Domain hijacking, or domain spoofing is a type of attack whereby an organization’s domain is stolen by changing the registration of a domain name without prior authorization of the domain’s owner. Domain hijacking typically occurs with the intention of associating malicious content or phishing websites with a trusted, and otherwise legitimate domain.
Domain hijacking typically occurs through phishing and social engineering, either by tricking the domain registrar to reset an account’s credentials; or through phishing an end-user who has access to the registrar’s web portal. Alternatively, a potential attacker may hijack a domain by exploiting a vulnerability in the domain name registrar’s system.
Aside from the loss of business incurred by the victims of domain hijacking, domain hijacking is a convenient way for an attacker to stage elaborate phishing campaigns or other scams, spread malware or even hold a domain for ransom, or, depending on the value of the domain, can even sell it for a lucrative sum of money.
Options for recovering from a domain hijack attack may be available to the victims, highly depend on the registrar in question. This is especially true if the domain would have been transferred to a registrar in a different country. This being said, the victim’s domain registrar may opt to invoke ICANN’s Registrar Transfer Dispute Resolution Policy in an attempt to regain control of the hijacked domain.
Further preventions include ICANN’s imposed a 60-day waiting period between a change in registration information and a transfer to another domain registrar. This measure is intended to make it harder for domain hijacking to occur since transferred domains are far more difficult to reclaim, with the hope that this time if enough for the original owner of the domain to realize domain hijacking has occurred, and subsequently alerts their registrar.
All this being said, serious domain registrars provide domain owners with options to enable security measures such as two-factor authentication and domain locking. Two-factor authentication is designed to prevent unauthorized access to an account (in the event of a stolen password being reused by an attacker to gain access); while domain locking, or transfer protection, is a feature typically offered by serious registrars which prohibits transfers to other registrars through the registrar’s web interface, making it one of the best defenses against domain hijacking.