by Jennifer Lyn Walker and Omar Tisza
This post was originally informed by a TLP: GREEN FB-ISAO Monthly Threat Overview, distributed on 27 June 2019.
It’s easy to adopt the “this won’t happen to me” mentality when it comes to fighting cyber threats in the faith-based community, charities, and other non-profits. The reality is that cyber threats are everywhere, and manifest themselves in different ways, such as Business Email Compromise (BEC), clergy impersonation scams, phishing, and ransomware.
Certainly, the aforementioned attack techniques have been particularly prevalent within the faith-based community. However, there is another cyberattack tactic that is relevant to faith-based organizations and should not be overlooked: domain hijacking.
What is Domain Hijacking?
Domain hijacking occurs when malicious actors fraudulently change the registration information for a website domain with the domain registrar, such as GoDaddy, Bluehost, or Network Solutions. The changes are typically made possible by a compromise of the domain registrar account credentials through a successful phishing attack, or through a deceptive password reset request.
Domain hijacking is often the precursor to a website compromise; however, it has also been used to precipitate extortion attempts. Once a domain has been hijacked, miscreants are able to manipulate website content and/or redirect website traffic to another site under the attacker’s control. Content is often changed, or traffic is redirected, to display things that could damage the reputation of a faith-based organization, such as ideological statements contrary to an organization’s beliefs, or unsavory images. Likewise, malicious actors often set up phishing pages that mimic well-known and trusted sites, or install malware for other nefarious purposes, such as spamming or credential harvesting. Furthermore, less sophisticated actors who do not have the skills to change content or redirect website traffic resort to creating the perception that they are holding the domain hostage in exchange for ransom.
Unexpected and Disruptive
While domain hijacking seems like something only governments and major enterprises need to worry about, a church in Spring Township, PA recently learned otherwise. Church officials at West Lawn United Methodist Church (UMC) in Spring Township, PA said they never expected someone would target their church. But according to Jeff Raffauf, the church’s pastor, “hackers worked their way into the GoDaddy website server in March, changing all security information and transferring domains for the church’s two sites.” Fortunately, the attackers did not have a chance to do any damage, as administrative pastor Carolanne Schneiderhan swiftly contacted the FBI to launch an investigation and immediately filed a transfer request with GoDaddy to regain control of the website domain. While the malicious actors did not take control of or shut down the website, or worse (for an FBO), redirect website visitors to something unsavory, not all was well. Despite the pastor’s diligence, “it took months before they got the domains back, and the sites still aren’t working right,” according to Raffauf. Even though West Lawn UMC is still recovering, the consequences of this attack could have been more severe if the incident had not been quickly identified and reported to the authorities and GoDaddy.
If your house of worship is anything like West Lawn UMC, you regularly tell congregants to check your website for information, to sign up for events or programs, or to make donations. For many organizations, websites are central points for sharing information and providing visibility to their communities. Not only would it be inconvenient and embarrassing if your site was unreachable, redirected to a website of ill repute or nefarious intent, or plastered with propaganda contrary to your FBO’s beliefs, but the hours and money spent to set up a new website, email, and branding would subtract from the daily and vital operations within your organization.
While West Lawn UMC was able to stifle the attack, Faithful Friends, a nonprofit that fundraises for the church, was not so fortunate. According to the report, cyber attackers took control of Faithful Friends’ domain and asked for a $5000 ransom. These incidents further underscore the need for developing a cybersecurity strategy in houses of worship, faith-based organizations, charities, and other non-profits, and the infrastructures that support them. The benefits of establishing effective and proactive cybersecurity measures far outweigh the consequences of having to remediate the damages of a cyberattack against your organization and the community it serves.
Avoid Domain Hijacking
The best way to avoid becoming a victim of domain hijacking is to avail yourself of the domain security resources offered by your domain registrar. Most registrars offer domain monitoring and domain registry locking services. In addition, establish multifactor authentication on your domain administration account and set up notifications for any changes made to your domain.
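To make the monitoring and locking advice concrete, here is an added example (not FB-ISAO's or any registrar's code) that audits a domain's public RDAP registration record against a known-good baseline. The field names follow the standard RDAP domain object; the domain, registrar names, dates, and the `sample` helper are constructed for illustration.

```python
# Constructed sample data only; a live record would come from an RDAP lookup.
LOCKS = {"client transfer prohibited", "client update prohibited"}

def registrar_name(rdap):
    """Return the 'fn' (full name) of the entity holding the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def audit_domain(rdap, baseline):
    """Compare an RDAP domain object with the baseline; return findings."""
    findings = []
    status = {s.lower() for s in rdap.get("status", [])}
    for lock in sorted(LOCKS - status):
        findings.append(f"lock missing: {lock}")
    servers = sorted(ns["ldhName"].lower().rstrip(".")
                     for ns in rdap.get("nameservers", []))
    if servers != sorted(baseline["nameservers"]):
        findings.append(f"nameservers changed: {servers}")
    name = registrar_name(rdap)
    if name != baseline["registrar"]:
        findings.append(f"registrar changed: {name}")
    # Assumes UTC timestamps in one ISO 8601 form, so string order is time order.
    changed = [e["eventDate"] for e in rdap.get("events", [])
               if e.get("eventAction") == "last changed"]
    if changed and max(changed) > baseline["last_changed"]:
        findings.append(f"record modified at {max(changed)}")
    return findings

def sample(status, servers, registrar, changed):
    """Build a constructed RDAP-shaped domain object (hypothetical helper)."""
    fn = ["fn", {}, "text", registrar]
    return {"ldhName": "church.example", "status": status,
            "nameservers": [{"ldhName": s} for s in servers],
            "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [fn]]}],
            "events": [{"eventAction": "last changed", "eventDate": changed}]}

BASELINE = {"registrar": "Example Registrar, Inc.", "last_changed": "2024-01-15T10:00:00Z",
            "nameservers": ["ns1.host.example", "ns2.host.example"]}
GOOD = sample(sorted(LOCKS), BASELINE["nameservers"],
              BASELINE["registrar"], BASELINE["last_changed"])
TAMPERED = sample(["active"], ["ns1.other.example", "ns2.other.example"],
                  "Other Registrar LLC", "2024-03-20T08:30:00Z")

if __name__ == "__main__":
    for finding in audit_domain(TAMPERED, BASELINE):
        print("ALERT:", finding)
```

Run on a schedule, a check like this turns an unexpected registrar, nameserver, or lock change into an alert within hours rather than after visitors notice.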
Despite the challenges that befell West Lawn UMC, the pastors embody the mission of information sharing and increased resilience and have taken the time to share details about the attack in hopes others will heed their warning to be alert. “Make sure your information is current. Go in and change the password. Set up a two-step verify,” Schneiderhan said, “…very, very important. I learned the hard way.”
Remember, no matter how large or small your faith-based organization is:
- You are always a target. In this day and age, cyberattacks are just as certain as death and taxes.
- Your experiences are always valuable to help the community improve resilience and preparedness. Please share your successes and lessons learned with FB-ISAO for the benefit of the larger Community of Faith.
Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.
Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (HISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.