Cybercriminals Are Misappropriating Businesses’ Web Addresses

Cybercriminals targeting businesses are stealing more than customer passwords and credit-card numbers these days. Some are misappropriating the very Web addresses—or domain names—of the businesses themselves.

When Pablo Palatnik of Miami glanced at a Google Analytics report showing Web traffic on his office TV monitor one day last month, he was alarmed to discover that traffic to his business website, Shadesdaddy.com, had plunged 80% from its usual level of as many as 10,000 visitors a day.

At first, the 32-year-old entrepreneur suspected a server had gone down. But after digging further, he discovered a more serious problem. A cyberthief had diverted his company’s domain name—the very Web address that’s critical to his firm’s online sales—to China.

That meant that potential customers surfing the Web for Oakley, Ray-Ban, Versace and other popular sunglass brands couldn’t find his eight-year-old Internet retail business. “I never thought someone could steal the domain from us,” he says.

Mr. Palatnik’s experience underscores a little-noticed and growing security risk for business owners. Thieves can hijack domain names and transfer them to such places as China, Eastern Europe and Russia in what appears to be “organized criminal activity,” says Philip Corwin, counsel to the Internet Commerce Association, a trade association for domain-name investors and developers.

The nonprofit Internet Corporation for Assigned Names and Numbers, or ICANN, coordinates how Web addresses are allocated, and it has gotten over 140 complaints about domain-name thefts in the past 20 months.

The thief might hold the domain name for ransom, resell it or use the information to get access to personal or company data, says David Weslow, an Internet attorney in Washington. Thieves may “also be interested in other means for monetizing the stolen domain name, such as the display of pay-per-click advertisements, display of a website that downloads malware, or use of the domain name to send legitimate-looking emails containing spam, viruses and/or phishing correspondence,” he says.

At least 15 cases seeking the return of domain names were filed in U.S. courts last year, up from five in 2013 and 10 in 2012, according to Stevan Lieberman, a Washington attorney who represents domain-name holders. The figures don’t include state-court cases or disputes that didn’t result in litigation.

Small firms with memorable domain names—as well as entrepreneurs who snap up particular domain names with plans to resell them—can be especially vulnerable because they tend to have less sophisticated Internet security systems.

Entrepreneurs routinely pay thousands of dollars to obtain their domain names, or Web addresses. The most sought-after domain names can fetch millions of dollars, but the median price for a domain name was $3,000 in 2014, up 9% from a year earlier, according to DNJournal.com, an industry magazine. Earlier this year, an eight-person home-health-aide startup in McLean, Va., paid $350,000 to acquire homecare.com.

Cybercriminals sometimes hijack domain names by scraping public directories listing contact data for domain owners. These hackers then send out phishing emails designed to surreptitiously capture a domain owner’s keystrokes or passwords, according to Enrico Schaefer, a Traverse City, Mich., attorney who specializes in Internet law. Using that data, the hackers can take control of the business domain name by transferring it to another registrar using an account controlled by a cybercriminal.

“Your GoDaddy service(s) shown below has been suspended because some of the purchases on your account remain unpaid,” said a recent e-mail to a GoDaddy customer. The email, which appeared to be part of a phishing scam, told the reader to click on a link “to make payment and reinstate your services.”

A spokeswoman for GoDaddy Inc., the technology company that helps individuals and businesses create an online presence, says it is investigating the notice, adding that it “clearly appears to us to be a scam email.”

At 14-employee Premier Machine Products Inc., in Kirtland, Ohio, e-mail traffic suddenly dried up in mid-November. Soon, its customers complained that emails and purchase orders to the maker of custom screw-machine products had bounced back.

In fact, Premier’s domain registration had expired after someone shifted the email associated with it to “a weird, shady Hotmail account” overseas, Premier co-owner John Reed says. Premier didn’t receive notices to renew its domain registration because of the email-address switch, he says.

The Federal Bureau of Investigation says it has opened roughly 26 complaints involving domain-name theft or hijacking in the past year. In addition, the Internet Crime Complaint Center, a partnership between the FBI and the nonprofit National White Collar Crime Center, has received 17 complaints of domain hijacking or theft. Nine of those reported a combined $3.5 million in losses.

Some argue that ICANN itself should do more to monitor—and address—the illegal transfer of stolen domain names to registry holders abroad. “If they find there are bad registrars working with bad folks to facilitate domain hijacking,” taking steps to “put them out of business would send a very strong message,” says Mr. Corwin of the Internet Commerce Association.

The registrar-accreditation agreement between ICANN and the registrars—the companies responsible for domain-name registration—gives ICANN enforcement powers to stop reported domain-name abuse, says a law-enforcement official with knowledge of the issue. But ICANN denies that it has that power. “ICANN is not a regulatory authority or a law-enforcement agency,” says Gwen Carlson, the agency’s communications director. “We do not regulate content, and we do not have broad general rights to police domain-name abuse.”

In Burr Ridge, Ill., Michael Lee, the owner of the five-person Michael Lee + Associates advertising agency, spent roughly $15,000 and 19 months to regain control of MLA.com after it was hijacked and shifted to a registrar in the Bahamas in May 2013. Revenue fell 30% during the period because clients had difficulty reaching the company. Shortly before the judge’s ruling in Mr. Lee’s favor, someone claiming to have legitimately purchased the domain offered to return it in exchange for $15,000 or $20,000, he says.

In Miami, ShadesDaddy.com was offline for 11 days. It lost about $50,000 in revenue, Mr. Palatnik estimates, prompting him to lay off six of his eight employees. He finally regained ShadesDaddy.com after filing an administrative action proving he was the rightful owner with VeriSign Inc., which maintains the definitive list of domain names that end in .com, his attorney says.

Mr. Palatnik recently rehired the laid-off employees and is trying to regain the business’s search-engine rankings.

“It’s like your house got stolen,” he says.

- Article originally on WSJ.

Article by: Mike Gillam, Senior Investigator