Don’t abandon your internet domain name to cybercriminals

Australian Cyber Security Centre

It can also cause lasting reputational damage to individuals and businesses, leaving your online presence vulnerable. Losing control of your website and email service is devastating, even if your company has merged or shut down.

A domain name is the bedrock of every business and email is an essential service. The time and money spent renewing your domain name is minimal, typically about $15 a year to renew. However, if your business fails to do this, your domain name can easily end up on a ‘dropped domains’ website, for others to register and sell. Around a thousand Australian domain names currently fail to be renewed each day.

Abandoning your domain name either accidently or deliberately means you not only lose your website, but potentially also any emails subsequently sent to the same domain name.

Pandora’s box

The flow-on effect can allow cybercriminals to gain access to, or reset passwords for, online services and profession-specific portals where email is required for signing up, according to independent cyber security researcher Gabor Szathmari. The risk is even greater where these sites, or the accounts you’ve established, only require a single factor of authentication to reset passwords (e.g. receipt of an email to regain access where a password is forgotten).

Whoever has control over the domain name and is able to set up a basic email service can capture your password reset emails. By taking full control over previously abandoned domain names formerly belonging to legal practices, Szathmari’s research demonstrated how cybercriminals could access:

  • confidential documents of the former clients
  • confidential documents of the former practice
  • confidential email correspondence
  • personal information of former clients.

Further, it was possible to:

  • impersonate legal practitioners to defraud former clients and fellow practitioners
  • regain access to the former legal practices’ Office 365 and G Suite account, potentially gaining access to any email and documents not deleted on the platforms
  • hijack personal user accounts, such as LinkedIn and Facebook, of the legal professionals practising in their new jobs.

Protect yourself and your clients

To prevent this from happening to your business, the ACSC recommends you:

  • keep renewing your business’s domain name indefinitely. You can search the details of your domain on the .au Domain Administration Ltd (auDA) website at https://whois.auda.org.au/. Type in your domain name (minus the ‘www’) in the ‘Lookup address’ box, and the CAPTCHA word in the ‘Control text’ text box. The ‘Registrar Name’ shown is the organisation that your domain is registered with. That’s who you should contact to determine when your domain name is due to expire and requires renewing.
  • Implement the ACSC’s other Quick Wins for Your Website, including securing your website with strong passphrases and enabling multi-factor authentication (MFA) – as well as online services where MFA is supported. If you have closed your business, make sure you:
    • close user accounts that were registered with the business email address (e.g. Dropbox, Commonwealth Courts Portal, PayPal)
    • change or remove the business email address from online user accounts (e.g. LinkedIn, Facebook)
    • unsubscribe from email notifications that usually features sensitive data (text-to-email services, mobile phone billing notifications)
    • advise your clients to update their address book.

Essential mitigation strategies can be found in our Essential Eight.

/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.