Security Risks From Expiring Domain Names

December 20, 2021

Return to Learning Center

Don't forget your expiring domain names.

No matter their size, businesses ranging from large corporations to small local stores are facing unprecedented information security challenges with regards to securing their users' private data. There are sophisticated malware botnets, a large number of hacks, data breaches that are exposing customer data, highly sophistated phishing attacks, and numerous ways that scammers are taking advantage of clever tricks and social engineering to violate their targets. One underrated attack vector stems from businesses neglecting their expiring domain names.

Managing domain names in a business can be tricky: particularly if you're not a technology company with dedicated processes in place to secure your digital assets. You might only ever do that once a year or less frequently, so it's easy to get forgotten or tangled up in the paperwork of a bureaucracy. The reason that this is so tough is that in many organizations, the domain names might be procured by a marketing department trying to come up with brandable domain names and they don't have sophisticated processes in place to keep track of their digital assets. Or it might be one employee's job to track this, but if they ever move on to a new job, the replacement might not have been trained how to go about monitoring this infrequent, yet incredibly important task. Or even something as simple as a credit card on file with a registrar expiring might trigger some error. Even technology companies as sophisticated as Google have accidentally let key domain names expire: such as when web designer Nicolas Kurona managed to buy Google's Argentina domain name legally for a few dollars when they seemingly forgot about it. Though there's usually a grace period or redemption with domain name registrars when the expiration date is reached, it might be possible to lose your domain name from a bad actor who acquires it before you renew it.

How are expired domain names used? In some cases, the damage is limited to benefiting from that prior business' search engine optimization (SEO) activity. If they have links from other credible blogs and news sites to that domain, they could rake in money from your potential customers. Of course, the damage can be far more significant as a bad actor can use your hijacked domain name to perform industrial espionage or blackmail by setting up a catch-all email server, reset and hijack your social media accounts, credibly engage in phishing attacks from a formerly valid domain, and perform ransomware and other supply chain attacks. This can all ruin your business reputation from an increasingly security conscious public so putting in place a plan of action to monitor and purchase your domains, if you don't have one, is critical to your organizational security. Make creating a plan to deal with this part of your 2022 New Years Resolution.

If you're not a business owner and don't maintain any personal Internet domain, do you still have to worry about domain-hijacking in this fashion? Well, it's not the biggest responsibility you have in managing your personal life: your main focus should still be your own and your family's online footprint and preventing your personal information from being exposed. But you should always be aware of how clever phishing attacks can be. Even a domain name that is seemingly 100% accurate and verified can still be used to perform an attack if the domain name has been hijacked by a bad actor. This isn't to dissuade you from ever using email again, but when dealing with the most important aspects of your life, it pays to be very cautious and verify exactly which company you're interacting with. The pain of dealing with identity theft afterwards makes prevention the best strategy you can take.

We hope you enjoyed reading this guide and learned something new! Check out our Learning Center to learn more about online privacy and security or consider subscribing to our Online Privacy Service to remove your phone number, name, and address from Google, Bing, Yahoo, and DuckDuckGo search results and hundreds of data broker sites.