Editors’ Note: This article was originally featured in the August 2014 (Vol. 11, Issue 2) edition of Verisign’s quarterly DNIB report. To access the full report, including a snapshot of Verisign data and domain name industry trends in global registrations from that quarter, or any historic quarterly report data, please visit our archive.
Because domain names represent online identities, businesses of all sizes have expressed increasing concern over reports of “domain name hijacking.” Domain name hijacking occurs when perpetrators falsify the registration data for a domain name by transferring the name away from its rightful registrant, thereby gaining unauthorized access to data and control over the namespace.
Attackers use a wide range of techniques to hijack domain names, from spyware and keystroke loggers to social engineering, in which scammers impersonate registrants or other entities in the chain of trust in order to gain access to passwords and personal information. Regardless of the technique used, the end-result for registrants is often severe. Once an attacker has full control of a domain name, they have free reign to use it for any number of nefarious purposes, from creating their own scam websites, to hosting “watering holes” with illegal and dangerous content such as malware, to extorting the original owner.
The danger of domain name hijacking is a threat that can be significantly reduced with proper planning and mitigation techniques. Monitoring Whois change activity, DNS change activity, and establishing and monitoring domain status/domain registry lock services are all techniques that registrants should regularly employ. Additionally, registrants should research their registrar’s security offerings and take advantage of the tools they offer. This kind of awareness can go a long way toward mitigating risk of hijacking. Registrants who prioritize maintaining active relationships with their registrars and ensure that their registration data and contact information is up to date can avoid becoming the “low hanging fruit” that hijackers often target.
Today, there are also additional tools to help registrants protect their domain names. Registry-level Lock Services provide additional levels of authentication between a registry and registrars by helping to prevent unauthorized, unwanted or accidental changes to registered domain names through server-level protection of “locked” domain names and/or name server records for registrants. For example, Verisign’s Registry Lock Service, which is available through registrars for domain names on .com, .net, .tv, .cc and .name, was designed to be used in conjunction with a registrar’s proprietary security measures to bring a greater level of security to registrants’ domain names and help mitigate the potential for domain name hijacking, inadvertent or unintended deletions, transfers or updates. Registry Lock allows registrants to set the conditions under which their registration information can and cannot be changed. At the highest settings, Registry Lock requires direct, human-to-human interaction between registries and the registrant of record in order for a registration to be transferred. Furthermore, Whois lookup tools for registries such as Verisign enable administrators to check if their domains are locked at the registry.
By taking advantage of domain locking tools offered by registrars, registrants can make it much less likely for their domain name registrations to be changed without their full knowledge and consent. However, this is not the only precaution necessary to avoid hijacking.
Given that a single DNS name server can act as the name-to-address resolution point for thousands or millions of users, the potential impact of Man-in-the-Middle (MITM) attacks can be considerable, and one of the most effective forms of protection from MITM attacks is the Domain Name System Security Extension (DNSSEC). It protects the Internet community from forged DNS data by using public key cryptography to digitally sign authoritative zone data. DNSSEC validation of this data by users provides assurances that the data originated from the stated source and that it was not tampered with in transit. It can also prove that a domain name does not exist.
Verisign implemented DNSSEC in the .com and .net zones to help assure users that the data they receive from their Internet request originated from the stated source and was not modified in transit by malicious actors. Additionally, Verisign has been instrumental in advancing DNS protocols for security and efficiency. For example, it has worked to enhance the DNS-Based Authentication of Named Entities (DANE) protocol, which builds on the DNSSEC infrastructure to enable cryptographically-secure communications. This technique can be used to exchange cryptographic credentials, such as for more generally enabling signed and encrypted email between Internet users in different organizations.
Although DNSSEC enhances DNS security, it’s not a comprehensive solution. Other layers of protection, such as DDoS mitigation, security intelligence, Secure Sockets Layer (SSL) encryption and site validation, and two-factor authentication should be used in conjunction with DNSSEC.
While the threat of domain name hijacking is very real, organizations can significantly reduce the threat of hijacking through effective tools and the appropriate vigilance. It’s critical that registrants consider the DNS registration ecosystem elements (e.g., registrar, DNS providers, registry operators, etc.) as part of their attack surface, know that adversaries see them as potential “soft spots,” and treat the task of preventing domain name hijacking with as much care as any other asset when performing risk management functions.