Site Hijacking: The Ultimate Content Theft

Lock ImageOn this site, we’ve talked a great deal about ways that spammers, scrapers and others can (and do) steal content. There are human plagiarists that are quick to copy content from one site and put it on another, there are RSS scrapers that lift the entire content of many blogs and other sites through the RSS feeds, and there are even whole-site scrapers that simply clone an entire site, including the template and all of the content on it.

However, all of these these types of content theft have had one thing in common: They involve the copying of text. While these types of infringement can result in serious problems with search engines, confusion about ownership and can give competitors an unfair advantage, they leave the original content alone.

Unfortunately though, a small group of fraudsters are taking content theft to the next level. Not only are they claiming the work others to be their own, but they are doing so by hijacking the original site, taking it away from the author’s control.

These attacks are every author’s worst nightmare. Losing control and access to your own work and not being able to do anything about it is terrifying and the law isn’t always very helpful. Such frauds are often not a copyright infringement and, instead, such attacks deal more with fraud, hacking, cybsersecurity and other, related issues.

Still, every webmaster should be aware of what is going on and take the steps that can help keep them, their sites and their work safe.

A Frightening Case Study

GoDaddy LogoJoran Reid runs the fashion site Ramshackle Glam. Last week she discovered that her site was listed on the auction site Flippa and that someone was attempting to sell her site and her domain for $30,000.

Domain hijacking is a fairly common problem. It’s where an attacker gains access to a site’s domain registrar account and is able to transfer the domains away, taking ownership of them and pointing them where they please, often with the intent to ransom off the domain’s return.

However, Reid’s case went beyond that. The person auctioning off the site was promising more than just the domain, but was also promising all of the content on the site and even promised that Reid was willing to provide “high quality articles” and “SEO advice” to the winner after the sale.

Fortunately though, Reid’s case had a happy ending. Despite frustrations with both HostMonster and GoDaddy, her host and the company that the domain was transferred to, she was able to get control of her site back and without paying the $30,000 demanded.

Unfortunately though, other webmasters might not be so lucky. They might not learn that their site was taken over until it’s too late and could wake up to find themselves wondering why a stranger has control of their domain, their site and all of their content.

How it Can Happen

Reid doesn’t say how the attackers got in and it’s unclear if the attackers just had control of the domain and were lying about selling the content or if they had control of the site as well. However, given that both the domain and the hosting were through Hostmonster, it’s likely that they did have control over everything.

But regardless of her specific case, such an attack is both very possible and, in some cases, very likely.

The easiest attack vector for such a hijack is actually the site owner’s email account. Since password confirmations are usually sent via email, it’s easy to reset the passwords to any other accounts connected to it once you have access. Simply reset the password, respond to the prompt and delete the message before the legitimate owner knows. In an instant, the rightful owner is locked out of all of their own accounts.

However, such attacks are also sometimes the result of weak passwords or phishing attacks that fool users into giving up their passwords by creating convincing, but fake, login pages.

Regardless of the initial vector, to pull off a site hijack, an attacker needs one, possibly two things. First, they need access to the hosting account, where the content of the site is stored. This way, they can move and duplicate the content of the site, from one hosting provider to another as needed.

Second, they need access to the domain registrar, the company that registers the domain of the site and points it to the web host. If the site doesn’t have a domain, such as with a Tumblr, a WordPress.com blog or something similar, or if the two companies are the same, then an attacker only needs access to the host to get everything.

If a domain is involved, the attacker will usually transfer it to their own registrar quickly in a bid to get it outside of the rightful owner’s control. However, as was the case with Reid, they’ll leave it pointing to the same host so the owner will be unaware they’ve lost control over their site.

Then the attacker will either attempt to auction the site off, as with Reid’s case, or will come around to the owner and threaten to either delete the site or sell it off if a ransom isn’t paid.

Either way, the site owner and author is forced to either pay to get their site back or risk losing it completely.

Preventing Site Hijacking

Preventing your site from being hijacked is not much different from preventing any other personal information from being accessed. Whether it’s your bank account, tax records or your personal documents.

While the truth about security is that there is no such thing as a perfectly secure site, if someone wants your site bad enough and is skillful enough they will be able to get it, there are things that you can do to make sure your site is not an easy target.

  1. Choose Good Passwords: Good, strong, difficult-to-guess passwords are your first line of defense (after your username). Check your passwords to make sure they are strong.
  2. Use Two-Factor Authentication: Many sites, including Google, offer two-factor authentication on accounts, meaning that an attacker needs both your password and a second item (in most cases your cell phone) to access your account. If it is available, enable it.
  3. Use a Hidden Email: Don’t use your public email with your domain registrar, your host and other key accounts. Keep a second, private email that no one knows about for those accounts.
  4. Have a Separate Host and Registrar: Don’t register your domains with the same account that hosts your site. It’s a small layer of protection, but if one is compromised you don’t want the other to be as well.
  5. Lock Your Domains: Another small layer of protection, but you should lock your domains with your registrar if you aren’t actively transferring them. This makes them more difficult to transfer away.
  6. Backup Regularly: Keep regular offline backups of your site, including the database and all of your files. This way, if something does happen, you won’t completely lose your work.

While these steps won’t keep you completely safe, they will help protect your site from being hijacked and make you a more difficult target.

Given that most people who are looking to hijack domains are simply trying to get as many as possible, they usually start with the easiest ones to access, making a more secure domain one that’s less likely to even see a serious attempt.

Bottom Line

Webmasters and content creators online already see a wide variety of threats to their content. Between plagiarists, pirates, spammers and scrapers, there are many ways a webmaster can have their content threatened.

But the idea of site hijacking is on another level. It doesn’t just copy the content or devalue it, it destroys it. Site hijacking removes it completely from the control of the creator and effectively erases all of the work that they have put into it, often years worth.

If you’re concerned about your content being infringed, it makes sense to worry about the possibility of site hijacking and it makes even more sense to take steps to prevent it.

After all, a little bit of prevention can save you from having years worth of your work disappear overnight.

Want to Reuse or Republish this Content?

If you want to feature this article in your site, classroom or elsewhere, just let us know! We usually grant permission within 24 hours.

Click Here to Get Permission for Free