Domain hijacking is an attack in which the domain name of a certain party is stolen by another party. This is a certain form of cybersquatting, based on changing the domain name registration without getting the permission of its original owner. Domain name hijackers make use of domain name hijacking in order to steal traffic from high-traffic websites or to extort money from the entity associated with the domain name. Hijacking a domain name is a serious threat that may cause reputational damage and significant financial damage to the owner of the domain name.
It will be clarified that hijacking a domain name is a different action from Cybersquatting (stealing a domain name or seizing a domain name) – an action of purchasing a free domain name that is identified with a party other than the purchasing party (a reference to these actions is in another article we wrote on the subject).
In this article we will examine what domain name hijacking is, what are the consequences of domain name hijacking and how a hijacked domain name can be recovered.
What is domain name hijacking?
Domain name hijacking is stealing or changing the registration of the domain name without obtaining permission from the original owner of the domain name. Hijacking a domain name may also be an abuse of privileges found in both the hosting systems of the domain name and the registrar software systems.
Domain name hijacking helps the hijacker extort money from the party associated with the domain name in order to sell him his domain name. Hijacking a domain name also makes it possible to “get into” the commercial business of another entity, its audience, its profits, its email, etc., and exploit in an unfair and misleading way the reputation of the entity identified with the domain name.
There are several ways in which domain name hijacking is done:
The first and most common way is social engineering (phishing). The hijacker may contact the domain name owner impersonating the domain name registrar or may make them fill in the necessary information on a fake login page. Also, the hijacker may make the domain name registrar transfer control of the domain name to him by pretending to be the owner of the domain name.
Domain name hijacking may also be done by gaining illegal access or exploiting a common cyber security vulnerability in the domain name registrar’s system. Using outdated software poses high risks because it can be vulnerable to exploiting weak passwords or SQLi attacks.
Also, hijacking a domain name may be done by gaining access to the e-mail address of the domain name owner and then changing the password at the domain name registrar.
Once a domain name hijacker gains access to a domain name, they can use it for malicious purposes such as selling it to a third party, distributing malware, conducting phishing attacks, launching spam campaigns, social engineering scams, or cybercriminal activities.
What are the consequences of hijacking a domain name?
Hijacking a domain name has devastating consequences for the business of the original domain name owner:
Financial Damages – A domain name is one of the most valuable assets for e-commerce companies. E-commerce companies that rely on their website for business can lose a lot of money when they lose control of their domain name.
Reputation damage – domain name hijackers may use the domain name to sell competing products and services or to carry out additional cyber attacks such as installing malware or social engineering attacks.
Regulatory damages – domain name hijackers may replace the original web page with an identical web page designed to capture sensitive data or personal information (phishing) such as account details, contact details, personal information and more.
How to recover a hijacked domain name?
When domain names are hijacked, there are several actions you can take to regain control of the domain name.
Contact the registrar
The ability to recover a hijacked domain name depends on what the registrar of the specific domain name can do to reverse the attack. Sometimes it is possible to return registration information to the original owner. Thus, the specific domain name registrar can be contacted, and if the registrar can verify that the transfer of the domain name was fraudulent, he can return the domain name to its original owner.
This becomes more difficult when the kidnapper has managed to move to another registrar, and especially if the kidnapper has managed to move to a registrar in another jurisdiction.
ICANN Dispute Resolution Policy
When a stolen domain name is transferred to another registrar, the specific domain name registrar can be asked to apply the Registrar Transfer Dispute Resolution Policy of the Internet Corporation for Assigned Names and Numbers (ICANN) in order to reclaim ownership of the name .
Another option is to recover hijacked domain names using ICANN’s Uniform Domain Dispute Resolution Policy (UDRP), but this policy may not apply to domain name hijacking cases.
You can also contact the Domain Name System (DNS) Abuse Desk of the ICANN in order to get help and guidance on how to recover the hijacked domain name.
Appeal to judicial courts
The courts also have the authority to discuss procedures for returning a domain name to its owner. Going to court is usually recommended in a situation where DRP procedures cannot provide an efficient and quick solution to the problem.
An example of domain name hijacking – Perl.com domain name hijacking
The domain name Perl.com, which was the official website of the Perl programming language, was created in 1994 and registered with the registrar key-systems(.)net.
In September 2020 hijackers took over the domain name Perl.com. In December 2020, the hijackers transferred the ownership of the domain name perl.com to the domain name registrar Bizcn.com, but the name servers were not changed to prevent detection of the malicious activity. In January 2021, the hijackers again transferred ownership of the domain name to the German domain name hosting provider Key-Systems GmbH. They also changed the servers from Bitnames to Afternic and pointed it to an IP address that had been involved in malware campaigns in the past, including the distribution of the Locky ransomware. This is a classic case of hijacking a domain name.
Shortly after the second transfer, the Perl.com domain name was offered for sale by the hijackers for $190,000 on afternic.com.
In early February 2021 the original owner of the Perl.com domain name, Tom Christiansen, regained full control of the domain name.