What is Domain Hijacking? (AND How to Avoid It)

In this article, we'll look at the practice of domain hijacking by highlighting some major examples of attacks and offering strategies to prevent it.

For brands that rely on an internet presence, their most valuable asset may very well be their domain name. When obtaining a .com or .net address through a domain registrar, the most sought after ones can often sell for tens or hundreds of thousands of dollars, especially those connected to celebrities or popular entities. That's because by having a well-known domain name, it's easier to attract customers to your website, products, and services.



But because of their intrinsic value, domain names are often a primary target for hackers and cybercriminals. They know that they can seize control over a popular .com or .net address, and then cause mayhem for the business and the people who use the website.



How Domain Hijacking Happens


As mentioned before, URL addresses must be obtained and then registered through a verified domain registrar. When you acquire your desired domain name, you do not receive anything physical or digital. Instead, you are provided access to the domain registry record, which tracks what IP address the URL should connect to through browsers.



Domain names must be renewed annually and although some registrars offer auto-renewing options, there are still instances where a website owner forgets to renew their domain. Cybercriminals are constantly scouring the internet for domains and will jump on any popular URL that has lapsed.



When linking your main server's IP address to a new domain name, your registrar will also instruct you to provide contact information for the URL owner. If you provide false or inaccurate information, the registrar may actually release your domain ownership giving hackers another chance at it.



But a true domain hijacking occurs when a cybercriminal obtains direct access to your domain record and then uses it to negatively affect your website and business. This can happen if you lose your registrar password or are a victim of a social engineering attack.



Case Studies of Domain Hijacking


Let's take a look at four different instances of domain hijacking. The first occurred in 2016 when one of the largest banks in Brazil suffered a domain hijacking incident. Hackers were able to change domain records for 36 different URLs. Rather than simply taking the websites offline, they redirected it to a phishing page that looked similar to the authentic one. From there, they were able to steal thousands of customer passwords and debit card numbers.



A similar event occurred in 2014 when the popular website Craigslist was targeted by hackers. The attackers were able to swap domain name service (DNS) entries from the primary IP addresses to ones pointing to external websites. As a result, some visitors were redirected to parody sites. This may not sound like a serious breach, but it did have a negative impact on the site's reputation.



Another case was in 2004 when a teenager was able to take control of eBay's DNS. Luckily, in this instance, the teenager was not looking to cause harm, but in the wrong hands of a hacker, it could have been catastrophic for the large online retailer. And yet another instance of a DNS attack was the attack of sex.com where the DNS was hijacked by the infamous con-man Stephen Cohen. In this instance, Cohen had met his match with Sex.com's owner Gary Kremen, who spent 10 years and millions of dollars to reclaim his site. The saga was later made into a book.



How to Protect Your Domains


The first step for avoiding domain hijacking attacks is to maintain a good routine with your registrar. That means using auto-renewal if it is available or setting yourself reminders for when a domain is set to expire. Always make sure your contact information is up to date and your registrar account is secured with a complex password. If possible, add two-factor authentication to make it even harder for someone to hack your records.



Be extra careful when choosing what email address you decide to link to your domain registrar entries. If a hacker is able to compromise your email account, it is only a matter of time before they hijack the domains you own. Be on the lookout for potential phishing attempts that could include suspicious links or attachments in an email message.



If you are nervous about maintaining your own domain records, consider outsourcing that responsibility to a hosting provider. For those using the WordPress content management system, you can research cloud service providers which specialize in WordPress environments, and will include free domain names with your subscription.



Variations of Domain Attacks


If a cybercriminal finds that they are unable to compromise your domain registrar entries, they may look to execute a related attack. One example is domain spoofing, where the hacker creates its own website and registers for a URL that looks similar to yours. For example, they might change the .com to a .biz address or change one letter in the name.



Another hacking tactic is to go after DNS servers at a local level instead of focusing on the top-level domain. A DNS hijacking incident can begin when a hacker loads malware onto an individual server or router. Then they can function as a man-in-the-middle and intercept web requests before they ever reach the open internet. Users may get routed to different websites without even noticing.



In a worst-case scenario, the actual domain registrar could become the victim of a cyberattack. Hackers are constantly looking for vulnerabilities in domain systems that will let them seize registrar entries in bulk so that they can inflict maximum damage to businesses and customers as quickly as possible.


Final Thoughts


The World Wide Web wouldn't function without DNS capabilities. Every internet company around the world operates DNS servers so that online traffic knows where it is supposed to go. From the user's perspective, you get to type a simple URL into your browser and never have to worry about what IP addresses are interacting behind the scenes.


You usually only notice DNS activity when something goes wrong, like with an instance of DNS hijacking. Once a criminal gains access to your email or registrar account, they essentially have full control over your various websites. Regaining power over the domain records can be challenging or impossible, which is why it's so important to be proactive and take steps to lock down your registrar information.

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.,