Skip to main content
  • Cybersecurity

Domain Hijacking — Worst-case scenarios and how to protect yourself

Hijackers can have varying motives to take over a domain, we look at some.
By Rob Williamson
Marketing Manager

Hijackers can have varying motives to take over a domain, we look at some.

What is domain hijacking?

Domain name hijacking is when a hacker wrongfully gains control of their targets’ complete Domain Name System (DNS) information, enabling them to make unauthorized changes and transfers to their advantage. 

How does domain hijacking work?

There are a few different methods in which your domain name can be hijacked; however, the easiest and most common way is by changing the administrator’s handle information through social engineering or hacking into the administrator’s email account.

The first piece of information that an attacker needs to access their targets’ domain control panels is the administrative contact email address. This can be found in public records via WHOIS for the domain. Or in some cases, a disgruntled employee may simply already have the necessary information.

Once the hacker has obtained the email address, they are just an email hack or phone call away from taking over their targets’ domain. Seems simple, doesn’t it? 

Why do domains get hijacked?

Motives vary, and it is critical to understand the severity of the outcomes that can occur from their particular intentions. Hijackers can be motivated by money, whether it’s for resale of a valuable domain or blackmail. They can also be in it purely for the challenge, have malicious intent, or for hacktivism

Worst case scenarios —most common types of hijacks:

  • Domain Name transferred:

    Once a hacker has accessed their targets’ domain control panels, a common tactic is to transfer the domain name to redirect traffic through external hosts. This can be particularly damaging when an eCommerce business is the target, given their website is their most valuable asset, and can result in their business losing thousands of dollars in revenue. This can explain why eCommerce sites have become a popular target for hackers.

    For example, if a luxury merchandising company had their website hijacked and transferred to a fake website, they would not only lose revenue, but would also damage their superior luxury brand image, and trust from their loyal customers. This occurred in February 2015 to, when their domain name was transferred to an account in China, which sold counterfeit merchandise. Hackers got into their registrar account and managed to manipulate all their information and transferred the domain. They lost all their website traffic, thousands of dollars lost in revenue, and their trusted image not to mention the cost in IT and management time in sorting out the problem.

  • Communication disruption:

    When taking over a domain, hackers have the ability to disable and interfere with communication channels, including web and email. Oftentimes, a hijacker will take a sneakier approach by taking over a target’s email without their knowledge. The attacker can remain hidden while receiving all the target’s incoming emails. To understand the severity of this kind of situation, an extreme example would be if an attacker hijacked the Toronto Stock Exchange or perhaps an investment banking site. Once given access to all incoming emails, the hijacker would be privy to secret information and could make millions with this confidential information. 

    Additionally, an attacker can take a more aggressive approach by sending out fake emails from the target’s address. For instance, they could use the database of customer emails to their own advantage by sending out spam or trying to sell another product/ service.

  • Pharming:

    When the hijacker points the current website being attacked to a malicious site, or takes control of the site and posts offensive content, this is called pharming. Companies are vulnerable to new content put on their site, and this can result in severely damaging their reputation, and the loss of customers.

    When Air Malaysia’s domain name was hijacked and replaced with a picture of a tuxedo-adorned, pipe-smoking, monocled lizard. This type of nuisance hijack had a measurable and costly impact in damaging the reputation and trust of the airline just as they were grappling with some high-profile air disasters.

  • Phishing:

    A more advanced form of domain hijacking, which can be extremely detrimental to customers, is phishing. Phishing refers to when a hijacker replicates a company’s website (aka pharming) to collect valuable information, for example, credit card and social security numbers. The attacker is able to send emails by legitimate authority to customers with the aim of gaining valuable personal and financial information, for instance, credit card numbers, and passwords.

    For instance, imagine if a hacker got into a university’s site and began sending out emails from an administrative account to all students requesting that they update their account information and passwords. They could even point the request to a seemingly legitimate domain name. The hacker could then have access to thousands of students’ personal information, including grades and billing information as they enter it. 

  • Domain takeover:

    Domain names are a valuable asset, and the high prices attract not only companies but can also attract hackers. Once a hijacker takes over your domain they have complete control and can sell your domain leaving you with nothing, or blackmail you for ransom.

    For example, Micheal Lee was the owner of the website which he bought in 1997 for only $600, and the website was recently valued at $47,000. Importantly he was also using it to run his business (Michael Lee and Associates) so the value included an operational website and email addresses. In 2014 a hacker stole his website and there was little he or GoDaddy, his domain registrar, could do. While this story has a happy ending, it took almost two years for Michael to get it back and illustrates a number of important administrative and security measures to remember when managing a domain.

    The situation with a .CA domain would be quite different because CIRA has Nexus requirements for both domain holders and their registrars. This means that you and domain registrars need an attachment to Canada to be granted a .CA domain (or to sell them). It makes it easier to track down, fix, and even prosecute fraud for the parties involved. However, even the simple act of updating domain records requires us to follow very careful protocols to avoid being victims of social engineered ourselves. Your site will be down for an indeterminate period while we conduct careful verifications. 

How to recover after a domain hijacking attack

If you find yourself one of the many unfortunate victims of domain hijacking, the first step is to immediately contact your domain registrar, and change all passwords to prevent the hacker from getting into any other accounts. Your registrar will work with the .CA registry to help track down where your domain was sent, and if it has been registered somewhere else. 

After your domain hijack is hopefully resolved, depending on the severity of the hijack, it can be beneficial to share your story to build back your reputation and trust. In any scenario, whether your site was shut down, directed to malicious content, or your emails were interfered with, it is important to explain the situation to maintain customer and user trust.


Now you know the various worst-case scenarios so that you make take appropriate steps to mitigate them. Registry Lock is a service offered by CIRA and available through some domain registrars. When a domain is in Registry Lock, you (as the authorized Registry Lock user) and only you must go through additional administrative processes to lock (and unlock) the domain with CIRA.

Another option is to add CIRA Domain Lock for your website. Domain Lock is a simple click of a button available only to delegated authorized user profiles within your organization. It is available to those who are using the CIRA Anycast Secondary DNS Service. If your DNS service doesn’t include the ability to implement this important security feature then please take the time to contact us to learn more about secondary DNS services and more about Domain Lock. Together they are powerful protection for your most important domain assets.

Registrars often also have some form of locking mechanism within their software tools; available as an up-sale or with their higher level packages.

CIRA Cybersecurity Services

Did you know that CIRA has a suite of cybersecurity services that are helping protect millions of Canadians? Learn more about DNS Firewall and Cybersecurity Awareness Training.

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.