keep your domain name masked via a registrar proxy service is that you don’t lose valuable time in the event of a UDRP or other legal process. If the registrar is slow or negligent in forwarding relevant emails, faxes, mailed documents, etc., conceivably a registrant could find themselves in default and lose a domain name without even knowing about it. Given that the proxy contracts are typically very one-sided and written in favour of the registrar’s interests, one can find oneself with no good recourse in the event the registrar screws up.

Perhaps your introductory paragraph should be amended to include the “bright rooms in corporate law offices”, where overly aggressive lawyers see little downside in engaging in reverse domain name hijacking.

Brett Lewis  –  Jan 24, 2007 5:27 PM

Reverse domain hijacking is a different problem.  I have not heard of a situation yet where someone lost a domain name via a UDRP from using a proxy service, though if it has happened, I would be interested to know.

First, most attorneys want to name the actual registrant and request that the proxy whois be unmasked.  Registrars do not want to be involved in UDRP proceedings, or incur the cost, and will unmask the whois records upon request.

Second, a UDRP against a whois proxy service should fail every time because the proxy service did not “register” the domain name—the actual registrant did.  Proving bad faith in such a situation, as against a proxy agent, should be impossible.

Third, using a reputable registrar will assure that 99.9% of the time proper process is followed and mail and email do not slip through the cracks, due to use of a whois proxy.  Using some of the outlyers in the industry, domain holders are taking chances anyway.


B.E.L.

Stephen Douglas  –  Feb 3, 2007 11:34 AM

I agree with Brett Lewis: The best defense is to register or transfer your domains to a reputable registrar.

Only one registrar I know requires a “double” auth code to proceed with a transfer, and they are ferocious about protecting their customers’ domains.  That’s Moniker.com.

One area of concern not mentioned here (no disrespect to the other posters) is the problem of rogue registrars who sign up with expiring domain auction sites such as Snapnames and Pool, TDNAM (how about that company for not know what domain name to buy that makes quick sense ? LOL) and Enom.

Check out this scenario, which I have personally experienced, and from my discussion on other domain forums, seems to be a common problem:

1. You win a bid for a domain name on Pool.com that cost you $2,000.

2. You find out the domain is owned by domainmonkeys.com (not a fake name, truly… I’m not kidding.. it’s a registrar)

3. You try to remember to transfer the domain out after 60 days, and if you do, you find there is no easily obtained EPP code. In fact, you can’t find a domain management page that even allows you to UNLOCK your domain.

4. Let’s say you forget to transfer your domain out from domainmonkeys.com and 11 months goes by. You might expect that 30 days out, the registrar will send you a renewal notice or two. No renewal notice is sent.

5. Let’s say 14 days from your domain expiring, no “renewal notice” is sent to you from Domainmonkeys.com.

6. Let’s say that one week before your premium domain is set to expire, no renewal notice is sent to you from Domainmonkeys.com.

7. Let’s say that on the day your domain name is set to expire, Domainmonkeys.com does not send you a renewal notice for your domain that you paid $2,000 for a year earlier.

8. Let’s say that 30 days later, you start getting renewal notices from Domainmonkeys.com. However, the renewal notices require you to fill out an attached document that asks for your credit card info, including your CVV code, and a lot of other information you might feel uncomfortable providing. The email from Domainmonkeys.com states you MUST RENEW your domain for THREE YEARS at $14.95 and pay a “reinstatement fee” of $40. You realize that your domain has expired and is heading into the RGP—days from being resold in auction.

9. Let’s say you think “what a scam, I’ve been forced to pay over $80 for a domain that I could have renewed if I received renewal notices even 14 days before its expiration”.  Some people might say “you should have transferred it out—and you say “see # 3 above”.

10. Let’s say you fill out the form, scan it to a jpg file, and try to send it to Domainmonkeys.com’s support email address, using the exact links provided for you to do so.

11. Let’s say that the link they provided bounces your email back as “undeliverable”

12. Let’s say that you try two other email addresses for Domainmonkeys.com, and those emails bounce back as “undeliverable”

13. Let’s say you leave a message on their voicemail, and another email appears from a NEW email address from Domainmonkeys.com, and you again reply with your document and your credit card info. (sending documents that can be stored or printed with your credit card info PLUS your CVV number is dangerous). You’re nervous at this point.

14. Just to follow up, you finally FAX your credit card info to the fax number provided in order to secure the renewal of your valuable domain. The fax comes back as “UNDELIVERABLE”.

However, lucky for you, the last email address provided worked, they got your credit card info and charged the renewal fees to your card. You were able to save your domain and it only cost you $84.85 and hours of time and infinite frustration.

There are about a fifty registrars/resellers out there right now that we all can say fit the profile of the above scam process. This occurs because there is a lack of a uniform system of required proper and fair processing of domain names by registrars. I’ve already received almost a hundred responses from domainers complaining about this very same thing—- but many weren’t as lucky. Some registrars don’t sent out anything at all to remind you to renew your domain because they know they can resubmit it on the auction block and make more money in the resale of the domain. This is actually more common than you think.

So if you buy your domains from an expiring domain company at an auction, be sure to set some sort of ALARM program up to beep you after 60 days to start transfer efforts if you don’t recognize the registrar. You may still have to jump through flaming hoops to get your domain transferred out, but at least you’re 10 months away from actually having the registrar recapture the domain and resell it through the auction sites. This type of activity just makes the domain industry look like we still don’t have our sh*t together. And you know what? We don’t.

Just a heads up.

Anyone can contact me for discussion about this at http://www.dnforum.com—my handle is “successclick”

I’m ready to kick ass for domainers. Anyone ready to join up?

Stephen Douglas
Successful Domain Management™
DomainRelevance.com
“Own Your Competition™”
Executive Producer
Domain Roundtable Conference
NameIntelligence.com

sibyl  –  Feb 27, 2008 2:19 AM

my domain was just stolen and i do not know what i am doing. I have had the domain http://www.muahs.com for 4 years with no problems till last week when i logged in my ftp and it was not working. Turns out someone got in my email and just transferred it to dodaddy. i have contacted ic3.gov and have heard nothing back. I have looked into wipo and as soon as i saw 1,500 $ i was very scared. I cant afford some top lawyer for my 19.99 site. But i would like it back any help is appreciated.-Sibyl

sibyl  –  Mar 22, 2008 6:10 AM

This is unreal my domain is still hijacked. I have been going after my registar instead of godaddy
Melbourne.it has not contacted me back yet they are supposed to help me file a domain dispute transfer and send a foa to godaddy proving the site was mine.

noone has helped me and i dont think theres any hope ;o(

Domain hijacking by registrars Lisa Miller  –  Jun 10, 2009 6:04 PM

I don’t know if this is considered domain hijacking - maybe pre-emptive hijacking, but a customer recently asked me to register 5 domains names and wanted to know if they were avaialable. They were not common sounding domains, so I was was reasonably certain they would be avaialable, but I checked any way and they were, all using the same regiastar, Godaddy. When I went back to register them the very next day, to my dismay they were all registered!. A whois check showed me they were all registered by the same party. This also happened to my client **** but we checked again after 2 weeks and they party had dropped the domain name and we were able to register.

It is very unsettling if a domain registrar is doing this but I aslo wonder if it perhaps some kind of spyware on on’es computer and they can see where you surf and what you attempt to register. Surely, this practice must be illegal. Has anyone heard of a registrar or spyware program doing this?

what a joke sibyl  –  Jun 18, 2009 7:01 AM

you are right if you test a domain it does get reserved. It would be hard to prove most likely. godaddy is a shady company. In fact godaddy was holding my stolen website for ransom. I just gave up. lets face it anything on the internet "illegal" seems to be not important. Its all about being greedy and how much money a domain costs.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion