Domain Hijacking Prevention
## What Is Domain Hijacking?
Domain hijacking is the unauthorized takeover of a domain name. When it happens, the attacker gains control of your domain's DNS settings — and therefore your website, your email, and any services that rely on your domain. In severe cases, they can transfer the domain to a different Domain Registrar entirely, making recovery extremely difficult.
High-profile cases include the hijacking of major financial and media domains, where attackers redirected traffic to phishing sites, intercepted email, or held the domain for ransom. The impact can be severe: customer trust collapses, revenue stops, and recovery can take days or weeks even with full cooperation from the registrar and registry.
Understanding how hijackings happen is the first step to preventing them.
## How Domain Hijacking Happens
### 1. Registrar Account Compromise
The most common attack path. If an attacker gains access to your registrar account — through a phished password, a reused credential leaked in a data breach, or a SIM-swap that intercepts your SMS 2FA — they have full control. They can change your DNS records immediately and initiate a domain transfer.
### 2. Registrar Support Social Engineering
Attackers call or email registrar support, impersonating the domain owner. They use personal information from WHOIS records or social media to pass identity verification. Some registrars have weaker verification than others, making this a viable attack even without compromising your account directly.
### 3. Registrar Vulnerabilities
Occasionally, attackers exploit bugs in registrar systems — SQL injection, authorization bypasses, or session hijacking — to gain access to accounts without credentials. This is rarer but has occurred at major registrars.
### 4. Expired Domain Squatting
If you let a domain expire, it re-enters the pool of available domains and anyone can register it. Attackers monitor expiring domains and snap them up within minutes of release. This is particularly dangerous because your email infrastructure and website links continue pointing to the domain after it changes hands.
### 5. DNS Hijacking (Without Account Compromise)
Even without controlling your registrar account, attackers can sometimes manipulate DNS responses through DNS cache poisoning or by compromising your DNS provider's infrastructure. This does not give them ownership of the domain, but it can redirect your visitors. DNSSEC, when the zone is signed and resolvers validate it, defeats the cache-poisoning variant; it does not protect against an attacker who controls the provider that signs your zone.
## Prevention: Registrar Account Hardening
Your registrar account is the primary attack surface. Protect it rigorously.
**Use a unique email address for domain registration.** Never publish this address. If it is exposed nowhere, it cannot be phished directly. Use a dedicated mailbox: something like `[email protected]` rather than your personal or widely-shared business address.
**Enable TOTP-based two-factor authentication.** SMS 2FA is better than nothing but vulnerable to SIM-swapping. Use an authenticator app. Some registrars now support hardware security keys (FIDO2/WebAuthn) — use them for domains of significant value.
**Use a password manager with a unique, high-entropy password.** A credential stuffing attack from an unrelated breach should never reach your registrar account.
**Set a verbal or account PIN.** This adds a layer of verification for phone support calls, blocking social engineering attacks that rely on publicly available identity details.
## Prevention: Domain Lock Controls
Domain Lock controls are the most direct defence against unauthorized transfers.
**Registrar Lock** (`clientTransferProhibited`): Prevents outbound transfers while enabled. Confirm it is active with a WHOIS or RDAP lookup, where it appears in the domain's status field. You must explicitly unlock it to transfer your domain — providing a natural pause that gives you time to spot a fraudulent transfer request.
**Deletion Lock** (`clientDeleteProhibited`): Prevents accidental or malicious deletion. Enable this as well.
**Registry Lock**: For high-value domains, ask your registrar about registry-level locking. This requires out-of-band verification (phone, video call, or physical token) for any change. It costs more and makes legitimate changes slower, but it makes hijacking nearly impossible. See Registry Lock: The Ultimate Domain Protection for details.
## Prevention: Transfer Authorization
When a domain transfer is initiated, the registry requires an **EPP authorization code** (also called an Auth-Info or transfer key) that only the current registrant holds. Keep this code confidential — it is the "key" to your domain's portability. Do not store it in a shared document or send it over unencrypted channels.
Some registrars also require you to respond to a confirmation email before a transfer completes. Watch your registered email address for any unexpected transfer approval requests and treat them as high-urgency alerts.
## Prevention: Expiry Protection
Many hijackings happen through expiry, not brute force. The defence is straightforward:
- Enable **auto-renew** on every domain you want to keep.
- Set the renewal period to the maximum your registrar allows (often 10 years for gTLDs).
- Add **calendar reminders** 90 days and 30 days before expiry as a secondary check.
- Make sure the **payment method on file is current** — an expired credit card silently prevents auto-renewal.
- Keep your **registrant contact email** up to date so renewal notices reach you.
## Prevention: Monitoring
**Enable registrar notifications** for all account activity: logins, password changes, DNS record changes, and transfer requests. Most registrars send these by email; some support webhooks.
**Monitor WHOIS for unauthorized changes.** Set a calendar reminder to run a WHOIS or RDAP lookup on your most important domains monthly, and compare the result against a baseline you recorded when the domain was set up. Unexpected changes to registrant, nameserver, or status fields are red flags.
**Watch for look-alike transfer phishing.** Attackers sometimes send emails that look like registrar notifications, tricking you into clicking a link and entering your credentials. Verify any suspicious transfer request by logging into your registrar directly, never by clicking email links.
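The lock, expiry and monitoring checks above can be automated from a domain's RDAP record. The script below is an added example, not part of the original article: it audits a constructed sample RDAP response for the two lock status values, an expiry date inside the reminder window, and nameserver drift against a baseline. The domain name, nameservers and dates are constructed sample values.

```python
# Added example (not from the original article): audit a domain's RDAP record
# for the controls the article recommends. The RDAP response below is a
# constructed sample; in practice fetch https://rdap.org/domain/<name>,
# parse the JSON and pass it to audit_domain().
import json
from datetime import datetime, timedelta, timezone

# RDAP spells the EPP codes clientTransferProhibited and
# clientDeleteProhibited as lowercase words (RFC 8056 mapping).
REQUIRED_STATUS = {"client transfer prohibited", "client delete prohibited"}

SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "status": ["client delete prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2025-07-01T00:00:00Z"}],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.TEST"}, {"ldhName": "NS9.UNKNOWN-HOST.TEST"}]
}""")
SAMPLE_NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def audit_domain(rdap, expected_ns, now, warn_days=90):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Registrar Lock and Deletion Lock must both be present in the status field.
    for s in sorted(REQUIRED_STATUS - set(rdap.get("status", []))):
        findings.append(f"lock missing: {s}")
    # 2. Expiry: flag anything inside the reminder window (90 days by default).
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            if exp - now <= timedelta(days=warn_days):
                findings.append(f"expires in {(exp - now).days} days ({exp.date()})")
    # 3. Nameserver drift against the baseline recorded when the zone was set up.
    seen = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    expected = {n.lower().rstrip(".") for n in expected_ns}
    for ns in sorted(seen - expected):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(expected - seen):
        findings.append(f"nameserver removed: {ns}")
    return findings

def sample_findings():
    """Run the audit over the constructed sample with its constructed baseline."""
    return audit_domain(SAMPLE_RDAP, ["ns1.example.test", "ns2.example.test"], SAMPLE_NOW)

if __name__ == "__main__":
    for finding in sample_findings():
        print("ALERT:", finding)
```

Schedule it monthly against each domain you own and page on any non-empty result; the baseline nameserver list is the only thing you need to maintain by hand.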
## What to Do If You Suspect Hijacking
If you detect unauthorized DNS changes or an unexpected transfer request, act immediately:
1. **Change your registrar account password** from a clean device.
2. **Contact registrar support** to freeze the account and flag the activity.
3. **Document everything** — screenshots, timestamps, headers of suspicious emails.
4. **File a complaint with ICANN** if the registrar is unresponsive. ICANN's Transfer Dispute Resolution Policy provides a path to recovery.
See the Domain Incident Response Playbook for full step-by-step recovery guidance.
## Summary
Domain hijacking is preventable. The attackers' preferred paths — account compromise, social engineering, and expiry — all have well-understood countermeasures. Enable 2FA, lock your domain, protect your account email, keep renewals current, and monitor for changes. Apply Domain Security Checklist as a structured audit to confirm every layer is in place.