TL;DR
A social engineering attack targeted our domain registrar, attempting to transfer our domain to an attacker. They used publicly available information from WHOIS records and our website to convince support staff they were us. We caught it during the 5-day transfer waiting period and implemented registrar lock, privacy protection, and 2FA to prevent future attempts.
Your domain is the foundation of everything. Lose it, and you lose your email, your website, your customer trust, and potentially your business. This is the story of how we almost lost ours.
The Suspicious Email
It started with an email I almost ignored. Our domain registrar sent a notification that a transfer had been initiated. I assumed it was spam at first since we hadn't requested any transfer.
"Transfer request received for yourdomain.com. If you did not initiate this request, please contact support immediately. Transfer will complete in 5 days if no action is taken."
My stomach dropped. I hadn't requested any transfer. Neither had my co-founder. Someone was trying to steal our domain.
How the Attack Worked
The attacker had done their homework. They gathered information from:
- Our WHOIS records (registered name, email, address)
- Our LinkedIn profiles (job titles, work history)
- Our company website (team page, about us)
- Previous data breaches (email/password combinations)
Armed with this information, they contacted our registrar's support team claiming to be us. They said they'd lost access to the account email and needed to verify identity another way. Using the personal details they'd gathered, they convinced support to initiate a transfer.
Red Flags We'd Missed
- WHOIS privacy protection was not enabled
- Registrar lock was not enabled
- 2FA was not set up on registrar account
- Account email was a personal Gmail address, not one on the company domain
- We hadn't reviewed registrar security settings in years
The Recovery Timeline
- Received email about transfer initiation. Initially thought it was phishing.
- Logged into registrar directly (not via email link). Confirmed transfer was real.
- Called registrar support. Explained the situation, provided verification of our identity.
- After extensive verification, registrar cancelled the fraudulent transfer.
- Enabled registrar lock, WHOIS privacy, changed password, enabled 2FA.
What Would Have Happened
If we'd ignored that email or noticed it too late, here's what the attacker could have done with our domain:
- Redirected all traffic to a phishing site that looks like ours
- Intercepted all emails sent to our domain, including password resets
- Held the domain ransom, demanding payment for return
- Damaged our reputation by associating our domain with malicious content
- Taken over other accounts using password reset emails
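Every outcome in that list starts with the attacker repointing the domain's nameservers or mail records, so one cheap detection is a scheduled job that compares live NS and MX answers against a known-good baseline. The script below is an added example, not tooling from the original post: the domain, the baseline records and the "current" answers are all constructed placeholders, and `lookup` is a stub returning them so the check runs offline (in production you would replace it with real DNS queries, for example via dnspython).

```python
"""Detect nameserver / MX drift that precedes a domain takeover being used.

Added example (not from the original post). A hijacked domain is usually
monetised by repointing its NS or MX records, so a defender keeps a baseline
of expected records and alerts when a lookup disagrees. The resolver here is
a stub returning constructed data so the script runs offline; in production,
replace `lookup` with real DNS queries run from a scheduled job.
"""
from dataclasses import dataclass

# Constructed baseline for a hypothetical domain; all names are placeholders.
BASELINE = {
    "example.com": {
        "NS": {"ns1.registrar-dns.example", "ns2.registrar-dns.example"},
        "MX": {"mail.example.com"},
    }
}

# Constructed "current" answers. The NS set has been repointed, simulating the
# post-hijack state the post describes; MX is unchanged.
_STUB_ANSWERS = {
    ("example.com", "NS"): {"ns1.attacker-dns.invalid", "ns2.attacker-dns.invalid"},
    ("example.com", "MX"): {"mail.example.com"},
}


def lookup(domain: str, rtype: str) -> set:
    """Stand-in for a DNS query; returns the constructed answers above."""
    return set(_STUB_ANSWERS.get((domain, rtype), set()))


@dataclass
class Drift:
    """One record type whose live answer differs from the baseline."""
    domain: str
    rtype: str
    expected: set
    observed: set

    @property
    def added(self) -> set:
        return self.observed - self.expected

    @property
    def removed(self) -> set:
        return self.expected - self.observed


def check_domain(domain: str, baseline=BASELINE, resolve=lookup) -> list:
    """Compare every baselined record type for `domain`; return the drifts."""
    findings = []
    for rtype, expected in baseline[domain].items():
        observed = resolve(domain, rtype)
        if observed != expected:
            findings.append(Drift(domain, rtype, set(expected), observed))
    return findings


def format_alert(d: Drift) -> str:
    """Render a drift as a one-line alert suitable for a pager or chat hook."""
    return (f"[ALERT] {d.domain} {d.rtype} drifted: "
            f"added={sorted(d.added)} removed={sorted(d.removed)}")


if __name__ == "__main__":
    for drift in check_domain("example.com"):
        print(format_alert(drift))
```

Run it from cron or a CI schedule and route `format_alert` output to the same multiple recipients the post recommends for transfer notifications; the baseline should be updated deliberately (and only after an authorised change) so that any unexpected difference is treated as an incident.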
Protection Measures We Implemented
After this scare, we took domain security much more seriously:
- Registrar Lock: Prevents any transfer without explicit unlock
- WHOIS Privacy: Hides personal information from public records
- Two-Factor Authentication: Required for all registrar account access
- Email on Company Domain: Changed account email from personal Gmail
- Transfer Notifications: Alerts go to multiple team members
- Regular Audits: Quarterly review of domain security settings
The same checklist applies to any domain you depend on:
- Enable registrar lock on all important domains
- Use WHOIS privacy protection to hide personal information
- Set up 2FA on your domain registrar account
- Use a company email address for registrar accounts
- Actually read emails from your registrar - they're not always spam
- Review domain security settings regularly
What is registrar lock and how does it protect me?
Registrar lock (also called domain lock or transfer lock) prevents your domain from being transferred to another registrar without you explicitly unlocking it first. This adds a critical barrier against unauthorized transfers.
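Registrar lock, WHOIS privacy and the "Regular Audits" measure listed earlier can all be verified from the registry's own RDAP record rather than by trusting the registrar dashboard. The audit below is an added example, not the post's tooling: it parses a constructed RDAP response (the RFC 7483 JSON shape, with EPP status codes mapped to RDAP strings as in RFC 8056, e.g. clientTransferProhibited becomes "client transfer prohibited"), reports which locks are missing, flags a registrant contact that is still published, and warns when expiry is near. The domain, contact and dates are placeholders; in practice you would fetch the record over HTTP from your registry's RDAP service and pass the body in.

```python
"""Audit a domain's RDAP record for the controls this post recommends.

Added example (not the post's own code). Parses an RDAP domain object and
reports missing EPP locks, a published registrant contact, an in-flight
transfer, and imminent expiry. The sample response is constructed so the
audit runs offline.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Status strings a locked, stable domain should carry (RFC 8056 names).
REQUIRED_LOCKS = {
    "client transfer prohibited",   # registrar lock: blocks transfer-out
    "client delete prohibited",     # blocks deletion
    "client update prohibited",     # blocks nameserver / contact changes
}

# Constructed RDAP response for a hypothetical domain. Only the transfer lock
# is set and the registrant contact is published in clear (no WHOIS privacy).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Jane Founder"],
            ["email", {}, "text", "jane@gmail.example"],
        ]],
    }],
})


def registrant_fields(rdap: dict) -> dict:
    """Return the registrant entity's vCard properties as {name: value}."""
    for ent in rdap.get("entities", []):
        if "registrant" in ent.get("roles", []):
            _, props = ent.get("vcardArray", ["vcard", []])
            return {p[0]: p[3] for p in props}
    return {}


def is_redacted(value: str) -> bool:
    """Privacy services publish placeholder text instead of the real contact."""
    low = value.lower()
    return "redacted" in low or "privacy" in low


def audit(rdap_json: str, now: Optional[datetime] = None) -> list:
    """Return a list of findings; an empty list means the record looks healthy."""
    rdap = json.loads(rdap_json)
    now = now or datetime.now(timezone.utc)
    findings = []

    present = set(rdap.get("status", []))
    for lock in sorted(REQUIRED_LOCKS - present):
        findings.append(f"missing status: {lock}")
    if "pending transfer" in present:
        findings.append("transfer in progress: confirm it was requested")

    reg = registrant_fields(rdap)
    for key in ("fn", "email"):
        if key in reg and not is_redacted(reg[key]):
            findings.append(f"registrant {key} published in WHOIS/RDAP: {reg[key]}")

    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            if (exp - now).days < 60:
                findings.append(f"expires within 60 days: {exp.date()}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RDAP):
        print("-", finding)
```

A quarterly review is then a matter of running `audit` over every domain you own and treating any non-empty result as a ticket; the "pending transfer" check in particular gives you an independent signal even if the registrar's notification email never arrives or lands in spam.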
How do social engineers get my personal information?
They gather data from WHOIS records, social media, company websites, LinkedIn, and previous data breaches. With enough details, they can convincingly impersonate you to customer support.
What should I do if I receive a transfer notification I didn't initiate?
Don't click any links in the email. Go directly to your registrar's website, log in, and check your account. Contact support immediately to cancel any unauthorized transfers. Document everything.