Hijacking vs Theft
Hijacking means unauthorized changes (DNS, ownership) while the domain stays at the current registrar. Theft is a transfer to another registrar or account. Both can destroy brand value overnight.
Attack Vectors
- Phished registrar credentials
- Compromised email → password reset
- Social engineering phone call to support
- Outdated WordPress → malware → session cookie theft
- Cell SIM swap → SMS 2FA bypass
Layered Defense Checklist
- Registry lock + registrar lock
- TOTP 2FA (not SMS) on registrar and email
- Unique 20-char password in password manager
- IP-whitelist for registrar API
- Monitor WHOIS changes daily
Email Hygiene
Use a dedicated Gmail/Google Workspace with Google Advanced Protection: requires hardware security keys, blocks OAuth downgrades, and adds account recovery review.
Phone/Social Engineering
Set a registrar “security word” or PIN that is required for phone support. Add an account note: “No changes without video call verification.” Some registrars (MarkMonitor) enforce out-of-band call-backs.
Registry Lock Deep Dive
Server-side locks (clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited) require both registrar and registry approval, usually fax + phone + dual signatures. Lifting a lock takes 24-72 hours, which prevents a knee-jerk hijack.
DNS Hijack Protection
Use DNSSEC to prevent cache poisoning. Monitor authoritative NS records; if they change without a matching change ticket, freeze the account and call the registrar fraud desk immediately.
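The daily WHOIS/RDAP and NS monitoring recommended in the checklist and above, as an added example that is not part of the original notes: it diffs two constructed daily snapshots (simplified RDAP-like shape, not real registry data) and raises an alert when a lock status disappears, the registrar changes, or a nameserver is added or removed. Hostname normalization avoids false alerts from case or trailing-dot differences between lookups.

```python
import json
from typing import Dict, List

# Lock statuses whose disappearance is a hijack precursor.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Constructed yesterday/today snapshots (hypothetical domain and hosts, not live data).
BASELINE = json.loads("""{
  "domain": "example.com",
  "registrar": "Example Registrar Inc.",
  "status": ["clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"],
  "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"]
}""")
TODAY = json.loads("""{
  "domain": "example.com",
  "registrar": "Example Registrar Inc.",
  "status": ["clientDeleteProhibited"],
  "nameservers": ["NS1.attacker-dns.example.", "ns2.example-dns.net"]
}""")


def normalize_ns(hosts: List[str]) -> set:
    """Lower-case and strip trailing dots so lookups from different tools compare equal."""
    return {h.lower().rstrip(".") for h in hosts}


def diff_snapshot(baseline: Dict, current: Dict) -> List[str]:
    """Compare two daily snapshots; return one alert string per suspicious change."""
    alerts = []
    if baseline["registrar"] != current["registrar"]:
        alerts.append(f"registrar changed: {baseline['registrar']} -> {current['registrar']}")
    # Only alert on locks that were present yesterday and are required.
    removed_locks = REQUIRED_LOCKS & (set(baseline["status"]) - set(current["status"]))
    for lock in sorted(removed_locks):
        alerts.append(f"lock removed: {lock}")
    old_ns, new_ns = normalize_ns(baseline["nameservers"]), normalize_ns(current["nameservers"])
    for ns in sorted(new_ns - old_ns):
        alerts.append(f"nameserver added: {ns}")
    for ns in sorted(old_ns - new_ns):
        alerts.append(f"nameserver removed: {ns}")
    return alerts


if __name__ == "__main__":
    # Any alert here is the "freeze account, call fraud desk" trigger.
    for alert in diff_snapshot(BASELINE, TODAY):
        print("ALERT", BASELINE["domain"], alert)
```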
Corporate Structures
Hold domains in an LLC separate from the operating company. If the operating entity is sued, the domains remain shielded. Add legal counsel as an emergency contact for expedited court orders.
Incident Response Playbook
1) Lock account
2) Change all passwords
3) Remove unauthorized nameservers
4) File ICANN Registrar Complaint within 5 days
5) Engage lawyer for UDRP if ownership changed
Insurance & Recovery
Domain hijack insurance riders cover legal fees and brand damage up to $1 M. Cost is ~0.3% of portfolio value annually, cheap peace of mind for high-value names.