During the 1980s after the breakup of “Ma Bell” (AT&T Corp.) when US regulators broke up the AT&T Corp. monopoly by a consent decree in the anti-trust lawsuit, United States v. AT&T, a nefarious marketing technique known as “slamming” became prevalent in the industry. Basically, when a customer’s phone service was switched to another carrier without the customer’s knowledge or consent, most often the long-distance carrier, the term “slamming” was applied to such nefarious behavior. Eventually “slamming” was found to be an illegal practice and various consumer laws were passed to help prevent it, however, the practice has come of age in the Internet era by way of a variant known as “Domain-Name Hijacking.” We will examine how it happens that a domain name can be transferred to an unknown registrar without the owner’s knowledge or permission–and discuss ways to combat such vulnerabilities.
In mid-afternoon, on a Monday in May 2011, Lee checked his email and found displayed in a red box on his screen the following message: “Warning: we believe your account was recently accessed from Russia – ‘Show details and preferences’- ‘Ignore.’” After clicking on the first option, a new window opened informing him that his email had been accessed from an “unknown” protocol type via two IP addresses in Russia at 4:19 a.m. and 5:40 a.m., respectively. Since Lee lived in the United States and was asleep at home at those times—clearly the access was an unauthorized intrusion. Instinctively, he checked the “trash” folder in his email account only to be greeted by the sincere, yet dreaded, message from his legitimate registrar time-stamped at 5:45 a.m. notifying him that his domain had been “successfully” transferred to a Russian registrar and away from his long-time U.S. registrar. “Sorry to see you go. We’ll always welcome you back” were the only words in the message offering some measure of solace.
After first changing his email passwords, Lee logged onto his U.S. registrar’s site, which merely confirmed what he already suspected: his hijacked domain was not listed. He franticly contacted the registrar’s customer service department and followed up with detailed email explanations. The only problem: the replies from his registrar continued to go directly into his trash folder—his filters had also been compromised. A “WHOIS” search revealed that his domain-name servers were still listed, but that the registrar was the Russian entity—and all of his contact information had been erased. At this point, he was advised to file a “dispute on transfer away” with his original registrar, who would then attempt a return of the domain from the Russian registrar.
How Is It Done?
There are various ways by which a domain-name hijacker can achieve the improper transfer of a domain name to an unauthorized registrar. The most prevalent usually involves “email vulnerability”—such as in Lee’s case—or vulnerability at the domain-registration level. “Backend” hijacking exploits the hosting or registrar company. It is often difficult for the registrar to know that there has been a hijacking and if the “WHOIS” information has been altered over a long period of time, it can be quite difficult for the legitimate registrar to identify and contact the legitimate owner. Cybercriminals are savvy, and the determined domain-name thief—like the determined car thief—is constantly coming up with new means and methods to achieve his or her goal.
Google describes one method by which email accounts can be hijacked:
The victim visits a page while being logged into Gmail. Upon execution, the page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of [the attacker’s] choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within [his or her] filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
Thus, a sophisticated email hijacker can plant a “backdoor” into an account merely by luring the account owner to a certain site or page. Other domain theft methods include: Registering dropped email accounts that are on domain name registrations; Key loggers that pick up usernames and passwords for email accounts and or registrar accounts; Phishing sites that look like the email system or registrar; and of course, social engineering where the hacker convinces a service provider rep to provide access to an account for which they should not have access. Internet users beware!
Tips for Prevention
There are certain steps that a domain-name owner can take to reduce the exposure to domain name hijacking. The following suggestions may prevent an unwanted domain transfer:
- Change your email password often.
- Test your password for its security strength. (There are free sites for checking password strength.)
- Disable POP if your email provider is able to use a different protocol.
- Tick the setting “always use https” under email options.
- Frequently check the “unusual activity” flag if provided by your email service.
- Use a two-step (two-factor) authentication if available.
- Make sure to renew your domain registration in a timely manner—with timely payments and register them for at least five (5) years.
- Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.
- Makes sure your WHOIS information is up-to-date and really points to you and you only.
- If you have 2500 or more domain names consider buying your own registrar.
Relief via the Inter-Registrar Dispute Process
If your improperly pushed domain name is still at the same registrar, but in a different account then you should immediately contact the registrar, report that the domain push was not authorized and ask the registrar to lock the domain. Most importantly, provide proof that you own the domain and the account from which the domain was pushed and request the registrar to reverse the push.
Transfer of domain names is done in accordance with ICANN’s “Policy on Transfer of Registrations between Registrars.” This policy provides that transfers are done based on the regularly relied upon form of authorization (FOA). Holder-Authorized Transfers, Section A. 2.1.3, of the policy states as follows (with emphasis added):
“In the event that the Gaining Registrar relies on an electronic process to obtain this authorization the acceptable forms of identity would include:
Electronic signature in conformance with national legislation, in the location of the Gaining Registrar (if such legislation exists).
Consent from an individual or entity that has an email address matching the Transfer Contact email address.
The Registrar of Record may not deny a transfer request solely because it believes that the Gaining Registrar has not received the confirmation set forth above.
A transfer must not be allowed to proceed if no confirmation is received by the Gaining Registrar. The presumption in all cases will be that the Gaining Registrar has received and authenticated the transfer request made by a Transfer Contact.” http://archive.icann.org/en/transfers/policy-12jul04.htm.”
In other words, the gaining registrar’s acceptance that the transfer is authorized must be taken unless there is substantial evidence to the contrary.
Paragraph 3 of the policy further states:
“A Registrar of Record can choose independently to confirm the intent of the Registered Name Holder when a notice of a pending transfer is received from the Registry. . . Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances [which are relevant to domain name theft]:
- Evidence of fraud
- UDRP action
- Court order by a court of competent jurisdiction
- Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact
- Express written objection to the transfer from the Transfer Contact. (e.g. – email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means)(There are other non-relevant reasons)”
Accordingly, if you can convince the losing registrar to raise any of the above objections, then the gaining registrar must listen and respond. This does not mean that the gaining registrar must return the domain name, just that they have to listen and keep copies of all documentation upon which it relies for its decision. If the gaining registrar states that it will not return the domain name then only two options remain. The better option for the domain name holder is to convince the losing registrar to file a dispute resolution procedure against the gaining registrar.
The inter registrar dispute resolution policy (https://www.icann.org/resources/pages/tdrp-2012-02-25-en) identifies the process for a registrar to file a dispute against another registrar which is relatively straight forward. The real issue a registrant must face is convincing the registrar to take this step when the transfer / loss of the domain(s) is clearly not the registrar’s fault.
Relief via the Federal Courts
Every registrant has the right to file suit over the loss of one or more domain names so long as the Court has jurisdiction over the defendant. If the thing (the domain name), otherwise known as “the res” in legal terms, is located in the state where the registry or registrar is located, then any suit filed may be an in rem law suit. If the domain name is a .com then, as Verisign is based in Virginia, an in rem lawsuit against the domain name may be filed in Virginia. Of course, one may also file suit against the domain name thief, but sometimes service of process (ability to properly serve the complaint) can be a challenge. Some federal court allow service via email if the standards for service of process are not met.
The law suit should be filed as soon as possible though in most states the statute of limitations is three years. It is difficult to estimate the cost for such a law suit, although you should expect to spend at least $10,000 and $20,000 depending on the facts and assuming the other side (the thief) does not respond to the complaint.
Domain-name hijacking prevention—like any type of identity-theft prevention—requires scrutiny and vigilance by the owner and the utilization of reasonable security measures in order to protect one’s valuable Internet assets. We advocate working hard to prevent the theft in the first place instead of having to pay to retrieve your valuable domain name.
Please call Greenberg & Lieberman, LLC to discuss your domain name situation now. Toll free 888-275-2757