Attempts to take over Internet domains illegally are common today, and the examples are numerous: cybersquatting, typosquatting or phishing. Sometimes a domain is lost through the owner's own inattention, and sometimes as a result of armed robbery.

Domainer or cybersquatter?

Domainers are people who buy, sell, park and collect Internet domains. They are often, and wrongly, confused with cybersquatters, whose business consists in deliberately registering a company's name under extensions that the company does not use, in order to resell them at suitably inflated prices.

Cybersquatters act in bad faith, trading on the reputation of the company that uses a given name or trademark. So what should you do if you fall victim to them? It all depends on your priorities. If the domain extension is not very popular (e.g. “.net.pl” or “.co”), it may be worth accepting the loss. The second option is to negotiate with the cybersquatter and buy the domain back. The third is to take the dispute to court: if it is proved that the person who seized the domain infringed a protected trademark or the claimant's personal rights, acted in bad faith or committed an act of unfair competition, the registration may be revoked.

How to avoid cybersquatting? It is best to take preventive measures and buy the most popular extensions for a given domain: not only “.se”, but also “.com.se”, “.com” and “.eu”.


Typosquatting, i.e. a deliberate typo

In this case, the scam consists in registering a domain whose name is very similar or almost identical to that of a given company or brand.

Why do cybercriminals use typosquatting? Because a domain with a similar-sounding name lets them intercept Internet traffic and redirect it to pages full of advertisements or to their own portals, increasing the number of visits and earning money from them. Fortunately, the courts are placing more and more emphasis on the protection of intellectual property on the Internet, treating typosquatting as the use of someone else's brand and reputation for one's own gain.

How to avoid typosquatting? Register all alternative names containing likely typos. The allegro.pl auction site has secured itself well in this respect. After the misspelled address anazon.co.uk is entered in the search engine, the user is correctly redirected to amazon.co.uk.
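Enumerating the typo variants of your own domain is the first step in either registering them or watching for their registration by someone else. The following generator is an added example written for this article, not code from it or from any of the companies mentioned; the QWERTY adjacency map is a constructed assumption and the domains fed to it are placeholders. It produces the common single-keystroke errors (omitted, transposed, doubled, adjacent-key and inserted characters) for the first label and keeps the rest of the name intact, so multi-level suffixes such as co.uk survive.

```python
"""Generate single-keystroke typo variants of a brand domain so they can be
registered defensively or added to a monitoring list.
Added example, not from the original article; the keyboard map below is a
constructed QWERTY adjacency table and the domains are placeholders."""

# Constructed adjacency table: which keys sit next to each letter on a QWERTY layout.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}


def split_domain(domain):
    """Split 'amazon.co.uk' into the label we mutate ('amazon') and the suffix ('co.uk')."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def omissions(label):
    """One character dropped: 'amazn'."""
    for i in range(len(label)):
        yield label[:i] + label[i + 1:]


def transpositions(label):
    """Two adjacent characters swapped: 'maazon'."""
    for i in range(len(label) - 1):
        yield label[:i] + label[i + 1] + label[i] + label[i + 2:]


def replacements(label):
    """One character replaced by a neighbouring key: 'anazon'."""
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            yield label[:i] + neighbour + label[i + 1:]


def repetitions(label):
    """One character doubled: 'amazonn'."""
    for i, ch in enumerate(label):
        yield label[:i] + ch + label[i:]


def insertions(label):
    """A neighbouring key inserted after a character: 'amnazon'."""
    for i in range(1, len(label) + 1):
        for neighbour in QWERTY_NEIGHBOURS.get(label[i - 1], ""):
            yield label[:i] + neighbour + label[i:]


def typo_variants(domain):
    """Return the sorted, de-duplicated list of typo domains for `domain`."""
    label, suffix = split_domain(domain)
    variants = set()
    for generator in (omissions, transpositions, replacements, repetitions, insertions):
        for candidate in generator(label):
            if candidate and candidate != label:
                variants.add(f"{candidate}.{suffix}")
    return sorted(variants)


if __name__ == "__main__":
    # Placeholder domain; substitute your own brand name.
    for variant in typo_variants("amazon.co.uk"):
        print(variant)
```

The output list is what you would hand to a registrar for defensive registration, or diff daily against newly registered domains (for example from certificate-transparency logs) to spot a typosquat early.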

Remember that merely registering a domain does not make you its owner. Formally, you obtain the right to use it for a limited time. If the domain is not renewed on time, it is therefore released to the domain exchange, where anyone can obtain it on a “first come, first served” basis.

One example is Microsoft's failure to renew hotmail.co.uk in 2003. At that time, Hotmail was one of the most popular free email services in the UK, with probably hundreds of thousands of accounts using “@hotmail.co.uk” addresses.

On April 13, 2013, Regions Bank customers in 16 states found their bank’s website offline because the financial institution forgot to renew their domain name.

In September 2015, former Googler Sanmay Ved was checking out Google Domains when he saw that google.com was for sale. Incredulous, Ved tossed one of the most valuable domain names in the world into his cart to see if he really could buy it.

So how do you avoid such a situation? It's easy: set a reminder to renew your domain.


Domain shadowing

Domain shadowing involves gaining control of a registered domain by obtaining its administrative credentials and then creating DNS records for new subdomains. By creating very large numbers of subdomains, the attacker builds up the longest possible list of usable hostnames. This technique has proven very effective at bypassing typical blocking measures, such as blacklisting or monitoring of websites and IP addresses.

Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of ‘domain shadowing’ might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022.

Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.

These subdomains are then used to serve malicious pages from the cybercriminals' servers, while the domain owner's web pages and existing DNS records remain unchanged, so the owners do not realize they have been breached.

In the meantime, the threat actors are free to host C2 (command and control) addresses, phishing sites, and malware-dropping points, abusing the good reputation of the hijacked domain to bypass security checks.

The attackers can theoretically change the DNS records to target users and owners of the compromised domains, but they typically prefer to take the stealthy path described above.
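Because shadowing leaves the owner's existing records untouched, the practical defence is to keep a signed-off copy of your zone and diff the live zone against it on a schedule: any record that appears without a change ticket is suspect, and one that points outside your own infrastructure even more so. The checker below is an added example written for this article, not Unit 42's tooling or code from the page; the zone format it parses, the hostnames and the IP addresses are all constructed sample data.

```python
"""Detect domain shadowing by diffing the live DNS zone against a signed-off
baseline. Added example (not from the article or from Palo Alto Networks);
the zone snippets, hostnames and IP addresses below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name, without trailing dot
    rtype: str   # A, AAAA, CNAME, MX, ...
    value: str   # RDATA as text


def parse_zone(text: str, origin: str) -> set:
    """Parse a minimal 'name type rdata' zone export (constructed format).
    '@' means the origin; relative names are qualified with the origin."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.add(Record(name.rstrip("."), rtype.upper(), value.strip()))
    return records


def find_shadow_records(baseline: set, live: set, trusted_targets: set) -> list:
    """Return (record, points_outside) for every record in the live zone that
    is absent from the baseline. Shadowing keeps the owner's records intact,
    so a plain set difference surfaces the injected subdomains; a target
    outside the owner's known infrastructure is the stronger signal."""
    findings = []
    for rec in sorted(live - baseline, key=lambda r: (r.name, r.rtype)):
        target = rec.value.rstrip(".")
        outside = rec.rtype in {"A", "AAAA", "CNAME"} and target not in trusted_targets
        findings.append((rec, outside))
    return findings


def baseline_intact(baseline: set, live: set) -> bool:
    """True when none of the signed-off records were removed or altered,
    which is exactly the stealthy pattern described above."""
    return baseline <= live


# Constructed sample data: the signed-off zone and a later live export.
ORIGIN = "example.com"
TRUSTED = {"198.51.100.10", "198.51.100.20", "mail.example.com"}
BASELINE_ZONE = """
@      A      198.51.100.10
www    A      198.51.100.10
mail   A      198.51.100.20
@      MX     10 mail.example.com.
"""
LIVE_ZONE = BASELINE_ZONE + """
login-secure   A      203.0.113.77          ; not in baseline
cdn-assets     CNAME  evil-cdn.example.net. ; not in baseline
"""


def run_check():
    """Parse both snapshots and return (baseline_intact, findings)."""
    baseline = parse_zone(BASELINE_ZONE, ORIGIN)
    live = parse_zone(LIVE_ZONE, ORIGIN)
    return baseline_intact(baseline, live), find_shadow_records(baseline, live, TRUSTED)


if __name__ == "__main__":
    intact, findings = run_check()
    print("baseline records intact:", intact)
    for rec, outside in findings:
        flag = "  [points outside trusted infrastructure]" if outside else ""
        print(f"NEW {rec.rtype:5} {rec.name} -> {rec.value}{flag}")
```

In production the live export would come from the registrar's or DNS provider's API (or a zone transfer you are authorised to run), and the baseline would be updated only through the same change process that creates legitimate records; the diff then stays empty unless someone with stolen credentials has added hostnames.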

In conclusion, how to secure a domain?

  • Register the domain under all popular extensions
  • Register alternative domain names with likely typos
  • Be careful with e-mails carrying attachments, especially invoices to be paid
  • Remember to renew your domains regularly
  • Do not give in to domain fraudsters; report the problem to the appropriate court

Finally, a rather unusual example from real life. A few weeks ago, 43-year-old Sherman Hopkins from Iowa in the United States attempted to take over a domain by threatening its owner with… a firearm. Both men were injured in the ensuing shooting. Unfortunately, the address of the domain could not be established.

“The domain market is developing dynamically, and with it the inventiveness of cybercriminals who are looking for ways to earn money easily and quickly. Currently, the most popular practices of domain hackers are cybersquatting, typosquatting and phishing, although a domain can also be lost as a result of one’s own negligence. It is worth protecting yourself against all these situations in order to avoid painful financial and reputational consequences” – sums up Jakub Dwernicki, president of Hekko.pl.