How Do I Protect My Domain?

Concerns about protecting our most valuable assets live rent-free in our collective conscience these days, and our domains are no exception. Domain names in and of themselves have intrinsic value beyond high-value keywords. Our domain space is a multi-tool that connects our websites, custom emails, and cloud services all in one place. It’s both a digital identity and a revenue stream.

Opportunistic hackers and cybercriminals are online in droves, sniffing out security vulnerabilities and using social engineering tactics, or manipulation that exploits human error (like phishing). So, who exactly are these scammers, and what are the best practices to minimize risk to your domain?

 

What you’re protecting against in a domain-based cyberattack

In today’s cyberthreat landscape, statistics are painting a grim picture as most types of cyberattacks are growing—in frequency and in sophistication. And while it’s all well and good to learn the best security practices to protect your domain, the toughest part of these practices is maintaining the motivation to implement these practices each and every day.

It’s difficult to stay motivated if you don’t have a full understanding of the harsh reality of a single cyberattack—irreversible fraudulent money transfers, your database locked for ransom, or a fatal loss in revenue and customers. That’s not even mentioning the increase in cyber insurance premiums or legal liabilities of a data breach. The ripple effect can last for years, or shutter your business.

Understanding who cybercriminals are and what motivates them will, in turn, motivate you to maintain up-to-date domain security protocols and team training.

Who are cybercriminals?

Cybercriminals are individuals or groups of people with varying levels of technology and programming skills who use computers or network devices to commit malicious activities. The typical intent is financial gain and theft of data or digital property (for example, your domain).

In the realm of domain cybercrime, criminal intent and capability varies. Cybercriminals may be out to hijack your domain, or steal the traffic to your website. A cybercriminal either indiscriminately targets as many victims as possible to maximize potential payouts, or attempts a targeted approach at a high-profile domain. Some criminals are capable of compromising your domain server infrastructure, while others just want to spam you with ads.

What does a cyberattack look like?

Cyberattacks are any action from a cybercriminal towards a user with malicious intent—and these criminals have a big bag of tricks, making them tough to spot.

As far as cyberattacks go for small to medium-sized business domains, the most widespread is phishing.

Phishing looks like a message from someone or something you trust, trying to get you to interact with a malicious attachment or link that goes to a fake website. If that phishing attempt is successful, the user has either unintentionally handed over sensitive data (such as domain login credentials) on a fraudulent website, or become infected with malware. Malware, or malicious software, is an umbrella term for the execution of unauthorized actions on the user’s system. These actions include illegitimate password changes, your important information being held for ransom, stolen data, adware—the list goes on.

Less commonly, cyberattacks happen when attackers exploit a security vulnerability with your registrar or DNS server and take control of your domain. Once inside, they can do serious damage to your finances, reputation, or just steal your domain altogether.

Does my registrar help protect my domain?

Yes. Assuming you’ve chosen a trustworthy (and probably ICANN-accredited) registrar, you can expect them to follow the rules for governing your domain and to have sophisticated systems in place.

That being said, you are ultimately responsible for the security of your domain. So long as hackers can find vulnerabilities in both digital defenses and human nature, it can be enough to collapse an otherwise secure system.

Is it expensive to protect my domain?

Security costs vary, depending on the size of your domain portfolio and each website within. Consult with an IT firm or conduct further research to determine which security measures you need, and to what capacity.

Small businesses are a breeding ground for cyberthreats, owing to their smaller security budgets or inability to prioritize security over other business aspects—and cybercriminals know it.

 

Practices for each and every domain owner

With a more discerning grasp on digital threats, protecting your domain is the next focus. Stolen or manipulated domains all have something in common—they happen suddenly and more often than you think. Starting out isn’t always intuitive, but you don’t need to be a cybersecurity expert to protect yourself online.

List an email with your registrar that’s not connected to your domain

Your domain’s WHOIS record may be available for public viewing—and cybercriminals know it. If a scammer hijacks your domain, by stealing your password via database hacking, or through a successful phishing email, they can remove you as the domain name registrant. If this happens, you’ll be able to provide ICANN with an established email, outside of that domain, as proof of your rightful ownership.

Establish communication with your registrar via this email to ensure that important account updates aren’t going to spam.

Switch on domain privacy for your WHOIS record

Registering a domain means providing personal contact information to the registrar (barring those who use third party proxy services), creating a public WHOIS record. During signup, the registrar usually offers “domain privacy,” which hides your WHOIS record from public view.

WHOIS searches are fueled almost entirely by those looking to purchase your domain, sell you something, or scam you. With domain privacy active, your registrar will use their own company contact information, and sometimes a randomly generated email address, instead of yours.

If you’d like to toggle on this convenient privacy feature, most registrars have this function available for you to manage yourself from your online account.

Check out our blog What is Domain Privacy? for more.

Create passwords that are long, strong, and complex (and then don’t share them)

We’ve heard it countless times: the stronger the password, the safer the account. Despite this well-known advice, passwords remain the weakest link in most security defenses. Human error is responsible for password blunders, such as reusing, sharing, or failing to regularly change passwords.

A strong password has complexity, changes regularly, and is kept private. The complexity component has these important characteristics:

• It’s long. The longer the password, the tougher it is to crack.

• It’s unique. It’s exclusively for your domain name account, and doesn’t use common words or simple phrases or keystrokes.

• It uses different characters. Uppercase, lowercase, numbers, and special characters make for a robust password.

Enable multi-step authentication when available

Despite your best efforts at online safety, malicious hackers will never stop trying to break into databases and steal passwords to use in scams or sell on the dark web.

With a multi-step (or “two-factor”) authentication in place, a password alone won’t be enough for an interloper to pass the authentication check—two layers are needed to verify identity. This second layer is usually a code sent via text message or generated through an authenticator app.

More than likely, your domain-related services offer a multi-step authentication. If not, there are many trustworthy authenticator apps available on the market.

Double check that your domain lock is active

Registrars impose a transfer lock on your domain name, keeping your cyber doors closed by default. This lock is one of many status (EPP) code locks placed on your domain to “freeze” your key domain configurations, safeguarding you against domain hijacking—fraudulent parties who gain access to your registrar account to steal your domain by transferring it to another registrar, or make DNS modifications that redirect users to malicious sites.

Our article What is Domain Locking? dives further into this subject.

Monitor expiration dates on domain operations

All domain registrations and SSL certificates come with an expiration date. If you let your domain name registration lapse, users can’t interact with your website, you’ll lose access to your custom email, and you can lose your domain name permanently after the expiration grace period. As far as an expired SSL certificate goes, your website will scream a “not secure” warning message at any user who visits your site, and both you and your users are at risk over an unsecured network.

By ICANN requirement, all registrars send two domain renewal reminders before your expiration date. Most registrars offer a domain auto-renewal as well. Following a cue from registrars, the Certificate Authority (CA) you’ve purchased your SSL certificate through will more than likely follow suit with renewal reminders and auto-renewal features.

As long as you’ve ensured email communication with your registrar and CA, and check your email consistently, you’re off to a good start in keeping control of your domain registrations. As an extra precaution, you can employ online tools for tracking your website statuses to help ease you into a routine.

Check out our blog What is Domain Monitoring? for more.

Educate your partners or employees on safety and security

Human error is the undisputed cause of most data breaches and security failures, and a vast majority of the digital population will experience at least a flurry of phishing.

Educating your employees or business partners on safety risks and practicing healthy security habits every day reduces your risk of someone in your company putting their credentials into a fake website or downloading an innocuous email attachment that’s actually 12 viruses in a trench coat.

Defensively register or block variations of your domain name

“Defensive” domain name strategies include registering or blocking variations of your own domain name to prevent cybersquatters, specifically typosquatters, from using those names. Typosquatters rely on users being inattentive to a typo in their intended URL, whether it’s a misspelling, extra character, or different TLD, with the nefarious goal to siphon off the sales traffic to their own site or defraud the users at a phishing website.

With potentially thousands of name variations per domain name, defensive registration quickly becomes cost-prohibitive. Domain blocking is an alternative service that can help achieve the same goal in the vast domain namespace without breaking the bank. It gives domain owners authority over the blocked domain by not allowing any third parties to register it.

Look into trademarking your domain name

There’s no shortage of cybersquatters looking to cash in on your hard-earned reputation by registering a domain name confusingly similar to your own.

Trademarking your domain name adds a layer of federal protection against these shady pursuits. You won’t need to prove you owned a registered trademark before the copycat domain was registered, plus a decreased chance of trademark infringement.