When an attacker hijacks a domain, the owner no longer has control over the site content, email, or any other app services that rely on the domain name.
Domain hijacking is when an attacker takes control over a domain name, typically through social engineering. A domain name is the unique, easy-to-remember address used to connect users to websites, and the foundation upon which an organization’s public-facing Internet identity is built.
When an attacker successfully hijacks a domain, the legitimate owner loses control over all of their many domain-linked services. That includes website content, corporate email, VoIP call centers, cloud storage services, and other apps associated with the domain. This makes domain name hijacking one of the biggest online threats to one's brand, revenue, and reputation.
Domain names make it easier to access websites without having to remember alphanumeric IP addresses. Domain names are matched to IP addresses thanks to the Domain Name System (DNS), which acts as the Internet’s phonebook.
Domains are established through domain name registrars. When it comes to obtaining a domain, there are two key players: registrars and registries. Think of registries (such as VeriSign) as wholesalers, and registrars as the retailers. Registries own the database of all registered domains within a TLD. They delegate the reservation of available domain names to registrars. In turn, registrars — of which there are thousands — “sell” (or rather lease) domain names to end users for a certain timeframe.
Domain names are made up of two or three parts, each separated by a dot. Read right-to-left, the identifiers in a domain name go from most general to most specific:
To help prevent unauthorized domain name modifications, domain owners can apply “client” locks (registrar locks) through their registrar. Registries apply “server” locks, also known as registry locks. However, if an attacker gains the proper account access, they can remove domain locks and make unauthorized registrar changes.
There are many ways for a domain to be hijacked. For example:
Once a domain has been successfully compromised, attackers can disrupt a myriad of web operations. For example, they can:
It is simple enough to transfer domains between registrars, but it is very difficult to recover a stolen domain. It can take weeks, or even months. It may even require legal action. Part of what makes it so difficult is that the proper documentation might live in systems (such as corporate email) that the original domain owner can no longer access. The domain could be recovered in a few days; or, the original (legitimate) owner may never get their stolen domain back.
Regardless of the outcome, a hijacked domain can ultimately lead to serious financial, reputational, and even regulatory consequences.
In domain hijacking, the attacker steals the legitimately registered domain name. Domain spoofing is when cybercriminals create a fake website or email domain to try to fool users — like a con artist who shows someone fake credentials to gain their trust. Attackers do not need to take over a registrar account in order to spoof a domain.
Domain hijacking — which compromises the domain itself — is different from DNS hijacking (also known as DNS poisoning). In DNS hijacking, an attacker targets the DNS record of the website on the nameserver.
Nameserver records tell the Internet which nameservers to ask in order to find a domain’s IP address. If the nameserver records are improperly configured (i.e., “poisoned”), attackers can divert queries to a different nameserver. Instead of loading the correct website or application, for example, user traffic may be sent to a destination that replicates the original site but distributes malware.
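The registrar and registry locks described above, and the nameserver records just discussed, are both visible in a domain's WHOIS output as EPP status codes and `Name Server` lines. The following is an added monitoring example (not code from the original article or from Cloudflare): it parses a constructed WHOIS-style record, reports which client (registrar) and server (registry) locks are absent, and flags nameserver drift against an expected delegation. The status-code names are the standard EPP values from RFC 5731; the sample record and the hostnames in it are constructed.

```python
import re
from dataclasses import dataclass, field

# EPP status codes (RFC 5731): "client*" are registrar locks, "server*" are registry locks.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}

@dataclass
class LockReport:
    missing_client: set = field(default_factory=set)  # registrar locks not present
    missing_server: set = field(default_factory=set)  # registry locks not present
    unexpected_ns: set = field(default_factory=set)   # nameservers we did not expect
    missing_ns: set = field(default_factory=set)      # expected nameservers gone
def parse_whois(text: str) -> tuple[set, set]:
    """Pull EPP status codes and nameservers out of 'Key: value' WHOIS lines."""
    statuses, nameservers = set(), set()
    for line in text.splitlines():
        m = re.match(r"\s*Domain Status:\s*(\w+)", line)
        if m:
            statuses.add(m.group(1))
            continue
        m = re.match(r"\s*Name Server:\s*([\w.-]+)", line, re.IGNORECASE)
        if m:
            nameservers.add(m.group(1).lower().rstrip("."))
    return statuses, nameservers

def check_domain(text: str, expected_ns: set) -> LockReport:
    """Report missing locks and nameserver drift against the expected delegation."""
    statuses, nameservers = parse_whois(text)
    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    return LockReport(missing_client=CLIENT_LOCKS - statuses,
                      missing_server=SERVER_LOCKS - statuses,
                      unexpected_ns=nameservers - expected,
                      missing_ns=expected - nameservers)

# Constructed sample record: registrar locks set, no registry lock, one nameserver swapped.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS9.UNKNOWN-HOST.EXAMPLE
"""
EXPECTED_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}
if __name__ == "__main__":
    report = check_domain(SAMPLE_WHOIS, EXPECTED_NS)
    print(f"registry locks missing: {sorted(report.missing_server)}")
    print(f"nameserver drift: +{sorted(report.unexpected_ns)} -{sorted(report.missing_ns)}")
```

Run against a scheduled WHOIS/RDAP pull, a non-empty `missing_server` set or any nameserver drift is the signal to raise with the registrar before a transfer completes.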
The simplest way for organizations to protect themselves against domain hijacking is to choose a reputable domain registrar who offers strong security measures. Look for features such as:
Cloudflare’s domain name registrar service, Cloudflare Registrar, offers Enterprise plan customers Custom Domain Protection to prevent domain hijacking. With Custom Domain Protection, any change to domain ownership or nameservers is verified and executed manually. This strict change protocol helps ensure that changes are approved directly by the organization that owns the domain.
Cloudflare Registrar also includes built-in, universal DNSSEC for all domains to protect domains against a wide spectrum of DNS-based attacks.