Skip to content
media-podcast-icon Blogpost

Domain Hijacking | What to do if it happens?

Time to read 13 Min

Have you ever heard of domain hijacking? What if we simply call it domain theft? A cold shiver went down your spine? Find out how hijackers can gain access to a domain name and what you can do to recover your stolen one.

Published by


Simone Catania


Cybercriminal Domain Hijacking on White Circle and a World Globelicon

Let’s talk about Sarah, a fashion designer from Berlin, and her bad adventure with domain hijacking. She had recently launched her small internet retail showcase of vintage and pin-up clothing and dresses. She was very lucky to get a valuable domain name matching perfectly the name of her business. Within a few years the revenue first doubled, then tripled, and what had started as a hobby was about to become her dream full-time job.

One day one of her best clients wrote to her that there seemed to be a problem with her website. Sarah typed the address in the browser bar and she found out her domain name redirected to another similar website with vintage products. But despite looking very similar, this was not her showcase website! She rushed to call her IT expert but she was confused hearing: “It looks like your domain has been hijacked”. She had never heard of this term before and, unfortunately, she had to experience it in the worst way.

The unexpected worst case scenario had occurred: someone managed to obtain the ownership of her domain name, transferred it, and perhaps even sold it! Now it belongs to someone else, perhaps a competitor in another country. Overnight, along with her web presence, she lost access to her online business identity.

Domain hijacking has critical consequences for your business

Are you a domain owner or do you run multiple domains for your clients? A successful domain hijacking is almost equivalent to depriving you of your business, profits, and earnings and it seriously impacts your future, leading to loss of customers and a worse online reputation.

Among all the possible worst-case scenarios, domain hijacking can be a real nightmare come true. It happens out of the blue without warnings and it can remain unnoticed for hours or even weeks.

We invite you to keep reading to discover how domains can get stolen and what you can do to avoid this from happening.

What is hijacking?

In computer science, hijacking attacks are aimed at gaining unauthorized access to information or services in the IT infrastructure.
Depending on where the attack is carried out, we can identify different types of hijacking techniques:

  • DNS hijacking, also called DNS poisoning, corrupts the resolution of the DNS queries.
  • IP hijacking, also known as BGP or route hijacking, disrupts the normal routing of the network using the Border Gateway Protocol (BGP) to illegitimately take over groups of IP addresses.
  • URL hijacking, also called typosquatting, relies on typos or mistakes made by the users in the website addresses. This way they are led to malicious websites.
  • Domain hijacking, or domain theft, occurs when the hacker changes the registration of a domain name.

Domain hijacking means losing the ownership of your domain name

Usually, domain hijacking aims to connect an unsuspecting user to a malicious website by pretending to be the one the user wanted to access. But generally speaking, domain hijacking is understood as a form of theft since the attacker gains access to a domain name without the consent of the original registrant.

How does domain name hijacking work?

When you type the address of a domain name in the browser, it will retrieve a DNS record. If this search is performed for the first time, or the record is no longer available in the cache, the browser has to communicate with a name server. This communication between browser/device and server can be tricky: it is exactly during the interaction and exchange of requests and responses that malicious actions have the potential to strike.

Furthermore, communications that are not encrypted offer hackers several ways to intercept and redirect users. In particular, domain hijacking occurs when a hacker attempts to access the account details associated with a domain to make unauthorized changes. This can include changing DNS name servers, setting a new domain status, or transferring the domain name.

How can you protect yourself against domain hijacking?

There are several ways hackers can hijack your domain name. The vulnerabilities that come into play are not only technical ones. As a domain owner, you play the main role in making sure to apply the strongest defense around your digital assets. Sometimes it’s not your fault as a registrant. The hijackers could make their way to your domain through your domain provider infrastructure. Let’s see how you as the registrant, the domain provider and other technical aspects are involved in securing a domain name against hijacking.

The registrant’s vulnerable side

The registrant’s neglect of proper security measures is one of the main reasons domains get hijacked. Once you have registered a new domain name you get access to its settings. Social engineering including phishing techniques, malware, such as trojan, keylogger, or spyware can infect your systems and easily allow hackers to gain your credentials to access your domain management panel.

Furthermore, a variety of personal data, such as names, email addresses, and other information related to domain registrations can be found in the WHOIS data records. There hackers can easily find information about you and your domain name. If they succeed in hacking your accounts, the domain ownership and related notifications can be changed.

If possible, hide or use different login information for your domain owner’s profile and the domain management system.

Possible vulnerabilities affecting the domain provider

The other actor involved in domain management is the provider. Registrars are usually aware of possible security issues but vulnerabilities can affect even major and global companies. If the hacker succeeds in accessing the backend services provided by the registrar, there is a high-risk potential for your domains.

Hence, always make sure to choose a trusted domain provider. InterNetX for example offers four layers of domain security, offering a sophisticated security concept on the administration, domain, name server, and server-side. Further safety measures include 2FA, DNSSEC, Anycast, IP restriction, WHOIS privacy, domain monitoring services, and access control (ACL) management in the all-in-one domain management platform AutoDNS.

Technical reasons why domains get hijacked

There may also be a third problem that could cause the hijacking of your domain. Namely: Your domain registration has expired and you have not renewed it. If you fail in following this deadline, someone may register your domain and you will lose not only your domain but all services related to it, such as email and webspace. This action is completely legal and you won’t have the chance to claim it back.

To prevent such a scenario, make sure to turn on the auto-renewal option and register the domains for longer periods.

What are hijacked domains used for?

Why are domain names hijacked? What can a hijacker do with a stolen domain? Hackers may want to steal your domain for several reasons. As you can imagine they are always looking for economic gain. Usually, the hijacked domains become inaccessible and your online identity under that domain, i.e. your website, is no longer to be found. A ruinous outcome since your business relies on its website as a source of income. This is why the hacker may ask for a ransom to transfer the domain back to you.

In other cases, the hijacker could replace your website with another similar one and misuse it for phishing or other malicious activity. A real threat for your users who may mistakenly enter their sensitive information, such as bank details, on this new bogus website. The hacker could also impersonate your brand identity and damage your reputation with fake news or negative statements. The hacker can also resell your domain name, once it was successfully transferred.

Notable cases of domain hijacking

In the past few years, there were notable cases of successful domain thefts, targeting very well-known brands as well.

Probably the first case ever to capture media attention is related to the during the dot-com bubble in the late 90s. For the first time, the U.S. court declared that internet domain names should be treated as real property, turning domain hijacking into a form of theft.

On February 25, 2015, Lenovo’s website redirected the users to an attacker-controlled page labeled as being “the new and improved rebranded Lenovo website”. The same hackers managed to hijack Google’s main search page for Vietnam, redirecting users.

In recent years domain hijacking was used also in some serious and sophisticated multi-year spying attacks like the state-sponsored DNSpionage campaign targeting Lebanon and the United Arab Emirates (UAE), and the Sea Turtle, targeting national security organizations, mostly in the Middle East and North Africa. This is just the tip of the iceberg because the larger and most serious domain thefts target SMEs who mostly do not have enough knowledge or skills to face and eventually solve the problem.

Three methods to recover a stolen domain

If the nightmare came true – all is not lost! Fortunately, there is still a chance you can recover a hijacked domain. Here we present to you three possible methods, with different degrees of efficiency, cost, and timing.

1. Contact your registrar

Your domain provider is always the first point of contact when it comes to your domains. At the very moment you realize your domain has been stolen, ask immediately for the transfer to be canceled. Usually, the transfer process is subject to a 60-day transfer lock. The chance of recovery is higher if the domain has been transferred to an internal account at the same registrar, while if it has already been transferred to a different one, the registrar’s willingness to collaborate comes into play. However, it is always advisable to attempt this first method right away, in the hope of resolving the issue quickly and containing any damage.

2. Address a UDRP complaint or equivalent procedures

The Uniform Domain-Name Dispute-Resolution Policy (UDRP) is an agreement that all ICANN-accredited registrars must abide by to settle disputes over the ownership of domain names for generic extensions such as .com, .net, .info, etc. It was mainly designed to combat cybersquatting or infringements of registered trademarks, therefore it might not yield results if your domain name is not connected to a trademark. Among its clauses, however, the policy can be invoked also to curb abusive and bad faith hoarding. Therefore, it is not excluded that it may be useful in some other cases.

If you own a registered trademark, the UDRP is the right procedure to follow. In this case, it has the advantage of allowing immediate blocking of the domain, preventing its data from being changed or transferred to another registrar. It should also block internal transfers between accounts of the same registrar. Once again, it all depends on how much the latter is cooperating.

Unfortunately, in the past years, the UDRP has opened the doors to some malicious actions called Reverse Domain Name Hijacking (RDNH). This practice occurs when the hacker tries to deprive someone of the domain name by alleging in bad faith the trademark rights connected to the domain.
Be aware that if your domain name is under a ccTLD like .de, or .it, the national registries have their own regulations similar to UDRP, which allow you to object in case of improper transfers.

3. Pursue legal action

The UDRP has proved to be an effective tool on several occasions, but it may not be the right one for you in the event of a stolen domain. In this case, the advice of a lawyer or an expert in the domain industry is highly suggested. This action can be filed both for the domain theft as well as for the probable hacking operation behind it. You can appeal the court even if there are no registered trademark violations. The downside is that this procedure is often very lengthy and highly expensive.

Furthermore, it should be borne in mind that the process is carried out in the court where the relevant registry resides. For example, a legal action connected to a .com domain will take place in Northern Virginia in the United States where the Verisign registry is based.

But if the court supports your claim, you can be sure to receive back your domain. It is going to be the registry’s responsibility to take care of transferring the ownership of the domain to you, bypassing the possibly uncooperative registrar.

How can you protect your domain?

The best defense is a good offense – so here are some tips to prevent domain hijacking and secure your domain names.

1. Choose a reliable domain provider

You are not sure about the criteria that help you choose the best partner? First of all, make sure you’re relying on an ICANN-accredited registrar. Price is an important factor but do not forget about security: choose a registrar that offers effective and constant technical support and excellent DNS management.

2. Use the DNSSEC protocol

The DNSSEC (Domain Name System Security Extensions) protocol allows the browser to authenticate the source, strengthening the authenticity and integrity of your domain.

3. Set strong passwords and change them periodically

Having a strong password is a vital practice in the digital environment. Once you have created your domain management account, set a strong and unique password, and keep your associated email account secure.

4. Use two-factor authentication

The 2FA adds an extra security layer. You can use it to log into your AutoDNS account for example and it will protect you from losing control over your domain name if someone tries to gain access to your username and password.

5. Protect your business from phishing and scams

Phishing and scam emails are often sent under the guise of a trusted sender or domain name. Always make sure to double-check who sent the email and under what URL you are typing username and password.

6. Active the WHOIS Privacy

The WHOIS Privacy and WHOIS Privacy Plus offered by InterNetX hides WHOIS data from direct access by third parties. The Plus option allows anonymous communications between domain owner and inquirer.

Domain safety? InterNetX won’t let you down!

Sarah, the vintage clothing business owner from Berlin, was not able to recover her domain. She contacted her domain provider but they could not take any actions as everything seemed to be correct on their side and her domain name was not yet connected to a registered trademark. She asked for a legal consultation but the cost was higher than she expected. Eventually, she chose to launch a brand new domain name and start her digital showcase from scratch. This meant changing all the marketing materials and redirecting the traffic to this new domain.

Ensure the continuity of your online presence for you and your clients. Raise awareness about cybersecurity threats and learn how to protect your digital space against domain hijacking.

Do you need assistance with your domains?

Reach out to our domain support icon-arrow--right