
Domain Hijacking and How to Protect Yourself

When a criminal gains control of your domain name, they do not just steal an address. They take over your email, your customer trust, your search rankings, and often your business. Domain hijacking is one of the most damaging cyber incidents a UAE business can face, and the recovery process can take weeks or even months.

This guide explains how domain hijacking works, reviews real cases including recent attacks on UAE brands, and walks through the exact steps you can take to protect your .ae and international domains. It also covers what to do in the first 24 hours if your domain is already compromised.

What Is Domain Hijacking?

Domain hijacking, also called domain theft, is the unauthorised transfer of a domain name away from its rightful owner. The attacker ends up controlling the registration, which means they decide where the website resolves, who receives email sent to the domain, and whether to hold the domain for ransom or sell it on a marketplace.

A successful hijack gives the criminal everything the domain unlocks: website traffic, email accounts, cloud services tied to the domain, SaaS integrations, and the brand reputation attached to the name. The original owner is locked out until a formal recovery process restores ownership.

⚠️ IMPORTANT: Recovering a stolen domain is far harder than stealing one. Even well-known brands have needed weeks of coordination between multiple registrars, legal teams, and ICANN to reclaim their names. Prevention is dramatically cheaper than recovery.

Domain Hijacking vs DNS Hijacking vs Subdomain Takeover

These three terms are often confused, but they describe different attacks with different recovery paths. Understanding the difference helps you pick the right defences.

| Attack Type | What Is Compromised | Typical Vector |
|---|---|---|
| Domain Hijacking | The registration itself at the registrar | Phishing, social engineering, registrar account takeover, email compromise |
| DNS Hijacking | DNS records while registration stays intact | Compromised DNS provider account, BGP routing attack, router malware |
| Subdomain Takeover | Individual subdomain pointing to an abandoned third-party service | Forgotten CNAME records, dangling DNS entries, expired cloud resources |

Domain hijacking is the most severe of the three because it requires a formal dispute process to reverse. For a deeper technical comparison, the Cloudflare Learning Center guide on domain name hijacking and the Wikipedia entry on domain hijacking both give excellent background on how these attack classes differ at a protocol level.

Real-World Cases You Can Learn From

Abstract warnings rarely change behaviour. These documented incidents show exactly how hijackings unfold, what the damage looks like, and what recovery takes.

Case 1. Perl.com (January 2021)

Perl.com is the main information site for the Perl programming language, managed by The Perl Foundation since 1997. In late January 2021 it was hijacked and pointed to a parked page tied to a Google Cloud IP address with a history of malware distribution.

According to the detailed post-mortem published by editor Brian Foy at perl.com, forensic analysis by intellectual property lawyer John Berryhill showed the compromise actually happened in September 2020, four months before anyone noticed. ICANN has a 60-day lock that prevents transfers right after registration changes, so the attackers waited out that window, transferred the domain to a Chinese registrar on Christmas Day, then moved it again to Key Systems in Germany in late January. Shortly after the final transfer, BleepingComputer reported the domain was listed for sale on Afternic for $190,000.

The Perl Foundation recovered the domain within roughly a week with help from Network Solutions and Key Systems, but only because the community rallied quickly and the domain had famous rightful owners. The Perl.com editors explicitly note that a less well-known domain would have had a much harder time proving ownership.

💡 TAKEAWAY: Email accounts tied to your domain are the weakest link. Always keep at least one recovery contact on a completely separate email domain so communication does not break when the primary domain is in dispute.

Case 2. Sitting Ducks: 70,000 Domains Hijacked

In November 2024, Infoblox Threat Intel published a report on one of the largest domain hijacking campaigns ever documented. Researchers identified roughly 800,000 domains vulnerable to an attack vector they named Sitting Ducks, and confirmed that around 70,000 of them had already been taken over, as reported by The Hacker News.

The crucial detail from the original Infoblox disclosure: Sitting Ducks does not require any credentials. Attackers never touch the registrar account. Instead, they exploit lame DNS delegation, where a domain points to an authoritative name server that the owner no longer controls. By claiming the DNS zone at a vulnerable DNS provider that allows free sign-ups, the attacker takes over the domain’s DNS without the owner ever knowing.

Victims included well-known brands, non-profits, government entities, and even a McDonald’s-registered domain that has been hijacked repeatedly over several years. Russian-nexus threat actors tracked as Vacant Viper, Horrid Hawk, Hasty Hawk, and VexTrio Viper used the hijacked domains for malware distribution, phishing, investment fraud, and large-scale spam.

⚠️ LESSON: Check every domain you own for lame delegation. If your DNS is delegated to a name server that no longer resolves your zone, an attacker can claim it. This is especially common with old marketing domains, acquired companies, and subdomains no one audits.

Case 3. SubdoMailing: 8,000 Hijacked Subdomains

Starting in 2022 and publicly exposed by Guardio Labs in early 2024, the SubdoMailing campaign compromised more than 8,000 domains and 13,000 subdomains of trusted brands including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, ACLU, Lacoste, Pearson, PwC, Swatch, Symantec, and UNICEF. The full Guardio Labs investigation documented the attack in detail.

Attackers did not hijack main domains. They hunted for dangling CNAME records and SPF includes pointing to services that had been abandoned years earlier, re-registered those forgotten third-party domains, and inherited the SPF reputation of the main brand. Once the hijacked subdomain could send authenticated email on behalf of a trusted brand, they pushed up to five million spam and phishing messages per day, according to BleepingComputer’s coverage.

One striking example: a subdomain called marthastewart.msn.com had a CNAME pointing to msnmarthastewartsweeps.com, registered briefly in 2001 and abandoned for 21 years. In September 2022 the attacker privately registered it and gained the ability to send email that passed all authentication checks as if it came from msn.com.

Case 4. Dubai Police Impersonation Campaigns

While not a classic domain hijack, these campaigns affecting UAE residents show how attackers weaponise domain infrastructure specifically against the local market. As HackRead reported, BforeAI researchers documented 268 fraudulent domains impersonating Dubai Police through SMS phishing, analysed over a two-month period.

The attackers registered typosquatted names such as “dubaiploce” using .xyz, .top, and .click extensions, which require less verification, and cycled through short-lived domains to stay ahead of blocklists. DarkReading’s analysis noted that most of these domains originated from Tencent servers in Singapore previously linked to malicious activity.

This ties into an alarming structural weakness documented by EasyDMARC’s 2024 research on the .ae email ecosystem: out of 37,926 analysed .ae domains, only 420 (1.11%) had implemented DMARC, leaving 99% of UAE domains vulnerable to email impersonation. Of that 1.11% with DMARC, only about a third had it set to strict “reject” enforcement.

💡 TIP: DMARC with a strict “reject” policy is the single most effective control against brand impersonation. If attackers cannot forge email from your domain, their phishing operations lose the trust that makes them work. AEserver’s DMARC Force service helps UAE businesses roll out strict DMARC policies safely.

How Domains Get Hijacked in Practice

Most hijackings are not dramatic technical exploits. They are boring, repeatable attacks on human beings and forgotten infrastructure.

🎣 Phishing the Registrar Account

The attacker sends a legitimate-looking email from “your registrar” warning about expiration, a policy update, or a required action. The link leads to a cloned login page that captures your credentials. Once in, the attacker changes the registrant email, waits out the 60-day ICANN lock, then transfers the domain to another registrar, often in a jurisdiction that makes recovery harder.

📧 Email Account Compromise

This is the most common path. The attacker compromises the email address listed as the registrant contact (often via password reuse or a previous data breach), then uses “forgot password” on the registrar to take over the account legitimately. Because the attacker now receives all registrar notifications, the victim often does not realise until the domain has already moved.

🎭 Social Engineering the Registrar Support Desk

Attackers call or email registrar support posing as the domain owner, sometimes with forged business licence scans or other fake documents. This is exactly what happened in the Perl.com case, where the team confirmed a social engineering attack using fake documents against Network Solutions.

⏰ Expired Domain Snipers

Attackers monitor domains approaching expiration and scoop them up the moment they drop. Such domains are particularly valuable if they were tied to active email accounts, because the new owner can then reset passwords on linked services (banks, SaaS, social media) through “forgot password” flows.

🦆 Sitting Ducks (Lame DNS Delegation)

Covered in Case 2 above. If your domain delegates DNS to an authoritative name server that no longer resolves your zone, and that DNS provider allows the attacker to claim the zone, the attacker takes over without touching your registrar at all.

🔗 Subdomain Takeover (Dangling DNS)

Covered in Case 3 above. Forgotten CNAME records pointing to expired cloud resources (Heroku apps, AWS S3 buckets, Azure endpoints, marketing platforms) let attackers claim the endpoint and inherit your subdomain’s trust and authentication reputation.

How to Protect Your Domain: Prevention Stack

No single control stops every attack. Real protection comes from layering multiple measures so that the attacker has to defeat all of them. Work through this stack in order.

1. Choose an ICANN-accredited registrar you can actually reach

When a domain is in trouble, the speed of your registrar’s response determines whether you get it back in days or months. Prefer registrars with 24/7 support, phone verification for account changes, and physical offices in jurisdictions you can reach legally. For .ae domains, use a .aeDA-accredited registrar based in the UAE, so disputes stay under local jurisdiction.

2. Enable Registrar Lock (Client Transfer Prohibited)

This is the basic, free protection every registrar offers. When enabled, the domain’s status includes “clientTransferProhibited,” and any transfer request must first be unlocked from your account. Most reputable registrars enable this by default, but you should verify it is on for every domain you own by checking your WHOIS record through AEserver’s lookup tool.

3. Add Registry Lock for critical domains

Registry Lock goes beyond Registrar Lock. It applies a lock at the registry level, not just the registrar, and any unlock requires out-of-band verification (phone call, signed paperwork) between the registry and a pre-authorised contact. This is the protection used by banks, payment processors, and critical infrastructure. It is not free and typically requires a business case with your registrar, but for any domain that earns you revenue it is worth the cost.
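The two lock levels in steps 2 and 3 are visible in the EPP status codes a WHOIS lookup returns: Registrar Lock is the client-side clientTransferProhibited status, while Registry Lock shows up as the server-side prohibitions on transfer, update and delete. The script below is an added example, not AEserver code; it parses constructed WHOIS excerpts for fictional domains and reports which locks are on and which statuses need a phone call to the registrar.

```python
import re
from typing import Dict, List

# Constructed WHOIS excerpts for fictional domains. The status names are standard EPP codes
# as they appear in registrar/registry WHOIS output; the domains and registrar are invented.
SAMPLE_WHOIS_LOCKED = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
"""

SAMPLE_WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
"""

SAMPLE_WHOIS_MOVING = """\
Domain Name: EXAMPLE-MOVING.COM
Registrar: Example Registrar, Inc.
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
"""

STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)

# Registrar Lock is the client-side transfer prohibition; Registry Lock is applied by the
# registry and shows up as the server-side prohibitions on transfer, update and delete.
REGISTRAR_LOCK = "clientTransferProhibited"
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
# Statuses that mean something is happening to the domain right now and deserve a phone call.
ATTENTION = {"pendingTransfer", "pendingDelete", "redemptionPeriod", "clientHold", "serverHold"}


def parse_domain_statuses(whois_text: str) -> List[str]:
    """Return the distinct EPP status codes found on 'Domain Status:' lines."""
    return sorted({m.group(1) for m in STATUS_RE.finditer(whois_text)})


def assess_locks(statuses: List[str]) -> Dict[str, object]:
    """Summarise the lock posture implied by a list of EPP statuses."""
    present = set(statuses)
    return {
        "registrar_lock": REGISTRAR_LOCK in present,
        "registry_lock": REGISTRY_LOCK.issubset(present),
        "attention": sorted(present & ATTENTION),
    }


def portfolio_findings(whois_by_domain: Dict[str, str]) -> List[str]:
    """One human-readable finding per domain that is not fully locked or needs attention."""
    findings = []
    for domain, text in whois_by_domain.items():
        posture = assess_locks(parse_domain_statuses(text))
        if posture["attention"]:
            findings.append(f"{domain}: status {', '.join(posture['attention'])} - verify with the registrar by phone")
        if not posture["registrar_lock"]:
            findings.append(f"{domain}: Registrar Lock (clientTransferProhibited) is OFF")
        elif not posture["registry_lock"]:
            findings.append(f"{domain}: Registrar Lock on, Registry Lock not applied")
    return findings


if __name__ == "__main__":
    for line in portfolio_findings({
        "example-locked.com": SAMPLE_WHOIS_LOCKED,
        "example-unlocked.com": SAMPLE_WHOIS_UNLOCKED,
        "example-moving.com": SAMPLE_WHOIS_MOVING,
    }):
        print(line)
```

Feed it the raw text of your registrar's or AEserver's WHOIS lookup for each domain you own; a pendingTransfer you did not initiate is the earliest visible sign of the transfer path described in the cases above.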

4. Replace SMS two-factor auth with TOTP or a hardware key

SMS 2FA is no longer considered safe for high-value accounts. SIM swap attacks, where a criminal convinces your mobile operator to port your number to their SIM, have become routine in the UAE and globally. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or, better, a FIDO2 hardware key such as YubiKey for both your registrar account and the email address tied to it.

5. Use a unique, strong password in a password manager

Every registrar credential should exist only in a password manager (1Password, Bitwarden, Dashlane, Keeper) and never be reused on another service. The point is not just length but isolation: if any other site leaks, your domain account stays safe.

6. Enable DNSSEC

DNSSEC signs your DNS records cryptographically so resolvers can verify they have not been tampered with. It does not prevent registrar-level hijacking, but it does defeat DNS spoofing and cache poisoning. If your registrar and DNS provider both support it, turn it on.

7. Lock down the registrant email address

Never use an email address that depends on the domain itself as the registrant contact. If the domain is compromised, the registrar will send recovery emails into the attacker’s hands. Use a dedicated email on a completely separate domain (for example, a Gmail account or a separate company domain used only for registrar correspondence) and protect that email with the same hardware-key 2FA.

8. Protect the EPP Auth Code like a password

The EPP auth code, sometimes called the authorisation code or transfer key, is the secret that authorises a domain transfer between registrars. Never share it, never paste it in email, and regenerate it after any transfer so the old value cannot be reused.

9. Set auto-renewal and long registration periods

Domains go to hijackers most often through neglect, not hacking. Set auto-renewal, register for multiple years (3 to 10 where allowed), and keep your billing payment method current. For .ae domains, missing renewal triggers a grace period followed by redemption, and after 60 days the domain drops back to the public pool.

10. Audit your DNS for lame delegations and dangling records

At least quarterly, run a check on every domain and subdomain you own. Verify that every CNAME points to a service you still control, every NS record points to an active name server, and every SPF include reference is still a domain you or a trusted partner owns. The Sitting Ducks and SubdoMailing campaigns show what happens when this hygiene lapses.

11. Deploy DMARC with p=reject

Given the EasyDMARC finding that 99% of .ae domains lack DMARC, this single step puts you ahead of almost every UAE competitor. DMARC with strict enforcement prevents attackers from forging email from your domain even if a subdomain is compromised, and it generates reports that flag hijacking attempts early. AEserver’s DMARC Force simplifies the rollout for UAE businesses.
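The EasyDMARC survey distinguished domains with no DMARC, DMARC in monitoring mode, and strict reject enforcement. The grader below is an added example, not the article's or AEserver's code: it parses a `_dmarc` TXT record, grades it as missing, monitor, partial or strict, and names what weakens it (p=none or quarantine, a softer subdomain policy, pct below 100, no rua= reporting address). The records and domains it runs on are constructed.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed DMARC TXT records for fictional domains (what a lookup of _dmarc.<domain> would return).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example",
    "leaky.example": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@reports.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@reports.example",
    "soft.example": "v=DMARC1; p=quarantine",
    "absent.example": None,  # no _dmarc TXT record at all
}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def evaluate_dmarc(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Grade a record as 'missing', 'monitor', 'partial' or 'strict' and list what weakens it."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or "p" not in tags:
        return "missing", ["no valid DMARC record (v=DMARC1 with a p= tag) is published"]
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to the domain policy
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # treat a malformed pct as the default 100
    issues: List[str] = []
    if p == "none":
        issues.append("p=none only reports; forged mail is still delivered")
        return "monitor", issues
    if p == "quarantine":
        issues.append("p=quarantine sends forged mail to spam folders; use p=reject")
    if sp != "reject":
        issues.append(f"effective subdomain policy is sp={sp}, not reject")
    if pct < 100:
        issues.append(f"pct={pct} lets {100 - pct}% of failing mail bypass the policy")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports to spot abuse early")
    level = "strict" if p == "reject" and sp == "reject" and pct == 100 else "partial"
    return level, issues


def tally(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per enforcement level, the way the EasyDMARC survey bucketed .ae domains."""
    return dict(Counter(evaluate_dmarc(txt)[0] for txt in records.values()))


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        level, issues = evaluate_dmarc(txt)
        print(f"{domain}: {level}" + (" - " + "; ".join(issues) if issues else ""))
    print(tally(SAMPLE_RECORDS))
```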

12. Enable WHOIS privacy where supported

Public WHOIS data feeds social engineering. Where your ccTLD supports it (most gTLDs do post-GDPR, though .ae does not support full WHOIS privacy), use it. You can verify the current WHOIS status of any domain through the AEserver WHOIS Lookup.

13. Monitor for unauthorised changes

Enable change notification alerts in your registrar. Every contact change, every name server change, every transfer request should notify you through a channel that is not tied to the domain itself. For high-value portfolios, consider services that monitor WHOIS, DNS, and certificate transparency logs and alert you on anomalies.

UAE Advantages: Why .ae Domains Are Easier to Secure

UAE businesses using .ae domains have meaningful structural advantages compared to generic TLD owners.

UAE-specific protection: The .aeDA (.ae Domain Administration) operates under TDRA and maintains direct oversight of all .ae registrars. Disputes are handled locally under UAE law, with a defined UAE Domain Name Dispute Resolution Policy delivered in partnership with the WIPO Arbitration and Mediation Center. This reduces the cross-jurisdictional complexity that made Perl.com’s recovery so slow.

In practical terms, this means:

  1. Direct regulatory recourse: complaints about .ae registrars can be escalated to TDRA, which can take action against accredited registrars that act negligently.
  2. Local arbitration: disputes are resolved in English, in the UAE, under UAE law, often within weeks rather than months.
  3. Strict eligibility and verification: the .aeDA performs registrant verification checks, which raises the bar for impersonation attacks.
  4. Cultural and legal protection: .ae registration must comply with UAE law, meaning names used for fraud can be suspended by the registry directly.

You can review all current .aeDA policies on the official .aeDA Policies page.

What to Do If Your Domain Is Already Hijacked

Speed matters more than anything else. The first 24 to 48 hours determine whether recovery takes a week or several months. Follow this protocol in order.

1. Lock down every related account immediately

Change passwords and revoke sessions on: your registrar account, every email address that receives registrar mail, your DNS provider, your hosting panel, and any SaaS account whose password reset goes to that email. Rotate 2FA seeds where possible. Assume the attacker has full access to everything tied to the compromised email.

2. Contact your registrar through verified channels

Call the registrar’s published support number; do not reply to any email. Explicitly state that you believe a fraudulent transfer is in progress or has just completed. Ask the registrar to place a Registrar Hold on the domain, which freezes all operations, and to escalate to their abuse or fraud team. Document every communication with dates, times, and names.

3. Gather proof of ownership

Collect: original registration receipts and invoices, historical WHOIS records (use the AEserver WHOIS Lookup and third-party history services), trademark registrations, business licence documents tying you to the name, archived screenshots of your website from web.archive.org, and any email correspondence with the registrar predating the compromise. Save all of this to a location not tied to the compromised email.

4. File a TDRP complaint (for gTLDs like .com, .net, .org)

If the domain has already moved to a new registrar, your “losing” registrar (the one you registered with originally) can file a Transfer Dispute Resolution Policy complaint under ICANN’s TDRP. This is the formal process for reversing fraudulent inter-registrar transfers. TDRP is different from UDRP, which covers trademark disputes, not theft. The statute of limitations is 12 months, so do not delay.

5. For .ae domains: contact TDRA directly

After trying to resolve the issue with your registrar, UAE residents can escalate directly to TDRA through the .aeDA. TDRA handles domain-related complaints and has a defined Complaints Handling Policy. The Disputes and Complaints service and the Report Domain Abuse service are the correct entry points.

6. Communicate publicly from a clean channel

Set up a temporary communication channel (a status page on a separate domain, a LinkedIn post, an SMS to your customer list) to warn users not to visit the compromised domain or trust emails from it. The Perl Foundation used perldotcom.perl.org; your equivalent might be a .ae subdomain of your company name or a dedicated status page.

7. Notify your bank, customers, and partners

If the domain is used for invoicing, notify your bank and customers that any payment instruction received during the incident window is suspect. This is especially important in UAE business culture where vendor email compromises can lead to large wire fraud losses.

8. Engage legal counsel if necessary

For high-value domains or domains the attacker refuses to release, you may need UAE legal counsel experienced in intellectual property and cybercrime. Cases can be escalated to UAE courts or prosecuted under the UAE Federal Law on Combating Cybercrimes.

UAE Recovery Playbook: TDRA vs ICANN

Choose your recovery path based on the TLD of the affected domain. These processes are different, and filing the wrong complaint will slow you down.

| Scenario | Correct Channel | Typical Timeline |
|---|---|---|
| .ae or .امارات hijacked | Registrar first, then TDRA .aeDA complaints process | Days to weeks |
| .com, .net, .org fraudulent transfer | Losing registrar files ICANN TDRP complaint | Weeks to months |
| Trademark infringement (cybersquatting) | UDRP through WIPO | 2 to 3 months |
| .ae trademark dispute | .aeDRP through WIPO Arbitration Center | 4 to 6 weeks |
| Criminal prosecution needed | UAE Police cybercrime division, Dubai Police e-crime unit | Variable |

Frequently Asked Questions

Can someone steal my .ae domain if I use 2FA?

Two-factor authentication makes the direct registrar account path very hard, but it does not protect against social engineering of the registrar support desk, DNS-level attacks like Sitting Ducks, or subdomain takeover through dangling DNS records. Use 2FA as a baseline, not as your only defence.

Is WHOIS privacy available for .ae domains?

.ae does not support full WHOIS privacy in the way gTLDs like .com do, but the .aeDA does hide most individual registrant details by default and displays organisation information for business registrants. You can always check the current published record through the AEserver WHOIS tool.

How long does domain recovery take?

Best case, if caught within 60 days and before an inter-registrar transfer: a few days. Average case, with a successful TDRP filing: 4 to 8 weeks. Worst case, involving multiple international registrars and legal escalation: 3 to 12 months. Some stolen domains are never recovered.

What is the difference between UDRP and TDRP?

UDRP (Uniform Domain Name Dispute Resolution Policy) covers trademark-based disputes like cybersquatting. TDRP (Transfer Dispute Resolution Policy) covers fraudulent or improper registrar-to-registrar transfers. If your domain was stolen and moved to another registrar, you need TDRP. If someone registered your trademark as a domain, you need UDRP. Panels have often ruled that UDRP is not appropriate for theft cases.

Should I enable DNSSEC?

Yes, if your registrar and DNS provider support it. DNSSEC does not stop registrar-level hijacking, but it does prevent a class of DNS spoofing attacks and demonstrates security maturity to enterprise customers and search engines.

My website is small. Am I still a target?

Yes. The Sitting Ducks and SubdoMailing campaigns specifically target lower-profile domains because they have weaker defences and attackers can use them quietly for years. High reputation is not a prerequisite for being targeted; being exploitable is.

Who enforces .ae domain policies?

The .ae Domain Administration (.aeDA), a department of the UAE Telecommunications and Digital Government Regulatory Authority (TDRA), sets and enforces all policies for .ae and .امارات. You can review current policies on the .aeDA policies page.

Summary: 10 Things to Do Today

  1. Verify Registrar Lock is enabled on every domain you own through your registrar’s control panel.
  2. Replace SMS 2FA with TOTP or a hardware key on your registrar account and the email tied to it.
  3. Move the registrant email off the domain itself onto a separate, protected mailbox.
  4. Enable auto-renewal and extend registration to the maximum period your registrar allows.
  5. Audit DNS for lame delegations and dangling CNAME records across all subdomains.
  6. Deploy DMARC with p=reject to prevent email impersonation of your brand.
  7. Enable DNSSEC if your registrar and DNS provider support it.
  8. Request Registry Lock for any domain tied to revenue or sensitive operations.
  9. Document ownership evidence (receipts, business licences, trademarks) in a secure backup location.
  10. Put recovery contacts on file with your registrar so support knows how to reach you out-of-band.

Domain security is not a one-time setup. Review this list every six months, immediately after any personnel change, and whenever you acquire a new domain. The cost of prevention is a few hours of admin; the cost of recovery is weeks of business disruption and possible permanent brand damage.

Rohit S.

Partner Manager at AEserver and an expert in national domains (ccTLDs), as well as in protecting brands and intellectual property on the Internet. Specializes in domain portfolio management, digital positioning and legal protection through domain zones. Has been certified by Google in the basics of digital marketing.
