Domain Name Hijacking [Podcast]
Welcome to Lawyers.com Radio. Your legal solutions start right here. We’ll help you understand your legal issues, find a lawyer in your area, and suggest legal forms or legal self-help.
Matt: I’m Matt Plessner and today’s show is sponsored by Traverse Domain Law. We’re going to be discussing domain hijacking, today, with Attorney-at-Law from Traverse City, Enrico Shaefer.
Two Types of Domain Name Hijacking
Matt: Exactly what is domain name hijacking?
Enrico: Domain name hijacking is a term of art. People contact our law office, and will often say, “Hey, my domain name has been hijacked,” or “I’m the victim of domain name hijacking.” They mean two different things.
In some instances, when someone says that his or her domain name has been hijacked, that means someone, typically inside their company or who used to be associated with their company or their webmaster, has literally stolen their domain.
So even though the company controlled it for a period of time, because a person had access to the registering account with the registrar, such as GoDaddy, that person was able to log in and literally change the name and contact and email address for the person who owns the domain to his or her information. So, it is very much like someone stole your domain.
The other instance where domain name hijacking occurs is when a person believes someone else is controlling a domain name, which violates the victim’s trademarks rights. Even though this person never registered the domain, he or she will often times view that as domain name hijacking because someone is stealing the victim’s customers and their traffic using the victim’s trademark, pushing viewers into a domain name or website that violates a trademark.
Someone Abuses Access and Takes Control of the Domain Name
Matt: What usually happens when a domain name is hijacked?
Enrico: What we often see, especially on the domain theft side or stolen domain name side, happens when the IT person or a business partner or a key employee ends up having a falling out with the company, and gets fired or quits. What happens next is pretty predictable. The person is angry. The person might believe that since he or she registered the domain name he or she should own it.
The person still has access to the registrant account with the registrar, which could be GoDaddy or one of the other registrars. He logs in and they literally takes control of that registering account of that domain name and moves it into his own name, perhaps turns off the DNS and shuts down the website.
Here’s what you need to understand in those situations. The person who controls the registrant account login at GoDaddy or one of the other registrars, the person who can log in to that account can control that domain name. She can control the listing of who owns it to herself, and she can also control where the DNS points.
The DNS is the domain name server, and so essentially, this person can turn off your website by pointing the domain somewhere else or turning it off altogether. So domain name theft to hijacked domain names often occurs internally because companies or people fail to maintain security and control over their registrant account. That’s something that you would think would be less common than it is. You might think that people would take their domain name more seriously.
A lot of business comes through a domain name. It’s a critical company asset. But all too often, the top people at the company don’t even know how to log into the registrant account and control the domain name. When they fire someone, they forget to remove that access and to change the login information for the registrant account so that nothing bad happens to the domain name.
Cybersquatting on Your Trademark
On the other side, the cybersquatting side, there are probably dozens or hundreds of variations of your trademarks as domain names. If someone registers one of those domain names in order to steal your traffic or steal your customers, then that is also considered domain name hijacking. If they try and sell it back to you at an inflated price, that’s called cyber-extortion. These are things that you always have to be aware of if you do any business off of the Internet.
Matt: So, often the root of the problem, be it from a business or any other kinds of cybersquatting, has a lot to do with the login, whether somebody hacks in or already has access?
How to Protect Your Domain Name
Enrico: Yes, so much of this involves internal processes. The web world is still a little bit foreign to people at many companies. Even though they will tell you that their website is critical to their business, if they lost control of their website they’d be out of business and could literally have to shut down their company, they do very little to actually protect their domain name and protect their registrant account.
It’s because of the disconnect between technology and people, right? You have the guy in the IT department handling all that, or one of your business partners who thinks the web was handling all of that. So, the lack of internal controls within a company often results in loss of control of the domain name, and that’s a big issue. If someone hacks into your account, that’s a big problem.
There are registrars that are more secure than others. You need to make sure that you’re changing your username and password, and using really good passwords in order to preclude someone from hacking into the account. The variations are infinite here.
You might receive an email that appears to be from GoDaddy, and it’s really a phishing site looking to get your login information so that they can then log into your account and steal your domain name. There are a lot of hazards out there for your website and domain name, and you, as a company, as a business, as a business person, need to be extremely careful about that business asset.
Matt: So would you say it would be a good idea, if you’re a company owner or supervisor, to change the password after somebody is terminated?
Enrico: Absolutely. The most common thing that happens is there’s a falling out between business partners, or the IT person gets let go, or you hire a web development company and they actually register your domain name, which is your trademark, and put it in their own name. These are the silly things that happen, where companies fail to protect themselves.
There are easy things to get out in front of where you can protect yourself from harm. But companies are not yet at the point where they’re actually thinking, “Hey, my domain name is critical. It’s of critical importance to me and my company and our revenue. What are we doing to protect that domain name? What are the ways that our domain name could be lost, and how do we go about making sure those things don’t happen?”
Companies need to be very aware that these domain names that are accessed through logins are subject to hijacking, theft and attack.
Matt: Of course, hacking does happen, though not quite as common. Are there ways to make the hacking harder or impossible?
Enrico: Not impossible, but there are certainly levels of security that you can add to your registrant account at your registrar to make sure that your domain name is protected. Obviously, you need to have a username and a password which is unique – caps, numbers, nonsense words, non-dictionary words. These things are all important.
But there are also registrars out there, like Moniker, which provide extra security above and beyond, say, a GoDaddy or TuCows. So if your domain name is really that important to you, then you might want to have a surrogate. As attorneys we control some clients’ accounts. That way, as employees come and go, we’re acting as a trustee for those domain names so that the clients know that they can always get access.
We’ll periodically change the usernames and passwords for them to protect the domain names from theft. But these are the types of controls and systems and processes that you need to put in as a business owner to make sure that your domain name isn’t hijacked.
What To Do if Your Domain Name Is Hijacked
Matt: Finally, if you discover that your domain name has been hijacked, what steps should you take?
Enrico: Well, there are any number of possibilities. If it’s a business partner and he’s trying to extort you on the way out the door, then obviously there are going to be threat letters and potential litigation. Typically, in almost all instances, that domain name is a company asset, and anyone that converts it for personal use is essentially guilty of domain name theft.
You might have to get an immediate court order to move the domain back or to lock down the DNS to make sure that no-one turns off the website. The other possibility is that you could work with the registrar. If you can prove that your account was hacked and that you are the owner of the domain, in some limited circumstances, a GoDaddy or another registrar will get involved and return the domain to your control.
Typically, they just want to stay out of it, as you might imagine, because they don’t want to have to sort things out. If someone is using your website to divert your customers, to use your trademark for their benefit, you might have a Uniform Domain Name Dispute Resolution Policy Arbitration or an Anti-cybersquatting Consumer Protection Act Litigation claim that you can file.
The main thing is to act quickly, meet with your attorney, make sure your attorney understands how the domain name system, the DNS system, and the registrar registry systems work, so that she can navigate it and quickly get things back, turned on, and in order.
You’ve been listening to Lawyers.com Radio, where legal issues and solutions are always the topic of conversation.