Hackers Exploit Expired Domains to Steal Vital Data
Changing a domain name is something we often have to do, especially when a business's purpose changes and it needs a new extension to reflect that. When businesses and blogs rename or merge, old domains sometimes get left behind. Security researchers say expired domains can put data at risk. In this post, we take a look at that in greater detail.
Scammers may set up fake shops on expired domains and use them to steal credit card data from unwary bargain hunters. Or they may target email accounts linked to the domain to scam clients, steal company secrets and break into employees’ shopping and travel accounts.
Prevention is as easy as renewing and protecting all your domains—but that’s not always simple, especially if you own a lot of domains. Here’s what you need to know about your risks when a domain expires and how to keep yours current.
What Happens When Domains Expire?
The first thing you need to know is that when domains expire, they’re available to anyone who wants to pay to register them. They’re also easy to find online, through sites that offer expired domain name searches and lists of recently expired domains to bid on. Some buyers buy expired domains for legitimate projects. Others are not so ethical.
Your expired domain could end up as a fake online store
Criminal gangs snap up expired domains to turn them into phishing sites. That damages the brands that lose their domains, the brands impersonated by the scammers, and shoppers who fall for the scam.
Security blogger Brian Krebs profiled a photographer whose old portfolio domain was turned into a fake athletic shoe store after her registration lapsed. Thieves used it to steal credit card data for resale on the dark web.
For the photographer, the damage went beyond the loss of her website. She had no way to access social media accounts that were linked to her domain email address, because the scammers changed her passwords. Now the domain that used to host her portfolio redirects to the official adidas website, after adidas and Reebok sued the scammers who exploited her expired domain along with hundreds of others.
There are a variety of steps that will occur during a domain name expiration:
- Domain expiration alerts: Prior to domain name registration expiration, Todhost.com will begin sending reminders to you via email. At least two alerts will be sent before expiration, and one within seven days of expiration.
- Domain name registration expires: If the domain has not been renewed by the owner prior to the expiry date, the domain’s status will be changed to what is called a Renewal Grace Period. Under this status, you can still renew the domain name without incurring additional fees for a grace period of thirty days. As early as one day after expiration, your domain name will be deactivated and replaced with a parking page indicating the domain name has expired, and other services you have associated with the domain name may no longer function.
- Renewal grace period ends: Once this period ends, the expired domain name’s status is changed to Registrar Hold. During this thirty-day period, the original domain owner may pay a redemption fee as well as the renewal fee.
- Registrar auction: While under the registrar hold status, the registrar tries to sell the domain name in an option auction to the highest bidder. If it does indeed sell, the highest bidder will then have to wait the full thirty days of the registrar hold before they own the domain name. If the original owner decides to renew during this period, the bidding fee is refunded and the original owner retains control of the domain name. If the original owner does not renew the domain name and the thirty days pass, the auction winner is transferred control of the domain name.
- Closeout sale: If the domain name is not purchased at auction or renewed by the original owner, a registrar will often list it as a closeout sale, where it can be bought for a cheaper ‘buy it now’ price, on top of the domain name registration fee. If a name is bought during a closeout sale, the registrar hold period remains applicable, which allows the original owner the opportunity to regain ownership within the thirty days.
- Redemption period: After the registrar hold ends, and if the domain name has neither been purchased nor renewed, the domain name is released back to the registry. Upon release, the domain name is put under redemption period status, meaning it cannot be changed or deleted for thirty days. During this time period, the original owner can pay the redemption fee, plus the renewal fee in order to restore the website and the email.
- End of registry grace period: If this grace period ends without the domain name being renewed, it will then be put under the status of pending delete. If no actions of restoration occur on the part of the original owner, registry or registrar, the domain will eventually be deleted. This deletion will then release that domain name back for general registration.
What about when you fail to renew your expired domain?
Domains are very important and they could be taken away if not properly protected.
A simple example will help us here:
Suppose the XYZ domain is well known, for good reason, in the world of web hosting. After it has built a strong reputation, the domain name expires and is not renewed, because the owner believes that no one else would want the unique name.
First, the domain goes through the deletion cycle. As soon as the name becomes available, someone purchases the XYZ domain again. Let us assume the new owner is ABC.
What could make it worse is that the new domain owner decides to scrape the information from Archive.org. We learned afterwards that scraping old content is a popular tactic for cybersquatters. Once they grab your domain, they then also grab your old content. Archive.org is the ideal source from which to steal your content.
The site is now owned by "ABC", and the old domain name now ranks #1 when searching Google for the personal name.
What does the original owner do? He or she may decide to buy an alternative domain, let's say xyzonline, and create a new landing page.
Your expired domain could let data thieves into your business
Last year, security researchers with Australian cybersecurity firm Iron Bastion proved that registering abandoned business and law firm domains could give criminals access to insider data.
By setting up a catch-all email forwarding service for domains they re-register, criminals can access confidential client data and emails. They can run scams using this information or sell it on the dark web. They can also take over former employees’ social media, banking, and professional accounts by changing the passwords linked to the old domain’s email addresses.
What should you do with domains you don’t use anymore?
Security experts say the best way to safeguard your old domains is to keep renewing them, even if you’re not currently using them. Then you should close the email accounts associated with those domains and unlink those email accounts from alerts sent by banks, airlines, and other services that handle sensitive (and valuable) information.
If you must let your old domains go, you’ll need to be thorough about updating any online accounts you and your employees set up using old domain email addresses. Then you’ll need to close those email accounts.
In either case, it’s wise to let your customers and vendors know about your change of email address. Give them some advance notice, ask them to whitelist your new email address, and then ask them to delete the old address when you’ve closed that account.
For any email account on any domain, it’s always a good idea to set up two-factor authentication (2FA). By requiring a code from an SMS message or an authenticator app, you reduce the risk of someone maliciously changing your password on your email account and other accounts you set up with your email address.
And speaking of passwords, don’t make it easy for hackers to guess or brute-force yours. Every email address on your domains should have a strong password that’s not used for any other accounts.
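For the account clean-up described above, this added example (not part of the original article) scans a password-manager export for logins that still use an address on a domain being retired, so those mailboxes are not closed too early. The CSV layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

def accounts_on_retired_domains(export_csv, retired_domains):
    """Map each mailbox on a retiring domain to the services still using it."""
    retired = {d.lower().strip(".") for d in retired_domains}
    linked = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["username"].strip().lower()
        local, sep, domain = login.rpartition("@")
        if not sep or not local:
            continue  # login is a plain username, not an email address
        # Match the domain itself and any subdomain (mail.oldbrand.example),
        # but not a different domain that merely ends in the same letters.
        if any(domain == d or domain.endswith("." + d) for d in retired):
            linked[login].append(row["name"])
    return dict(linked)

def mailboxes_safe_to_close(all_mailboxes, linked):
    """Mailboxes that no exported account still depends on."""
    return sorted(m.lower() for m in all_mailboxes if m.lower() not in linked)

# Constructed sample export (hypothetical column names: name, url, username).
EXPORT = """name,url,username
Bank,https://bank.example,Jane@OldBrand.example
Airline,https://air.example,jane@oldbrand.example
CRM,https://crm.example,sales@mail.oldbrand.example
Forum,https://forum.example,jane@newbrand.example
Shop,https://shop.example,bob@notoldbrand.example
Wiki,https://wiki.example,jsmith
"""

LINKED = accounts_on_retired_domains(EXPORT, ["oldbrand.example"])
```

Every service listed under a mailbox needs its login email changed before that mailbox is closed or the domain is released.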
How can you keep all your domains current and safe?
Follow these recommendations from domain security experts to keep your domains in your possession.
Give your domain registrations fewer chances to lapse. Start by registering or renewing for the longest amount of time you can, like three years instead of one. Then set your registrations to auto-renew.
Keep your registration information up to date. Update your domain registration accounts when your email address, phone number, or other contact information changes. Changed credit cards or online payment services? Make sure you change your domain payment information, or your auto-renewals will fail.
Keep your registration information private. Domain privacy protection costs a few dollars a year, and it’s worth it. If you add domain privacy when you register your domain, your registrar’s contact information is listed in the public WHOIS database instead of yours. Without domain privacy, your name, email address, and other personal data are on display. That can put you at risk for spam, scams, and harassment.
Lock your domains. Domains must be unlocked when you’re transferring them to a new host. Otherwise, lock them to keep scammers from transferring them to a different web host without your consent.
In Todhost’s Customer Portal, you can lock your domains for free.
Navigate to Domains in the left sidebar.
Under Manage Domains, you have the option to lock all your domains at once.
You can also click the More button for any of your domains to lock one at a time. Under Domain Overview, click the Change link next to Locking. That takes you to Domain Locking. Then you just move the switch to Locking ON and click Save Domain Locking.
Now your domain is protected against theft by unauthorized transfer. And with auto-renew in place and good cybersecurity practices, your domains are safe from expiration and exploitation.
Why your domain name might expire
It is all too easy to overlook the fact that a domain name registration is a temporary thing. Even though at the time, the domain name is yours, and could be for years, there is still a chance for that domain to pass out of your control. There are a variety of ways this might occur:
- Renewal reminder notices: If you have switched off renewal reminder notices, you could be setting yourself up for disaster. While auto emails and notifications can clutter your inbox, they can also be lifesaving. Even if you manually switched off renewal reminders (for whatever reason), Todhost will begin sending reminders by email to your listed email address approximately 30 days from the domain expiration date. We guarantee you will receive at least two reminders before the expiration date and one within seven days after expiration. So, pay attention to your inbox, or alter your settings to flag the words, “expiration,” or “renewal,” to ensure you don’t miss these important reminders.
- Auto-renew is not enabled: By going to your account information and switching your domain name to auto-renew, you save yourself from possibly forgetting. When auto-renew is in use, it will automatically renew your domain name prior to the expiration date, generally a day before expiration. This feature will continue to run and auto-renew unless changes are made or if there are issues with your billing information.
- Outdated billing information: When you lose a credit card, or it expires naturally, it is easy to forget all of the sites, services, and subscriptions you have tied into that specific card and had previously set to auto-bill. In such cases, the last thing on your mind will be to update the billing information on a domain you rented years ago and then set to auto-renew. If you do lose or obtain a new credit card, be sure to comb through your bills and see what will need to be updated with proper billing. With Todhost, if your auto-renew runs into an issue with billing, we will try multiple times to send alerts and reminders that the payment was unsuccessful and that the billing must be updated in order to prevent the domain name from expiring. You may need to manually renew your domain if it is less than 15 days before expiration.
- Multiple domain providers: The more you spread out your domains, the easier it is to forget about them or mix them up, especially if you have invested in a plethora of different website domain names. It is all too possible to have a domain name slip through the cracks and expire because they were scattered across registrars. At Todhost, we suggest you consolidate your domains into one service. By doing so, you have all of your domains concentrated in one place and linked to one billing account. It makes it much easier to make payments, check domain name expiration dates, or make alterations from a centralized platform.
- Contact email connected to domain: At Domain.com, we encourage you to begin using your brand new domain email address as your primary email source. This is a great thing, except when it comes to domain expirations. If you select your domain email in order to manage the domain name it is linked to, you create a dilemma in that if you forget the account’s password, you will be unable to enter the email in order to retrieve the forgotten password. Further, if the expiration date does pass, you will not be able to use that email during the renewal grace period. For this reason, you should think about adding a secondary email address to your account.
- An expired organizational email address: A problem we encounter all too often with the process behind registering a domain name is that a person will use a work or school email account that requires them to still be actively involved with those organizations in order to access the email account, such as a work, or club email. So, if a person registers a domain name with such an email then graduates school or leaves their job, they will no longer have access to the email address associated with the domain name. In many cases, it will be impossible to be re-granted access to that email due to security issues or a deletion of the account as a whole. While it may still be possible to renew your domain without logging into the account, it makes life far harder on you and increases the likelihood that you miss a domain expiration alert.
- Waited too long to renew: Even though they may have received ample renewal reminders or alerts, some people simply wait too long to renew their domain and pass the point where anything can be done to remedy the situation. On the day of expiration, be assured, you will lose the domain name ownership.
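The expiration timeline and the lapse causes listed above can be checked together against a domain inventory. This is an added example, not Todhost's own tooling: the record fields, function names and sample domains are assumptions, and the stage lengths are the thirty-day periods this page describes.

```python
from datetime import date

# Days after expiry at which each stage ends (30-day periods from this page).
STAGES = [(30, "renewal grace"), (60, "registrar hold"), (90, "redemption period")]

def lifecycle_stage(expiry, today):
    """Return (stage, days left before the name reaches pending delete)."""
    days_past = (today - expiry).days
    if days_past < 0:
        return "active", None
    for ends, name in STAGES:
        if days_past < ends:
            return name, STAGES[-1][0] - days_past
    return "pending delete or released", 0

def audit(domains, today, warn_days=30):
    """Check inventory records against the lapse causes listed above."""
    findings = []
    registrars = {d["registrar"] for d in domains}
    if len(registrars) > 1:
        findings.append(("*", f"spread across {len(registrars)} registrars"))
    for d in domains:
        name, expiry = d["name"].lower(), d["expiry"]
        stage, left = lifecycle_stage(expiry, today)
        if stage != "active":
            findings.append((name, f"{stage}, {left} days left to recover"))
        elif (expiry - today).days <= warn_days:
            findings.append((name, "expires within warning window"))
        if not d["auto_renew"]:
            findings.append((name, "auto-renew disabled"))
        elif d["card_expiry"] < expiry:
            findings.append((name, "card expires before auto-renewal"))
        # A contact mailbox on the domain itself stops working once it lapses.
        mail_domain = d["contact_email"].lower().rpartition("@")[2]
        if mail_domain == name or mail_domain.endswith("." + name):
            findings.append((name, "contact email lives on this domain"))
    return findings

# Constructed sample inventory; field names are assumptions of this example.
INVENTORY = [
    {"name": "shop.example", "registrar": "reg-a", "expiry": date(2024, 6, 20),
     "auto_renew": False, "card_expiry": date(2025, 1, 31),
     "contact_email": "admin@shop.example"},
    {"name": "old-blog.example", "registrar": "reg-b", "expiry": date(2024, 4, 17),
     "auto_renew": True, "card_expiry": date(2024, 3, 31),
     "contact_email": "owner@mail.example"},
]
FINDINGS = audit(INVENTORY, today=date(2024, 6, 1))
```

Real registrars and top-level domains may use different period lengths, so adjust `STAGES` to the terms of the registrar that holds each name.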
Keep your domain name and website up and running
Domain names play a crucial role in the virtual marketplace. Choosing a creative domain name is a time-consuming and important aspect of giving your business the tools to thrive. Such an investment is essential for success, which is why a domain name expiration can be a demoralizing and business-crippling issue that is only made worse if a competitor manages to snatch up your domain name. All the time and effort spent on building that brand and linking it to the domain name might be all for naught.
The best way to prevent this issue is to do everything in your power to prevent such a disaster from occurring in the first place. This includes regularly checking your email and spam folders for renewal notices, setting personal alerts of expiration, always ensuring that your domain’s billing info is up to date, and setting your account to auto-renew. If you take the right steps, you can save yourself a serious headache, so, do not be anything less than proactive when it comes to one of your domain names possibly expiring. With the right infrastructure in place, this should never be an issue!
Todhost.com has the tools you need to continue building your business into a success.
Ready for a new domain?
Todhost now offers domain registration with selected hosting packages and top-level domains. Sign up for 12 or more months business hosting, register a .com, .net, or .org top-level domain, and get the first year’s domain registration for free.