24
Jan 20

Does Your Domain Have a Registry Lock?

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC for (for .cn) domains, and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks.

DNSSEC

Shortly after pointing e-hawk.net’s DNS settings to a server they controlled, the attackers were able to obtain at least one encryption certificate for the domain, which could have allowed them to intercept and read encrypted Web and email communications tied to e-hawk.net.

But that effort failed because E-HAWK’s owners also had enabled DNSSEC for their domains (a.k.a. “DNS Security Extensions”), which protects applications from using forged or manipulated DNS data by requiring that all DNS queries for a given domain or set of domains be digitally signed.

With DNSSEC properly enabled, if a name server determines that the address record for a given domain has not been modified in transit, it resolves the domain and lets the user visit the site. If, however, that record has been modified in some way or doesn’t match the domain requested, the name server blocks the user from reaching the fraudulent address.

While fraudsters who have hijacked your domain and/or co-opted access to your domain registrar can and usually will try to remove any DNSSEC records associated with the hijacked domain, it generally takes a few days for these updated records to be noticed and obeyed by the rest of the Internet.

As a result, having DNSSEC enabled for its domains bought E-HAWK an additional 48 hours or so with which to regain control over its domain before any encrypted traffic to and from e-hawk.net could have been intercepted.

In the end, E-HAWK was able to wrest back its hijacked domain in less than 48 hours, but only because its owners are on a first-name basis with many of the companies that manage the Internet’s global domain name system. Perhaps more importantly, they happened to know key people at PDR — the registrar to which the thieves moved the stolen domain.

Dijkxhoorn said without that industry access, E-HAWK probably would still be waiting to re-assume control over its domain.

“This process is normally not that quick,” he said, noting that most domains can’t be moved for at least 60 days after a successful transfer to another registrar.

In an interview with KrebsOnSecurity, OpenProvider CEO and Founder Arno Vis said OpenProvider is reviewing its procedures and building systems to prevent support employees from overriding security checks that come with a registrar lock.

“We are building an extra layer of approval for things that support engineers shouldn’t be doing in the first place,” Vis said. “As far as I know, this is the first time something like this has happened to us.”

As in this case, crooks who specialize in stealing domains often pounce during holidays, when many registrars are short on well-trained staff. But Vis said the attack against E-HAWK targeted the company’s most senior support engineer.

“This is why social engineering is such a tricky thing, because in the end you still have a person who has to make a decision about something and in some cases they don’t make the right decision,” he said.

WHAT CAN YOU DO?

To recap, for maximum security on your domains, consider adopting some or all of the following best practices:

-Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).

-Use DNSSEC (both signing zones and validating responses).

-Use access control lists for applications, Internet traffic and monitoring.

-Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.

-In cases where passwords are used, pick unique passwords and consider password managers.

-Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.

-Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.

Tags: , , , , , , , , , , , , ,

42 comments

  1. Really happy that Brian choosed to talk about Registry Locks today ! It is a feature that I find too little known and promoted by registrars, although it is one of effective yet simple ways in reducing the risk of compromising a domain name, for example through social engineering techniques like in e-hawk.net story.
    (By the way, Afnic does support registry lock for .fr domains, so ask your registrar about it !)

  2. The Sunshine State

    My domain name provider provides 2FA , Registry Locks and DNSSEC which are all enabled.

  3. Excellent talk by PCH here on this topic and what they faced in 2018: https://youtu.be/oNF6TE75mzg

  4. crazy that not everyone uses the domain registry lock setting. its domain security 101

  5. Great article Brian; this will be an education for KOS readers who may not have heard how the mechanics of their favorite web sites work.

    Social engineering can be a CIOs worst nightmare – it is difficult to train staff on just how to resist it. After all, it is only human to strive to make customers happy in every instance – but can become a disaster for them so quickly!

  6. You write:

    “Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.”

    Registrar lock can be turned off with a simple click of a button if someone has access to the registrar account. I’m not aware of any registrars letting the registrant specify a communication method for this.

    As you write, Registry Lock is much more secure but more work to make changes.

    For those with a lot of domains, GoDaddy offers a free service to high spend customers in which they will call a phone number on file and verify a pin before approving any outbound transfers.

  7. Kenny Blankenship

    Maybe someone can help shed some light onto this for me, but a registry lock isn’t going to matter in the case of a subdomain takeover vulnerability, right? For example, if abc.xyz.com has a CNAME pointing to abc.xyz.github.com, what would stop me from registering that Github pages site? My thinking is that the registry lock wouldn’t carry over to the service that the subdomain is pointing to (i.e., abc.xyz.github.com), only the main subdomain (i.e., abc.xyz.com). At that point, the service would still be registered to the attacker and they’d have control of the original subdomain anyways. Heck, a registry lock would only help them out in that case.

    • Not a DNS expert by any means but name probably would not resolve without the root entries in the server and to have those you need the redirect to the address and its probably not going to replicate to the backbone servers that build on the root hints.

      A way to protect against Domain Name hijacking is to use a subdomain for a high level domain that is owned by the registry that you want to use. Of course this means that you have to trust that the registry will not profiteer unfairly because you really are locked in with them if you take this route.

    • Correct. subdomain hijacking due to poor DNS hygiene or a misconfigured CNAME is something different entirely.

  8. You know I was thinking about exact same thing. Social engineering is the weakest link of this entire process, and unfortunately there’s not much you can do about it for as long as the registrar company wants to make it “convenient” to reset your password via a phone call or a chat room.

    So having that in mind I have recently transferred my domains to Google Domains. At least they provide known means of 2FA and are themselves well known for not having easily available “human” tech support.

    Do you guys have any other registrars in mind that could beat Google?

    • I like the recovery proces of namesilo, where they require payment details, such as order numbers, for verification that you cannot know as an outsider. But I dont use them, because I figured my best defense against stolen domains would be a language barrier. So I picked a local registrar that would probably be more suspicous of English requests and could just call me in my own language.

      Oh, and they are a reseller of Openprovider.. Woopsie.

  9. Therein lies one of my biggest pet peeves about this industry: the difference between the terms “registry lock” and “registrar lock” seem to be significant. The credit reporting agencies play similar games with credit lock, report freezing, report locking and account lock. Only if one sees both terms together and recognizes that they in fact mean entirely different things, can one possible decide if they are doing the right thing, or the resultant behavior is what was anticipated.
    There are so many nuances to the use of similar terms, which I’m sure the lawyers intended, precisely to cause confusion, that many of us end up disgusted, and poorly served by the companies that play these games.
    It is difficult to teach unsuspecting enterprise account managers, and far less consumers, about how to secure their assets properly when they are not given all the information they need in a clear concise fashion with the differences between all similar terms explained.

  10. Did you know that Domain(.)com doesn’t offer 2FA? How can a registrar with that domain name not offer 2FA in 2020??????? It’s disturbing.

  11. Unfortunately registry locks aren’t offered by many companies (which causes kind of a catch 22 scenario), and due to the way they work it’s probably too expensive for all but the largest companies to protect all their domains with a registry lock.

    • Yes the fact that they’re not offered by all registrars is noted in the story. If anything it’s a few hundred bucks. That’s a rounding error if you’re a large company. I’m not a large company and we have one, and I don’t recall it costing much.

      • It’s a few hundred bucks *per year*. While this is indeed affordable for just one domain name, or perfectly affordable if you are a big company raking in the profits, it may not be so affordable if you have several domains as a small or midsized company or as an individual. It balloons the cost of a domain name portfolio.

        I feel blamed for “not taking every precaution possible” to protect our domains, and if a takeover were to happen to my portfolio, I wonder if they’ll say “well, you should’ve bought the registry lock.” It’s as if bad things are going to happen to your domains if you can’t afford to pay Big Louie when he comes along to collect the money for his “protection services.”

        I wonder if the cost was the reason why E-HAWK didn’t have the registry lock.

  12. It’s an unfortunate reality that many domain registrants won’t add “registry lock” even when it is available.

  13. I remember that you wrote an article about Registry lock (and DNSSEC) a few years ago.
    That advised me to set it up for my domain.

    Even if I am not a primary target, registry lock and DNSSEC are essential to our on-line well-being.

    Thanks Brian!

  14. Are there any downsides to DNS SEC? Like lack of support from older software, etc.

  15. That WhatsApp was the vector through which the malware operated in both this case and the MBS hack of Jeff Bezos’ phone is a real eye-opener, which underscores the continuing value for an updated version of that old “think before you click” maxim specifically tailored for phones: THINK BEFORE YOU TAP!

  16. Only slightly relevant…

    Some years ago, i had a domain spnet.com

    There was a lawsuit involving ESPNET.COM, and some clerk at the court or NSI mistyped ESPNET.COM as spnet.com, and NSI locked my domain. It took me YEARS to get NSI to recognize that my ‘spnet.com’ had no relationship to the court action, and then unlock the domain.

  17. We only have Verisign COM and NET domains. Our primary domain registrar, which also happens to have one of the most significant market shares in the industry, doesn’t offer the Verisign registry lock.

    Our alternative registrar does, but charges 2500% of the cost of the standard domain registration for registry lock, per year of course. In addition, they also charge a one-time setup fee. That is too cost-prohibitive for us.

    So while we are willing to heed the advice in this article, we are unable to for the time being. I wish that those who advise the registry lock would do the research and discuss the availability and pricing issues.

  18. Seems like it should be impossible to get hijacked if you use a 2FA device even if the password gets changed so long as the customer service representative isn’t so helpful as to take 2FA off the account. Or am I missing something?

    They would say now we have changed the password for you, go ahead and log in now. Without the device, it won’t work.

  19. I am a bit confused as @Dick Hacking said in the above comment that there is a difference between “registry lock” and “registrar lock”. Most of the providers give locks that we have to deactivate for transfers. Can a customer care rep deactivate this by a call? I as far as I know domain hijacker work on creating confusion.

    Godaddy calls it “Domain lock”
    Google also calls it “Domain lock”

    Can we assume that these locks are good enough?

    • A registrar lock is the same as a domain lock. The point of the story was that if all you have a domain/registrar lock, your site could still get stolen if the attackers can trick some customer service person at your registrar into bypassing that, as happened to E-HAWK. The idea behind a registry lock is that it takes that capability away from the registrar.

  20. What would happen if a website was PCI Compliant, and something like this happened?

    • Same. Total request interception.

      PCI is a minimum standard and has nothing but it’s vagueness to protect from technical attacks that poke out of scope controls. DNSSEC is not mandated.

      • Yep, minimum security and sometimes hoops to go thru.

        Credit card companies make plenty of money collecting the fees, and do nothing otherwise.

        When Y2K came around, our IT idiot told us that ICVerify would work with no issues: His test: roll the clock over to the year 2001 and try it…..The software duplicated settlements for over 6 months, because he wouldn’t patch the coftware.

        He would have been fired if it was up to me…..

  21. Nice share Brian, going to look into enabling this across more of my domains.
    Thanks

  22. To me, registry lock comes with a bit of a trade-off. Maybe it’s because I look at everything through the lens of being a DNS provider, what’s important to me is being able to switch your namservers, fast, even on-the-fly if you’re using something like nameserver failover.

    But if you’re using registry lock, you can’t do that.

    So what’s more likely? That some exogenous event will impact your DNS vendor (think Mirai), or that somebody will specifically target you to hijack your domain and none of your other defences (2FA, event notices, account ACLs and a half-clueful registrar) won’t be adequate?

  23. We were very lucky to avoid this kind of attack at Fastmail a few years ago:

    https://fastmail.blog/2014/04/10/when-two-factor-authentication-is-not-enough/

    The attackers sent the registrar a fax with a faked passport page and a faked company registration, while signing up our hostmaster address to tons of poorly setup mailing lists to hopefully hide the confirmation email in the flood! We were really lucky that we noticed. Humans definitely are the weak point in most security.

  24. guess I should give up on an online business already. if you can register a domain they will just take it. if you put up content they will deface it, if you process money they will rob it. if you make a product they will sell fakes of it. Better off leaving computers and washing dishes. nobodys going to want to take that from me.

  25. Being working in this space, we always have some kind of fear of losing our data. Privacy on the internet is already a myth. Things are getting worse. Thanks for sharing that.

  26. I think Domain registrar makes sure about that? If no, then it is open for anyone and that is not cool.

  27. Thank you soo much for the Highlight I have applied all your suggestions on my domain. I never new such a thing can even happen.

  28. Social engineering is a huge vulnerability. We’ve migrated large domain and DNS portfolios to our platform in which our clients have given us permission to call registrars on their behalf to facilitate (forgotten) account access. It typically takes us one phone call and maybe an email to gain full access to domain and DNS accounts – often using made-up 2FA phone numbers that simply sail through and work!

  29. I think sometimes this is the fault of providers, too.
    I am with a rather good hosting provider, their data centers are very good, their IT guys know what they are doing.

    Yet their domain panel lacks overview information, for all of my domains they show 3 things: next due, auto renew, active and a button for more.

    Also no export function.

    So I have to click, wait for it to open, then check.
    Arrghhhhhh.

    I did send them some feedback just a minute ago.

  30. So I have to click, wait for it to open, then check.
    Arrghhhhhh.

    I did send them some feedback just a minute ago.

Leave a comment