Tempted to let your old domain lapse? Read this first…

A business merger or restructure can leave existing Internet domains suddenly surplus to requirements. So what’s the harm in simply allowing them to expire? Recent research highlights the perils of letting old domains slip out of your control…

Domain registry and expiry: what’s the deal?

Technically, you never actually own a domain name outright; you only ever lease it. So if it doesn’t get renewed, a domain name eventually ends up back on a domain registry database. From here, it can be passed on to a reseller – and can ultimately end up in the hands of a completely new user.

For IT managers, renewal of active domains is a routine admin matter. And in fact, most resellers enable you to set up an auto-renew arrangement so there’s no action required at your end. Even after the expiry date has passed, all major registries give you plenty of prompts and a generous grace period to re-register.

So it’s practically impossible to let a domain name expire ‘by mistake’. For it to fall out of your control, there has to be a conscious decision on your part not to renew it.

The problems with domain abandonment laid bare…

Of course, for most businesses, the domain hosts email services as well as Web pages. But if you have closed down the old Website and those old email addresses are no longer in use, then what’s the problem if the domain were to simply expire?

Threat 1: The Resurrected Website

After expiry and beyond the grace period, your old domain becomes available for re-registration. A threat actor takes charge of the domain and uses it to host a series of pages to pass themselves off as your company (bearing in mind that not all your customers will be aware of your recent rebrand).

Savvy scammers could even go a step further here. Let’s say they take a guess that you were using a marketing automation platform on the old site (MailChimp, for instance). Using an email-based password reset, they gain access to a contact list of former customers and send out some amazing special offers to encourage a flurry of payments.

Chances are, either you or someone else would pick up on this fraud attempt pretty quickly and notify your local law enforcement agency. But this was a smash-and-grab raid. The scammers fully expected to be shut down within a short period, but not before they had managed to elicit a batch of fraudulent payments, damaging your reputation in the process.

Threat 2: The Email Treasure Trove

A team headed up by security researcher Gabor Szathmari recently carried out an experiment to see how much information they could glean simply by re-registering the domain names of businesses.

The team focused on law firms; the reason being that last year saw a record number of law firm mergers – and with a new business comes a rebrand and, inevitably, the need for a new domain.

The team re-registered six abandoned business domains. They were then able to change the MX records of the domain to set up catch-all email services. From this, they were able to receive all email correspondence sent to the addresses linked to the domain.

In total, the team got hold of about 25,000 messages. Along with lots of spam, this also included a treasure trove of sensitive information relating to the firms and their clients, communications to staff and valuable financial information.

What’s more, by registering with breach notification websites, the researchers were also able to gain access to passwords used by staff at the former firms. Given that so many people still reuse passwords, this raised the possibility of logging into currently used services with the same passwords.

The fix

It’s simple: all of this could be avoided by continuing to renew redundant domain names indefinitely. It costs next to nothing and it really couldn’t be easier to do.

Over-zealous asset management can sometimes cause you problems. With the likes of SaaS subscriptions, it’s good practice to keep an eye out for under-used subscriptions and remove them from your IT estate. But domains are a different story: just because they are no longer used doesn’t mean you should lose control of them.
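One way to keep retired domains from quietly dropping out of view is a scheduled audit of the whole portfolio, retired names included. The script below is an added example, not part of the original article: it reads RDAP-style domain objects (RFC 9083 field names, RFC 8056 status values) and flags names that are close to expiry or already in the post-expiry window. The domain names, dates and the `INVENTORY` structure are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed RDAP-style domain objects; these are not real lookups.
SAMPLE_RDAP = [
    {"ldhName": "newbrand.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}]},
    {"ldhName": "oldfirm.example", "status": ["active"],
     "events": [{"eventAction": "registration", "eventDate": "2009-05-02T00:00:00Z"},
                {"eventAction": "expiration", "eventDate": "2025-02-10T00:00:00Z"}]},
    {"ldhName": "merged-partner.example", "status": ["redemption period"],
     "events": [{"eventAction": "expiration", "eventDate": "2024-12-20T00:00:00Z"}]},
]
# Hypothetical internal inventory: retired domains stay listed here.
INVENTORY = {"newbrand.example": {"auto_renew": True},
             "oldfirm.example": {"auto_renew": False},
             "merged-partner.example": {"auto_renew": False}}

def expiry_of(rdap):
    """Return the expiration event as an aware datetime, or None if absent."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit(rdap_objects, inventory, today, warn_days=60):
    """Return (domain, severity, reason) for every domain at risk of lapsing."""
    findings = []
    for obj in rdap_objects:
        name = obj["ldhName"].lower()
        status = set(obj.get("status", []))
        expires = expiry_of(obj)
        auto = bool(inventory.get(name, {}).get("auto_renew"))
        if status & {"redemption period", "pending delete"}:
            findings.append((name, "CRITICAL", "already lapsed; restore before release"))
        elif expires is None:
            findings.append((name, "WARN", "no expiration event in RDAP data"))
        elif not auto and (expires - today).days <= warn_days:
            days = (expires - today).days
            findings.append((name, "HIGH", f"expires in {days} days, auto-renew off"))
        elif not auto:
            findings.append((name, "MEDIUM", "auto-renew not enabled"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date for the sample
    for finding in audit(SAMPLE_RDAP, INVENTORY, now):
        print(*finding, sep=" | ")
```

Feeding it live RDAP responses instead of the sample list requires no other changes, provided the registry publishes an `expiration` event for the domain.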

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • GWB says:

    For personal domains, I would assume some of the same potential issues apply, with “friends” and “family” replacing “customers”.

  • Eric says:

    I would like to take your course.
    I have no experience in cyber security.
    With this certificate, will it be possible to land a job without having any degree in cyber security?


  • Alejandro says:

    Hello Nathan,

    What would happen with those websites that are closed and no longer used? Should they be renewed even if not used, or is there a way to avoid this issue without renewing the domain and paying for something that is no longer used?

  • Víctor Valentinuzzi says:

    Hi Nathan, I recently left a domain behind for a web development business that never started, and I'd like to take another domain and business name. However, the situation is that I think that I don't have sensible data there. Is it risky anyway?

  • Alishia says:

    The lesson to learn here is to pay attention to your domain names and their expiration dates because it is costly to let them expire and the consequences can be irreversible.
