What You Should Learn from the Diigo Domain Hijacking incident

2 November 2012

By

Dave Piscitello

Dave Piscitello, Sr. Security Technologist, for the ICANN Security Team

Diigo is a social annotation and bookmarking service that millions of individuals, educators, and students use daily to manage and share information, conduct research and collaborate. On October 24th, an attacker gained control of Diigo’s domain registrar account. Domain was hijacked away from Diigo’s control, into the hands of an attacker and Diigo’s services were lost to an estimated five million users for more than two days. TechCrunch has published a detailed account of the incident which should serve as a sobering reminder for everyone who registers a domain: your domain name is a critical component of your online presence and you must take measures to monitor and safeguard against attacks that can disrupt the services you offer, impede research, cause you material loss or reputational harm.

Domain hijacking is not new. ICANN’s Security, Stability and Advisory Committee (SSAC) began raising awareness of the threat in 2006 in its first Domain Hijacking Report. Since 2006, SSAC and members of ICANN’s Security Team have recommended measures registrants can take to protect their domain name registration accounts and ways that registrars can assist them (SAC040, SAC044).

The Diigo incident is a case involving user account compromise, extortion, and unauthorized transfer of domain. Among other measures recommended, these reports emphasize the importance of protecting accounts with credentials (usernames and passwords) that are not easily guessed or obtained through social engineering. Remember: any party who has access to your credentials – you, staff you contract with to host your web site, or registrar staff – can be a target and victim of a social engineering attack.

The reports also explain the importance of using “locks” to prevent unauthorized transfers. Another SSAC reports explain how a domain name can be hijacked by a phishing attack: here, a registrar-impersonating phisher lures a registrar’s customer to a bogus copy of the registrar’s customer login page, where the customer may unwittingly disclose account credentials to the attacker who can then modify or assume ownership of the customer’s domain names.

Our “short list” of measures all registrants should take to protect against domain hijacking or other domain name attacks includes:

Protect domain name account credentials. Most registrar account portals are password protected, so create strong passwords, and safeguard them. You may also want to shop for a registrar that offers multi-factor authentication (e.g., token).
Use SSL (HTTPS) when you access your domain name registration account.
Use ICANN accredited registrars. Ask about the reputation and service record of registrars. If you’re not entirely comfortable with a registrar, you can and should consider transferring your domain to a party you trust.
Ask your registrar to apply registrar locks on your domain names. Locks (formally, status codes) prevent changes to your domain name registrations, and block attempts to transfer or delete your domain names (see SAC044, pp 22-23). A number of TLD registry operators offer registry lock to prevent unintended changes to registry accounts. This service is offered in addition to lock services offered by registrars, and often includes manual support (1, 2).
Pay attention to “routine” registrar correspondence, as these may be phishing emails. In these email messages, phishers often use HTML to embed malicious links in seemingly innocuous or “safe” links. Don’t click on a hyperlink; instead, type the link in manually.
Monitor your domain’s WHOIS and DNS information. Check both routinely so you can detect any unauthorized or suspicious changes (see SAC044, pp 20-22).
Keep your domain name registrant account information private, secure, and recoverable.