What Is Domain Hijacking? How It Works, How to Protect Yourself

What is domain hijacking?

Domain hijacking is the unauthorized transfer of a domain name's registration, giving an attacker control over it without the owner's consent. Attackers typically exploit vulnerabilities in the domain registration system or use social engineering to access administrative controls.

How domain hijacking works

Attackers combine several methods to seize control of a domain:

  • Intercepting registrar communications, such as password reset emails, by compromising the owner's email account

  • Using keyloggers or malware to steal login credentials from the domain owner or an authorized user

  • Running phishing attacks to trick owners or administrators into handing over credentials

  • Exploiting weaknesses in the registrar's own systems to bypass security controls

Types of domain hijacking

  • DNS hijacking alters a domain's DNS settings to redirect traffic to a different IP address.

  • IP hijacking intercepts and reroutes IP traffic intended for a specific domain.

  • URL hijacking involves registering a domain with a similar spelling to the target, then building a site that mimics the original to deceive users.

  • Reverse domain hijacking occurs when a trademark owner falsely accuses an existing domain owner of cybersquatting to take control of the domain through dispute mechanisms.

Is domain hijacking illegal?

Domain hijacking is generally illegal, as it involves unauthorized system access and fraudulent activity. Prosecution is difficult due to jurisdictional complexity and the challenge of identifying attackers.

Impact of domain hijacking

A successful domain hijacking can cause financial losses from disrupted e-commerce, reputational damage to the domain and its owner, loss of audience or readership, and security risks for visitors who land on the hijacked domain and encounter malware or phishing pages.

Notable cases

  1. Sex.com (1995): A hijacker fraudulently obtained control of the domain, triggering a legal battle that lasted until 2000 when the rightful owner recovered it.

  2. Lenovo (2015): Hackers briefly redirected Lenovo's website traffic to an unrelated page.

  3. Google Vietnam (2015): Google's Vietnam search domain was temporarily redirected to an unrelated site.

How to prevent domain hijacking

  • Use a registrar with strong security controls and a proven track record

  • Protect registrar accounts with unique passwords and multi-factor authentication

  • Keep domain registration information accurate and current

  • Monitor the domain for unauthorized changes or unusual activity

  • Enable WHOIS privacy protection and domain auto-renewal
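As an added example (not part of the original article), the monitoring and auto-renewal items above can be combined into one check that compares the domain's current registration record against a known-good baseline. It assumes the records are RDAP-style JSON (RFC 9083 field names) and that the owner keeps a transfer lock set; the hosts, registrar handles and dates are constructed sample values.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style records; hosts, handles and dates are placeholders.
BASELINE = json.loads("""{"status": ["client transfer prohibited"],
  "nameservers": [{"ldhName": "ns1.dns-host.test"}, {"ldhName": "ns2.dns-host.test"}],
  "entities": [{"roles": ["registrar"], "handle": "REG-1000"}],
  "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}]}""")
OBSERVED = json.loads("""{"status": ["active"],
  "nameservers": [{"ldhName": "NS1.parked.test"}, {"ldhName": "ns2.parked.test"}],
  "entities": [{"roles": ["registrar"], "handle": "REG-2000"}],
  "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}]}""")

def summarize(rec):
    """Reduce a record to the fields an unauthorized change would touch."""
    registrar = next((e.get("handle") for e in rec.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    expiry = next((ev.get("eventDate") for ev in rec.get("events", [])
                   if ev.get("eventAction") == "expiration"), None)
    # Host names are case-insensitive, so normalize before comparing.
    hosts = sorted(ns["ldhName"].lower().rstrip(".")
                   for ns in rec.get("nameservers", []))
    locked = "client transfer prohibited" in rec.get("status", [])
    return {"registrar": registrar, "nameservers": hosts,
            "transfer_locked": locked, "expiry": expiry}

def drift(baseline, observed, now, renew_warn_days=30):
    """Return alert strings; an empty list means nothing changed."""
    b, o = summarize(baseline), summarize(observed)
    alerts = []
    if o["registrar"] != b["registrar"]:
        alerts.append(f"registrar changed: {b['registrar']} -> {o['registrar']}")
    if o["nameservers"] != b["nameservers"]:
        alerts.append(f"nameservers changed: {b['nameservers']} -> {o['nameservers']}")
    if b["transfer_locked"] and not o["transfer_locked"]:
        alerts.append("transfer lock removed")
    if o["expiry"] is None:
        alerts.append("expiration date missing from record")
    else:
        exp = datetime.fromisoformat(o["expiry"].replace("Z", "+00:00"))
        days_left = (exp - now).days
        if days_left < renew_warn_days:
            alerts.append(f"expires in {days_left} days; check auto-renewal")
    return alerts

if __name__ == "__main__":
    for alert in drift(BASELINE, OBSERVED, datetime.now(timezone.utc)):
        print("ALERT:", alert)
```

Run on a schedule, with the baseline stored somewhere the registrar account's credentials cannot modify, so that a single compromised login cannot also silence the alert.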

How to recover a hijacked domain

Contact the registrar immediately and provide evidence of the unauthorized changes. Seek legal counsel to explore civil litigation or ICANN's dispute resolution process. Bring in security professionals to investigate how the hijacking occurred and close any remaining vulnerabilities.

Domain hijacking vs. DNS poisoning

Domain hijacking takes control of a domain through unauthorized registration changes. DNS poisoning modifies DNS server records to redirect users to fraudulent sites without touching the registration itself. Both exploit weaknesses in the domain name system but target different layers and carry different consequences for affected parties.
