//Blogs - 19 Oct 2018

What Scotty Didn't Know – your guide to domain takeovers

Last night, a domain belonging to our PM lapsed, resulting in a cheeky citizen snapping it up [1]. If your business lost control of its domain, what would you do?

Losing your domain can greatly impact business operations – email will stop working, customers won’t be able to access your website, soon calls and tweets start coming in. In a worst case scenario, someone with malicious intent can claim the domain, start receiving sensitive business emails, receive password reset emails for online services, and start sending emails as you. Not only does this look unprofessional, but can significantly impact service to your clients, your access to other services (via email password resets), and impact business revenue.

Fortunately, prevention is as simple as not letting the renewal get lost in a sea of tasks:
– See if your registrar allows automatic renewal, and make sure your payment details are kept up to date
– Set an alert far enough in advance to get the expense approved and paid
– Don’t ignore emails from your registrar, but also don’t click links in the email. It is always safer to go directly to their website
– Related to the previous point, watch out for scam emails claiming to be from a registrar. They often use urgent wording to try get you to click

ICANN is the Internet Corporation for Assigned Names and Numbers. They control generic top level domains (gTLD) such as .com, .net, .space. The number of gTLDs is expanding, but there are currently over 1900 that have been delegated. ICANN policy allows a 30 day redemption grace period where the registered name holder can renew a lapsed gTLD.

The .au TLD is a country code top level domain (ccTLD). In Australia, the .au top level domain, which includes .com.au, .gov.au, .net.au, .edu.au, is controlled by auDA – .au Domain Administration Ltd [2]. auDA’s domain name renewal policy for lapsed domains is also 30 calendar days after expiry.

Conveniently, for potential scammers, there is a public list of expired domain names, updated daily. [3]

If someone has taken your .au domain and is trying to sell it back to you, this is called cybersquatting, and not allowed according to auDA’s policies:
“A registrant may not register a domain name for the sole purpose of resale or transfer to another entity.” [4]
In this scenario, you would be able to file a complaint with auDA.


Registering similar domains

So you have awesomebusiness.com.au … but what if someone buys awesomebusiness.com? Or awesomebusiness.tk? Domains are fairly cheap, so it often doesn’t hurt to buy the more common ones, like .com or .net If you follow this route, try not to let them lapse as well!

If someone does register a domain that infringes on your trademark, it may be possible to have it de-registered. We recommend speaking with your legal department for advice. AusCERT is only able to issue takedowns for malicious domains that are used to distribute malware or phishing campaigns.

Subdomain takeovers

It would be remiss to have a post about domains but not mention subdomain takeovers. This often occurs when CNAME records aren’t kept up to date. For example, say you have campaign.awesomebusiness.com.au which points to hosting.cloud.com. After the campaign ends you take down the site, but forget remove the CNAME record. This would allow someone else to establish a service on hosting.cloud.com, and set up a phishing site for your users at campaign.awesomebusiness.com.au. To prevent this, include updating DNS in your decommissioning process, and periodically check your DNS zone file.

While domain threats are not often at the forefront of our minds, a little bit of housekeeping can go a long way to prevent an embarrassing incident in the future.


[1] https://web.archive.org/web/20181018222134/http://www.scottmorrison.com.au/
[2] https://www.auda.org.au/
[3] https://afilias.com.au/about-au/domain-drop-lists
[4] https://www.auda.org.au/policies/index-of-published-policies/2012/2012-04/