Hey, where’d my website go? Or: how domain hijacking can ruin your e-business.

16 April 2015

It all started with a great idea scribbled on a napkin, and six months later you’re the proud owner of an e-commerce web shop generating a healthy weekly revenue. You’ve invested in redundant systems and even implemented data recovery and business continuity plans. All the bases are covered, right?

Then one evening you get the phone call that every online entrepreneur dreads, the e-shop has been hacked. You quickly log on to see the damage for yourself and are confronted with a politically inspired message.

What happened? Didn’t you invest in firewalls, intrusion detection systems and plenty of other technology precisely to prevent disasters like this?

The IT guys quickly figure it out. Somebody hijacked your domain name! It’s now using other name servers, which point to political rhetoric instead of your e-shop. Your daily revenue statistics are already down by 50% and IT say they will hit zero in four hours when the Time To Live has expired. You start to lose the Will To Live.

As night turns into early day, you learn that the hacktivists have hijacked thousands of domain names, not just yours. You don’t care; you just want that daily revenue statistic to jump from zero to… something.

Finally, 48 hours later, the flat line that is your revenue trembles and starts showing signs of life. Customer Care and Sales and Marketing are doing overtime to reassure worried customers. But three weeks on, despite all your damage control, your turn over still hasn’t reached pre-hijacking levels. You realise that when your domain name left your control, so did some of your customers.

So what happened?

A domain is hijacked when someone changes the name servers for your domain name at the registry level without your permission. Such a change doesn’t show up immediately because DNS information is cached and only refreshed when the caches expire. That’s why the change will only be noticed gradually and also why it takes time to fix.

Help is at hand

Is there any way to protect your domain name from this fate? Thankfully, yes.

A number of registries, the organisations that manage the world’s top level domains, like .eu or .com, offer a locking mechanism for their domain names, which prevents changes being made to domain name data without


EURid, the registry for the .eu top-level domain, implemented its Registry Lock in 2012, effectively preventing automated changes to domain names on the Registry level.

But! Take note! To benefit from this feature, your provider (registrar) needs to support it. If they do, you’ll need to explicitly enable it as domain names are only ‘locked’ at the request of their registrants.

So do yourself and your revenue a favour: contact your registrar and lock your domain name. It’s a small change that could make a big difference.

Dirk Jumpertz
Security Manager