Imagine this scenario: your customer service line gets a call from the owner of a small business whose e-commerce website is hosted through your service. The owner is in a panic. After months of steady visitor traffic and consistent daily transactions, all visits to her site have suddenly stopped. Not knowing what to do next, she turns to you for help.
After a little bit of investigating, you discover that someone has unlawfully accessed your domain control panel by impersonating her company’s administrative contact, modified the Domain Name System (DNS), and transferred her domain name to a different server. You’re now placed in the unenviable position of informing her that her domain has been hijacked.
Sound implausible? Such attacks have actually happened, some of them aimed at high-profile companies with domains held at enterprise-class registrars. While not as common as the threats posed by viruses and malware, domain hijacking can be just as devastating to an individual customer’s financial stability and to your reputation as a web host. Recovering a hijacked domain by filing a dispute with the Internet Corporation for Assigned Names and Numbers (ICANN) can be costly as well, and many customers simply choose to register a new domain name in the end (most likely through another web host).
Who’s Responsible for Domain Security?
The common line of thinking is that the responsibility for protecting a domain name lies with the customer who registers it, and that a compromise of that name is the result of poor monitoring on the customer’s part. Yet in the wake of investigations into the hijacking of the domains of some very prominent sites, ICANN’s Security and Stability Advisory Committee (SSAC) identified failures on the part of both domain name registrants and the registrars they worked with as responsible for the incidents. Plus, from the customer’s perspective, they pay you for secure web services. In their minds, that includes the safety of their domain names.
Domain Hijacking Explained
To understand how you might prevent your customers’ domains from being hijacked, it helps to first understand how an attacker actually hijacks a domain. The most important point is that an attacker doesn’t need to access your web server to get at a domain. Rather, hijackings occur via a backdoor route: the customer’s actual contact email address.
Here’s how the entire hijacking process works:
- The attacker goes to whois.domaintools.com and searches for the target domain name. Under the Whois Record, he or she gets the customer’s administrative contact email address.
- Searching the same record, the attacker finds the domain registrar (your web hosting service, in this case) under the “Registered through:” field. If that information is not recorded there, he or she can simply find the ICANN Registrar listed under the “Registry Data” heading.
- With access to the administrative email address, the attacker simply needs to hack into that email account.
- Having control of the customer’s administrative contact email, the attacker then visits your website and chooses the “Forgot Password” option in the login portal. He or she then enters either the actual domain name or the administrative email address to reset the password.
- An email is sent to the administrative contact address with instructions on resetting the password. The attacker creates a new password on the domain control panel and now has full control of the domain.
- Within a mere matter of minutes, the attacker redirects the domain to his or her web server.
Because your system recognizes the attacker as the customer’s administrative contact, the hijacking often isn’t discovered until the customer notices an abrupt halt to his or her web traffic and/or email correspondence. By that time, the amount lost in customer transactions, coupled with the expenses required to fix the problem, can be enormous.
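As an added example (not code from the original article), here is a detection rule a registrar could run over its own control-panel audit log to catch the sequence described above: a password reset followed within minutes by a change to the domain’s delegation. The log format, event names and sample entries are constructed for the example.

```python
"""Flag a password reset followed quickly by a delegation change (hijack pattern)."""
from datetime import datetime, timedelta

# Constructed sample audit log, not real data. Format: timestamp|domain|event|actor
SAMPLE_LOG = """\
2024-03-01T10:00:12|shopexample.test|password_reset_requested|admin@shopexample.test
2024-03-01T10:03:40|shopexample.test|password_reset_completed|admin@shopexample.test
2024-03-01T10:05:02|shopexample.test|nameserver_changed|admin@shopexample.test
2024-03-01T11:00:00|other.test|password_reset_completed|owner@other.test
2024-03-02T09:30:00|other.test|nameserver_changed|owner@other.test
"""

# Events that move a domain away from its owner; names are assumed for this example.
DELEGATION_EVENTS = {"nameserver_changed", "transfer_initiated", "contact_changed"}


def parse_log(text):
    """Turn the pipe-separated log into (timestamp, domain, event, actor) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, domain, event, actor = line.split("|")
        events.append((datetime.fromisoformat(ts), domain, event, actor))
    return events


def find_suspicious_changes(events, window=timedelta(hours=1)):
    """Return (domain, event, delay) for delegation changes that follow a
    completed password reset on the same domain within `window`."""
    last_reset = {}
    hits = []
    for ts, domain, event, actor in sorted(events):
        if event == "password_reset_completed":
            last_reset[domain] = ts
        elif event in DELEGATION_EVENTS:
            reset_at = last_reset.get(domain)
            if reset_at is not None and ts - reset_at <= window:
                hits.append((domain, event, ts - reset_at))
    return hits


if __name__ == "__main__":
    for domain, event, delay in find_suspicious_changes(parse_log(SAMPLE_LOG)):
        print(f"ALERT {domain}: {event} {int(delay.total_seconds())}s after password reset")
```

A real deployment would feed the alert to a hold on the change and an out-of-band call to the registrant rather than just printing it.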
What You Can Do
Recognizing the vulnerabilities inherent in the domain registration process, the SSAC highlighted several measures that both domain name registrants and registrars can take to help mitigate the threat of a hijacking. As a registrar, following these recommendations can help give your customers the peace of mind they need to trust their domains to your care. These recommendations include:
- Establish uniform guidelines for Extensible Provisioning Protocol (EPP) authInfo. The transfer policy requires that registrar-generated authInfo codes be unique to each domain. However, customer-generated codes are not subject to the transfer policy restrictions. Thus, a customer may create a single code for all of his or her domains. If that code is somehow compromised, an attacker has access to all of the domains that are linked to that code. It’s recommended that you encourage customers to follow the policy of one authInfo code per domain.
- Create a uniform default setting that applies domain locks to all customer domains. Communicate the instructions for removing a lock to the customer through a channel other than email.
- Convey to your customers the importance of applying domain privacy protection to their hosting service package. Though such protection may come at an increased cost, the intangible value that their domain names hold as a symbol of their reputations with their own clients can be invaluable. Thus, that information should be afforded the same level of protection that they would give to customer and enterprise financial data.
- Look for ways to improve your customer authentication and authorization processes for any and all updates or changes associated with a domain. EPP can help by providing communication whenever domain information is renewed. Yet it may also benefit you to establish strict verification standards beyond a simple confirmation of the domain name or email address when a request is initiated to change customer contact or delegation information.
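As an added example, not code from the original article or from any real registrar, this models a registrar-side change-authorization check that applies the recommendations above: it flags authInfo codes shared across domains, refuses changes while a domain lock is set, and requires verification through a channel other than email. The record schema, channel names and sample codes are constructed; the EPP status names are real.

```python
"""Hardened delegation-change flow modelled on the SSAC recommendations."""
import hashlib
import hmac
from collections import defaultdict

# Constructed registrar records (hypothetical schema). Codes are sample values.
DOMAINS = {
    "shopexample.test": {
        "statuses": {"clientTransferProhibited", "clientUpdateProhibited"},
        "auth_info": "unique-code-1",
        "oob_code_sha256": hashlib.sha256(b"mailed-code-9731").hexdigest(),
    },
    "second.test": {"statuses": set(), "auth_info": "shared", "oob_code_sha256": None},
    "third.test": {"statuses": set(), "auth_info": "shared", "oob_code_sha256": None},
}

# Real EPP client statuses that block transfers, updates and deletes.
LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
# Verification channels that do not depend on the contact mailbox (assumed names).
OUT_OF_BAND_CHANNELS = {"sms", "phone_callback", "postal"}


def reused_auth_info(domains):
    """Recommendation 1: authInfo codes shared by more than one domain."""
    by_code = defaultdict(list)
    for name, rec in domains.items():
        by_code[rec["auth_info"]].append(name)
    return {code: sorted(names) for code, names in by_code.items() if len(names) > 1}


def authorize_delegation_change(domain, auth_info, channel, code, domains=DOMAINS):
    """Recommendations 2 and 4: an email-only password reset is never enough; the
    domain must be unlocked, the authInfo must match, and the requester must
    present a code delivered out of band. Returns 'approved' or a denial reason."""
    rec = domains.get(domain)
    if rec is None:
        return "denied: unknown domain"
    if rec["statuses"] & LOCKS:
        return "denied: domain is locked; unlocking must be requested out of band"
    if not hmac.compare_digest(auth_info, rec["auth_info"]):
        return "denied: authInfo mismatch"
    if channel not in OUT_OF_BAND_CHANNELS:
        return "denied: verification must use a non-email channel"
    if rec["oob_code_sha256"] is None:
        return "denied: no out-of-band verification enrolled"
    digest = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["oob_code_sha256"]):
        return "denied: out-of-band code mismatch"
    return "approved"
```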
Domain hijacking sounds scary and intimidating because it is just that. Knowing that someone with the right know-how can simply hack into an email account and modify DNS records can easily scare customers away from your hosting service. Thus, it’s imperative that you as a web host do all you can to address customer concerns by implementing the right kinds of safeguards to protect them from would-be hijackers. While no fail-safe method to prevent domain hijacking has yet been identified, you as a host can make the process difficult enough to deter hijackers from targeting your customers’ domains.