Preventative actions to safeguard your domains and recover from domain name hijacking

Domain hijacking
(Image credit: Shutterstock/Shamleen)

Every year, organizations and individuals around the world fall victim to a preventable and costly cyberattack – domain name hijacking. This attack occurs when a malicious actor takes control of a domain name and gains access or control of the services and resources the domain name refers to, such as websites, email, and customer or user personal information. 


David Conrad is the Chief Technology Officer of the Internet Corporation of Assigned Names and Numbers (ICANN).

Worse, the compromise of a domain name also compromises all of its existing subdomains. For example, if the top-level domain (TLD) .ZZ is compromised, all second-level domains in .ZZ are at risk of being compromised (e.g. companyname.ZZ), as well as all associated third-level domains (e.g., specific website pages, etc.).

A recent report by CSC shows that 83% of Forbes 2000 organizations’ web domains are poorly protected against domain name hijacking. During an attack, malicious actors may impersonate the registrant, i.e., you - the organization or individual who registered and holds the domain name, in order to collect sensitive information from the website’s users, illicitly transfer the domain to a new holder, redirect unsuspecting visitors to a malicious website, or hold the domain ransom for monetary gain. 

Recovering from a domain name hijacking can be lengthy and costly, both from a reputational as well as financial standpoint. As such, it is vitally important for businesses and individuals to understand that domain names are critical assets – they represent your presence on the Internet, both as an outward representation, i.e., your brand, as well as an entry point to all the services and resources you provide over the Internet. 

In most cases, domain names are acquired through registrars (e.g.,, GoDaddy, etc.), which have agreements with TLD registries. The generic TLD registries that have contracts with the Internet Corporation for Assigned Names and Numbers (ICANN) allowing them to make second-level domains available in a non-discriminatory fashion. 

Each entity in this chain, from ICANN to TLD registries to registrars to registrants represent a part of an attack surface that has become increasingly attractive to malicious actors. Unfortunately, the malicious actors tend to target the easier prey first, and in this case, that target is typically you, the registrant. 

Every registrant – large multinational organizations, small businesses, individuals, hospitals, governments, and beyond, needs to take precautions and practice good online hygiene to ensure their domain name(s) remain secure. 


(Image credit: Shutterstock / Sashkin)

What follows is a list of preventative actions you, as a registrant, should take to safeguard your domain names and associated resources and services. 

Be defensive in online behaviors. As with nearly anything on the Internet today, it pays to be defensive. The key assets attackers typically look to obtain are usernames and passwords, and phishing schemes are a common way to acquire them. Therefore, something as simple as clicking an innocent-looking link in a phishing email or unwittingly opening a malicious attachment can give attackers access to your credentials, potentially including those that allow control over your domain names. In particular, as a registrant, treat any email purporting to come from ICANN, a registry, or a registrar with care – phishing attacks of this nature are unfortunately common.  Similarly, running out of date or vulnerable software can provide an opening for malicious attackers, particularly if your connection to the Internet is not filtered by a firewall.  

General “cyberhygiene” advice applies: be wary of any externally originated email, use anti-virus software, keep systems and software up to date, be careful in what you download and open or run, etc. Further, as with anything secured online, a strong and unique password is a must when registering the domain name, ideally making use of multi-factor authentication. 

Finally, as a registrant, when accessing your domain name registration account, it’s important to use an encrypted channel, e.g., a connection using Transport Layer Security (TLS), such as HTTPS, to prevent an attacker from intercepting, eavesdropping, or tampering with communications with your registrar.

Register the domain name with an unrelated email address and monitor that address regularly. When registering a domain name, every registrant is required to provide contact information, including an email address. It’s important to use an email address that’s not associated with the domain name that is being registered, because if an attacker compromises the domain, they can redirect all email addresses within the domain and may be able to simply change the registration information (also known as “WHOIS” data) to make themselves the registered holder. For instance, if the domain name is EXAMPLE.COM, the email address used should not be user@EXAMPLE.COM since an attacker that is able to compromise the EXAMPLE.COM domain can easily hijack mail to that domain. 

Using an email not associated with your domain name may also be the only way for you to prove to your registrar that you are indeed the rightful registrant, in the event your domain name is hijacked. 

It is equally, if not more important, that the email address you provide to the registrar at the time of creation of the domains is active and regularly monitored. This address is where you will receive important notifications, including the renewal reminders sent prior to a domain’s expiration, a yearly WHOIS verification request, alerts when changes are made to the domain name registration information, among others. 

An unfortunately large number of domains are lost because the registrant is unaware they are expiring. Once a domain is lost it can be snapped up by malicious actors that can then harvest connection attempts, collect email, and act as a man-in-the-middle for all communications destined for the expired domain name.

Make registrar security practices key criteria for selecting your registrar. Increasingly, attackers are targeting registrars in order to gain access to all its registered domain names. As such, just as you should follow good cyber hygiene practices, it is important that your registrar follows similar practices. Investigating what those practices are can help you evaluate the risks you might encounter via the registrar. In particular, you should use registrars that offer multi-factor authentication processes for added protection. 

Typically, multi-factor authentication requires some type of unique security code, in addition to the standard username and password, to access the account. As a registrant, you can ask your registrar if multi-factor authentication is available and, if so, how to enable it for all your domains. If a registrar does not provide multi-factor authentication, you may wish to seriously consider transferring your domains to one that does.

Also, when selecting a registrar, you should ensure the registrar is accredited by ICANN.  ICANN accreditation provides a baseline of behaviors the registrar is contractually obligated to follow and provides for some remedies in the event a registrar does not live up to their obligations. 

Where possible, “lock” your domain. In most cases, there are a variety of “locks” you can put in place to reduce the risk that your domain name can be altered or hijacked. Working with a registrar that supports a “transfer lock,” you can mark your domain in such a way that will require extra authentication, typically a phone call or SMS message exchange to a pre-established number, to enable the domain to be transferred to a different registrar. Every registrar has its own unique process to implement a transfer lock, and while they are not fool-proof, they do add another layer of protection to deter domain name hijacking.

Even further, in some cases, a registry may have a facility known as a “registry lock”.  A registry lock is in concept similar to a transfer lock, however it is implemented at the registry instead of the registrar. This form of locking is generally more secure because a compromise of your credentials at the registrar can allow the attacker to modify your contact information. 

Depending on the registry or registrar, other forms of locking may be available. There are a set of “status codes” used by the registrars to communicate with the registries that are used to lock various aspects of registrations, including whether the domain can be deleted, transferred, or updated. A full list of these status codes is available at Asking your registrar which of those codes you are allowed to set, and how, can provide tools to help you protect your domain name.

When domain hijacking happens

However, despite all protective measures you may take, what can you as a registrant do if your domain name is still hijacked? The key is quick action and an ability to show proof of ownership. As the legitimate registrant, you should:

  • Immediately contact your registrar. Time is of the essence; immediately contact your registrar if you notice any of your account or domain registration information has been unexpectedly modified or if the domain name has been transferred to a completely new registrar or registrant. Waiting to notify the registrar only gives the hijacker more time to transfer the domain through multiple registrars, which makes the retrieval process even more difficult.
  • Be prepared to prove you are the domain name registrant. Once the issue has been flagged to your registrar, the first step to recovering a domain name is to prove ownership of the domain name. Many times, a domain name hijacker will change the registration data associated with the domain name to create their own proof of ownership. Examples of documentation to prove your ownership to the domain name can include: the history of the domain, e.g., copies of registration records, tax filings, receipts, billing records, or financial transactions that associate them with the account, as well as registrar correspondence such as renewal notices, etc. You can proactively prepare for a domain hijacking by keeping an updated record of these types of documentation at the ready.
  • Don’t panic; follow procedures. There are specific rules to protect rightful name holders on the transfer of domain names. First, a domain name transfer can only be initiated by a registrar if the proper paperwork, called a Form of Authorization (FOA), has been completed. The new registrar that the domain name was transferred to is required to be able to provide such documentation, and failure to do so warrants a reversal of the transfer. In this event, the rightful name holder must file a complaint under the Transfer Dispute Resolution Policy. If you are following these steps but not receiving the necessary support from your registrar, an Unauthorized Transfer Complaint can be submitted directly to ICANN to help recover the domain.

There are about 1,500 domain name registries and thousands of registrars, all part of a competitive, diverse and vibrant Domain Name System (DNS) ecosystem, which has led to millions of different domains registered today. But this volume also provides a wide attack surface. Compromise of a domain name means all emails, services, and resources that domain refers to are subject to compromise as well. To help keep users and organizations safe from DNS hijacking, it is crucial for all registrants to be familiar with their rights and responsibilities to ensure that they protect not only themselves but also their customers and users.

  • We've built a list of the best CDN providers available

David Conrad is Chief Technology Officer of the Internet Corporation of Assigned Names and Numbers (ICANN).