Understanding Domain Hijacking

A domain name is one of the most valuable property for any person or business. As the value of the domain name continues to increase, so do the risks of it being hijacked. Domain hijacking, also known as domain spoofing, refers to a malicious attack that takes over a domain, transferring control to a party associated with the attack. This might be done by means of fraudulent transfers, mistakes in registration, or social engineering against your DNS provider or team. Once in control, the attacker can further exploit the domain for an array of activities: blocking the legitimate owner’s access or performing unauthorized changes.

The results of domain hijacking are usually very devastating and cause massive losses in money and reputation for both individuals and companies. Hackers use different ways to hijack domains—phishing, system vulnerabilities, and social engineering. Recovery of a hijacked domain can be a daunting task, hence awareness and prevention are critical measures.

Examples from the Past

High-profile entities like Google, Yahoo, and Craigslist have fallen victim to domain hijacking, demonstrating the widespread vulnerability. Similarly, the crypto sector has witnessed considerable thefts, affecting platforms like Balancer, Ankr, and Pancake Swap, where substantial amounts were stolen due to domain hijacking. These incidents underscore the fact that even the most secure and well-funded organizations are not immune to domain hijacking, highlighting the importance of adopting more secure domain management practices.

Balancer (2023)

Balancer, a DeFi protocols, suffered a very significant attack the night of September 19, 2023, at the hands of DNS hijackers. Using social engineering tactics, hackers were able to gain unauthorized access from EuroDNS, the domain registrar for Balancer’s .fi domain. Attackers changed the Domain Name System, through which Balancer’s traffic was going, to point at their infringing servers, which they used to inject malfeasant code into the Balancer frontend. This code was forcing unsuspecting users to execute approvals for transaction facilitation, which were being sent to a rogue contract, creating a loss of $238,000 in cryptocurrency. Shortly after, Balancer’s team recovered domain control and took steps to lock the domain down against another attack. The company asked users to avoid using the interface they offer until they could resolve the situation, with the team saying that this incident has them rethinking their strategy of having the .fi TLD and having a registrar to .fi. They hope their example will lead others to do the same. The attack is just the latest in a series of bad news for Balancer in the security department. About a month earlier, it had suffered a similar exploit, which once again only goes to show the continued security challenges facing the DeFi sector.

Twitter (2009)

In 2009, a group of hackers, calling themselves the “Iranian Cyber Army,” broke into the domain of Twitter. They had successfully hacked into the company that had registered its domain, Melbourne IT, into an administrative control panel and manipulated the DNS records. They could therefore direct all the traffic coming to the site to their very own message page, thus bringing down Twitter and causing a major service disruption.

This means the hackers did a social engineering attack against the vulnerability of the registrar’s system, which was never publicly identified, or compromised the registrar’s credentials in a reseller account. They further went to affect changes in the domain name system settings of the system. That way, every time one visited the site, they were served a politically based attacker message.

Threat landscape

The maturity in cyberattacks has reportedly grown, evident in the 2023 DNS Threat Report, hence broadening the attack landscape. Organizations are now scrambling, so to speak, to acquire greater visibility and control over their networking activities; this way, the DNS data can be a real intelligence source in dealing with threats.

Statistics from the 2023 DNS Threat Report

Keeping Your 3DNS Domain Safe

Your 3DNS domain is like a valuable digital collectible. It’s essential to protect it well. The main risk is someone stealing access to your wallet, where your domain is stored. There have been many cases of wallet theft in the crypto world. However, with the right steps, you can keep your domain secure.

• Private Key Security: Your private key is the gateway to your wallet, and subsequently your domain. Treat it with utmost confidentiality. Never share it. Consider writing it down on a durable medium, like paper or a metal plate, and storing it in a secure location. For added security, you might divide the key into several parts and store them separately.
• Cold Wallet Storage: High-value domains should be stored in cold wallets, such as hardware wallets like Ledger, rather than in more accessible, online wallets like MetaMask. Use this wallet exclusively for managing your domain to reduce risk.
• Multi-Signature Wallets for Organizations: For businesses, a multi-signature wallet adds an extra layer of security. Requiring a consensus (e.g., 3 out of 5 or 4 out of 7 signatures) to enact changes ensures that no single point of failure can compromise your domain’s security.

The Shift Towards Secure Domain Management

The persistence of domain hijacking underscores the need for robust security measures. Blockchain technology, as exemplified by 3DNS, leads the charge against these threats. By decentralizing domain registration and management, 3DNS offers a fortified defense mechanism against traditional vulnerabilities.