On the night of Monday, January 23, the hacktivist group UGNazi hijacked Coach.com, the Internet domain name of luxury goods manufacturer Coach. For several hours, fashionistas who wanted to ogle Coach's new Willis handbag on Coach.com or get a deal on its Penelope shoulder bag at Coachfactory.com were redirected to UGNazi's cryptic website. Imagine the confusion—and frustration—the redirect must have caused in their coiffed little heads—not to mention the wear and tear on their manicured nails as they typed and retyped coach.com and coachfactory.com into their browser windows.
Coach was lucky that its hackers' motives were political rather than financial. UGNazi targeted Coach because the company, whose exclusive products are heavily counterfeited, supports the controversial Stop Online Piracy Act (SOPA). If UGNazi wanted to do more harm to Coach and its customers, it might have taken control of incoming email to Coach.com or redirected customers to a phishing website. UGNazi stated on its website, "We don't steal users' data, only here to make them aware [of the dangers SOPA, PIPA and ACTA pose to the Internet]."
A spokeswoman for Coach told CIO.com that the domain (or DNS) hijacking had a "de minimus impact on our business."
Other companies that have had their domains hijacked haven't been so lucky. In 2008, for example, when hackers hijacked CheckFree.com, they redirected traffic to a website in the Ukraine that downloaded malware on CheckFree customers' computers. (The malware was designed to steal usernames and passwords.) CheckFree customers weren't the only individuals vulnerable to the attack. Also susceptible were customers of small banks that had partnered with CheckFree to provide online bill payment services, since their sites directed to the checkfree.com domain, says Lars Harvey, CEO of Internet Identity, a security company based in Tacoma, Wash.
Domain hijacking is also serious because it puts sensitive corporate information at risk. It compromises all of the normal ways by which confidential information is shared by giving the hacker access to all of the company's incoming email, says Ram Mohan, CTO of domain registrar Afilias.
Mohan says he knows of a company that had its domain hijacked for nearly five months without even knowing it. The company didn't realize its domain had been taken over because the hackers were so subtle: Instead of redirecting visitors to another website, they sent users to the intended domain, but they "listened" to all the traffic, he says. During that time, all of the company's website traffic and emails were routed through a set of servers that the hackers had set up.
"It was a major compromise," says Mohan, who is also a member of ICANN's board of directors and co-authored an article on domain hijacking for the organization in 2005. "That's one of the worst cases because it's disguised and hidden and nobody knows unless you notice where the address is going."
Domain Hijacking: A Rising Threat
Harvey and Mohan say that domain hijacks are growing more prevalent because they're so damaging, because so much commerce is moving online and because they can be so easy to execute.
"Criminals have figured out that the value of hijacking a [domain] name is far greater than many other forms [of attack]," says Mohan. "Hackers have now effectively done the online equivalent of identity theft. They've taken over an organization's online identity and the organization's brand is now solely in the hacker's control."
Mohan adds that his company has seen the number of domain hijackings triple since 2005. In fact, the rate at which domain hijacking has grown has outpaced the growth of domain names. In 2005, says Mohan, fewer than 100 million domain names populated the Internet. By the end of 2011, there were more than 220 million.
Despite the damage domain hijacking can unleash, many companies neglect to adequately protect their domains from attack, says Harvey. He suspects this may be due to the fact that domain registrations have traditionally been the responsibility of corporate legal departments rather than security departments.
Mohan adds that even when someone in an IT department has to purchase a domain name, they may decline all protections the provider has to offer either because they don't want to spend extra money or because they don't realize they need it.
"Companies need to treat domains as the valuable assets they are and the vulnerable assets they are," says Harvey.
Some Domain Registrars Make for Easy Exploits
Hackers can employ a number of techniques to hijack a domain. One way is to enter through a company's domain registrar. If the registrar has poor security and allows an invalid password to be entered any number of times, says Mohan, a hacker who knows the administrator's name can "brute force" his way into the system by trying different user name and password combinations.
"Something secured by username and password is not that secure" adds Harvey. "Username and password can be socially engineered out of the person who had it with a spear phishing email. That happened at Comcast. For a determined bad guy, it's pretty easy."
Hackers can also try the old "forgot password" trick, says Mohan. To obtain a password, they can pretend they're a registered user who doesn't remember it. They click the "forgot password" link on the registrar's website, and if the registrar allows them to enter an email address where the registrar can either send the password or reset instructions (as opposed to sending it to the email address it has on record or asking for greater authentication), a hacker can easily take control of a domain that way.
A third method is to exploit known security vulnerabilities of the servers on which the websites are running. Mohan says that just last week an Afilias client's website was hijacked because the tech department forgot to upgrade to the latest MySQL patch. The hackers obtained the username and password for the domain name and got access to the entire site by exploiting a weakness in the client's MySQL database.
4 Ways to Protect Your Domain
Domains wouldn't be nearly as easy to hijack if the companies that owned and registered them better protected them, says Harvey. Fortunately, IT managers can take a few simple steps that will go a long way toward preventing their companies' domains from getting hijacked.
1. Pick an enterprise-class domain name registry. Some domain name companies target consumers and small business. Consequently, they don't offer the security protections that corporate focused domain registrars provide.
"Companies often make a decision to go with the lowest-cost provider or with someone who's offering a special," says Mohan. "It may cost you $20, but the actual cost when your domain is hijacked is far greater."
Adds Harvey, "When you're running millions of dollars through your website, you should have another level of security."
He notes that Coach.com was maintained at Network Solutions, a domain name registrar and hosting provider that, according to its website, targets small businesses. CIO.com tried to contact Network Solutions for this article; a PR person for the company said that corporate representatives couldn't speak with CIO.com in time for its deadline.
Some specific security practices you should seek out in a domain name registrar:
Two-factor authentication or call-back authentication. Harvey says most hijacks his company has seen would have been prevented if the domain registrars had enhanced authentication in place.
The capability to place various locks on your domain. Harvey says to make sure registry locks and registrar locks are on. Mohan says businesses can have their actual domain name locked down. Some registrars also offer lock downs to protect against domain hijacking, he adds.
A registrar that automatically locks people out after entering, say, three invalid passwords and doesn't send log-in credentials to any email address.
2. Keep up-to-date with security patches. Make sure you apply the latest security patches to your web servers so that hackers can't exploit known software vulnerabilities. "If you don't," says Mohan, "you're asking for trouble. In that case, it's not a matter of if [your domain will get hijacked], it's a matter of when," as his client learned by not applying the latest MySQL patch.
3. Monitor where site traffic is going. If you see that traffic to your website is mysteriously going to a server in the Ukraine, as it was in the CheckFree case, you know something is wrong. Very wrong.
4. Request DNSSEC from your registrar. DNSSEC—which adds security extensions to your Domain Name System—won't prevent domain name hijacking, but it's the only technology known to guarantee that once a user clicks on a link to your website, he or she won't be hijacked between the time they click and the time they reach your site, says Mohan.