Domain Hosting Hijacking
I’ve heard of Domain Hijacking where hackers will attempt and sometimes succeed in stealing ownership of a domain name. However, I can’t find much posted about Domain Hosting Hijacking. That’s precisely what happened to me.
I have an old domain that I don’t use anymore and I had cancelled my hosting plan for that domain. Unfortunately, I forgot to update the nameservers in the registrar and just left it pointed to the hosting company.
A couple of years later, I was curious about the domain and decided to check up on it. I saw the nameservers were pointed to a specific hosting company and thinking I still might host it, I typed in my domain name. Sure enough, my old website came up! But, something was off. Some of the links were dead and hovering over other links, it looked like they might be malicious.
It quickly became clear that someone had figured out I was no longer hosting the site, but saw the nameservers pointed to a specific host and registered their own hosting for my domain. It appears they used the WayBack Machine to scrape an old snapshot of the site and updated it with their malicious links. They also had full DNS control over email as well so they had hijacked all of the email that went to that account. I have no idea if any of my internet accounts I used for that email were compromised. There’s no way to tell since it’s been years since that email was active.
I quickly changed the nameservers to the parking lot of my registrar and cut off their capabilities to use that domain name. I also contacted the hosting company and asked them to remove that user account. They have their process of domain ownership verification that I have gone through, but it was still a bit of a pain and ate up some of my free time.
So, how did these guys figure this out? This happened because people are scraping public WHOIS data, storing it in local data stores, querying that data internally, and running reconnoissance on millions of domains. They can see the IP of the host, send a GET request to see if they get a 200 OK. If not, they can then check if the nameservers are pointed somewhere. If so, they have free access to register that website on the specific host. This is a perfect plan to slip under the radar and take over hosting, email, and do all sorts of mischief while you hold the bag of domain ownership.
What I’ve learned from this:
- Never outsource your DNS to your hosting provider. Use a long-term, trusted DNS provider.
- Instead of farming out your entire DNS zone to the host, point your A records to the box IP your host gives you, or better yet, use a CDN.
- Take inventory of your domains every few months to make sure no one is using a mistake you made to bring harm to the internet
- Always point unused domains to a secure parking nameserver from your registrar or remove appropriate records in your DNS.
In this situation, I opened the door, and some malicious actor from Lithuania walked through it. Hopefully this helps save someone some grief.
Someone is always, always watching your WHOIS data.