© 2017 The Texas Lawbook.
By Craig Carpenter and Fred Fulton of Thompson & Knight
(July 6) – One hacking trend that is often under the radar, but which can be devastating on businesses, is domain name hijacking. In today’s online world, a company’s domain name can be one of its most valuable assets. Catchy domain names are often valued in the millions of dollars, and e-commerce websites can be a company’s primary or sole revenue generator. And when a company loses control of that asset, recovering it can be very expensive and difficult (if not impossible).
• Vandalizing the website with disparaging content or materials;
• Using the website for other hacking activity, such as phishing or distributing malware or spam;
• Diverting income from the website to the hacker; or
• Shutting down the company’s e-commerce operations.
Domain name hijacking occurs when an unscrupulous person exploits a vulnerability to steal a company’s domain name. The unauthorized access can relate to a vulnerability in the domain name registrar’s system, a password hack of the administrative email associated with the account, social engineering, keyloggers or a disgruntled employee with access to the administrative email. Once the hacker has access to the administrative email account or the registrar account through one of these means, the hacker can take control of the domain name and lock out the true owner.
Once a domain name has been hijacked, it can be difficult for the true owner to recover access to it. With enough documentation, the owner may be able to recover access from the registrar, but this may be ineffective if the domain name has been transferred to another registrar or another country (frequently China), or if the registrar just declines to help. If the registrar cannot or will not help, companies may try to recover stolen domain names through legal action, either in the form of a Uniform Domain Name Dispute Resolution Policy through the Internet Corporation for Assigned Names and Numbers (or ICANN), or a lawsuit based on theft. These actions have a better chance of succeeding when the stolen domain name includes the owner’s registered trademark or service mark.
1. Careful registration
In the domain name world, the “WHOIS” field in the domain name registrar’s database is analogous to the title to the domain name, so it’s critical that the correct information be entered there. When registering your domain name with a registrar, be sure to follow these tips:
• Enter correct and valid information in the WHOIS (registrant), administrative, technical and billing contact fields.
• The entity listed as the registrant in the WHOIS field is the entity that will have the legal right to transfer the domain name, acting through any individual who has been designated as an administrative contact with respect to it. So make sure all of those individuals are trustworthy employees.
• After the initial registration has been completed, continue to update all of the administrative, technical and billing contact information in your domain name customer account.
2. Limit access to the administrative contact email address
Each employee who has access to, and thus the ability to send email to the domain name registrar from, the administrative contact email address associated with your domain name will have the ability to effect the transfer of the domain name to another registrar or owner, or to make other changes to the domain name customer account.
Accordingly, it is extremely important to limit access to the administrative contact email address to trustworthy employees. Do not give your domain name customer account login, password, username, user ID, credit card number or shopper PIN information to anyone, including your webmaster.
Do not allow the administrative contact email address to expire, as this could make it possible for an unauthorized third party to sign up for that email address. That would provide access to your domain name customer account and the ability to transfer the domain name or make other changes to the domain name customer account.
3. Agreements with employees
The entity in whose name your domain name is registered, and so owns it, should enter into written agreements with all employees who have access to the administrative contact email address wherein they acknowledge and agree that the domain name is
a. Owned exclusively by their employer, and
b. Cannot be transferred, nor can any change be made in the related domain name customer account, without prior authorization from specified senior officers of their employer.
4. Monitoring and documentation
Regularly log in to your domain name customer account to confirm that the registrant and the related administrative, technical and billing contacts are listed correctly, reflecting all changes that have been made with proper authorization and no others.
Keep records of your account information to help show that you have a prior claim to the rights to the domain name. Records could include registration records, billing records, web logs, correspondence from the registrar and third-party directory information.
5. Lock your domain name
Lock your domain name from within your domain name customer account. Your registrar may provide an option to purchase additional features to help prevent your domain name from being transferred, or changes being made to your domain name customer account, without proper authorization.
6. Use secure email
Keeping secure the email through which you administer the registration of your domain name is important to preventing unauthorized changes to the registration. Consider the following precautions:
• Use a secure email address. Free email accounts can be easy targets for those seeking unauthorized access to your domain name customer account.
• Create passwords to limit access to the administrative contact email address associated with your domain name, using a complex series of letters, numbers and symbols.
• Use two-factor authentication when it’s available.
7. Antivirus and antispyware
To prevent keylogging software from capturing your account logins, usernames, user IDs and passwords, and forwarding the information to unauthorized persons, install antivirus and antispyware software and update it periodically.
8. Register your domain name as a trademark
If, despite your best efforts, your domain name is stolen, you may have to seek legal recourse to recover it if other means fail. However, if the stolen domain name comprises a trademark or service mark that is registered in the name of your company, you will likely have more options for recovering it and preventing further unauthorized use of it, which can make the process easier, faster and less expensive.
To learn more about Data Privacy and CyberSecurity, visit the T&K CyberSecurity Blog.
© 2017 The Texas Lawbook. Content of The Texas Lawbook is controlled and protected by specific licensing agreements with our subscribers and under federal copyright laws. Any distribution of this content without the consent of The Texas Lawbook is prohibited.
If you see any inaccuracy in any article in The Texas Lawbook, please contact us. Our goal is content that is 100% true and accurate. Thank you.