Random domain name hijacking at DigitalOcean DNS as easy as ABC

Domain name hijacking
Photo by https://unsplash.com/@darbonville

Domain name hijacking is not some new or unknown problem. Cybercriminals are always looking for a way to take over a valuable and trusted domain name. As long as a domain has  trust in Google eyes it can be used to drain traffic to black niches, phishing, social engineering, etc. As a result of such actions, the domain name quickly loses its trust. It can take several years of hard work to restore the original reputation of a domain name.

In this article, I’ll tell you how I came across the extremely obvious way of hijacking a random domain name at Digital Ocean DNS, and how to protect your domain from this kind of attack.

And as a bonus, I’ll tell you how I succeeded by chance in replicate the attack on the domain of the famous Russian rapper Oxxxymiron.

How I first faced the problem of domain hijacking

I have an active SEO project which required a domain rating increase. I found a good dropped domain with an impressive backlink profile for use as a PBN. I registered it with the name registrar nic.ru (please, never use this service). Then I pointed domain nameservers to DigitalOcean DNS.

Why did I specify nameservers immediately? Firstly, I did it because I have VPS at DigitalOcean especially for hosting PBN sites. And secondly, I didn’t want to see anymore the nic.ru annoying frontend 🤢.

I was kind of hoping to quickly restore site content from the WebArchive and wanted to push it to my VPS. But the freelancer to whom I assigned the recovery task said it would take time.

Ok. At that moment, I decided not to manage DNS records at the DigitalOcean control panel. I have decided that I will do everything when the restored archive will be ready. After that, I put the task on the calendar and continued to do my own stuff.

The problem

A day later, my freelancer wrote me that the website he was working on was already running.

Sure, I checked his words. I wrote the domain name in the address bar... and got right into the casino advertisement. 😲 Wow! WTF?!

This meant that someone sneaky quickly pointed my domain name to his server IP address in the DigitalOcean control panel. He did it because I didn’t specify my server address immediately. Of course, this is completely my mistake! But at that moment I couldn't even think about it.

Quick decision

I didn’t really want to waste time with support of the DigitalOcean. I just went to my domain registrar and changed the NS records to another hoster that I use. And I tell you! I immediately bound the address of my server 😜.

It is good that the problem was detected quickly enough and the reputation of the domain was not seriously damaged.

How did I replicate the hijacking attack on the domain of famous Russian rapper Oxxxymiron

In the fall of 2020, I read the news that a famous rapper's Oxxxymiron store in Moscow had closed. I was interested to see the traffic dynamics on this store's website before it closed. I didn't find anything interesting there and decided to look at the official website oxxxymiron.com.

And I saw this (in November 2020):

Ahrefs screenshot oxxxymiron.com
Screenshot from Ahrefs tool

Clearly, there were some problems with the site traffic and it wouldn't open. I checked the WHOIS records and they pointed to Digital Ocean. BINGO!

I just opened my control panel in Digital ocean and linked the domain to the IP address of my server:

Digital ocean control panel screenshot oxxxymiron.com
Screenshot from Digital Ocean control panel (activity history on my VPS)

Of course, I immediately contacted the owners of the site (found in the web archive) and reported the problem.

But assuming I was the black hat I could do a lot of very bad things. From simply redirecting traffic to using the famous rapper domain name to scam.

How to prevent the described way of domain name hijacking

As the Group-IB writes, the problem is much more serious on a scale. They checked 3.2M domains and found that 30K domains are vulnerable to this attack.

Roughly speaking, every hundredth domain name can easily be exploited by attackers! Any script-kiddie can write a simple python script that checks nameservers WHOIS-data and domain availability to attack.

To prevent this kind of attack, some hosters use a wide mesh of nameservers with random choice. Other hosters maintain their own customer’s domain databases. Why one of the most popular hosters DigitalOcean has not taken care of it? I don’t understand.

As for a regular user, it is enough not to make my mistake. Do not point NS-records to the hoster until you connect the domain name to IP at the hoster control panel.

And of course, If the payment deadline for a hosting account is coming and you don’t have a plan to renew it, you should completely remove the current NS-records at the domain name registrar.

Siarhei Palishchuk

Siarhei constantly looking for exploiting google with the best SEO practices. A lifelong tech geek and cryptocurrency enthusiast.