Over the past year, SEAL has assisted numerous projects whose primary domain was stolen by an attacker, and we did so again recently for a project that is currently conducting a post-mortem. In each case, the story is the same: the attacker takes the domain from the project’s domain registrar, and in doing so gains access to their emails, messages, social media accounts, and much more. With no recourse from the registrar, the project is often forced to concede to the attacker’s demands or risk losing all their data forever, or even being the subject of an embarrassing public leak.
Given that projects can spend upwards of hundreds of thousands of dollars on code audits, it’s important to not overlook something which is conceptually simple and easy to blend into the background, but serves as keys to a project’s entire Web2 kingdom.
Methodology
The root cause in each incident is holding a high-value domain at a consumer-grade domain registrar. These registrars are not designed to protect your domains against the barrage of modern threat actors and often have support staff who are at risk of being socially engineered, or even bribed, into leveraging their internal access to transfer domains between accounts. Once the threat actor has established this foothold, all it takes is one message to their double agent and they receive ownership of any domain they want. Historically, users of registrars such as GoDaddy, Squarespace, and Namecheap have all reported having their domain inexplicably transferred away from them with no warning or ability to react.
Once the domain has been hijacked, the original owner can only watch helplessly while the attacker updates the A/AAAA records in order to host malicious content, such as a crypto wallet drainer, on the trusted domain. Even worse, the attacker is able to update the MX records in order to intercept emails sent to the domain. This means that most accounts registered using an email address on the domain can now be compromised via a simple password reset. Some accounts with 2FA enabled may be protected, but this varies on a case-by-case basis.
Even if the domain is recovered, the team must now spend considerable time ensuring that the attacker didn’t insert any backdoor admin accounts into their infrastructure, costing precious time and energy. Overall, it’s a high stress situation that can be easily avoided by following a few simple steps.
Recommendations
SEAL will be publishing a thorough Framework to cover the topic of domain security in the near future, but in the spirit of optimizing for progress rather than perfection, we urge all projects who want to avoid a potential nightmare scenario to review their domain portfolio and transfer any domains currently held at a consumer-grade registrar to one of the following alternatives. While not a guarantee against the threat of domain hijacking, these registrars have a proven track record in security, and transferring to them can significantly reduce the risk.
Regardless of which registrar is chosen, we also recommend that projects use a separate email address, one not hosted on the domain itself, when creating the registrar account. This avoids a recursive dependency: if the registrar login can be reset through an address on the domain, an attacker who controls the domain's MX records also controls the registrar account. Projects should also set up all available account security measures, such as TOTP 2FA or security keys.
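Two of the checks above can be automated: detecting the A/AAAA and MX record changes that follow a hijack, and verifying that the registrar account email does not depend on the protected domain. The script below is an added example written for this post, not SEAL's own tooling. The baseline and the "observed" snapshot are constructed sample data using the reserved `.example` TLD and documentation IP ranges; `fetch_address_records` is an optional live lookup via the standard library (it covers A/AAAA only, since MX lookups need a DNS library), and a real deployment would compare a stored baseline against resolver output on a schedule.

```python
"""Domain-hijack hygiene checks: DNS record drift and registrar-email dependency.

Added example; sample data below is constructed, not taken from any incident.
"""
import socket
from dataclasses import dataclass

# A snapshot maps a record type ("A", "AAAA", "MX") to the set of values seen.
Snapshot = dict[str, set[str]]

# Constructed baseline: what the project expects its zone to contain.
EXPECTED: Snapshot = {
    "A": {"203.0.113.10"},
    "AAAA": {"2001:db8::10"},
    "MX": {"10 mail.project.example."},
}

# Constructed snapshot modelling the post-hijack state described in the text:
# A record repointed to attacker-controlled hosting, MX repointed to intercept mail.
OBSERVED_HIJACKED: Snapshot = {
    "A": {"198.51.100.66"},
    "AAAA": {"2001:db8::10"},
    "MX": {"10 mx.attacker.example."},
}


@dataclass
class Finding:
    record_type: str
    severity: str
    detail: str


def diff_snapshot(expected: Snapshot, observed: Snapshot) -> list[Finding]:
    """Return one Finding per record type whose value set drifted from the baseline.

    MX drift is rated critical because it enables the password-reset takeover path;
    A/AAAA drift is rated high because it lets the attacker serve content on the domain.
    """
    findings: list[Finding] = []
    for rtype in ("A", "AAAA", "MX"):
        exp = expected.get(rtype, set())
        obs = observed.get(rtype, set())
        added, removed = obs - exp, exp - obs
        if not added and not removed:
            continue
        severity = "critical" if rtype == "MX" else "high"
        findings.append(
            Finding(rtype, severity, f"added={sorted(added)} removed={sorted(removed)}")
        )
    return findings


def fetch_address_records(domain: str) -> Snapshot:
    """Live A/AAAA lookup using only the standard library; empty sets on failure."""
    snapshot: Snapshot = {"A": set(), "AAAA": set()}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(domain, None):
            if family == socket.AF_INET:
                snapshot["A"].add(sockaddr[0])
            elif family == socket.AF_INET6:
                snapshot["AAAA"].add(sockaddr[0])
    except socket.gaierror:
        pass
    return snapshot


def email_domain(address: str) -> str:
    """Domain part of an email address, lower-cased, without a trailing dot."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def is_recursive_dependency(protected_domain: str, registrar_account_email: str) -> bool:
    """True if the registrar login email lives on the protected domain (or a subdomain).

    Such an account can be reset via mail to the domain, so whoever hijacks the
    domain's MX records also gains the registrar account.
    """
    d = protected_domain.lower().rstrip(".")
    e = email_domain(registrar_account_email)
    return e == d or e.endswith("." + d)


if __name__ == "__main__":
    for f in diff_snapshot(EXPECTED, OBSERVED_HIJACKED):
        print(f"[{f.severity}] {f.record_type}: {f.detail}")
    print("registrar email on protected domain:",
          is_recursive_dependency("project.example", "admin@project.example"))
```

Run against the constructed data it reports the A change as high and the MX change as critical, and flags the registrar email as a recursive dependency. To use it for real, record the zone's expected values once, resolve the domain periodically, and alert on any non-empty result from `diff_snapshot`.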
For further questions, or assistance in verifying domain configuration, please contact [email protected]. If your domain has been hijacked and you need urgent assistance, contact SEAL 911.