On October 24th 2012, Diigo, a social bookmarking website allowing signed-up users to bookmark and tag web pages, had its domain, diigo.com, stolen by a domain name thief. . As a result, Diigo’s more than 5 million registered users were not able to access the website.
Domain theft, also known as domain name hijacking, is not a new phenomenon. Back in 2005, the ICANN’s Security, Stability and Advisory Committee (SSAC) issued a Domain Hijacking report outlining several incidents of domain theft. The report defines domain name hijacking as “wrongful taking of control of a domain name from the rightful name holder.”
The present contribution describes the types of domain thefts (Section 2) and explains the possibilities for recovery of stolen domain names (Section 3). Finally, a conclusion is drawn (Section 4).
Types of domain theft
The Domain Hijacking report differentiates five basic types of domain theft, namely: impersonation of a domain name registrant in correspondence with a domain name registrar (Subsection 2.1); forgery of a registrant’s account information maintained by a registrar (Subsection 2.2), forgery of a transfer authorization communication from a registrant to a registrar (Subsection 2.3); impersonation or a fraudulent act that leads to the unauthorized transfer of a domain from a rightful name holder to another party (Subsection 2.4), and unauthorized DNS configuration changes that disrupt or damage services operated under a domain name (Subsection 2.5).
Impersonation of a domain name registrant in correspondence with a domain name registrar
This type of domain theft includes using forged fax or postal mail requests to modify registrant information. In some cases, stolen or copied company letterheads may be also used.
The www.hushmail.com incident is a typical example of impersonation of a domain name registrant. Hushmail was launched in 1999 by Hush Communications. In April 2005, a domain name thief convinced the support staff of Network Solutions, Inc. to modify the administrative email contact information in Hush Communications’ registration record. Then, the attacker used the administrative contact email to submit a password reset request for the Hush Communications account to Network Solutions, Inc. Afterwards, the attacker logged into the Hush Communications account, changed the password, and altered the DNS configuration to point the domain name to his own server. At the end, the thief posted a new home page demonstrating his achievement and embarrassing Hush Communications.
Forgery of a registrant’s account information maintained by a registrar
Domain name thieves may forge the account information associated with a domain name registration to conduct malicious activities, such as reselling the domain. For instance, the forged information may be used by a thief to deceive a buyer that the thief is the actual owner of the domain name.
Forgery of a transfer authorization communication from a registrant to a registrar
This type of domain theft includes acts where the domain name thief submits a fake transfer authorization communication to the registrar. The communication appears to be sent by the registrant, which would allow the thief to take control over the domain name.
For example, in the U.S. case Kremen v Cohen 2001, the California District Court found that the defendant fraudulently obtained the registration of the domain name sex.com by sending a forged letter to Network Solutions, Inc., the domain registrar. As a result, the court awarded $65 million for damages resulting from the fraud.
The court justified the award by stating that, in the five years the defendant operated the “sex.com” website, he reaped profits amounting to more than 40 million dollars. The damage award also included $25 million in punitive damages.
2.4 Impersonation or a fraudulent act that leads to the unauthorized transfer of a domain name from a rightful name holder to another party
This type of domain name theft includes actions that may or not may lead to changes in the DNS configuration. If the theft does not lead to changes in the DNS configuration, it could remain undetected for a considerable period of time. In this case, the motive of the thief is not to immediately disrupt the domain holder’s operation, but to acquire and resell the domain name.
An example of such a theft is the blogtemplate4u.com and dhetemplate.com incident. Both domain names were previously registered and managed by a U.S. company and registered through Go Daddy Operating Company, LLC. Suddenly, an unidentified and unauthorized person used the name and the password of the company manager to log into his account and transfer the Domain names to another Registrant and Registrar (OnlineNIC, Inc.). In this incident, no changes had been made to the DNS configuration, and the services of the two domain names had not been affected.
The manager of the company submitted a Uniform Domain Name Dispute Resolution Policy (UDRP) claim to the online ADR Center of the Czech Arbitration Court requesting the transfer of the domain names to his company. UDRP is an administrative procedure allowing trademark holders to submit complaints to ICANN-accredited dispute resolution providers for disputes involving domain names that have been registered by an ICANN-accredited registrar. On November 21, 2012, a panelist of the Czech Arbitration Court delivered a decision transferring the domain names to the manager of the company.
Unauthorized DNS configuration changes that disrupt or damage services operated under a domain name
Unauthorized DNS configuration changes can be a result of DNS spoofing attacks (also known as DNS cache poisoning). In this kind of attack, data is introduced into a Domain Name System (DNS) name server’s cache database that results in the domain name server returning an incorrect IP address, diverting traffic to another computer (often the computer of the domain name thief). A typical example of DNS spoofing occurred in 1997 when Eugene Kashpureff redirected users attempting to connect to the InterNIC website to his own website.
Possibilities for recovery of stolen domain names
At present, victims of domain name theft can re-take control of the stolen domain names through dispute resolution procedures (Subsection 3.1). In addition, ICANN also considers the use of an emergency action channel (Subsection 3.2) between registrars that will be used in cases where an urgent response is required.
Dispute Resolution Procedures
The Uniform Domain Name Dispute Resolution Policy (UDRP) and the Transfer Dispute Resolution Policy (TDRP) established by ICANN are designed to impartially assess the factual circumstances of the case with the aim of determining the appropriate outcome of a dispute.
The Uniform Domain Name Dispute Resolution Policy (UDRP)
The Uniform Domain Name Dispute Resolution Policy (UDRP) is an effective means for recovery of stolen domain names. The total cost of UDRP (including attorney’s expenses) may vary between $1,000 and $2,000. The procedure will take at least two months to reach a decision. In order to succeed in a UDRP proceeding, a complainant must establish three elements: (1) the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (2) the registrant does not have any rights or legitimate interests in the domain name; and (3) the registrant registered the domain name and is using it in “bad faith.”
A party who lost the proceedings may file a lawsuit in a national court against the domain name registrant.
In order to establish whether a domain name has been registered in “bad faith,” the UDRP panel will examine several factors, such as (1) whether the registrant registered the domain name with the aim of selling the domain name registration to the complainant, (2) whether the registrant registered the domain name to prevent the owner of the trademark or service mark from using the mark corresponding to his name, (3) whether the registrant registered the domain name primarily to disrupt the business of a competitor, and (4) whether the registrant tried to attract visitors by creating a likelihood of confusion with the complainant’s mark.
The Transfer Dispute Resolution Policy (TDRP)
The Transfer Dispute Resolution Policy (TDRP) is used for resolving disputes between two registrars engaging in Inter-Registrar domain name transfers. A TDRP dispute can be brought to the registry for a decision, or to a third-party dispute resolution service provider. In case that a registry operator is chosen, the decision of this registry operator may be appealed by the registrars to an independent dispute resolution provider. A decision made by an independent dispute resolution provider may be appealed only before a court.
3.2 Emergency action channel
The emergency action channel will provide 24/ 7 access to registrar technical support staff who are authorized to assess the situation and establish the magnitude and immediacy of harm. They are also entitled to take measures to restore registration records and DNS configuration to “the last working configuration.”
The emergency action channel will be supported by a contact directory of parties who can be reached during non-business hours and weekends and a companion policy. The companion policy will identify evaluation criteria (including circumstances and evidence) that a registrant must provide in order to obtain an immediate recovery of the domain.
The following circumstances will be taken into account when distinguishing when an urgent recovery policy may be a more appropriate action than the TDRP: (1) immediacy of the harm, (2) the magnitude of the harm, and (3) escalating impact.
This article has shown that domain name theft is a serious issue that can lead to the loss of the domain name and the interruption of services operating under it. It has also shown that domain name theft is a broad term that encompasses several acts of wrongful takeover of a domain name. While domain name thefts that interrupt services will probably be immediately noticed by the legitimate domain name holders, those that do not lead to changes in the DNS configuration may remain unnoticed for a long period of time.
At present, the people/organizations whose domains were stolen may rely mainly on the dispute resolution procedures established by ICANN and on the use of litigation. The UDRP and TDRP procedures are relatively quick and cheap (compared to litigation). However, it should be noted that many victims of a domain name theft may not be able to pay the dispute resolution fees. This is especially true for people in developing countries for which a dispute resolution fee of $2,000 could be equal to their annual salary.
In order to prevent thefts of domain names, companies and individuals may take the following four preventive measures. First, they should not use Hotmail, Gmail, or other free email services as the contact email on the domains. Because free email services have many security vulnerabilities, thieves often hack them and authorize a transfer. Second, companies and individuals need to create as secure a password as possible at their registrar. The use of a completely random password containing upper and lower-case letters and numbers is desirable. Third, in order to ensure the best protection of their domain name, companies and individuals are advised to use a trusted registrar. The well-known registrars provide adequate security precautions. Lastly, when selling domain names, it is advisable to use escrow services. Using an escrow service is a good way to prevent fraud schemes.
Daniel Dimov is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people including popular CEH and CCNA certification courses.