This article was originally published on May 11, 2015. It was updated on October 22, 2021.
- Social engineering is one of the most popular means of hijacking domains. It pertains to manipulating people into performing compromising actions or divulging confidential information.
- Private registration can be a bit more expensive, but it is well worth the relatively small investment that will hide your name, phone number, and email address from public viewing within the WHOIS database.
- Protecting your email is one of the best ways to thwart domain hijacking.
What is domain hijacking?
Domain hijacking, also known as “domain theft” or “hacking domain names,” is the act of changing the registration of a domain name without the permission of the legal domain owner, also known as the registered name holder (RNH). Theft of domain names occurs every day despite the best efforts of individual domain owners and hosting service providers. At minimum, this can cause great anxiety; but it can also be financially costly for those whose domains provide them income via websites or email accounts hosted at their domains.
That’s why Web.com invests significant resources in protecting our customers from domain hijacking and other forms of malicious cyber-activity. This includes employing market-leading technology, recruiting top IT talent, conducting regular research, and continually educating our clients on matters of cyber-security.
It also includes implementing internal security protocols which are constantly re-evaluated in consideration of the latest regulatory policies; the continuing evolution of existing threats and emergence of new ones; evolving cyber-security best practices; and our own judgement, based upon years of industry knowledge and experience. Sometimes, security protocols can be frustrating (no one likes to be asked to remember yet another password, two more security questions, or have their task at hand delayed by such requests). But, rest assured, such protocols are in place for your protection.
What is social engineering and how do domain hijackers use it?
Web.com constantly updates its security protocols to combat increasing attempts at domain hijacking via means such as “social engineering.” Today, social engineering is one of the most popular means of hijacking domains. It refers to the practice of manipulating people into performing compromising actions or divulging confidential information, such as revealing sensitive account information or making unauthorized changes to accounts.
A very simple example of social engineering would be a fraudster contacting a domain registrar, pretending to be an authorized account administrator to gain access to the targeted domain’s control panel.
Perhaps this individual had gleaned the real owner’s account information from other security compromises, such as the theft of personal documents or a hack into the owner’s home computer, mobile device, or email, or by other methods. Once the hijacker gained access to the domain’s account and associated control panel, they could then “redirect” the domain to “point” to a new server that they controlled (aka “DNS hijacking”), while also making additional account administrator and password changes, giving them full future control of the domain.
Other simple forms of social engineering may involve cybercriminals pretending to be authorized account holders who call registrars with “dire emergencies” at their businesses and claim to need immediate access to accounts without the required security information, or pretending to be a close family member or employee of a deceased account owner or closed business who needs to access the owner’s account.
Even without ever interacting with a registrar directly, a domain hijacker needs only the following information to hijack a domain: the domain name and an administrative contact’s email address. Armed with this information, the hijacker can then compromise the administrative contact’s email, and work from within that account to complete their attack.
How can we best protect ourselves against social engineering and domain hijacking?
We have little choice but to continue to take a hard line when it comes to account security. We continue to revamp how we manage account changes on behalf of our customers, strengthen our customer confirmation and authentication policies, and fortify our defenses against the uptick in this kind of malicious cyberactivity. While we recognize that this may diminish some level of convenience in some instances, we also understand that it is a trade-off for improved security for individual customers, as well as all users within our systems.
Protecting your email: what you can do
As noted previously, stopping domain name hijacking entirely is not realistic. However, there are a few key things you can do to help protect yourself.
The most critical element is to protect the RNH email account affiliated with your registered domain. The best way to do this is to consider using private domain registration when registering your domain.
Private registration can be a bit more expensive, but it is well worth the relatively small investment that will hide your name, phone number, and email address from public viewing within the WHOIS database.
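The changes a hijacker makes after gaining account access (new name servers, a replaced administrative contact) and the contact address that private registration hides are both visible in a domain's public WHOIS record. The Python script below is an added example, not Web.com's code: it compares two saved WHOIS snapshots and lists the email addresses a record exposes. The records are constructed samples in the common "Key: value" WHOIS layout, and the watched field names and the redaction placeholder are assumptions about your registrar's output.

```python
# Added example: compare two WHOIS snapshots of one domain and report changes.
# Both records are constructed sample data using reserved example names.
BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Email: owner@example.com
Admin Email: owner@example.com
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""
CURRENT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Email: owner@example.com
Admin Email: newadmin@example.org
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
"""
# Fields whose change should raise an alert (assumed names; adjust to your output).
WATCHED = ("Registrar", "Registrant Email", "Admin Email", "Name Server")

def parse_whois(text):
    """Return {field: set of lower-cased values} for 'Key: value' lines."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), set()).add(value.strip().lower())
    return record

def diff_snapshots(old_text, new_text, fields=WATCHED):
    """List (field, removed, added) for every watched field that changed."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    changes = []
    for field in fields:
        before, after = old.get(field, set()), new.get(field, set())
        if before != after:
            changes.append((field, sorted(before - after), sorted(after - before)))
    return changes

def exposed_emails(text):
    """Email-field values containing '@'. A redacted record (assumed to carry
    placeholder text such as 'REDACTED FOR PRIVACY') yields an empty list."""
    record = parse_whois(text)
    return sorted({v for k, vals in record.items() if k.endswith("Email")
                   for v in vals if "@" in v})

if __name__ == "__main__":
    for field, removed, added in diff_snapshots(BASELINE, CURRENT):
        print(f"ALERT {field}: {removed} -> {added}")
    print("Publicly visible emails:", exposed_emails(BASELINE))
```

Save a snapshot while the domain is known to be in good standing and rerun the comparison on a schedule; any alert you did not initiate is a reason to contact your registrar.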
Other best practices for protecting your email include:
- Use strong password protection:
  - Use a unique password.
  - Never use the default username, “Admin” or the password, “Password.”
  - Make your password at least 8 characters long. The longer, the better. Longer passwords are harder for hackers to hack and they’ll typically seek the shortest routes from point A to point B.
  - Do not use dictionary words. Cybercriminals use software that can guess those.
  - Include a combination of numbers, upper- and lowercase letters, and symbols in your passwords.
  - An excellent way to create an easy-to-remember password that’s hard for others to guess is to pick a phrase, then use the first letter in each word as your characters, such as, “My wife, Eden drives a 2012 Ford Explorer with a V8 engine” = MwEda2012FEwaV8e. You can use song lyrics, favorite quotes, etc.
- Have more than one email account: Use a personal one for friends and family and another for more public use in things like social media, online subscription registrations, etc. This may lead to you receiving a lot of unwanted spam mail.
- Choose an email address that is difficult to guess: It is best not to have any identifying information in your email address, such as your full name, age or location. The best suggestion is to use a series of numbers and letters.
- Never open attachments from people you don’t know: Sometimes viruses may be sent unwittingly in attachments, even from your friends and family. Check with the person who sent it if you are unsure about an attachment they sent.
- Don’t click on any links inside spam, not even the “Unsubscribe” link: You do not know where any link will lead, so clicking can make you vulnerable to viruses. Clicking “Unsubscribe” on a link you know to be spam just confirms for the spammer that your email address is active.
- Only give your email address to people you already know and trust: Be careful that your email address is not in your profile or on other websites where people you don’t know can find it.
- Use spam filters: These can offer some protection by diverting suspected spam into a junk mail folder. You may ask your service provider about this.
The most important thing to keep your domain name secure online is to use your common sense. Don’t go click-crazy on links emailed to you and be aware of the information presented to you on the Internet. Along with these practical steps, you will get the peace of mind you need to make sure you’re keeping your domain name, and more importantly your brand, safe and secure online.
Tim was the Director of Social Media at Web.com. A deeply experienced integrated marketing professional, former creative director and writer who operated his own full-service marketing, branding, public relations and design firm for 15 years, Tim provides a wealth of experience in nearly every area of marketing communications encompassing both new and traditional media.