The availability of cheap domain and website hosting services like Wix, HostGator and GoDaddy has made website ownership as common as cellphones. However, if not managed carefully, owning a domain or website can make you a target for hackers, and in some cases, things can get ugly.
The main challenge with domain ownership is that it’s managed by companies which employ regular people like you and me. Some of these companies are well-managed and secure, while others are more susceptible to various types of attacks. Using different techniques, from cracking a user’s email to advanced social-engineering attacks, crackers have been hijacking domains for years, often causing huge damage to the original domain owners. For example, this story describes the battle Diigo had to go through when their domain was hijacked for ransom.
Even when a domain registrar has strict and secure policies regarding domain transfers, this doesn’t guarantee our safety. For example, in the case of one of CreateHive’s own customers (who shall remain anonymous), a Canadian company used a legal loophole to forcibly and secretly take over an American domain name owned by a former partner.
The big question, of course, is what we can do to prevent this from happening. Ultimately, if the hijacker is willing to go to any length, not all attacks can be prevented, and that is a risk we need to learn to live with (similar techniques can and have been used to hijack phone numbers, and even mailing addresses). However, there are a few best practices we should all follow to make ourselves less desirable targets.
First, for any account that supports it (especially email), enable two-factor authentication (2FA), as well as any other security features that are available. For example, Gmail supports two-factor authentication, so that’s a no-brainer, even if it does make life a little more complicated. When setting up accounts, make sure you use long and complex passwords that can’t be easily guessed. Try to avoid using similar or identical passwords across multiple services, and avoid setting your account-recovery questions to something that’s easy to find (that’s how the Fappening happened!).
Another thing to avoid is using your domain for your email, or at least, use an external email (like Gmail) for the primary and administrative accounts. The reason is that if someone hijacks your domain, that gives them control over your email as well, which would allow them to harvest sensitive business data, block major operational work, and even use the account to crack other services.
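To check your own setup for this circular dependency, the sketch below reads a domain record in RDAP's JSON layout and flags owner contacts whose mailbox sits on the domain they are supposed to recover. It is an added example, not code from the original article; the record is constructed, and the names `SAMPLE_RDAP`, `OWNER_ROLES`, `contact_emails` and `self_hosted_contacts` are hypothetical. It assumes the contact emails are visible in the record rather than redacted.

```python
import json

# Constructed RDAP-style domain record (RFC 9083 layout); every value is made up.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "SHOP.EXAMPLE",
  "entities": [
    {"roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["email", {}, "text", "owner@gmail.com"]]]},
    {"roles": ["administrative", "technical"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["email", {}, "text", "Admin@mail.shop.example"]]]},
    {"roles": ["registrar"],
     "entities": [
       {"roles": ["abuse"],
        "vcardArray": ["vcard", [["email", {}, "text", "abuse@registrar.example"]]]}]}
  ]
}
""")

# Roles that can receive transfer or recovery mail for the domain (assumed set).
OWNER_ROLES = {"registrant", "administrative", "technical", "billing"}


def contact_emails(entities):
    """Yield (role, email) for every contact, including nested entities."""
    for entity in entities or []:
        vcard = entity.get("vcardArray") or ["vcard", []]
        for prop in vcard[1]:
            if prop and prop[0].lower() == "email":
                for role in entity.get("roles", []):
                    yield role, str(prop[3]).strip().lower()
        yield from contact_emails(entity.get("entities"))


def self_hosted_contacts(rdap):
    """Return owner contacts whose mailbox lives on the domain they protect."""
    domain = rdap["ldhName"].rstrip(".").lower()
    risky = []
    for role, email in contact_emails(rdap.get("entities")):
        host = email.rpartition("@")[2].rstrip(".")
        if role in OWNER_ROLES and (host == domain or host.endswith("." + domain)):
            risky.append((role, email))
    return sorted(risky)


if __name__ == "__main__":
    for role, email in self_hosted_contacts(SAMPLE_RDAP):
        print(f"{role}: {email} depends on the domain it is meant to recover")
```

Any contact it reports would go dark, or fall into the hijacker's hands, the moment the domain is taken over.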
When buying domains and setting up hosting, make sure you use a well-known and large provider which is in your own country, and prefer one that has a good reputation for customer support. I know that it’s tempting to choose $10/year hosting instead of $100/year, but those 90 bucks could be the difference between sleeping well at night and losing thousands of dollars while your domain is pawned. Also, try to avoid sub-registrars and hosters (those are companies that pretend to be a hoster or registrar, but actually just re-sell a service by someone else). Yahoo does this, for example, as well as 1dollar-webhosting.com. Another thing that could help is buying domain privacy, if the registrar allows it (most do, and it’s not expensive). This isn’t a real blocker for any serious attacker, but it will deter many who are looking for easy prey.
Finally, one thing that may be harder, but worth considering, is trying to design your business in a way that doesn’t make you too dependent on your digital assets. It’s the classic idea of not putting all your eggs in one basket. One step could be using multiple email addresses and making sure customers know them all (as well as your phone number). If you sell online, offer your products through multiple venues like eBay and Amazon, instead of only via your site. Also, if you do have multiple online presence points, make sure you monitor them all routinely (for example, if you are listed on Google Maps, check the listing at least twice a month).
In closing, it becomes apparent that in today’s world of cyber crime, owning a domain and website is not as simple and trivial as it may seem. However, the answer is not to shy away from the internet, but to realize that security planning needs to be part of our routine. Just like we install locks on our doors and alarm systems in our offices and stores, so must we invest thought, time and money in securing our digital assets. With some clear thinking and planning, most of us will never fall victim to cyber hijackers.