Domain Hijacking
Domain Hijacking is an attack where the attacker takes control of a domain name by changing the registration information on file with the registrar. It is also known as “Domain Theft”, which is exactly what it is.
Domain Hijacking is usually performed by social engineering (pretexting). An attacker acquires enough personal information to call up the registrar’s customer service and impersonate the real owner. They convince customer service to either reset their password or to change other settings (such as the account email address) which allow them to access the account settings. It is also possible to hack the owner’s email account, steal their credentials, or exploit another vulnerability in the registrar’s system.
Once an attacker has stolen the domain, it can be used for malicious activities such as phishing. In many instances, it is used to serve ads which generate money for the attacker. The domain could also be sold for a quick profit or transferred to another registrar, often one in another country where it is much more difficult for the original owner to reclaim it.
Domain Hijacking Preventions
The best preventions are to use a reputable registrar and then secure the account login with a strong password and multi-factor authentication. It is also important to keep domain contact information up to date so that any notifications from the registrar about recent changes to the domain are received. Some registrars offer a setting for “report unusual activity” and some offer “domain locking” and “registry locking” to make it more difficult to change these settings. Under ICANN’s Transfer Policy, changes to a gTLD domain’s registrant contact (name, organization, or email) trigger a 60-day “Change of Registrant” lock that blocks transfers to another registrar — a security measure designed specifically to prevent domain hijacking by giving the legitimate owner time to detect and reverse unauthorized changes before the domain can be moved out of reach.