Not many people question the value of domain names. Multi-million dollar domain names are nothing new. But as we grow more comfortable understanding the true value of domain names, the steps users take to secure those domain names are severely lacking.
This can lead to the stunning realization that a domain name has been transferred out of your possession. You didn’t feel it, you didn’t see it, and there is next to no evidence readily available to figure out what happened. You are a victim of domain name theft.
Over the past year, we have noticed a considerable rise in instances of domain theft, often emanating from overseas hackers. Owners of valuable domain portfolios need to pay attention to this trend and take the steps necessary to reduce the risk of losing valuable property. It’s time to treat your domains like the valuables in your home.
Only Use Registrars That Offer Two-Factor Authentication
The best advice for preventing domain theft is to use a registrar that requires two-factor authentication (2FA). Registrars that do not use 2FA could be opening themselves up to liability. However, you should avoid the problem altogether by ensuring your registrar requires two forms of authentication to alter a domain’s settings. This is especially important given the phishing scams arising from ICANN’s relatively new WHOIS accuracy program, explained below.
Beware of Phishing Attacks
Phishing generally refers to an attempt to acquire information by masquerading as a trustworthy source. ICANN’s “WHOIS Accuracy Data Specification” requirement, while well intended, has opened the door for phishing attacks. This requirement states that within 15 days after changes to a WHOIS record, the registrar must verify the changes. The registrar will then send the registrant an email requiring them to verify the WHOIS information. This process has created the perfect cover for phishing attacks: hackers now send emails that look exactly like a registrar verification email in order to steal credentials.
Additional Steps to Secure Your Domain Portfolio
Enable Domain Transfer Locks
Most registrars offer a domain transfer lock (also called a registrar lock or domain lock) that prevents your domain from being transferred to a different registrar without your explicit authorization. When a transfer lock is enabled, any attempt to initiate a transfer will be rejected until you disable the lock through your registrar account. For domains you do not intend to transfer in the near future, transfer locks should always be enabled. Disabling a transfer lock requires action through your registrar account — an additional step that gives you notice of and control over any pending transfer.
Use a Dedicated Registrar Email Address
The single most common attack vector in domain theft is the registrant’s email account. Most domain registrars allow password resets and other account changes to be authenticated through the email address associated with the account. A hacker who gains access to your email account essentially gains access to your registrar account.
The most effective mitigation is using a dedicated email address for your registrar account — one that is not publicly associated with your name or organization, not used for any other purpose, and not listed in WHOIS records (most registrars now offer WHOIS privacy protection). A dedicated, private email address is much harder for hackers to target through social engineering or brute force attacks.
Consider Registry-Level Locks for High-Value Domains
For domains with significant commercial value, standard registrar-level security may not be sufficient. Some registries — including Verisign for .com and .net domains — offer enhanced registry-level locking services that prevent transfers even at the registry level, regardless of what happens at the registrar level. These services require direct interaction with the registry to modify or release the lock, providing a security layer that cannot be bypassed through registrar account compromise alone.
For a domain portfolio worth millions of dollars, the cost of registry-level lock services is negligible compared to the value being protected.
Monitor Your WHOIS Records Regularly
Regular monitoring of your domain’s WHOIS records can provide early warning of unauthorized changes. Changes to registrant contact information, changes to name servers, or changes to the registrar — all of which appear in WHOIS records — can signal that your domain has been tampered with. Some registrars and third-party services offer automated WHOIS monitoring that alerts you to changes in your domain’s registration record.
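The monitoring described above amounts to comparing a saved baseline record against a fresh lookup and alerting on any difference in registrar, registrant contact, name servers or lock status. The following is an added example, not code from this article's authors: the sample records and helper names are constructed, the field labels assume common gTLD WHOIS output, and clientTransferProhibited is the standard EPP status that a registrar transfer lock sets.

```python
# Constructed sample snapshots; field labels assume common gTLD WHOIS output.
WATCHED = ("registrar", "registrant email", "name server", "domain status")
TRANSFER_LOCK = "clienttransferprohibited"  # EPP status set by a registrar transfer lock

BASELINE = """\
Registrar: Example Registrar, Inc.
Registrant Email: domains-7f3a@example.org
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

CURRENT = """\
Registrar: Other Registrar Ltd.
Registrant Email: new-owner@example.invalid
Name Server: NS1.EXAMPLE.NET
Name Server: NS9.EXAMPLE.INVALID
Domain Status: ok https://icann.org/epp#ok
"""

def parse_whois(text):
    """Collect watched 'Key: value' fields into {key: set(values)}, case-folded."""
    record = {key: set() for key in WATCHED}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if sep and value and key in record:
            # Status lines carry a trailing reference URL; keep only the EPP code.
            record[key].add(value.split()[0] if key == "domain status" else value)
    return record

def diff_records(baseline, current):
    """Return (field, removed, added) for every watched field that changed."""
    changes = []
    for key in WATCHED:
        removed, added = baseline[key] - current[key], current[key] - baseline[key]
        if removed or added:
            changes.append((key, sorted(removed), sorted(added)))
    return changes

def transfer_lock_removed(baseline, current):
    """True when the baseline had the transfer lock status and the current record lacks it."""
    return TRANSFER_LOCK in baseline["domain status"] and TRANSFER_LOCK not in current["domain status"]

if __name__ == "__main__":
    old, new = parse_whois(BASELINE), parse_whois(CURRENT)
    for change in diff_records(old, new):
        print("ALERT", change)
    print("transfer lock removed:", transfer_lock_removed(old, new))
```

In practice the baseline would be stored after a known-good lookup and the comparison run on a schedule, with any non-empty result treated as a reason to log in to the registrar account directly rather than through a link in an email.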
Registrar Liability for Domain Theft
When a domain is stolen, one question that always arises is whether the registrar bears any liability for the theft. The answer depends on the specific facts — particularly on whether the registrar followed its own policies and ICANN’s requirements when processing the transfer that resulted in the theft.
ICANN’s Transfer Policy requires registrars to implement certain security measures before processing domain transfers, including sending a transfer authorization email to the registrant’s email address on file. If a registrar fails to comply with these requirements and facilitates an unauthorized transfer, it may face liability to the affected registrant. Courts have found registrars liable in domain theft cases where the registrar failed to follow required transfer procedures.
More broadly, the failure to offer two-factor authentication — when 2FA has become a standard security measure that is available at trivial cost — may support a negligence claim against a registrar whose platform is used to steal a registrant’s domains. As 2FA becomes the industry standard rather than a premium feature, registrars that do not offer it are increasingly exposed to negligence claims from theft victims.
What to Do If Your Domain Is Stolen
Despite best precautions, domain theft can still occur. If you discover that a domain has been transferred without your authorization, the following steps are critical:
- Document everything: screenshot your registrar account, pull WHOIS records, and preserve all communications with your registrar
- Immediately secure your email account and other online accounts that may have been compromised
- Contact your registrar’s abuse team in writing — not just through a chat or phone call — to create a paper trail
- Contact an attorney immediately to evaluate emergency injunctive relief options
Speed matters enormously in domain theft cases. The faster you move to lock down the stolen domains through legal process, the better your chances of recovery before the thief transfers them to a jurisdiction where recovery becomes impractical.
Contact Revision Legal’s Domain Theft Attorneys
Revision Legal has successfully recovered hundreds of stolen domain names for clients worldwide. Our internet attorneys understand the technical and legal dimensions of domain theft, and we have the registrar relationships and litigation infrastructure to move quickly when time is critical. Contact us today to discuss protecting your domain portfolio or recovering stolen domains.
UDRP Proceedings as an Alternative to Litigation
For certain types of domain disputes — particularly cases involving cybersquatting or bad-faith registration — the Uniform Domain Name Dispute Resolution Policy (UDRP) offers a faster and less expensive alternative to federal court litigation. UDRP proceedings are administered by approved dispute resolution providers, including the World Intellectual Property Organization (WIPO) and the Forum (formerly NAF), and can result in the transfer or cancellation of a disputed domain name without the need for a full federal court action.
To prevail in a UDRP proceeding, the complainant must prove three elements: (1) the disputed domain name is identical or confusingly similar to a trademark in which the complainant has rights; (2) the registrant has no rights or legitimate interests in the domain; and (3) the domain was registered and is being used in bad faith. UDRP proceedings are conducted on a written record without live testimony, with a typical timeline of 60 days from filing to decision.
UDRP is most appropriate for cybersquatting cases where someone has registered your trademarked brand name as a domain to extort money or divert traffic. It is generally not appropriate for domain theft cases where the domain was legitimately registered by the victim and stolen by a third party — those cases require the full injunctive relief and damages remedies available in federal court. Revision Legal handles both UDRP proceedings and federal court domain litigation and can advise which approach is most likely to achieve a fast, favorable result in your specific situation.