Domain hack

There is no overestimating the value of your company’s domain name. Whether you work for a big brand or run a mom-and-pop dot-com, the goal is easy navigation to your site. A prospective client or customer types your company name and their browser does the rest.

What would happen if you typed in “Amazon,” the corresponding domain popped up, and you clicked, but instead of finding the world’s largest online retailer, you landed on a 1980s WarGames-themed page with a laughing skull?

Think that would be impossible? While it may be for “Amazon,” or at least devilishly hard, it’s easier than you’d think. A new study of Forbes Global 2000 companies suggests that many domain names, far from being jealously guarded assets with Fort Knox-level security, are eminently hackable.

The study, released earlier this month by international business firm CSC, found that 83 percent of organizations surveyed haven’t implemented baseline security measures like domain name registry locks, which help prevent domain name hijacking and/or unauthorized transfers. More than half of the companies surveyed used retail-grade registrars, which typically provide less in the way of security safeguards and training than enterprise-grade registrars. A whopping 97 percent failed to use DNSSEC, a domain security protocol designed to address core vulnerabilities in the foundations of the internet itself.

A Prime Target for Hackers

As Zoom use skyrocketed with the spread of the Covid-19 pandemic, there was an immediate jump in lookalike domain names. Many of these faux-Zoom sites were used to distribute malware under the guise of links to online meetings. Hackers were also quick to pounce on the disruption caused by the 2018 shutdown of the U.S. federal government to hijack and tamper with government domain name entries.

Bottom line: Hackers sure know how to leverage the theft of a domain name.

A hijacked domain name can be used to extort ransom for its return, to redirect users to a seemingly identical website where hackers can deploy malware or collect user credentials and payment card information, or to simply leverage a target company’s reputation. All of these can be extinction-level events.

In 2015, Chinese hackers redirected the hijacked ShadesDaddy.com to a site selling counterfeit merchandise.

“Overnight, we lost our most valuable asset and were out of business,” wrote ShadesDaddy.com founder and CEO Pablo Palatnik of the experience. “They had all of our traffic and we were losing thousands of dollars daily in revenue.”

Hacking campaigns exploiting poor domain name security can be more subtle. A recent domain hijack of Japanese cryptocurrency exchange Coincheck.com was used to spoof the company in a spear-phishing campaign. Hackers posing as Coincheck.com employees contacted the company’s customers and requested their account credentials. Over 200 customers engaged with the hackers before they were discovered.

Even when companies are able to respond quickly to the loss of a domain name, the damage to their reputation and loss of confidence with customers can be lasting. We are all weary of the endless cycle of hacks and data breaches and we’re increasingly blaming businesses that have been compromised rather than the hackers themselves. That spells trouble if you’re the one that gets hacked.

What Can Be Done?

Domain names are far from the only vector of attack, but they’re one of the most visible.

Whether your company is international or a regional operation, the time to invest in a cybersecurity audit was yesterday. It should include an inventory of who can access registrar accounts, implementation of two-factor authentication, and password hygiene checks. Industry-level protections such as Domain-based Message Authentication, Reporting & Conformance (DMARC) should also be put in place. Enterprise-level domain registrars are also a good idea, since they have more stringent security and may be more effective at recognizing suspicious behavior and threats.
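As an added example (not from the article or from CSC), the sketch below shows how an audit could check a domain for the controls named above: registry lock, DNSSEC and an enforcing DMARC policy. It assumes the registration data comes from an RDAP lookup with RFC 9083 field names; the helper names and all sample records are constructed for illustration.

```python
# Added example: offline audit of the baseline controls named in the article.
# RDAP field names follow RFC 9083; all sample data below is constructed.

# Registry lock appears as server-side statuses set by the registry.
# "client ..." statuses are only the registrar-level lock.
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def audit(rdap, dmarc_txt):
    """Hypothetical helper: list the gaps found in one domain's records."""
    findings = []
    statuses = {s.lower() for s in rdap.get("status", [])}
    missing = REGISTRY_LOCK - statuses
    if missing:
        findings.append("registry lock incomplete: missing " + ", ".join(sorted(missing)))
    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC: delegation is not signed")
    dmarc = next((t for t in map(parse_dmarc, dmarc_txt) if t), None)
    if dmarc is None:
        findings.append("DMARC: no record published")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    return findings

# Constructed records: a registrar-locked but otherwise unprotected domain...
WEAK = {"status": ["client transfer prohibited"],
        "secureDNS": {"delegationSigned": False}}
WEAK_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
# ...and the same domain with all three controls in place.
HARDENED = {"status": ["client transfer prohibited", *sorted(REGISTRY_LOCK)],
            "secureDNS": {"delegationSigned": True}}
HARDENED_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for name, rdap, txt in (("weak", WEAK, WEAK_TXT), ("hardened", HARDENED, HARDENED_TXT)):
        print(name, audit(rdap, txt) or "no findings")
```

In practice the `rdap` dictionary would be the JSON returned for the domain by its registry's RDAP service, and `dmarc_txt` the TXT records published at `_dmarc.<domain>`.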

Regardless of how secure you believe your company to be, regular security training for employees is a must (even if you are the only employee). If all else fails (and cyber fails are more or less the third certainty in life), there’s some peace of mind to be had in securing a robust cyber insurance policy to mitigate losses in the event of a successful hack.