Previously we shared some interesting tips about domain hijacking, where we discussed a few concepts, information and tips to prevent this kind of malicious activity against your domain names.
Domain stealing, also known as domain theft, is a common criminal activity on the Internet. It consists in transferring your domain name illegally to another registrar, without you knowing about it.
As you know, 99.9% of online-based businesses depend on their domain names, so when this happens their entire online business can suffer as a result.
What would happen if you went to work one morning to discover that your email, webpage, and the rest of your web-based services were no longer working? Then you asked your web hosting technical support for help and was told that the web-server was working just fine?
You might eventually realize that it’s a domain name problem. Digging into the domain details you’d find that your DNS no longer points to your nameservers, and even worse, your domain name was transferred to a new registrar, and now belongs to a new person.
That could be your worst nightmare.
How could this happen?
Someone hacked you, it’s as simple as that. That’s the only reason anyone can steal your domain name right before your eyes.
Most of the time, attackers try to hack the email address associated with your domain name, which is often not protected and publicly available by simply fetching a WHOIS query.
Once they gain access to your email they can try logging in to your email registrars, and it won’t be your lucky day if you’re using the same password for both services (email and domain name registrar).
Their next step is to unlock the domain name, get the EPP code, and transfer your domain name to another registrar.
Let’s look at this problem from a different perspective.
Buying stolen domain names
What would happen if you were on the other side? Let’s say you were a domain names buyer — and someone announced a very good deal for a short (3 to 5 letters) domain name.
Before purchasing, you’d try to find all the possible details about the person you were buying from, and it looked like a solid profile (most of these sales are done over domain forums). At the end, the auth code was passed, everything looked good, and you had your brand-new domain name.
But suddenly, hours or days later, the real owner of that domain name gets in touch with you telling you he or she is the legitimate owner of the domain name, and that it was stolen by a hacker.
What should you do in that situation?
Looking at a similar case described in this thread at NamePros, the next step is to file a dispute with the payment processor who was used in the money transfer, so you can get your money back.
Most of the person-to-person domain selling and purchases are done using Paypal, so filing a dispute with your payment processor will be the wisest thing to do at this time.
And of course, think about giving that domain back to the original owner, as using a stolen domain name is not legal.
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
How to avoid getting tricked by domain thieves
Here are a few tips to help you avoid getting involved in illegal domain-selling activities:
Run intelligence research about the person or company that is selling the domain name. Ask for opinions in specialized domain forums like NamePros, DNForum, etc.
How trustworthy is his profile? Has he had any other suspicious domain-selling activity before? Any trouble with other members? Keep all of this in mind.
- Use 3rd-party intermediate services like Escrow, who are excellent in handling these kinds of situations and have the right tools to help you immediately whenever you report something wrong with your business.
- If possible, do this using a bank transfer, that traceable by legal authorities in case you need help.
Investigate the WHOIS history, name server and DNS changes, and IP details about the domain using the SecurityTrails free API tier; or with the powerful SurfaceBrowser, look for anomalies or anything that looks weird to you, especially about the last update date, contact details, etc. If domain ownership has changed recently, contact the prior owner to make sure the domain hasn’t been stolen.
In the case reported in NamePro’s forum, the stolen domain name was
nwx.com, which had an NS update between December 6th and 8th, as you can see by exploring the NWX.com name server historical records:
One interesting thing to mention about this case (and most domain and DNS hijacking cases) is that the transfer date is not always the date when the attackers got access to your domain details or registrar account. So it’s always useful to start digging into these details days or weeks prior to the domain transfer.
- Ask yourself: Is it too good to be true? If the domain name you are buying has a good 3-letter combination, then it would never be sold for less than 20k. Start digging to get more details about this person, because that looks suspicious.
Now, let’s get back to the root of the problem if you are the legal owner of the domain name.
How can you prevent domain stealing from happening to you?
Let’s see what can be done to protect your domain names from being illegally transferred to another registrar.
Use two-password authentication on your domain contact email. As we’ve said before, most domain thieves will target the email associated with your domain names. That is the one used to approve domain changes, especially when you need the authentication code to start the domain transfer.
When you use a weak password, the probability your email will be hacked is really high. In this case, the best you can do is set a stronger password, and after that, activate 2FA protection.
This way, even if the crackers get your email password, they won’t be able to log in to your inbox, and you’ll be notified about the attempt.
Remember that the really useful and safe 2FA protection method is the one integrated with popular apps like Google Authenticator or Authy apps. 2FA using text messages is every bit as vulnerable as using an unprotected email address.
Never use ISP-based email addresses or legacy email providers. AOL, Verizon, Comcast, Yahoo and other popular providers use old and vulnerable email systems that have been targeted by password data leak attacks in the past, exposing your login details to the entire Internet.
This is easily verifiable by using sites like Have I Been Pwned? Start using Gmail or ProtonMail with two-factor authentication enabled.
Never host your email in your own infrastructure, unless you have really intelligent and strict authentication mechanisms (such as 2FA or limited logins by country or region with geoIP technologies) that are always up to date.
Using your own email servers will be never as good as using popular 3rd-party ones like Google’s G Suite, Office 365 Business Premium accounts or ProtonMail.
- Use a password manager like LastPass or 1password. It will help you increase your password security by generating random complex password combinations, keeping all your passwords secure in one single place, under your full control, and outside normal password attacking techniques used by crackers.
- Do not click on that suspicious link in an email coming from your “domain registrar,” it could easily be a fake email. Double check first, make sure the email is coming from the right domain or service, and that it isn’t a spoofed email address that will redirect you to a phishing page.
Security answers to default security questions in email services or domain registrars should never be real ones (this was mentioned in the forum thread mentioned before). Crackers know how you think — they will probably run intel research about you, and can easily guess your most common security answers.
Instead, it’s best to generate a random password using your password manager. Attackers will try to find your security answer and will never imagine it’s a hard-to-guess password.
Domain stealing is a very common Internet crime. It can affect an entire company and cause you to go offline for several weeks or even months. And that’s if you’re lucky enough to get this resolved in time.
Part of keeping your domains secure is to apply general best security practices like using strong passwords, never repeating them for your registrar login, enabling 2FA and avoiding the use of old ISP-based email providers.
If this problem is happening to you right now, you now know where to launch complaints against this kind of activity: go to NamePros or any other popular domain name forums and start a thread as soon as possible, get advice from professionals, and of course, file a dispute with ICANN and your own domain registrar.
Remember to use SecurityTrails free API access to investigate WHOIS history, as well as new name servers and general information to see if anything has changed.
If you want to move forward, book a demo with our sales team to discover the hidden power of SurfaceBrowser, our all-in-one security and domain investigation platform that will help you gain deeper insights into any of your domain names, DNS and IP addresses.