So, I stumbled upon an interesting article over Labor Day weekend (do I know how to party OR WHAT?) that warned businesses of the risks that come with letting domain names expire. It’s a side of buying expired domains that most domain investors will never think of: the fact that expired domains, despite not having traffic coming to them, still could have emails with incredibly sensitive information attached. The piece gives a very solid example of domains from law firms that expire after the firm takes part in a merger:

To test just how bad the problem is, [security researcher, Gabor] Szathmari re-registered old domain names for several law firms that had merged, set up an email server, and without hacking anything, he says he received a steady stream of confidential information, including bank correspondence, invoices from other law firms, sensitive legal documents from clients, and updates from LinkedIn (Szathmari is working to return the affected domain names to their original owners).

Well, not too surprisingly, it turns out that some of these expired domains are used for fraud since the new owner could essentially gain access to a large amount of sensitive data.

This got me thinking about whether or not there’s an entire market of expired domain buyers; fraudsters and scammers that aren’t looking to resell the name, but instead are looking to use the domain to gain access to email.

It certainly sounds like that might be the case.

Email holds the keys to the kingdom. All your password resets go through email and abandoning an old domain name makes it easy for attackers to re-register the old domain and get your stuff.

According to the article, it appears that the technique of re-registering old domain names could also be used for collecting money. “By reinstating an online web shop formerly running on an abandoned domain name,” Gabor Szathmari writes, “Bad actors could download the original web pages from archive.org, then take new orders and payments by posing as a fully functioning web shop.”

“If the former web shop had a CRM system or MailChimp running marketing campaigns,” he adds, “criminals could access the list of the former customers by taking over those accounts with an email-based password reset. They could offer them a special discount code to encourage them to submit orders which would never be delivered. The sky is the limit.”

Expiring domain names are published daily by domain name registries in the form of domain name drop lists. It doesn’t take a criminal mastermind to download those lists daily and cross-reference them against news of mergers and acquisitions in the relevant trade pubs, or just re-register any domain name that catches their fancy.

So how long should you hang onto those old domains for?

Better to be safe than sorry in this case. Domain names aren’t expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you’ll ever purchase. I mean, is it really worth it to sell at the expense of fraud? I wouldn’t take that chance.

Szathmari recommends setting up a catch-all email service that redirects all incoming email to a trusted administrator, someone who can review correspondence addressed former and current staff, and password reset emails for online services.