Domain hijacking

{{short description|Using identity theft or other tactics to gain ownership over a domain name}}

{{Distinguish|Domain hack}}

{{Use dmy dates|date=October 2020}}

{{multiple issues|

{{More citations needed|date=March 2011}}

{{Original research|date=April 2011}}

}}

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems. {{Cite web|date=2021-02-10|title=Preventing Risks From Subdomain Takeover - Cloud Exploits|url=http://thehackreport.com/preventing-risks-from-subdomain-takeover-cloud-exploits/|access-date=2021-04-14|website=The Hack Report|language=en-US}}

This can be devastating to the original domain name holder, not only financially, as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, {{cite news|last1=Simon|first1=Ruth|title=Cybercriminals Are Misappropriating Businesses' Web Addresses As a Result, Customers Can't Find the Real Companies on the Web|url=https://www.wsj.com/articles/now-cybercriminals-are-misappropriating-businesses-web-addresses-1426120840|website=The Wall Street Journal|date=12 March 2015 |publisher=The Wall Street Journal|access-date=12 September 2016}} but also in terms of readership or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity, such as phishing (where the website is replaced by an identical one that records private information such as log-in passwords), spam, or the distribution of malware from the perceived "trusted" domain.{{cite web|last1=Weslow|first1=David|title=Dealing with cybersquatting: the wisdom of thinking ahead|url=http://www.trademarksandbrandsonline.com/article/dealing-with-cybersquatting-the-wisdom-of-thinking-ahead|website=TBO: Trademarks & Brands Online|access-date=12 September 2016|archive-date=31 March 2022|archive-url=https://web.archive.org/web/20220331231901/https://www.trademarksandbrandsonline.com/article/dealing-with-cybersquatting-the-wisdom-of-thinking-ahead|url-status=dead}}

Description

Domain hijacking can be done in several ways: generally by gaining unauthorized access to, or exploiting a vulnerability in, the domain name registrar's system; through social engineering; or by getting into the domain owner's email account that is associated with the domain name registration. {{cite web|title=CLBR Featured Segment: David Weslow on Domain Theft|url=https://cyberlawradio.wordpress.com/2015/07/01/clbr-featured-segment-david-weslow-on-domain-theft/|website=Cyber Law Radio|date=July 2015 |access-date=12 September 2016}}

A frequent tactic used by domain hijackers is to use acquired personal information about the actual domain owner to impersonate them and persuade the domain registrar to modify the registration information and/or transfer the domain to another registrar, a form of identity theft. Once this has been done, the hijacker has full control of the domain and can use it or sell it to a third party.

Other methods include email vulnerability, vulnerability at the domain-registration level, keyloggers, and phishing sites. {{cite web|url=http://aplegal.com/blog/slamming-door-domain-name-hijacking/|title=Domain Name Hijacking|date=31 December 2014|access-date=13 May 2017|archive-date=12 December 2016|archive-url=https://web.archive.org/web/20161212183846/http://aplegal.com/blog/slamming-door-domain-name-hijacking/|url-status=dead}}

Responses to discovered hijackings vary; sometimes the registration information can be returned to its original state by the current registrar, but this may be more difficult if the domain name was transferred to another registrar, particularly if that registrar resides in another country. If the stolen domain name has been transferred to another registrar, the losing registrar may invoke ICANN's Registrar Transfer Dispute Resolution Policy to seek the return of the domain.{{cite web|title=Registrar Transfer Dispute Resolution Policy|url=https://www.icann.org/resources/pages/tdrp-2012-02-25-en|website=ICANN|access-date=12 September 2016}}

In some cases, the losing registrar for the domain name is not able to regain control over the domain, and the domain name owner may need to pursue legal action to obtain the court ordered return of the domain.{{cite web|title=Domain name theft: Knowing where to turn|url=http://www.trademarksandbrandsonline.com/article/domain-name-theft-knowing-where-to-turn|website=TBO: Trademarks & Brands Online|access-date=12 September 2016|archive-date=4 August 2016|archive-url=https://web.archive.org/web/20160804203236/http://www.trademarksandbrandsonline.com/article/domain-name-theft-knowing-where-to-turn|url-status=dead}} In some jurisdictions, police may arrest cybercriminals involved, or prosecutors may file indictments.{{cite web|author=Mike Masnick |url=https://www.techdirt.com/articles/20090804/0217125767.shtml |title=Criminal Prosecution For Domain Hijacking |publisher=Techdirt |date=2009-08-04 |access-date=2019-06-19}}

Although the legal status of domain hijacking was formerly thought to be unclear, {{cite web|last1=Smith|first1=Gerry|title=When Hackers Steal A Web Address, Few Owners Ever Get It Back|url=http://www.huffingtonpost.com/2014/09/29/domain-theft_n_5877510.html|website=Huffington Post|date=29 September 2014}} certain U.S. federal courts have begun to accept causes of action seeking the return of stolen domain names.{{cite web|last1=Berkens|first1=Michael|title=Wiley Rein Files Suit Over 14 Stolen Domain Names: 9 Are 3 Letter .com's|url=http://www.thedomains.com/2014/10/23/wiley-rein-files-suit-over-14-stolen-domain-names-9-are-3-letter-coms/|website=The Domains}} Domain hijacking is analogous to theft, in that the original owner is deprived of the benefits of the domain, but theft traditionally relates to tangible goods such as jewelry and electronics, whereas domain name ownership is stored only in the digital state of the domain name registry, a network of computers. For this reason, court actions seeking the recovery of stolen domain names are most frequently filed in the location of the relevant domain registry.{{cite web|last1=Allemann|first1=Andrew|title=Lawsuit filed to recover stolen three letter domain names|url=http://domainnamewire.com/2014/10/23/lawsuit-filed-to-recover-stolen-three-letter-domain-names/|website=Domain Name Wire|access-date=13 September 2016|date=23 October 2014}} In some cases, victims have pursued recovery of stolen domain names through ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP), but a number of UDRP panels have ruled that the policy is not appropriate for cases involving domain theft.{{cite web|title=WIPO Arbitration and Mediation Center|url=http://www.wipo.int/amc/en/domains/decisions/html/2008/d2008-1141.html|access-date=12 September 2016}}{{cite web|title=WIPO Arbitration and Mediation Center|url=http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2010-1661|website=WIPO: World Intellectual Property Organization}}{{cite web|title=Mascot Media Circle, LLC dba OnlineMBA v. WhoIsGuard, Inc. / Ahmed Guettouche Case No. D2015-1209|url=http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2015-1209;|website=WIPO: World Intellectual Property Organization|access-date=12 September 2016}}{{cite web|url=http://www.adrforum.com/domaindecisions/1674326.htm| title= DECISION Donald Williams v. wangyan hong | website=Forum: Arbitration, Mediation, International|access-date = 2017-04-23}}

Notable cases

  • During the original "dot com boom", there was extensive media coverage of the hijacking of "sex.com".{{cite web|author=Dawn Kawamoto |url=https://www.cnet.com/news/sex-com-domain-hijacker-captured/ |title=Sex.com domain hijacker captured |publisher=CNET |access-date=2019-06-19}}
  • Basketball player Mark Madsen unknowingly bought a "stolen" (or hijacked) URL by way of eBay auctions.{{cite web|url=https://www.slamonline.com/archives/man-who-sold-web-domain-to-mark-madsen-going-to-jail/ |title=Man Who Sold Web Domain to Mark Madsen Going to Jail | SLAM |publisher=Slamonline.com |date=2011-07-26 |access-date=2019-06-19}}
  • In 2015 Lenovo's website and Google's main search page for Vietnam were briefly hijacked.{{cite news |last1=Kirk |first1=Jeremy |title=Lenovo, Google websites hijacked by DNS attacks |url=https://www.pcworld.com/article/2889392/like-google-in-vietnam-lenovo-tripped-up-by-a-dns-attack.html |access-date=12 October 2018 |work=PC World |date=26 February 2015}}
  • In early 2021, Perl's domain was briefly hijacked,{{cite web |author=Richard Speed |url=https://www.theregister.com/2021/01/28/perl_hijacking/ |title=Perl-clutching hijackers appear to have seized control of 33-year-old programming language's .com domain • The Register |publisher=The Register |access-date=2024-03-16}}{{cite web |author=brian d foy |url=https://www.perl.com/article/the-hijacking-of-perl-com/ |title=The Hijacking of Perl.com |publisher=Perl.com |access-date=2024-03-16}} causing a relatively major issue with CPAN.{{Citation needed|date=September 2023}}
  • On 19 August 2024, FurAffinity's domain was hijacked for over a day, redirecting users to a Washington Post article, then to Kiwi Farms a short time later.{{Cite web |last=Noblitt |first=Elissa |date=2024-08-21 |title=Furry Art Platform Fur Affinity Was Taken Over by Hackers: "Do Not Interact With the Website" |url=https://www.distractify.com/p/what-happened-to-fur-affinity |access-date=2024-08-21 |website=Distractify |language=en-US}}{{Cite web |title=Aug 22nd - All Our Base Are Belong To Us -- Fender's Journal |url=https://www.furaffinity.net/journal/10936501 |access-date=2024-08-22 |website=www.furaffinity.net |language=en}}
  • In early 2024, 8,000 domains and 13,000 subdomains of major brands including eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, and The Economist were taken over via a specific form of hijacking called SubdoMailing. This attack focused on spam proliferation and click monetization.{{Cite web |title=8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation |url=https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html |access-date=2025-05-13 |website=The Hacker News |language=en}}{{Cite web |title=The complete guide to SubdoMailing {{!}} Red Sift |url=https://redsift.com/guides/subdomailing-guide#what-is-subdomailing |access-date=2025-05-13 |website=redsift.com |language=en-us}}

Prevention

ICANN imposes a 60-day waiting period between a change in registration information and a transfer to another registrar. This is intended to make domain hijacking more difficult: a transferred domain is much harder to reclaim, and the original registrant is more likely to discover the change during that period and alert the registrar. The Extensible Provisioning Protocol (EPP), used by many TLD registries, includes an authorization code issued exclusively to the domain registrant as a security measure against unauthorized transfers.{{cite web|author1=Internet Corporation For Assigned Names and Numbers|title=DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS|url=http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf|access-date=17 October 2014|date=15 July 2005}}
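The two transfer defenses described above, as an added example that is not from the article or from any registry's own code: a registry-side handler that parses the EPP `<transfer op="request">` a gaining registrar would send, checks the authorization code (`authInfo` in RFC 5731) in constant time, refuses the transfer while a transfer-prohibited status from RFC 5731 is set, and enforces the 60-day lock after a change of registrant. The domain record, the clock and the authInfo value are constructed sample data.

```python
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOM_NS = "urn:ietf:params:xml:ns:domain-1.0"
REGISTRANT_CHANGE_LOCK = timedelta(days=60)  # ICANN 60-day post-change transfer lock

@dataclass
class DomainRecord:
    name: str
    auth_info: str                # authInfo code issued only to the registrant
    registrant_changed: datetime  # when the registration data was last changed
    statuses: frozenset = frozenset()  # EPP status values (RFC 5731)

def build_transfer_request(name: str, auth_info: str) -> str:
    """The <transfer op="request"> a gaining registrar sends to the registry."""
    return (
        f'<epp xmlns="{EPP_NS}"><command><transfer op="request">'
        f'<domain:transfer xmlns:domain="{DOM_NS}">'
        f"<domain:name>{escape(name)}</domain:name>"
        f"<domain:authInfo><domain:pw>{escape(auth_info)}</domain:pw>"
        "</domain:authInfo></domain:transfer></transfer></command></epp>"
    )

def evaluate_transfer(record: DomainRecord, request_xml: str, now: datetime) -> str:
    """Return 'approved' or the reason the registry rejects the transfer."""
    cmd = ET.fromstring(request_xml).find(f".//{{{EPP_NS}}}transfer")
    dom = cmd.find(f"{{{DOM_NS}}}transfer") if cmd is not None else None
    if dom is None or cmd.get("op") != "request":
        return "rejected: not a domain transfer request"
    name = dom.findtext(f"{{{DOM_NS}}}name", default="")
    supplied = dom.findtext(f"{{{DOM_NS}}}authInfo/{{{DOM_NS}}}pw", default="")
    if name.lower() != record.name.lower():
        return "rejected: unknown domain"
    # A transfer-prohibited status blocks the transfer before authInfo is checked.
    if record.statuses & {"clientTransferProhibited", "serverTransferProhibited"}:
        return "rejected: transfer prohibited by status"
    # authInfo is the registrant's proof of authority; compare in constant time.
    if not hmac.compare_digest(supplied.encode(), record.auth_info.encode()):
        return "rejected: invalid authInfo"
    # Recent registration change: hold the domain so the original registrant
    # has time to notice the change and alert the registrar.
    if now - record.registrant_changed < REGISTRANT_CHANGE_LOCK:
        return "rejected: within 60-day change-of-registrant lock"
    return "approved"

SAMPLE_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed sample clock
SAMPLE_RECORD = DomainRecord("example.com", "constructed-authinfo-7Q9x", SAMPLE_NOW - timedelta(days=10))
```

In this model the status check runs before the authInfo comparison, so a registrar-side lock keeps a leaked authorization code from being sufficient on its own.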

RFCs

  • {{IETF RFC|3375|link=no}} - Generic Registry-Registrar Protocol Requirements
  • {{IETF RFC|3735|link=no}} - Guidelines for Extending EPP
  • {{IETF RFC|3915|link=no}} - Domain Registry Grace Period Mapping (e.g. Add Grace Period, Redemption Grace Period)
  • {{IETF RFC|4114|link=no}} - Using EPP for ENUM addresses
  • {{IETF RFC|5910|link=no}} - Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP) (obsoletes {{IETF RFC|4310|link=no}}, DNSSEC)
  • {{IETF RFC|5730|link=no}} - Extensible Provisioning Protocol (EPP) (obsoletes {{IETF RFC|4930|link=no}}, which obsoleted {{IETF RFC|3730|link=no}})
  • {{IETF RFC|5731|link=no}} - Extensible Provisioning Protocol (EPP) Domain Name Mapping (obsoletes {{IETF RFC|4931|link=no}})
  • {{IETF RFC|5732|link=no}} - Extensible Provisioning Protocol (EPP) Host Mapping (obsoletes {{IETF RFC|4932|link=no}})
  • {{IETF RFC|5733|link=no}} - Extensible Provisioning Protocol (EPP) Contact Mapping (obsoletes {{IETF RFC|4933|link=no}})
  • {{IETF RFC|5734|link=no}} - Extensible Provisioning Protocol (EPP) Transport over TCP (obsoletes {{IETF RFC|4934|link=no}})

See also

References

{{reflist}}