By Tom Wells
What is registrar hopping?
Registrar hopping is the strategic transfer of domain name registrations between registrars at low or no cost. Registrants utilize the technique to limit domain name expenses or avoid repercussions for malicious activities like trademark infringement or malware. The exploitation of these registrar transfers allows bad actors to remain hidden after a domain name is reported for abuse. While the original registrar would have the opportunity to pull information about the malicious registrant and work to prevent that individual from continuing to register and operate harmful sites, it no longer possesses that authority when the domain name is transferred to a new registrar.
How are the registrars identified?
Generally, registrars offer low or no-cost registration and transfer fees to entice new users. Pricing aggregators, such as domcomp or TLD-List, have filters and sorting tools that are useful for fast identification of ideal registrars for cheap registrations and/or transfers. The prices on these aggregator sites are updated on a semi-hourly basis to provide a comprehensive and accurate portfolio of options.
How do bad actors avoid paying fees?
Bad actors require a large volume of malicious domain name registrations to make the practice profitable. So, they take advantage of promotional rates or low-cost registrars to register large volumes of domain names. For example, a registration under .COM can be obtained at a promotional price of $0.99, compared to a standard fee of $8.39. Other TLDs, like .TK, .ML, .GA, .CF, and .GQ, allow free domain registrations. When paired with free domain hosting or advertising, a nefarious website generates risk to brand owners at little or no cost to the registrant. Should a domain name be reported for malware, the problematic registrant will utilize the registrar hopping technique to avoid repercussions and perpetuate the threat.
How do you detect registrar hopping?
Registrar hopping is difficult to detect immediately, or by viewing a snapshot of domain registrations at one specific time. The preferred method is regular monitoring of domain name registrations to identify distinct trends. Domains which repeatedly show up in brand monitor reports should be checked for registrar changes within the WHOIS information. Additionally, domains that appear to be registered and lapsed repeatedly may be part of a registrar hopping or similar scheme. Once a malicious scheme is detected, close attention should be paid to all registrations using similar strings and/or registrant details.
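The monitoring approach described above can be sketched in code. This is an added example, not part of the original article: it walks dated registration snapshots per domain and flags those with repeated registrar changes or repeated lapse and re-registration cycles. The observation records, the `.example` domains, the registrar names and the thresholds of two are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed monitoring snapshots: (domain, date observed, registrar).
# A registrar of None means the domain was unregistered (lapsed) on that date.
OBSERVATIONS = [
    ("brand-login.example", date(2024, 3, 15), "Registrar C"),
    ("brand-login.example", date(2024, 1, 5), "Registrar A"),
    ("brand-login.example", date(2024, 2, 10), "Registrar B"),
    ("brand-support.example", date(2024, 1, 5), "Registrar A"),
    ("brand-support.example", date(2024, 4, 1), None),
    ("brand-support.example", date(2024, 4, 20), "Registrar A"),
    ("brand-support.example", date(2024, 7, 1), None),
    ("brand-support.example", date(2024, 7, 15), "Registrar B"),
    ("brand-shop.example", date(2024, 1, 5), "Registrar A"),
    ("brand-shop.example", date(2024, 6, 1), "Registrar A"),
]

def registrar_history(observations):
    """Return {domain: [registrar, ...]} with snapshots in date order."""
    history = defaultdict(list)
    for domain, _seen, registrar in sorted(observations, key=lambda o: (o[0], o[1])):
        history[domain].append(registrar)
    return history

def score(registrars):
    """Count direct registrar changes and re-registrations after a lapse."""
    transfers = reregistrations = 0
    seen_registered, prev = False, None
    for current in registrars:
        if current and prev and current != prev:
            transfers += 1            # registered at X, next seen at Y
        elif current and prev is None and seen_registered:
            reregistrations += 1      # came back after having lapsed
        seen_registered = seen_registered or current is not None
        prev = current
    return transfers, reregistrations

def flag(observations, min_transfers=2, min_reregistrations=2):
    """Flag domains whose history crosses either (assumed) threshold."""
    flagged = {}
    for domain, registrars in registrar_history(observations).items():
        transfers, rereg = score(registrars)
        if transfers >= min_transfers or rereg >= min_reregistrations:
            flagged[domain] = {
                "transfers": transfers,
                "reregistrations": rereg,
                "registrars": sorted({r for r in registrars if r}),
            }
    return flagged

if __name__ == "__main__":
    for domain, detail in flag(OBSERVATIONS).items():
        print(domain, detail)
```

A single snapshot of any of these domains would look unremarkable; only the ordered history separates the two flagged domains from the stable one.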
How can brand owners mitigate the risks?
The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that develops regulatory policies for the internet’s domain name system, has created the Transfer Dispute Resolution Policy to prevent rapid transfers of domain name registrations and deter domain name hijacking. Despite this, most registries allow registrants to opt out of this protection, along with other registrar-implemented protections (e.g., domain name locks, access codes, etc.). However, these protections are only effective for protecting domain names that are rightfully owned.
When a problematic third-party registered domain name is identified, it is important to act quickly. Brand owners should capture any available evidence of infringement or malpractice (e.g., registration data, MX records, screenshots of infringing content on associated websites, etc.) to aid legal recourse. Depending on the situation, one or more of the below legal mechanisms are available to mitigate the risk:
- Cease & Desist Letters – served to the registrant when contact information is available to demand the infringing activity cease
- DMCA Takedown – served to the registrar, hosting provider, or other service provider demanding the service to the domain name be halted
- UDRP – filed against the registrant demanding the return of the branded domain name
- Court Proceedings – filed in the appropriate jurisdiction (e.g., host country of problematic registrant) to legally demand the nefarious activities cease
In the event that a problematic domain name becomes available, brand owners may elect to defensively register the domain name to eliminate the possibility of further misuse. Given the volume of possible targets, it is advised that brand owners strategically focus their efforts on high-risk domain names that are more susceptible to user access.
Finally, brand owners should proactively educate their employees, partners, and customer base on how to identify nefarious schemes perpetuated through domain names. The best offense is a strong defense.