Protecting Yourself from Domain Hijacking
By Tim Hamby
Protecting your email is one of the best ways to thwart domain hijacking
What is Domain Hijacking?
Domain hijacking, also known as “domain theft” or “hacking domain names”, is the act of changing the registration of a domain name without the permission of the legal registrant. Theft of domain names occurs every day despite the best efforts of individual domain owners and hosting service providers. At minimum, this can cause great anxiety, but it can also be financially costly for those whose domains provide them income via websites or email accounts hosted at those domains.
That’s why Web.com and our family of brands, including Network Solutions and Register.com (two of the five original domain registrars), invest significant resources in protecting our customers from domain hijacking and other forms of malicious cyber-activity. This includes employing market-leading technology, recruiting top IT talent, conducting regular research and continually educating our clients on matters of cyber-security.
It also includes utilizing sound internal security protocols which are constantly re-evaluated in consideration of the latest regulatory policies; the continuing evolution of existing threats and emergence of new ones; evolving cyber-security best practices; and our own judgement, based upon years of industry knowledge and experience. Sometimes, security protocols can be frustrating (no one likes to be asked to remember yet another password, two more security questions or have their task at hand delayed by such requests). But rest assured, such protocols are in place for your protection.
What is Social Engineering and How Do Domain Hijackers Use it?
We at Web.com constantly update our security protocols to combat increasing attempts at domain hijacking via means such as “social engineering”. Today, social engineering is one of the most popular means of hijacking domains. It refers to the practice of manipulating people into performing compromising actions or divulging confidential information, such as revealing sensitive account information or making unauthorized changes to accounts.
A very simple example of social engineering would be a fraudster contacting a domain registrar, pretending to be an authorized account administrator in order to gain access to the targeted domain’s control panel. Perhaps this individual had the real owner’s account information that they had gleaned from other security compromises such as the theft of personal documents, a hack into the owner’s home computer, mobile device, email or other methods. Once the hijacker gained access to the domain’s account and associated control panel, they could then “redirect” the domain to “point” to a new server that they controlled (aka “DNS hijacking”), while also making additional account administrator and password changes, giving them full future control of the domain.
Other simple forms of social engineering involve cybercriminals who pretend to be authorized account holders and call registrars with a “dire emergency” at their business, claiming to need immediate access to accounts without the required security information, or who pretend to be a close family member or employee of a deceased account owner or closed business who needs to access the owner’s account.
Even without ever interacting with a registrar physically, a domain hijacker really only needs information to hijack a domain, most importantly the domain name and an Administrative Contact email address. Armed with this information, the hijacker can then compromise the Administrative Contact’s email, and work from within that account to complete their attack.
How to Protect Yourself from Social Engineering and Domain Name Hijacking
So, how can we best protect ourselves against social engineering and domain hijacking?
Well, from the registrar’s side, we have little choice but to continue to take a hard line when it comes to account security. As part of our most recent security protocol update, we are revamping how we manage account changes on behalf of our customers, strengthening our customer confirmation and authentication policies, and generally fortifying our defenses against the uptick in this kind of malicious cyber-activity. While we recognize that this may diminish some level of convenience in some instances, we also understand that it is a tradeoff for improved security for individual customers, as well as for all users within our systems as a whole.
Protecting Your Email: What You Can Do
As noted previously, stopping domain name hijacking entirely is not realistic. However, there are a few key things you can do to help protect yourself. The most critical element is to protect the Administrative email account affiliated with your registered domain. The best way to do this is to consider using private domain registration when registering your domain. Yes, private registration is a bit more expensive, but it is well worth the relatively small investment that will hide your name, phone number and email address from public viewing within the WHOIS database.
Other best practices for protecting your email include:
- Use strong password protection:
  - Use a strong, unique password.
  - Never use the default username, “Admin”, or the password, “Password”.
  - Make your password at least 8 characters long. The longer, the better. Longer passwords are harder for hackers to crack, and they will typically seek the shortest route from point A to point B.
  - Do not use dictionary words. Cybercriminals use software that can guess those.
  - Include a combination of numbers, upper- and lowercase letters, and symbols in your passwords.
  - An excellent way to create an easy-to-remember password that’s hard for others to guess is to pick a phrase, then use the first letter in each word as your characters, such as “My wife, Eden drives a 2012 Ford Explorer with a V8 engine” = MwEda2012FEwaV8e. You can use song lyrics, favorite quotes, etc.
- Have more than one email account – Use a personal one for friends and family and another for more public use in things like social media, online subscription registrations, etc. This may lead to you receiving a lot of unwanted spam mail.
- Choose an email address that is difficult to guess – i.e. a series of numbers and letters. It is best not to have any identifying information in your email address, such as your full name, age or location.
- Never open attachments from people you don’t know – Sometimes viruses may be sent unwittingly in attachments, even from your friends and family. Check with the person who sent it if you are unsure about an attachment they sent.
- Don’t click on any links inside spam, not even the “Unsubscribe” link – You do not know where you will wind up, and it will make you vulnerable to receiving viruses. Clicking “Unsubscribe” on a link you know to be spam just confirms for the spammer that your email address is active.
- Only give your email address to people you already know and trust – Be careful that your email address is not in your profile or on other websites where people you don’t know can find it.
- Use spam filters – These can offer some protection by diverting suspected spam into a junk mail folder. Ask your provider about this.
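As an added illustration of the password guidance above (example code written for this page, not a Web.com tool), the following builds a password from a memorable phrase the way the “MwEda2012FEwaV8e” example does and then checks it against the listed rules. The small dictionary is constructed for the example; the assumption that three of the four character classes is the minimum is ours, because the article's own example contains no symbol.

```python
import string

# Constructed stand-in for the word lists guessing software works through;
# a real checker would use a list of millions of words and leaked passwords.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "monkey", "qwerty"}
DEFAULT_USERNAMES = {"admin"}


def passphrase_to_password(phrase: str) -> str:
    """First letter of each word, keeping case; a token that contains a digit
    ("2012", "V8") is kept whole, matching the article's worked example."""
    chars = []
    for token in phrase.split():
        token = token.strip(string.punctuation)  # drop the comma in "wife,"
        if not token:
            continue
        keep_whole = any(c.isdigit() for c in token)
        chars.append(token if keep_whole else token[0])
    return "".join(chars)


def check_password(pw: str, username: str = "") -> list:
    """Return the article's rules the candidate violates; [] means it passes."""
    problems = []
    lowered = pw.lower()
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("default username")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary or default word")
    classes = (
        any(c.isdigit() for c in pw),
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    # Assumption: at least three of the four classes (digits, lowercase,
    # uppercase, symbols) must be present.
    if sum(classes) < 3:
        problems.append("needs a mix of numbers, letters and symbols")
    return problems


if __name__ == "__main__":
    candidate = passphrase_to_password(
        "My wife, Eden drives a 2012 Ford Explorer with a V8 engine")
    print(candidate, check_password(candidate) or "passes")
    print("Password", check_password("Password", username="Admin"))
```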
Finally, for maximum peace of mind with respect to domain security, you may also wish to consider a premium security product such as WebLock. WebLock starts from the assumption that user credentials can be compromised through systems and processes outside a registrar’s control, and that the domains must be protected even in the event of such a compromise. It does this by deploying a mix of proven techniques and processes that minimize these risks.
Tim was the Director of Social Media at Web.com. A deeply experienced integrated marketing professional, former creative director and writer who operated his own full-service marketing, branding, public relations and design firm for 15 years, Tim provides a wealth of experience in nearly every area of marketing communications encompassing both new and traditional media.