Domain registration hijacking

Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. [1]

ID: T1326
Tactic: Establish & Maintain Infrastructure
Version: 1.0

Procedure Examples

Name: APT1
Description: APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes. [2]

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Generally not easily detectable unless the domain registrar provides alerting on any updates to the registration record.
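Where the registrar offers no alerting, the registrant can approximate it by polling the public registration record and comparing it against a stored baseline. The script below is an added example and not part of this page or of ATT&CK: it compares two snapshots shaped like RDAP domain objects (the JSON format registries and registrars publish under RFC 9083) and reports changes to nameservers, registrar, registrant contact, expiry date, and the removal of the registrar-side lock statuses (RFC 8056 names such as "client transfer prohibited"). Both snapshots, the domain, the registrar handle and the contact addresses are constructed sample data; in a real deployment the baseline is the stored copy and the current record comes from a scheduled RDAP lookup.

```python
"""Alert on changes to a domain's registration record (added example, not
ATT&CK content). Compares a stored baseline snapshot of an RDAP domain object
against the current one and lists the changes a registrant would want to
know about. All sample data below is constructed."""
from __future__ import annotations

import json

# RDAP status values (RFC 8056) that correspond to the registrar-side locks.
LOCK_STATUSES = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Constructed baseline: the record as it looked when the owner last verified it.
BASELINE_JSON = """{
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client update prohibited"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET."}, {"ldhName": "ns2.example-dns.net"}],
  "events": [{"eventAction": "expiration", "eventDate": "2026-01-15T00:00:00Z"}],
  "entities": [
    {"handle": "REG-0001", "roles": ["registrar"]},
    {"roles": ["registrant"], "vcardArray": ["vcard",
      [["version", {}, "text", "4.0"], ["email", {}, "text", "hostmaster@example.com"]]]}
  ]
}"""

# Constructed current record with the kind of edits an unauthorized change leaves:
# one nameserver replaced, registrant contact changed, update lock removed.
CURRENT_JSON = """{
  "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "nameservers": [{"ldhName": "ns1.example-dns.net"}, {"ldhName": "ns1.other-host.example"}],
  "events": [{"eventAction": "expiration", "eventDate": "2026-01-15T00:00:00Z"}],
  "entities": [
    {"handle": "REG-0001", "roles": ["registrar"]},
    {"roles": ["registrant"], "vcardArray": ["vcard",
      [["version", {}, "text", "4.0"], ["email", {}, "text", "someone@mail.example"]]]}
  ]
}"""


def load(text: str) -> dict:
    """Parse one RDAP JSON document (kept separate so callers need not import json)."""
    return json.loads(text)


def nameservers(record: dict) -> set[str]:
    """Nameserver hostnames, lower-cased and without the trailing dot."""
    return {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}


def registrar(record: dict) -> str | None:
    """Handle of the entity carrying the 'registrar' role, if any."""
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            return ent.get("handle")
    return None


def registrant_email(record: dict) -> str | None:
    """Email from the registrant's jCard, if present (None when redacted)."""
    for ent in record.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    return prop[3]
    return None


def event_date(record: dict, action: str) -> str | None:
    """Date of the named RDAP event (e.g. 'expiration'), if present."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return ev.get("eventDate")
    return None


def diff_records(baseline: dict, current: dict) -> list[str]:
    """Return one human-readable finding for every watched field that changed."""
    findings: list[str] = []
    old_ns, new_ns = nameservers(baseline), nameservers(current)
    if old_ns != new_ns:
        findings.append(f"nameservers changed: {sorted(old_ns)} -> {sorted(new_ns)}")
    if registrar(baseline) != registrar(current):
        findings.append(f"registrar changed: {registrar(baseline)} -> {registrar(current)}")
    if registrant_email(baseline) != registrant_email(current):
        findings.append(f"registrant contact changed: {registrant_email(baseline)} -> {registrant_email(current)}")
    if event_date(baseline, "expiration") != event_date(current, "expiration"):
        findings.append(f"expiry changed: {event_date(baseline, 'expiration')} -> {event_date(current, 'expiration')}")
    # A lock that was present before and is gone now is worth an alert on its own.
    removed = (set(baseline.get("status", [])) & LOCK_STATUSES) - set(current.get("status", []))
    findings.extend(f"lock removed: {status}" for status in sorted(removed))
    return findings


def missing_locks(record: dict) -> set[str]:
    """Hardening check: locks the record should carry but does not."""
    return LOCK_STATUSES - set(record.get("status", []))


def check(baseline_json: str = BASELINE_JSON, current_json: str = CURRENT_JSON) -> list[str]:
    """Compare two JSON snapshots and return the findings."""
    return diff_records(load(baseline_json), load(current_json))


if __name__ == "__main__":
    for line in check():
        print("ALERT:", line)
    for status in sorted(missing_locks(load(CURRENT_JSON))):
        print("MISSING LOCK:", status)
```

Run on a schedule against a stored baseline, this turns a silent registration change into an alert; the `missing_locks` check is the matching preventive control, since a domain that already carries transfer and update locks cannot be moved or edited until the registrant explicitly lifts them.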

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Requires the adversary to gain access to the email account of the person listed as the domain registrant contact/POC. The adversary can then claim to have forgotten their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, or taking advantage of gaps in the renewal process.

References

  1. ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions. Retrieved March 6, 2017.