I live on an island off South Carolina situated in what is referred to as the Hurricane Belt, where many Islanders appreciate and practice hurricane preparedness. Documentation is an important aspect of being prepared. The principle is that you collect all documentation you might need in advance of a possible evacuation. My family keeps a portable file cabinet that contains our home, flood, wind and rain insurance information, photos of our possessions, automobile titles, the deed to our property, CDs burned with financial records, etc.
If we evacuate, this "evacuation kit" is the first thing that goes into our car.
I'm frequently asked what measures I'd recommend to domain name holders (in the ICANN parlance, registrants) to protect and prepare against domain name hijacking or domain registration account hacking, and I'm reminded of our evacuation kit. Here, I discuss documentation that might be useful should you or your organization experience a domain name hijacking or account attack.
First, let's consider the threat landscape. Domain hijacking or registration account attacks typically result in one of two types of consequences: (1) the attacker changes DNS configuration, so that name resolution for the domain is performed by a name server not operated by (or for) the victim, or (2) the attacker alters registration contact information and effectively takes control of any domains registered under the compromised account.
To recover from either of these events, you will need to provide documentation (evidence) to a registrar or dispute resolution service that proves an association existed between you, the complainant (the one who has legitimately registered the domain name) and the domain name or account, prior to the incident. Imagine if you were tasked with proving that Example, Inc. was the legitimate registrant of example.com Some or all of the following "paper trail" could serve as evidence to corroborate this claim:
- A domain history, i.e., copies of registration records that show Example, Inc. as the registrant of record
- Billing records demonstrating that the registrant has maintained account currency,
- System or web logs, archives illustrating that example.com has been associated with content published (and perhaps copyright or otherwise protected) by Example, Inc.
- A history of financial transactions that associate example.com with the registrant. Credit card and other customer invoices often record the merchant name, address, phone numbers and *domain names*
- Telephone directories (Yellow pages), marketing material, etc. that contain advertising that associate Example, Inc. with example.com. (Here, I'd want as many prior years' directories as I could present to illustrate that the domain name has been associated with my company.)
- Correspondence from registrars and ICANN (annual Whois reporting, renewal notices, notices of DNS change, telephone call records, etc.) sent or placed to email or postal addresses or telephone numbers of employees or legal agents of Example, Inc.>
- Legal documents, for example, a contract for the sale of a business from Acme, LTD. to Example, Inc. that contains a clause such as "as a condition of sale, Acme, LTD. agrees that the domain name example.com shall be transferred to Example, Inc.".
- Tax filings, business tax notices, etc. that associate the example.com with Example, Inc.
This list is representative of the type of information that might be useful. I'm neither an attorney nor a dispute resolution arbitrator, and I am not suggesting that all of these documents would meet legal criteria as evidence. Some or perhaps all of these documents might require corroboration from other parties (i.e., credit card companies, tax collectors/IRS,...) or a notary stamp or equivalent. I do suspect that presenting this kind of documentation to a registrar may be sufficient to justify an immediate return of a domain and restoration of correct DNS configuration data in many cases. I also suspect that, just as many of my fellow islanders aren't prepared to recover from losses resulting from a hurricane, many domain name holders won't be prepared if they are targeted for a domain hijacking. Consider my list and prepare an emergency domain recovery kit.