
What You Should Learn from the Diigo Domain Hijacking incident

Dave Piscitello, Sr. Security Technologist, for the ICANN Security Team

Diigo is a social annotation and bookmarking service that millions of individuals, educators, and students use daily to manage and share information, conduct research and collaborate. On October 24th, an attacker gained control of Diigo’s domain registrar account. The domain was hijacked away from Diigo’s control into the hands of the attacker, and Diigo’s services were lost to an estimated five million users for more than two days. TechCrunch has published a detailed account of the incident, which should serve as a sobering reminder for everyone who registers a domain: your domain name is a critical component of your online presence, and you must take measures to monitor and safeguard it against attacks that can disrupt the services you offer, impede research, or cause you material loss or reputational harm.

Domain hijacking is not new. ICANN’s Security, Stability and Advisory Committee (SSAC) began raising awareness of the threat in 2006 in its first Domain Hijacking Report. Since 2006, SSAC and members of ICANN’s Security Team have recommended measures registrants can take to protect their domain name registration accounts and ways that registrars can assist them (SAC040, SAC044).

The Diigo incident is a case involving user account compromise, extortion, and the unauthorized transfer of a domain. Among other measures, these reports emphasize the importance of protecting accounts with credentials (usernames and passwords) that are not easily guessed or obtained through social engineering. Remember: any party who has access to your credentials – you, staff you contract with to host your web site, or registrar staff – can be a target and victim of a social engineering attack.

The reports also explain the importance of using “locks” to prevent unauthorized transfers. Another SSAC report explains how a domain name can be hijacked by a phishing attack: here, a registrar-impersonating phisher lures a registrar’s customer to a bogus copy of the registrar’s customer login page, where the customer may unwittingly disclose account credentials to the attacker, who can then modify or assume ownership of the customer’s domain names.

Our “short list” of measures all registrants should take to protect against domain hijacking or other domain name attacks includes:

  1. Protect domain name account credentials. Most registrar account portals are password protected, so create strong passwords and safeguard them. You may also want to shop for a registrar that offers multi-factor authentication (e.g., a token).
  2. Use SSL (HTTPS) when you access your domain name registration account.
  3. Use ICANN accredited registrars. Ask about the reputation and service record of registrars. If you’re not entirely comfortable with a registrar, you can and should consider transferring your domain to a party you trust.
  4. Ask your registrar to apply registrar locks on your domain names. Locks (formally, status codes) prevent changes to your domain name registrations, and block attempts to transfer or delete your domain names (see SAC044, pp 22-23). A number of TLD registry operators offer registry lock to prevent unintended changes to registry accounts. This service is offered in addition to lock services offered by registrars, and often includes manual support (1, 2).
  5. Pay attention to “routine” registrar correspondence, as these may be phishing emails. In these email messages, phishers often use HTML to embed malicious links in seemingly innocuous or “safe” links. Don’t click on a hyperlink; instead, type the link in manually.
  6. Monitor your domain’s WHOIS and DNS information. Check both routinely so you can detect any unauthorized or suspicious changes (see SAC044, pp 20-22).
  7. Keep your domain name registrant account information private, secure, and recoverable.
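
Items 4 and 6 above amount to a monitoring task: record the registrar, the lock status codes and the delegation you expect, then compare each fresh WHOIS and DNS snapshot against that baseline and alert on any difference. The script below is an added example, not code from ICANN or from this post: it parses the common "Key: Value" WHOIS layout, checks that the registrar lock status codes (the EPP names clientTransferProhibited, clientDeleteProhibited and clientUpdateProhibited) are still present, and compares both the WHOIS nameservers and the live NS records against the baseline. The WHOIS text, domain, registrar names and nameservers are all constructed sample data; in production you would feed it the output of your registrar's WHOIS or RDAP lookup and the result of an NS query for your domain.

```python
"""Baseline drift check for a domain's registrar locks and DNS delegation.

Added example (not code from the ICANN post). A snapshot of WHOIS output
and the domain's live NS records is compared against a known-good
baseline, and every difference a hijacking typically introduces (lock
removed, registrar changed, nameservers moved) is reported. All input
below is constructed sample data.
"""
import re

# EPP status codes that act as registrar "locks" (RFC 5731 names).
# An attacker holding the registrar account typically clears these
# before transferring or deleting the domain, so their absence is a signal.
LOCK_STATUSES = frozenset({
    "clientTransferProhibited",
    "clientDeleteProhibited",
    "clientUpdateProhibited",
})

# Constructed baseline: what the registrant recorded when all was well.
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "nameservers": frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    "statuses": LOCK_STATUSES,
}

_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")


def parse_whois(text):
    """Extract registrar, status codes and nameservers from 'Key: Value' WHOIS text."""
    info = {"registrar": None, "statuses": set(), "nameservers": set()}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "registrar":
            info["registrar"] = value
        elif key == "domain status":
            # Registrars print e.g. "clientTransferProhibited https://icann.org/epp#..."
            info["statuses"].add(value.split()[0])
        elif key == "name server":
            info["nameservers"].add(value.lower().rstrip("."))
    return info


def check_domain(whois_text, live_nameservers, baseline=BASELINE):
    """Return a list of (category, detail) findings; an empty list means no drift."""
    seen = parse_whois(whois_text)
    findings = []

    if seen["registrar"] != baseline["registrar"]:
        findings.append(("registrar", f"{baseline['registrar']!r} -> {seen['registrar']!r}"))

    missing = baseline["statuses"] - seen["statuses"]
    if missing:
        findings.append(("lock", "removed: " + ", ".join(sorted(missing))))

    if seen["nameservers"] != set(baseline["nameservers"]):
        findings.append(("whois_ns", f"now {sorted(seen['nameservers'])}"))

    # The live delegation must match too: a changed NS set in DNS means
    # traffic is already being steered elsewhere, whatever WHOIS says.
    live = {ns.lower().rstrip(".") for ns in live_nameservers}
    if live != set(baseline["nameservers"]):
        findings.append(("dns_ns", f"now {sorted(live)}"))

    return findings


# Constructed WHOIS snapshots; the layout mirrors typical registrar output.
GOOD_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar URL: http://registrar.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

HIJACKED_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar LLC
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.INVALID
"""

if __name__ == "__main__":
    for label, text, ns in [
        ("baseline", GOOD_WHOIS, ["ns1.example-dns.net.", "ns2.example-dns.net."]),
        ("after hijack", HIJACKED_WHOIS, ["ns1.attacker-dns.invalid."]),
    ]:
        print(label, "->", check_domain(text, ns) or "no drift")
```

Run it on a schedule (daily is typical) and treat any non-empty result as an incident to verify with the registrar immediately; a lock that has gone missing is worth acting on even before the nameservers change, because it is the step that precedes an unauthorized transfer.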

For more information, you may also find these articles helpful:

Measures to protect (University) domain registrations and DNS against attacks
http://securityskeptic.typepad.com/the-security-skeptic/2011/07/measures-to-protect-university-domains-against-attacks.html

Podcast: How to protect your domain registration accounts against attack or misuse
http://securityskeptic.typepad.com/the-security-skeptic/2011/02/podcast-how-to-protect-your-domain-registration-accounts-against-attack-or-misuse.html

Why You Need To Add “Protect Domain Name” To The Security Checklist
http://www.networkcomputing.com/data-protection/why-you-need-to-add-protect-domain-name/229616011

How To Protect Yourself Against Domain Name Hijackers
http://www.informationweek.com/how-to-protect-yourself-against-domain-n/170000337

Want to Register a Domain Name? Easy Consumer Advice
http://blog.consumerwebwatch.org/2007/12/want_to_register_a_domain_name_1.html

Top Ten Things to Consider when Registering A Domain Name
http://www.consumerwebwatch.org/pdfs/domainname.pdf
