
Documentation is Key to Recovering Hijacked Domain Names

When victims of domain name hijackings contact our Security Team for guidance, we will ask about the circumstances relating to the attack. We'll ask whether they have contacted their hosting provider, registrar, or law enforcement. We next ask, "do you have any way to demonstrate to your sponsoring registrar that the registration or use of the domain is rightfully yours?"

Sadly, many parties who contact us haven't considered that they will have to prove that the domain is theirs to use. Some parties contact us only after they've already experienced difficulties when they've tried to recover their domain names. They'll ask, "Why is the recovery process so hard?"

In this post, we discuss domain name hijacking or domain registration account hacking and identify documentation that you might use should you or your organization fall victim to either of these attacks.

The Threat Landscape

Domain hijacking, theft, or registration account attacks typically result in one of two types of consequences: (1) the attacker changes DNS configuration, so that name resolution for the domain is performed by a name server not operated by (or for) the victim, or (2) the attacker alters registration contact information and effectively takes control of any domains registered under the compromised account.

In cases where the attackers want to keep the name, domain thieves may alter the registration data (WHOIS) associated with a domain name, because this is the immediate, most accessible "proof." They may alter payment information. They may transfer the domain name to a new registrar: the new registrar will have information about its customer, but may not have any registration activity history. Any of these factors can make the recovery process long and trying.

Recovery Procedures

You should first contact your domain registrar. You can use ICANN's WHOIS service to identify your registrar and the accredited registrar list to obtain additional contact information. Additional information is available at the Domain Name Holders FAQ. In other cases, procedures for resolving domain name disputes are well defined; for example, you can submit a complaint regarding an unauthorized transfer of your domain name to another party, a trademark infringement, or a dispute between you and your registrar.

You will need to provide documentation to the registrar or dispute resolution service provider that proves an association existed between you, the complainant (the one who legitimately registered the domain name), and the hijacked domain name or account prior to the incident. (Note that the UDRP is a forum for trademark disputes.)

Documentation is Key

Some or all of the following "paper trail" can serve as proof that you have a prior claim to the rights to use a domain name over a party or organization identified as the registrant in a hijacked domain name registration record:

  • A domain history, i.e., copies of registration records that show you or your organization as the registrant of record for the hijacked domain.
  • Billing records or email receipts demonstrating that you or your organization has maintained account currency.
  • System or web logs, or archives, showing that the hijacked domain name has been associated with content you have published on a web or other hosting site.
  • A history of financial transactions that associate you or your organization with the hijacked domain name. Increasingly, credit card or bank statements provide purchase details: the merchandise, along with the merchant name, business address and contact phone numbers. The hijacked domain name may appear as the merchandise, and the registrar as the merchant name.
  • Telephone directories (Yellow pages), marketing material, etc. that contain advertising that associate the hijacked domain name with your organization.
  • Correspondence from registrars relating to the hijacked domain name; for example, the annual WHOIS reporting notice, renewal notices, notices of DNS change, telephone call records, etc., or generally any correspondence sent to the email or postal addresses, or calls placed to the telephone numbers, of you, your employees or your legal agents.
  • Legal documents, for example, a contract for the sale of a business that contains a clause such as "as a condition of sale, seller agrees that the domain name <hijacked domain name> shall be transferred to buyer".
  • Tax filings, business tax notices, etc. that associate you or your organization with the hijacked domain name.

This list is representative of the type of information that might be useful. Some or perhaps all of these documents might require corroboration from other parties (e.g., credit card companies, tax collectors/IRS, etc.) or a notary stamp or equivalent. Presenting these kinds of documentation to the current sponsoring registrar of the hijacked domain may be sufficient to justify a return of the domain or restoration of correct DNS configuration data.

If you haven't prepared for the possibility of a domain hijacking by gathering proofs of your rights to use, we encourage you to do so now.
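One way to start building the "domain history" the list above asks for, and at the same time to notice early the two outcomes described under The Threat Landscape (name servers swapped, registrant data rewritten), is to snapshot your registration and DNS state on a schedule and keep the snapshots in a hash-chained archive. The Python below is an added example, not code from the ICANN post or from ICANN; every registrar, registrant and name-server value in it is constructed sample data (the `attacker.invalid` and `example-host.net` names are placeholders), and in real use you would fill `make_snapshot` from your registrar's RDAP response and your own NS lookups.

```python
"""
Added example (not part of the original post): keep a timestamped, tamper-evident
archive of a domain's registration and DNS state, and diff each new snapshot
against the baseline so that swapped name servers or rewritten registrant data
are flagged. All data below is constructed sample data, not a live lookup.
"""
import hashlib
import json

# Fields a domain thief typically rewrites (registrant contact, registrar, DNS).
WATCHED_FIELDS = ("registrar", "registrant_email", "registrant_org", "name_servers", "expires")


def make_snapshot(domain, registrar, registrant_org, registrant_email, name_servers, expires, taken_at):
    """Normalise one observation into a canonical record plus its SHA-256 digest."""
    record = {
        "domain": domain.lower().rstrip("."),
        "registrar": registrar,
        "registrant_org": registrant_org,
        "registrant_email": registrant_email.lower(),
        # Sort and normalise so ordering or trailing dots never look like a change.
        "name_servers": sorted(ns.lower().rstrip(".") for ns in name_servers),
        "expires": expires,
        "taken_at": taken_at,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"record": record, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def diff_snapshots(baseline, current):
    """Return (field, old, new) for every watched field that differs."""
    changes = []
    for field in WATCHED_FIELDS:
        old, new = baseline["record"][field], current["record"][field]
        if old != new:
            changes.append((field, old, new))
    return changes


def classify(changes):
    """Map the changes onto the two hijacking outcomes the post describes."""
    fields = {c[0] for c in changes}
    findings = []
    if "name_servers" in fields:
        findings.append("dns_redirected")
    if fields & {"registrant_email", "registrant_org", "registrar"}:
        findings.append("registration_altered")
    return findings


def append_to_archive(archive, snapshot):
    """Append a snapshot as a hash-chained entry: each chain digest covers the
    snapshot digest and the previous chain digest, so editing or deleting an
    older entry breaks every digest after it."""
    prev = archive[-1]["chain_sha256"] if archive else "0" * 64
    chain = json.dumps({"sha256": snapshot["sha256"], "prev": prev}, sort_keys=True)
    entry = {"snapshot": snapshot, "prev": prev,
             "chain_sha256": hashlib.sha256(chain.encode()).hexdigest()}
    archive.append(entry)
    return entry["chain_sha256"]


def verify_archive(archive):
    """Recompute every record digest and chain link; False if anything was altered."""
    prev = "0" * 64
    for entry in archive:
        snap = entry["snapshot"]
        canonical = json.dumps(snap["record"], sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(canonical.encode()).hexdigest() != snap["sha256"]:
            return False
        chain = json.dumps({"sha256": snap["sha256"], "prev": prev}, sort_keys=True)
        if entry["prev"] != prev or hashlib.sha256(chain.encode()).hexdigest() != entry["chain_sha256"]:
            return False
        prev = entry["chain_sha256"]
    return True


# Constructed sample observations: a healthy baseline, then a hijacked state.
BASELINE = make_snapshot("example.com", "Example Registrar Inc", "Example Org", "Admin@example.com",
                         ["ns2.example-host.net.", "NS1.example-host.net"], "2026-01-01",
                         "2025-01-01T00:00:00Z")
HIJACKED = make_snapshot("example.com", "Example Registrar Inc", "Example Org", "thief@attacker.invalid",
                         ["ns1.attacker.invalid", "ns2.attacker.invalid"], "2026-01-01",
                         "2025-02-01T00:00:00Z")


def demo():
    """Archive both snapshots and report what changed between them."""
    archive = []
    append_to_archive(archive, BASELINE)
    append_to_archive(archive, HIJACKED)
    changes = diff_snapshots(BASELINE, HIJACKED)
    return {"changes": changes, "findings": classify(changes), "archive_intact": verify_archive(archive)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule, store the archive (and periodic copies of the actual RDAP output, renewal e-mails and invoices) somewhere that does not share credentials with the registrar account, and a later `verify_archive` check gives you a dated record you can hand to a registrar or dispute resolution provider rather than reconstructing history after the fact.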

Comments

    a.bdelaziz  02:17 UTC on 18 April 2016

    Well, after reading the three experiences (panix.com, hushmail.com, HZ.com), I am surprised that something like that could happen. Thanks for the advice, I will archive the online documentation (bill, email, ...)!
