A number of weeks ago, a customer of ours reached out to us upset – she discovered an imposter website posing as her former business that was created by scammers on her old domain. After two years of responsibly forwarding her old domain name to her rebranded business website, she decided not to renew it. They were fraudulently using her identity, images, original content, logo and more. When the company hosting the website wouldn’t take action, she had to get the RCMP involved, and eventually the account got suspended
Sounds like a nightmare, doesn’t it? It was, but sadly, her story is becoming increasingly common. Expired domain names that have a legacy of use and traffic are hot commodities for cyber-criminals who use them to steal personal data and defraud online shoppers, with potentially devastating impact on your brand, business and reputation. Follow along to learn about how this happens and what you can do to prevent being victimized.
What Happens to Domains After they Expire?
Every domain name has an “expiry” date that you can see on its WHOIS record, but that date is different from the actual date when it’s officially deleted by the registry, making it available for registration by others. When a domain expires, it first enters something called the Renewal Grace Period. Registrars may do things a little differently during the Grace Period, but generally speaking, the domain will typically be pointed to a parking page and can still be renewed from within your account. At Webnames our Grace Period is 30-days, but some registrars provide just two weeks or even less. The Grace Period ends with the registrar sending a delete request to the registry.
After the Grace Period comes the Redemption Period. The Redemption Period is controlled by the TLD’s respective registry – for example, CIRA for .CA or Verisign for .COM.
During this period, only the former registrant can still recover the domain name and the process must be initiated through the previous registrar. Because of the work involved, registrars charge a fee that ranges between $75 (Webnames) up to $200, not including the domain renewal cost.
Finally, 60-days post expiry (and if the domain was not renewed or redeemed in that period), the domain name enters a Pending Delete period that lasts for 5-days. Once the registry deletes the domain, it becomes available for registration on a first-come-first-served basis to anyone — but before this happens, that domain gets published to what’s known as domain drop lists which are scoured by domain investors, search marketers and, yes, cybercriminals who are looking for quality domains they can legitimately and illegitimately profit from.
Not all users of domain drop-catching services are ill-intentioned. Mosy are are simply prospectors looking for a high-quality, brandable domain that was not actively used, while others may be opportunistic marketers looking to take advantage of any users that may type in the domain name directly. Prospective registrants of expiring domains will research and place bids often using multiple backorder services to try to win the domain names that meet their specific criteria – including maybe your old domain.
What Makes an Expired Domain Attractive to Cyber Criminals
Our customer did the right thing. She renewed her old domain for 2-years after rebranding her business and transitioning to a new web address. I mean, how long do you continue to pay to forward your old mail after you move? Unfortunately, as with most things when it comes to the Internet, sensible real-world analogies don’t readily apply.
During its lifetime, a domain name accumulates a history that can make it valuable to different people with different motivations. A domain investor, for example, might flip a domain for profit by selling it to another party; whereas an SEO specialist might use it to drive traffic to a different website or to build a brand new website. The cyber criminal, on the other hand, can view the same attributes as a solid foundation for creating a phishing or ecommerce fraud website. There are a lot of blogs that explain in-depth how to discover and evaluate the quality of expiring domains, but that’s not the goal of this article. It is important however that domain owners understand what qualities make their old domains attractive for reuse, for example:
- Contains keywords that have good search volume
- Authority built up from years of prior use, most notably pre-existing backlinks pointing to the domain, but also things like quality content and preexisting traffic
- Prior history of email accounts used with the domain
- Associated with an established or reputable brand or business of any size
- Not blocked by Google or other search engines
If your domain names meet any of these criteria, you’ll really want to think carefully before letting them expire.
How Scammers Commit Fraud with Lapsed Domain Names
Ecommerce and Phishing Websites
There is no shortage of ways to nefariously use an expired domain name. The case of our customer is not unique. A small reputable business with established traffic and a domain that was used for 10+ years made her old business a perfect target for use in fraudulent activity. Countless businesses have their content assumed in this way, most likely harvested from Archive.org or a similar web archive website, with fake online web stores set-up on the expired domain that offer deeply discounted, frequently unrelated products all in a ruse to capture credit card information from naive bargain hunters to sell on the dark web.
Data Harvesting and Account Takeovers
Another huge threat that comes with domain expiry is the risk of having your email assumed. Email is the crown jewel and the entry point to not only a treasure trove of confidential information but also control over online services from social media platforms to online shopping sites and banking. Criminals can pretty quickly set-up catch-all email forwarding to harvest incoming emails to your expired domain, as well as initiate password resets to any services that utilize email at that domain. It doesn’t take much searching to find countless stories of business owners losing access to social media accounts in this way.
Malvertising and Malware
Malvertising is another peril associated with expired domains, even ones considered “low quality”. Expired domains are sometimes registered en masse, then set up with parked pages to generate low-quality traffic to malicious sites, or worse, to spread malware. While this does not really affect you directly, the former domain owner, it adds insult to injury if you inadvertently lost your domain only to find it being used in this way, with visitors seeking out your website being sent to properties with malicious intent.
What Should You Do with Domains You No Longer Want to Use?
Letting a domain name that’s seen active use expire, especially one that is tied to your brand or business, can be a risky proposition because you never know who might wind up registering it and what it will be used for. If the domain name you are considering letting lapse exhibits any of the attributes listed above, you should simply renew it. You might think that’s self-serving coming from a registrar, but it’s also the recommendation of leading web security experts. Keeping old domain names under your ownership, even if you no longer intend to use them, constitutes an inexpensive and highly effective cybersecurity insurance policy that also safeguards your reputation.
While you’re at it, you’ll also want to change your email address or delete inactive accounts for any service that uses an email associated with an old domain, and when you’re done, permanently close down those email accounts. As you update your credentials across various services, be sure to set up Two-Factor Authentication everywhere you can, including any email accounts. 2FA is inordinately more effective than any password a person can conjure up, blocking 99.9% of automated attacks and curtailing the risk that someone might change your password on an email account or other service.
Take Steps to Prevent Domain Lapses
Sometimes domains expire accidentally. Renewal notifications might go to unmonitored or inactive accounts and get missed, or maybe a credit card expires causing an auto-renewal failure. Whatever the reason, it happens, and valuable – even business critical – domains end up getting snapped up by another party.
Three Tips to Prevent Inadvertent Domain Expiry:
Renew for a Longer Term This most effective action to prevent domain expiry is to max out your renewal term for your domains. If you can afford to, renew your domain for 5, or 10 years right off the bat.
Ensure Email, Contact and Credit Card Info is Up-To-Date – The email address and contact information associated with your domain need to be current at all times so that you never miss a renewal, or other important registrar communication. In addition to three email renewal notifications, Webnames also attempts to contact registrants by phone 24-hours ahead of their domain expiry in the event the emails were missed.
Enable Auto-Renew – The next best thing to maxing out your renewal term is to set-up auto-renewals – this is a feature all registrars should have. To ensure continuity of service, Webnames processes all auto-renewals 30 days in advance of the domain renewal date. If it doesn’t work, we will try again 2-weeks, 1-week, 24-hours and the day off expiry. Auto-renewal can only work if your credit card info is up-to-date, so it’s good to have a personal or business policy to confirm this on critical accounts a couple times a year.
“Nobody seems to know of this danger”
That’s what our customer told us when she asked if we could do more to notify domain registrants of this risk. In her case, the new domain owners attempted to extort her and have her pay them to regain control of the domain (cheaper than legal fees, they told her). She opted instead to engage cyber fraud agencies to have it taken down. It eventually was, but it took months and months for it to happen. At her request, we’ve added some text in our final renewal notification to advise people of the risk posed by expiring domain names, that said, we hope you never see it because your domain is already renewed.
Increase your cybersecurity awareness by also reading our top-ranking post: How to Determine if a Website is a Fake, Fraud or Scam – updated for 2020