How to recover a stolen domain name

This happened to many sites, and recently to the webrankinfo.com forum for webmasters (Alexa rank 2300), victim of Hijacking. The regulars on board were surprised to see a parking page displayed rather that the website. The domains was suddenly moved from the original registrar to Godaddy!

How to have its domain name hijacked

The technique is to crack the password for the email address of the administrative contact. It is simplified if this e-mail is a Gmail or Hotmail or similar account.
The hacker installed a filter based on the words "domain", "DNS". When mail containing these words were received they were redirected to another e-mail address, perhaps temporarily, so that the legitimate owner is not aware of the messages that pass on the account.

Then the hacker requested a change of registrar. It seems that Godaddy is preferred by hackers probably because it allows for free accounts (no payment, no identity). Note that only the registrar and DNS was changed and not the owner, in this case a payment is made and the identify of the perpetrator of the abuse unveiled.

The hacker, examples of exchanges of messages with victims shown it, suggests him that he could recover control over domain only after a lengthy judicial process and ask him a few hundred dollars for the domain returned to it. We will see further than paying money to the thief is not only immoral but unnecessary.

How not to have a domain name stolen

Unless the hacker have chosen your email by chance, the task is made more difficult if the contact emails are hidden in the whois.

Avoid consulting webpages while a connection to an email account is still open. This is not only for Gmail, in 2003, researchers claimed that 8,000 Hotmail accounts were pirated per day.

You must also avoid to use for contacts e-mail accounts which offer an opportunity to redirect emails according to a filter, to another e-mail account, as happened in this case. Verify in the panel of the account.

Avoid also to use as a contact, an email address displayed on the site or easy to guess, such as the name of the site associated with the name of the service as mysite@gmail.com or mysite@hotmail.com.

We must never to stay connected on an e-mail account and load a Web page. This rule applies more generally to any service that requires a login and a password.

Do not install the GreaseMonkey plug-in for Firefox which allows scripts to run directly in the browser.

The use of webmail (managed on the server) could facilitate piracy. The use of software such as Thunderbird in secure mode (SSH) would be more secure.

You can also use a POP account that is offered by most hosts and registrars for contacts.

How to recover a hijacked domain

As David Airey case shown it, it may take a few days, but it is quite possible to recover control on a domain which is hijacked while you remain the owner.

  1. Sign up on the registrar which now holds the domain, Godaddy in our example (you could be liable for the account).
  2. Download and fill out a paper form Undo of Change. Sign the form.
  3. Make a copy of your identity card or driving licence.
  4. Scan and send them as attachments via e-mail.

This document allows to cancel the transfer of registrar if it is under way, or to give control on the domain otherwise. Note that it will take longer if the transfer is completed rather than under way.

If the cracker has managed to become owner of the domain, a procedure with ICANN will be necessary, it is longer.

How to recover a stolen email account

This is made by a claim to the host, but more easily by taking certain precautions. On a sheet of paper, note the following information:

And if your account is on Gmail, be sure to check often the IP address of previous connections in footnote, which should always be yours: change the password otherwise.

More infos