Domain Hijacking

Domain Hijacking is an attack where the attacker takes control of a domain name by changing the registration information on file with the registrar. It is also known as "Domain Theft", which is exactly what it is.

Domain Hijacking is usually performed by social engineering (pretexting). An attacker acquires enough personal information to call up the registrar's customer service and impersonate the real owner. The convince customer service to either reset their password or to change other settings (such as the account email address) which allow them to access the accounting settings. It is also possible to hack the owner's email account, steal their credentials, exploit another vulnerability in the registrar's system.

Once an attacker has stolen the domain, it can be used for malicious activities such as phishing. In many instances, it is used to serve ads which generate money for the attacker. The domain could also be sold for a quick profit or transferred to another registrar, often one in another country where it is much more difficult for the original owner to reclaim it.


Domain Hijacking Preventions

The best preventions are to use a reputable registrar and then secure the account login with a strong password and multi-factor authentication. It is also important to keep domain contact information up to date so that any notifications from the registrar about recent changes to the domain are received. Some registrars offer a setting for "report unusual activity" and some offer "domain locking" and "registry locking" to make it more difficult to change these settings. ICANN requires a 60-day waiting period to change registrars which helps prevent domains from being transferred out of the country and out of reach.

Fork me on GitHub