How to recover a stolen domain name
This happened to many sites, and recently to the webrankinfo.com forum for webmasters (Alexa rank 2300), victim of Hijacking. The regulars on board were surprised to see a parking page displayed rather that the website. The domains was suddenly moved from the original registrar to Godaddy!
How to have its domain name hijacked
The technique is
to crack the password for the email address of the administrative
contact. It is simplified if this e-mail is a Gmail or Hotmail or similar
The hacker installed a filter based on the words "domain", "DNS". When mail containing these words were received they were redirected to another e-mail address, perhaps temporarily, so that the legitimate owner is not aware of the messages that pass on the account.
Then the hacker requested a change of registrar. It seems that Godaddy is preferred by hackers probably because it allows for free accounts (no payment, no identity). Note that only the registrar and DNS was changed and not the owner, in this case a payment is made and the identify of the perpetrator of the abuse unveiled.
The hacker, examples of exchanges of messages with victims shown it, suggests him that he could recover control over domain only after a lengthy judicial process and ask him a few hundred dollars for the domain returned to it. We will see further than paying money to the thief is not only immoral but unnecessary.
How not to have a domain name stolen
Unless the hacker have chosen your email by chance, the task is made more difficult if the contact emails are hidden in the whois.
Avoid consulting webpages while a connection to an email account is still open. This is not only for Gmail, in 2003, researchers claimed that 8,000 Hotmail accounts were pirated per day.
You must also avoid to use for contacts e-mail accounts which offer an opportunity to redirect emails according to a filter, to another e-mail account, as happened in this case. Verify in the panel of the account.
Avoid also to use as a contact, an email address displayed on the site or easy to guess, such as the name of the site associated with the name of the service as email@example.com or firstname.lastname@example.org.
We must never to stay connected on an e-mail account and load a Web page. This rule applies more generally to any service that requires a login and a password.
Do not install the GreaseMonkey plug-in for Firefox which allows scripts to run directly in the browser.
The use of webmail (managed on the server) could facilitate piracy. The use of software such as Thunderbird in secure mode (SSH) would be more secure.
You can also use a POP account that is offered by most hosts and registrars for contacts.
How to recover a hijacked domain
As David Airey case shown it, it may take a few days, but it is quite possible to recover control on a domain which is hijacked while you remain the owner.
- Sign up on the registrar which now holds the domain, Godaddy in our example (you could be liable for the account).
- Download and fill out a paper form Undo of Change. Sign the form.
- Make a copy of your identity card or driving licence.
- Scan and send them as attachments via e-mail.
This document allows to cancel the transfer of registrar if it is under way, or to give control on the domain otherwise. Note that it will take longer if the transfer is completed rather than under way.
If the cracker has managed to become owner of the domain, a procedure with ICANN will be necessary, it is longer.
How to recover a stolen email account
This is made by a claim to the host, but more easily by taking certain precautions. On a sheet of paper, note the following information:
- The date of the creation of the account.
- The addresses of your most important correspondents.
- The personal labels created on your account.
- The similar information on your other accounts with the same organization.
And if your account is on Gmail, be sure to check often the IP address of previous connections in footnote, which should always be yours: change the password otherwise.
- CSS Tricks experience. Mail boxes are the weak link for domain owners.
- ICANN transfers policy. It is possible to reverse a transfer.
- How I lost my $50000 Twitter account. Same story, involving GoDaddy again, in 2014. The attacker said he got the last numbers of a credit card from Paypal by a phone call (this is denied by Paypal) and used them as a proof of ownership to take control of the domain name at GoDaddy!