How Domain Hijacking Works and What Web Hosts Can Do about It:

Posted by Mary McCoy on May 6, 2015 10:40:00 AM

How_Domain_Hijacking_Works_and_What_Web_Hosts_Can_Do_about_It

As web hosting providers, your business is only successful if your customers' websites are live and generating new business for them. Still, there are threats which can lead to downtime that your customers can ill afford.

You're likely already aware of domain hijacking, a targeted attack that manipulates the communication between your customers' domain name and your web server, thereby taking their website offline and replacing with the hijacker's website. Your customers may not know about this risk, and you can't rely on the domain registration company they're working with to provide the resources needed to make them savvier website owners.

That's where you come in! 

The System that Domain Hijacking Exploits

Before I explain what happens in a domain hijacking, let's first understand how domain names and web hosting servers interact. GoHacking.Com actually explains this relationship clearly and concisely. Share this information with your customers! Essentially, there are a few moving pieces. We have the domain name, like r1soft.com for instance, and the web hosting server, which hosts website files. To connect these two components, your customers rely on their domain registrar or registrant to point their newly-registered domain to your web server.

Let's say you have a client that's purchased a domain and now wants to buy a hosting plan from you. The client uploads their files to the web server you're providing, and the domain registrar directs requests to the proper domain name server which in turn directs the requests to your web server. Voila! Now, when website visitors type in the domain name, they'll receive the web page you intend for them to see. 

The goal of domain hijacking is ultimately to replace the legitimate web server with one of the attacker's choosing. This is accomplished by gaining access to the domain name control panel and changing the values for the domain name server to another that the attacker controls. This simple change will cause your web server to never see traffic requests for your customer's domain. The traffic will be redirected to a different web server hosting a malicious website. With DNS caching in both the browser and domain name servers themselves, it may be many hours before your customer can even detect that their domain has been hijacked!

How Does Hijacking Work?

As explained in WebHostingGeeks.com's helpful blog post, Can Your Domains Get Hijacked?, hackers don't need to compromise your web server in order to compromise your client's domain. As with a handful of other cyber-attacks, there's a back door entry. 

How do attackers access their targets' domain control panels? Through your customer's administrative contact email address. This account information is public record. All an attacker has to do to get it is go to whois.domaintools.com, search for the target's domain name, and click "Lookup." Then they'll see the Whois Record, and here, the attacker can obtain your customer's administrative email address. 

At this point, the attacker is just an email hack away from hijacking your customer's domain. Once this occurs, the hijacker can simply click the "Forgot Password" link, access the verification link sent to the hacked email address to authenticate the request, and reset the password when they visit your customer's site. Since the attacker has already hacked and gained access to that domain's administrative email address, he/she can set a new password for the domain control panel. With full control of the domain, the hacker can then point the domain name to his/her malicious web server. 

Aside from being costly to correct, domain hijacking is particularly devastating for those customers of yours that use your web hosting services for an e-commerce website. 

How Web Hosts Can Protect Customers by Being Their Trusted Advisors:

It can be difficult to affect change if you're not also your customer's domain registrar. In lieu of this, you can be your customers' trusted advisors and educate them to make informed decisions around policies and processes.

First, teach your customers about this danger so they understand how easily they can become victims. Then make sure your customers understand the value in keeping their domain registration contact information up to date, especially the administrative contact email address. Your customers should keep that email account as secure as possible and that starts with using strong passwords. You can also implore your customers to ask their domain registration companies to add domain locks to all customer domains by default. Those registrars should then instruct them on how to unlock the domain, but not via email. Additionally, recommend that your customers use domain privacy protection to limit exposure of personally identifiable information. This information can be the basis of an attack on the administrative email account.

Just in case, explain why they should record their domain's AuthInfo code, or transfer secret. If they lose control of their domain control panel, then they should be able to use this code to transfer the domain to another registrar with an account they do control. To be safe, recommend that your customers do not create their own AuthInfo codes. Instead, suggest they only use domain registrar-generated codes, which can't be used for multiple domains anyway. They may not understand the ramifications of using the same customer-generated code for all of their domains. It's the same as using the same password for multiple account log-ins. If a hacker gains this information, the attack landscape is larger. In this case, the hijacker would then have access to all of the customer's domains.

Considering how easy it is to take control of a domain once an email address is compromised, you may want to encourage your customers to evaluate their authorization and authentication processes. If a domain hijacker attempts to change account information like the password, they may want to add additional account authorization requirements, such as two-step verification, that can prevent these attacks.


Have you ever had a customer's domain get hijacked? What were the consequences and how did you resolve the issue? Did you learn any additional tips or best practices to prevent future attacks or mitigate their financial loss? Let us know below!

Download "The Big Book of Backup"

 

See also: 

 

Meet Mary! Mary McCoy is Continuum’s resident Inbound Marketing Specialist and social media enthusiast. She recently graduated from the University of Virginia (Wahoowa!) with a BA in Economics and served as digital marketing intern for Citi Performing Arts Center (Citi Center), spearheading the nonprofit’s #GivingTuesday social media campaign. Like her school’s founder, Thomas Jefferson, Mary believes learning never ends. She considers herself a passionate, lifelong student of content creation and inbound marketing.

Find me on:

Topics: hosted services, Webhosting, data protection

Recent Posts

Posts by Topic

see all