TL;DR
A social engineering attack targeted a travel booking startup's domain registrar, attempting to transfer the company's domain to an attacker. The attacker used publicly available information from WHOIS records and the company website to convince support staff they were the rightful owner. The team caught it during the 5-day transfer waiting period and implemented registrar lock, privacy protection, and 2FA to prevent future attempts.
A domain is the foundation of everything for a web business. Lose it, and you lose email, the website, customer trust, and potentially the entire company. This is the story of how one travel booking startup almost lost theirs.
The Suspicious Email
It started with an email the CTO almost ignored. The domain registrar sent a notification that a transfer had been initiated. At first it looked like spam since no one at the company had requested any transfer.
"Transfer request received for yourdomain.com. If you did not initiate this request, please contact support immediately. Transfer will complete in 5 days if no action is taken."
The CTO's stomach dropped. Neither the CTO nor the co-founder had requested any transfer. Someone was trying to steal the domain.
How the Attack Worked
The attacker had done their homework. They gathered information from:
- The company's WHOIS records (registered name, email, address)
- LinkedIn profiles of the founding team (job titles, work history)
- The company website (team page, about us)
- Previous data breaches (email/password combinations)
Armed with this information, they contacted the registrar's support team claiming to be the domain owner. They said they'd lost access to the account email and needed to verify identity another way. Using the personal details they'd gathered, they convinced support to initiate a transfer.
Several gaps made this possible:
- WHOIS privacy protection was not enabled
- Registrar lock was not enabled
- 2FA was not set up on the registrar account
- The account email was a personal Gmail address, not one on the company domain
- The team hadn't reviewed registrar security settings in years
The Recovery Timeline
- Received email about transfer initiation. Initially thought it was phishing.
- Logged into registrar directly (not via email link). Confirmed transfer was real.
- Called registrar support. Explained the situation, provided verification of identity.
- After extensive verification, registrar cancelled the fraudulent transfer.
- Enabled registrar lock, WHOIS privacy, changed password, enabled 2FA.
What Would Have Happened
If the team had ignored that email or noticed it too late, here's what the attacker could have done with the domain:
- Redirected all traffic to a phishing site mimicking the real booking platform
- Intercepted all emails sent to the domain, including password resets
- Held the domain ransom, demanding payment for return
- Damaged the company's reputation by associating the domain with malicious content
- Taken over other accounts using password reset emails
Protection Measures the Team Implemented
After this scare, the startup took domain security much more seriously:
- Registrar Lock: Prevents any transfer without explicit unlock
- WHOIS Privacy: Hides personal information from public records
- Two-Factor Authentication: Required for all registrar account access
- Email on Company Domain: Changed the account email from a personal Gmail address to one on the company domain
- Transfer Notifications: Alerts go to multiple team members
- Regular Audits: Quarterly review of domain security settings
Takeaways for any team that owns a domain:
- Enable registrar lock on all important domains
- Use WHOIS privacy protection to hide personal information
- Set up 2FA on your domain registrar account
- Use a company email address for registrar accounts
- Actually read emails from your registrar - they're not always spam
- Review domain security settings regularly
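As an added example (not code from the original post), the following Python audit reads a domain's public RDAP record, the same data the attacker mined, and reports whether the controls recommended above (registrar lock and WHOIS privacy, plus an update lock) are actually set. It assumes the RFC 8056 spelling of EPP status codes in RDAP and that the public rdap.org redirector is reachable for live lookups; the two sample records are constructed.

```python
import json
import urllib.request

# RDAP spells EPP status codes with spaces (RFC 8056): clientTransferProhibited -> "client transfer prohibited".
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
UPDATE_LOCKS = {"client update prohibited", "server update prohibited"}

def registrant_exposed(rdap: dict) -> bool:
    """True if the registrant jCard still shows a real name or email, i.e. WHOIS privacy is off."""
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        for prop in entity.get("vcardArray", ["vcard", []])[1]:  # jCard: [name, params, type, value]
            if prop[0] in ("fn", "email"):
                value = str(prop[3]).strip().lower()
                if value and "redacted" not in value and "privacy" not in value:
                    return True
    return False

def audit_domain(rdap: dict) -> list:
    """Return the gaps a hijacker could use; an empty list means the record looks hardened."""
    status = set(rdap.get("status", []))
    gaps = []
    if not status & TRANSFER_LOCKS:
        gaps.append("registrar (transfer) lock is OFF")
    if not status & UPDATE_LOCKS:
        gaps.append("update lock is OFF: contacts and nameservers can be changed")
    if registrant_exposed(rdap):
        gaps.append("WHOIS privacy is OFF: registrant name/email are public")
    return gaps

def fetch_rdap(domain: str) -> dict:
    # Live lookup via the public rdap.org redirector (assumption: outbound HTTPS allowed).
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)

# Constructed sample mirroring the startup's pre-incident state: no locks, founder's Gmail public.
WEAK = {"status": ["active"], "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
    ["fn", {}, "text", "Jane Founder"], ["email", {}, "text", "jane.founder@gmail.com"]]]}]}

# Constructed sample after hardening: transfer and update locks set, registrant redacted.
HARDENED = {"status": ["active", "client transfer prohibited", "client update prohibited"],
            "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
                ["fn", {}, "text", "REDACTED FOR PRIVACY"], ["email", {}, "text", "REDACTED FOR PRIVACY"]]]}]}

if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(record) or ["no gaps found"])
```

Run it quarterly against `fetch_rdap("yourdomain.com")` as part of the audit described above; any non-empty list is a setting to fix at the registrar.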
What is registrar lock and how does it protect me?
Registrar lock (also called domain lock or transfer lock) prevents your domain from being transferred to another registrar without you explicitly unlocking it first. This adds a critical barrier against unauthorized transfers.
How do social engineers get my personal information?
They gather data from WHOIS records, social media, company websites, LinkedIn, and previous data breaches. With enough details, they can convincingly impersonate you to customer support.
What should I do if I receive a transfer notification I didn't initiate?
Don't click any links in the email. Go directly to your registrar's website, log in, and check your account. Contact support immediately to cancel any unauthorized transfers. Document everything.