Like being pick-pocketed and unaware that your wallet is missing for an extended period of time, when your domain name is hijacked it could be a while before you notice. Countless examples of domain name hijacking have happened (e.g., Prince.com, CheckFree.com, Adios.com, P2P.com, etc.).
You may not notice that your email inbox has been lighter than normal. You may not notice less inquiries coming in through your website. In fact, like many people you may not even visit your own website as often as your customers. Quite possibly the only way you’ll notice your domain name has been hijacked is when one of your friends or business acquaintances calls you on the telephone to ask you why your website is in [name a language other than your normal website language]. But there are specific tactics to prevent your domain name from being hijacked.
Your Information Is Available to Be Stolen
Whenever you buy a domain name, you provide information about the registrant owner, technical contact and billing contact for the domain name, including name, address, telephone number and email address. It’s a requirement that you provide factual information, according to ICANN and your registrar, so they can contact you should the need arise (e.g., renewal, dispute, etc.).
However, this information is then available for anyone to view through a simple WHOIS lookup. A thief now knows your name, address and email address. This is the start of all of your potential problems. Why? Here’s what a thief can do with your information.
Ways Your Domain Name Can Be Hijacked
Below is a list of many ways your domain name can be hijacked. It includes a description, and what you can do to prevent it from happening to you.
1. Your Email Account is Compromised
Domain name hijackers can crack your password and break into your email account. It’s often not hard to break a password…common words, birthdays, the names of your kids — you name it, and someone can guess. Email providers often have a way to lock an account that has too many failed password trials, but it’s not foolproof.
Once a thief has access to your email account, any changes to your domain name registry go directly to the compromised email account and can be approved by the thief.
What You Can Do: Select a strong password. Passwords that are hard to guess and are changed frequently are critical.
Rules for selecting a strong password:
- Do not use real words
- Minimum 8 characters
- Including at least one of the following: uppercase letters, lowercase letters, numbers, symbols found on your keyboard, such as blank spaces, or ! * – () : | / ?
2. You’ve Been Socially Engineered
Wikipedia defines social engineering as “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.”
If you receive a call from someone saying they are your bank or domain name registrar and requiring that you state your social security number before they’ll tell you about a security breach, don’t do it. Likewise, don’t provide your personal identification number, date of birth, mother’s maiden name, or any other highly-private information. Use your head and common sense! Any of this information can be used to help gain access either to your email account or your registrar account.
What You Can Do: Treat all of your personal information as private. Don’t write passwords on a cheat sheet that’s placed underneath your keyboard. Treat all of your personal information as you would your credit card numbers or cash.
3. You Were Never the Domain Name Registrant
Many business owners rely on the skills and experience of contractors to help them with their website development and domain name purchases. Frequently, domain names are registered by the contractor and never transfered to the business owner, for various reasons (e.g., speed, simplicity, etc.). Years later the contractor finds herself still the active registrant of the domain name, at which point they can allow the domain to expire or illegally sell the domain on an after-market. Even worse, they could claim ownership of the domain name and try to convince the business owner to compensate them for it.
What You Can Do: Always make sure your domain names are in your name. Performa a WHOIS lookup and verify it says your name and has your contact information and email address. Ask your contractor for the sign-in credentials for your business account at the registrar, then login and change the password after ensuring that all of your domains are present.
4. You Didn’t Protect Your Privacy
Many registrars now offer a service called domain privacy, which will conceal your personal information from all inquiring eyes. If you’re not actively trying to sell your domain name, this service can be well worth the cost of a few dollars a year.
What You Can Do: Sign into your account at your registrar(s), select the domain names of interest and add domain privacy to them for a few dollars a year.
5. You Didn’t Extended-Lock (More than Registrar-Lock) Yourself
Some registrars are now going beyond the regular registry lock, and are now offering an extended-lock product. Features of this service include:
- Prevent domain from being transferred out of registrar to another registrar
- Prevent domain from being pushed to another account at the same registrar
- Prevent any name server changes
- Prevent any changes to Registrar-Lock
Domain name registrars that provide some sort of extended-lock service include:
6. Your Email Address Expired
If you use your free email address (such as Gmail, or Yahoo Mail) to register a domain name, you have to make sure you keep the email address current. For example, “Google may terminate your account in accordance with the terms of service if you fail to login to your account for a period of nine months.” This is clearly stated in the Google terms of service. And Google probably allows longer inactivity than other available free services — so be aware.
What You Can Do: If you’re going to use a free email address as your registrant email address, make a recurring event in your calendar to send yourself an email every 6 months to your free email account, and then sign into your free email account to retrieve it.
What If Your Domain Is Hijacked Anyway
You’ve been diligent and followed all the suggested tactics listed above (or maybe not), but your domain name has still been hijacked. What should you do?
What You Can Do: Contact your registrar immediately by telephone — don’t allow an email delay to hamper the recovery of your domain name hijacking. Tell them your domain has been hijacked, and ask them to immediately contact the new registrar (where it was transferred to) and ask them to lock it so they can investigate this matter fully. Ask them how to file a formal complaint.
Don’t Be Confused — These Are Not Domain Name Hijackings
- Expired domain name — If you purposely or accidentally allow your domain name to expire, you’re out of luck. It’s not a hijacking.
- Script Injection and redirection — If your website code is not secure, it can allow users to inject scripts that cause pages to then redirect to other websites. This does not mean your domain name has been hijacked. Consult with your webmaster or IT administrator for more information.
[Photo credit: pasukaru76]
If you enjoyed this article, subscribe for updates (it's free)
I need to send this article to some of my clients that used other consultants prior to me. It is great info with enough data for them to understand what is going on so they can take control of their own destiny. Thanks!
Love this article — tons of useful tips. But LOVE the image of a storm trooper holding up another lego figurine. Classic! :)