CFO

Domain Hijacking Alert: How to Protect Your Online Presence

By Ira Winkler, chief information security officer, Skyline Technology Solutions
November 1, 2021

In short:

  • You may not realize that your website or email has been redirected — but your customers will
  • A few simple precautions can ensure your domain stays out of attackers’ control
  • And, pay attention to your security certificate to make sure online services work as expected

There have been a few recent warnings about the potential for domain hijacking, in which an outside party takes control of your internet presence, including your company’s website and potentially email. In this type of attack, scammers contact your domain provider claiming to be with your organization. They then work to reset the account to gain admin privileges over the domain. At that point, they can transfer the domain name to another provider, reroute all web traffic to their own site and email servers — and basically become your organization to the online world.

Domain Hijacking Glossary

Your domain is the name of your website and how people send you email — www.netsuite.com is where Brainyard lives, and an email might be user@netsuite.com. When customers search for your business, they find your domain.

Domain registries are for-profit companies that sell domain names. Bluehost and GoDaddy are examples. These companies may also act as website hosts. Larger companies that host their own sites must still ensure they renew their domains annually.

An SSL certificate contains important information about who owns a website and how traffic to that site is protected.

The effects of these attacks are devastating. The criminals don’t need to successfully gain access to your websites or other services; they’re just redirecting visitors to their version of your domain. They can post the website that they want the world to believe that you have to your web address, then accept “orders” and record credit card or other information from customers. It’s like they filled out a change-of-address card at the Post Office, routing all your mail to their offices. Suddenly, clients and vendors cannot contact you — even though they think they are. The criminals can read your emails and potentially harm your business and reputation by replying in ways that are limited only by their imaginations.

This is not only embarrassing, it can also cost you a lot of money and customer trust. Domain hijackings have impacted large companies, nonprofits and political candidates alike. While it is more complicated than I can get into here, in many ways, similar issues contributed to the recent Facebook outage.

This threat is widespread and not at all limited to small companies. Eighty-one percent of Global 2000 firms are at risk of hijacking because they have not adopted basic domain security measures, according to name registrar CSC’s recent Domain Security Report.

There are a few fairly simple steps to protect your company. Let’s first acknowledge that a determined, focused criminal may eventually find a way to steal your online presence, even with the best protections in place. You can, however, significantly reduce the risk and make hijacking very difficult.

First, ensure that you renew your internet domain name. Sounds simple: Your technical team goes to a domain name provider and buys the web domain for your company. However, they don’t really buy the domain; they rent the domain name for yearly periods. If you don’t renew your domain, anyone on the internet can swoop in and acquire it at auction — there are sites that provide lists of recently expired domains. Best case, someone purchases yours and offers to sell it back to you for a tidy profit. Worst case, you’re out of luck.

Companies often set up automatic renewals, but if the technical contact leaves and/or the credit card expires and no one updates the payment method, you will lose the domain. So, make your point of contact an email address that a team of people monitor. That way, you can be sure someone will see administrative emails like domain renewals and take action when appropriate.

This is good practice for not only internet domains but all functions that require continuity of operations and involve employees who can depart at any time.

Second, lock your internet domains. Domain name providers realized that domain hijacking is common enough that it made sense to put countermeasures in place. One of those countermeasures is referred to as locking the domain. With this control in place, someone cannot just log in to an account and change the domain contacts and permissions. It requires fairly extensive interactions to unlock a domain, and locking yours will significantly reduce the risk of domain hijacking. The process  is generally as simple as logging into your domain registrar site and flipping a toggle switch on your dashboard, so there’s no reason not to do it.

You can also add domain privacy to your accounts. Domain providers offer this as a service: For a small fee, they agree not to publicly share contact information for the individuals who manage your domain. This reduces the risk from social engineering attacks, in which criminals attempt to con your admins into providing information that will allow them to pretend to be legitimate employees of your organization — it’s obviously easier to pretend to be a domain’s authorized owner when you know who the owner is.

Other steps you can take to better secure your organization’s online presence:

Pay attention to the encryption certificate, such as an SSL cert, that authenticates your site to outside parties. Should this certificate expire, various internet systems may block your site, creating operational problems for your organization. An expired certificate may also impact internet-based services that you rely on for continued operations. For example, the infamous Equifax breach continued much longer than it should have because a security certificate expired, preventing a security tool from functioning properly.

I have written that you can’t depend on security technology or awareness training and rather need to bake security into processes. But you do need to consistently remind the admin team that monitors and maintains your internet presence about the possibility of hijacking and appropriate prevention behaviors. That will help ensure they don’t fall for social engineering attacks, such as phishing and pretext phone calls. Like the finance team, web admins are prime targets for criminals. Just because they’re technically savvy, do not assume they are always security-aware and exhibit the proper behaviors.

The bottom line

The internet appears to work seamlessly, but like a Broadway show, there is a lot of underlying plumbing and backstage work involved in making the magic happen. Given the mission-critical nature of your web presence, I recommend taking time to ensure your organization is employing the right security precautions.


Sales Chat

How is your business adapting to change?

Start chat