Domain hijacking

How it works

Attackers gain access by phishing the registrar login, social-engineering support staff, or exploiting weak account security, then change nameservers or transfer the domain. Because it is your real domain, the hijacked site inherits all your trust and email.

Registrar locks, two-factor authentication, and DNSSEC reduce the risk, and fast detection of unexpected DNS or WHOIS changes is the key to recovering quickly.

How it relates to brand impersonation

Unlike a lookalike, domain hijacking turns your own domain against you, which makes it one of the most damaging impersonation scenarios. Watching for unexpected changes to your domains is part of monitoring.

How nebty helps

nebty monitors your domains and their lookalikes for the DNS and registration changes that signal hijacking or abuse, so you can react before the damage spreads.

How to harden a domain against hijacking

Hijacking almost always comes through the registrar account, not the website, so that is where to harden. Turn on multi-factor authentication for the registrar login and use an account that is not a shared inbox. Enable the registrar and transfer locks (clientTransferProhibited), which stop a transfer from being initiated without an explicit unlock. Add DNSSEC so forged DNS responses are rejected. Keep the registrant email on a domain you fully control, not the one being protected, so losing the domain does not also lock you out of recovery. Then watch for the warning signs: an unexpected change to nameservers, registrant details, or DNS records is often the first visible evidence of a hijack, and catching it within hours is the difference between a quick reversal and a long recovery.