Have you ever wondered what happens to domain names that you let lapse after your business is bought/sold or you rebrand and change to a new domain name? This salutary tale highlights why you should never let a domain name lapse.
I admit to being one of those people who didn’t think too deeply about the implications when I let an old domain name that I had traded under for many years go.
After all, I had been trading under the new domain name for a few years, and the only emails that were going through to my old email address were spam, so no biggie if I just let it lapse. Right?
Scammers and hackers are always looking for new ways to do their thing, and re-registering lapsed domain names is simply the latest in their long arsenal of ways to stuff up business owners.
In my case, the scammers found a way to circumvent the auDA domain name registration rules to re-register my expired domain name.
They then organised hosting with a hosting provider with a murky reputation, and proceeded to scrape a full copy of my website from many years ago, and make it live once again in a zombie parody of what it once was.
The scammers then filled the zombie site chock-full of malware and had the e-commerce component of the site redirected to their personal PayPal accounts.
For good measure, they added a stack of add-on domains selling male enhancement medications under my old domain name.
Why is this an issue?
Remember when I said that they scraped my content? This included photos of me and all of my marketing wording.
If someone searched for my name, my company or my services, the zombie site would pop up in Google’s search results, and legitimate clients checking out my business would either pick up a dose of malware for their troubles, or potentially buy a product and get nothing in return, leaving them less than impressed with my business.
But wait. There’s more.
They also added in a catchall email to the account, which meant that anyone sending email to the old email address communicated directly with the scammers and not me.
A growing security problem
The zombiing of websites as a way to either deliver malware or access old emails is rapidly becoming a significant security issue for business.
Gabor Szathmari, a cyber-security expert in Australia, had his company re-register six domain names of law firms in Australia that had re-branded to test the scope of the problem.
They then set up catch-all email accounts to monitor emails coming into the old domain names.
As part of the research, they were able to:
- access confidential documents of former clients;
- access confidential email correspondence;
- access personal information of former clients;
- hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
- hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff of the businesses.
In other words, if you let your domain name lapse and at any time you had an email account attached to the domain, you are potentially leaving your business wide open for disaster.
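A defensive check for the exposure described above, as an added example rather than code from this article or the research it cites: it audits an exported list of online accounts and flags any whose login or recovery address sits on a domain that has lapsed, is close to expiry, or is missing from the business's domain inventory. The domain names, dates, CSV layout and function names are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed inventory (not from the article): every domain the business has
# ever used, mapped to its registration expiry. None means it already lapsed.
DOMAINS = {
    "newbrand.example": date(2030, 1, 1),
    "oldbrand.example": None,
    "merged-firm.example": date(2025, 3, 1),
}

# Constructed export of accounts and the e-mail address each one resets to.
ACCOUNTS_CSV = """service,owner,email
LinkedIn,alice,alice@oldbrand.example
Court portal,bob,Bob@Merged-Firm.Example.
Payroll,carol,carol@newbrand.example
Facebook,dave,dave@unknown.example
"""

def email_domain(address):
    """Return the lower-cased domain of an address, without a trailing dot."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.rstrip(".").lower()

def classify(domain, today, warn_days=90):
    """Rate a domain by how safely the business still controls it."""
    if domain not in DOMAINS:
        return "UNTRACKED"   # nobody is watching this registration
    expiry = DOMAINS[domain]
    if expiry is None or expiry <= today:
        return "LAPSED"      # anyone who re-registers it receives the mail
    if (expiry - today).days <= warn_days:
        return "EXPIRING"
    return "OK"

def audit(csv_text, today, warn_days=90):
    """Return sorted (status, service, owner, email) for every risky account."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(email_domain(row["email"]), today, warn_days)
        if status != "OK":
            findings.append((status, row["service"], row["owner"], row["email"].strip()))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ACCOUNTS_CSV, date(2025, 1, 15)):
        print(*finding, sep="\t")
```

Each flagged account should be moved to an address on a domain the business still controls before the old registration is allowed to change hands.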
What happened in my case?
I would like to tell you that getting the domain name back from the scammers was super simple and straightforward. It wasn’t!
Stopping the scammers had more twists, turns and heart-stopping moments than a Marvel movie.
Getting the scam site taken down, the domain name registration cancelled and getting it back under my name took loads of paperwork, legal advice, a battle with an SEO company who got in the middle at the wrong time, and a few too many late nights and alcoholic beverages.
However, finally good prevailed, and my old domain name is back under my control. Sure, it is now radioactively toxic from an SEO perspective, so will never again be used to host a site, or be redirected to my new site, but at least that is one cybersecurity gap closed.
Should you let your domain name lapse?
Domain names are the new cyber vulnerability. The new rule for every business, no matter the size, is that if you have ever had a domain name registered that had a website on it and/or an email account linked to it, NEVER LET IT LAPSE.
Domain names are something that you need to keep for life. Yes, you can let your hosting lapse if you don’t need a live site anymore, but never let your domain name lapse. Keep it under your control at all times.
And if you have changed your domain name and let your old one lapse, your first task for today is to see if you can re-register your old domain name. Do this before you take the first sip of your coffee (it is THAT serious)!