What is domain hijacking?

When an attacker hijacks a domain, the owner no longer has control over the site content, email, or any other app services that rely on the domain name.

Learning Objectives

After reading this article you will be able to:

  • Define domain hijacking
  • Explain how domain hijacking occurs
  • Differentiate between domain hijacking, DNS hijacking, and domain spoofing
  • Understand ways to protect against domain name hijacking


What is domain hijacking?

Domain hijacking is when an attacker takes control over a domain name, typically through social engineering. A domain name is the unique, easy-to-remember address used to connect users to websites, and the foundation upon which an organization’s public-facing Internet identity is built.

When an attacker successfully hijacks a domain, the legitimate owner loses control over all of their many domain-linked services. That includes website content, corporate email, VoIP call centers, cloud storage services, and other apps associated with the domain. This makes domain name hijacking one of the biggest online threats to one's brand, revenue, and reputation.

How do domains work?

Domain names make it easier to access websites without having to remember alphanumeric IP addresses. Domain names are matched to IP addresses thanks to the Domain Name System (DNS), which acts as the Internet’s phonebook.

Domains are established through domain name registrars. When it comes to obtaining a domain, there are two key players: registrars and registries. Think of registries (such as VeriSign) as wholesalers, and registrars as the retailers. Registries own the database of all registered domains within a TLD. They delegate the reservation of available domain names to registrars. In turn, registrars — of which there are thousands — “sell” (or rather lease) domain names to end users for a certain timeframe.

Domain names consist of two or three parts, each separated by a dot. Read right to left, the labels in a domain name go from most general to most specific:

  • The section to the right of the last dot in a domain name is the top-level domain (TLD). Examples of TLDs include “.com”, “.net”, “.co”, “.uk”, and “.in.”
  • To the left of the TLD is the second-level domain (2LD) — and if there is anything to the left of the 2LD, it is called the third-level domain (3LD).

Figure: Examples of TLD, 2LD, and 3LD in a domain name

To help prevent unauthorized domain name modifications, domain owners can apply “client” locks (registrar locks) through their registrar. Registries apply “server” locks, also known as registry locks. However, if an attacker gains the proper account access, they can remove domain locks and make unauthorized registrar changes.

How does domain hijacking occur?

There are many ways for a domain to be hijacked. For example:

  • Social engineering and phishing schemes: Broadly speaking, social engineering is any attack that manipulates people into giving up sensitive information. For instance, an attacker sends the intended victim a legitimate-looking phishing email that appears to be from the registrar. The recipient clicks one of the email's links, thinking it will take them to the registrar’s website, but it actually points them to a spoofed domain designed to steal their registrar login credentials.
  • Exploiting dormant or expiring domains: Most domain names can only be registered for up to 10 years at a time. It is the responsibility of the registrar to alert its customers when their domains are set to expire. However, if the end user fails to properly renew their domain (or fails to properly decommission the domain), an attacker can purchase and exploit the domain.
  • Registrar breaches: Attackers may also exploit registrar vulnerabilities. For example, when Squarespace was in the midst of migrating roughly 10 million domain names from Google Domains, attackers exploited a flaw that allowed them to take over accounts and modify DNS records (specifically those of certain crypto and blockchain companies). Then, attackers redirected visitors to phishing sites attempting to steal tokens and other digital currency.
  • Compromised API keys: API keys and other authentication tokens are designed to allow applications to access online accounts — such as certain domain services — via an API. If those keys are exposed or accidentally leaked, they could provide access to an organization’s registrar account.

What is the impact of domain hijacking?

Once a domain has been successfully compromised, attackers can disrupt a myriad of web operations. For example, they can:

  • Change the content of the original site
  • Redirect visitors to a different, malicious site
  • Divert online payments to attacker-controlled accounts
  • Send spam and phishing emails from the domain’s mail server
  • Read sensitive emails sent to corporate inboxes
  • Change API calls to disrupt an organization’s mobile apps and other digital services

It is simple enough to transfer a domain between registrars, but recovering a stolen domain is very difficult. Recovery can take days, weeks, or even months, and may require legal action. Part of what makes it so difficult is that the documentation needed to prove ownership might live in systems (such as corporate email) that the original domain owner can no longer access. In the worst case, the original (legitimate) owner never gets their stolen domain back.

Regardless of the outcome, a hijacked domain can ultimately lead to serious financial, reputational, and even regulatory consequences.

Domain hijacking vs. domain spoofing

In domain hijacking, the attacker steals the legitimately registered domain name. Domain spoofing is when cyber criminals create a fake website or email domain to try to fool users — like a con artist who shows someone fake credentials to gain their trust. Attackers do not need to take over a registrar account in order to spoof a domain.

Domain hijacking vs. DNS hijacking

Domain hijacking — which compromises the domain itself — is different from DNS hijacking (also known as DNS poisoning). In DNS hijacking, an attacker targets the DNS record of the website on the nameserver.

Nameserver records tell the Internet which servers to query to find a domain’s IP address. If the nameserver records are improperly configured (i.e., “poisoned”), attackers can divert queries to a different nameserver. Instead of loading the correct website or application, for example, user traffic may be diverted to a destination that is a replica of the original site but distributes malware.

How to prevent domain hijacking

The simplest way for organizations to protect themselves against domain hijacking is to choose a reputable domain registrar who offers strong security measures. Look for features such as:

  • Two-factor authentication (2FA): 2FA requires all registrant account holders to prove their identity in two different ways before being granted access.
  • Privacy for domain registration: Domain privacy services can redact domain registrant contact information from public records.
  • Registrar lock: Many mass-market registrars support registrar lock, which prevents the registry from altering information unless the registrant explicitly removes the lock.
  • Registry lock: Registry lock is a higher level of security that requires multiple independent, offline verification sources and steps.
  • Renewal grace periods: A grace period after expiration can help customers who missed the expiration deadline. This can even affect users who were on auto-renewal, if their credit card on file has expired. Choosing a registrar with a grace period is essential for thwarting attackers actively looking to exploit expiring domains.
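As an added defender-side example (not part of the original article and not Cloudflare's own tooling), the check below reads an RDAP domain record and flags the conditions the list above is meant to prevent: missing registrar (client) locks, no registry (server) lock, and an expiry date that is near or already past. The two records are constructed samples with made-up names and dates; a real audit would fetch the JSON from the registry's RDAP service and run the same checks on a schedule.

```python
import json
from datetime import datetime, timedelta, timezone

# Two constructed RDAP domain objects (field names follow RFC 9083; the
# domain names, dates and status values are made up for this example).
SAMPLE_UNPROTECTED = """{
  "objectClassName": "domain", "ldhName": "example-corp.test",
  "status": ["client transfer prohibited", "client update prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2024-09-15T00:00:00Z"}]
}"""
SAMPLE_PROTECTED = """{
  "objectClassName": "domain", "ldhName": "example-bank.test",
  "status": ["client transfer prohibited", "client update prohibited",
             "client delete prohibited", "server transfer prohibited",
             "server update prohibited", "server delete prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2030-01-01T00:00:00Z"}]
}"""

# Registrar ("client") locks are set through the registrar; registry
# ("server") locks are applied by the registry and are the stronger control.
CLIENT_LOCKS = {"client transfer prohibited", "client update prohibited",
                "client delete prohibited"}
SERVER_LOCKS = {"server transfer prohibited", "server update prohibited",
                "server delete prohibited"}
AS_OF = datetime(2024, 8, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def audit_domain(rdap_json, now=AS_OF, warn_days=60):
    """Return a list of findings for one RDAP record (empty means all checks passed)."""
    rec = json.loads(rdap_json)
    status = set(rec.get("status", []))
    findings = []
    missing = sorted(CLIENT_LOCKS - status)
    if missing:
        findings.append(f"missing registrar lock(s): {missing}")
    if not SERVER_LOCKS & status:
        findings.append("no registry (server) lock present")
    for ev in rec.get("events", []):
        if ev.get("eventAction") != "expiration":
            continue
        # Lapsed domains can be re-registered by anyone, so warn well ahead.
        exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
        if exp <= now:
            findings.append("domain has expired")
        elif exp - now <= timedelta(days=warn_days):
            findings.append(f"expires in {(exp - now).days} days")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_UNPROTECTED, SAMPLE_PROTECTED):
        print(json.loads(sample)["ldhName"], audit_domain(sample) or ["OK"])
```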

How Cloudflare helps prevent domain hijacking

Cloudflare’s domain name registrar service, Cloudflare Registrar, offers Enterprise plan customers Custom Domain Protection to prevent domain hijacking. With Custom Domain Protection, any change to domain ownership or nameservers is verified and executed manually. This strict change protocol helps ensure that changes are approved directly by the organization.

Cloudflare Registrar also includes built-in, universal DNSSEC for all domains to protect domains against a wide spectrum of DNS-based attacks.