[gnso-pednr-dt] domain hijacking story
- To: Gnso-irtp-b-jun09@xxxxxxxxx, PEDNR <gnso-pednr-dt@xxxxxxxxx>
- Subject: [gnso-pednr-dt] domain hijacking story
- From: "Mike O'Connor" <mike@xxxxxxxxxx>
- Date: Wed, 2 Dec 2009 08:16:55 -0600
sorry about the cross-posting, but this is relevant to both working groups...
this really isn't anything new, but a nice chronology of a domain theft and
GoDaddy's actions to fix the situation. Several interesting points...
- reenforcement of the notion that single-mode authentication (web, in this
case) presents a relatively easy attack vector (PEDNR)
- slowing down the process of inter-registrar transfer is helpful when domains
need to be recovered (IRTP)
- responsive registrars are a critical success factor (IRTP and PEDNR)
- domain-forums are enablers (I wish there was something we could do, but I
can't dream up a way that ICANN contracts intersect domain forums -- except
through law enforcement, education and persuasion)
here's the link to this fellow's blog;
here's a link to his article;
It won’t happen to me, right?
That's what I thought! As many of you have probably already read in DNJournal
or elsewhere, last week was a rough week for me. I awoke Monday morning to
discover that I had been hacked. Someone had stolen my domain name, CFJ.com ,
from my Godaddy account. At the time, we didn’t know if it was isolated to
that name or even just to Godaddy. So of course, wide spread panic ensued.
To clarify, the thief did not hack into Godaddy. It appears that they
installed a keylogger on my computer, most likely by sending me an email which
I in turn opened (although not necessarily with an attachment). The keylogger
then tracked my keystrokes for an uncertain period of time and relayed the
information back to the thief until he/she had all the information they need
(i.e.- my Godaddy Username and Password).
The whole thing was well planned and carefully orchestrated. The thief never
even took possession of the domain name him/herself. The domain was sold on
NamePros.com through private messaging on the forum prior to them logging in to
my Godaddy account and pushing the domain to the account of the unsuspecting
(perhaps naïve) buyer. The whole thing only took a couple of minutes.
The transaction, as I said, took place on NamePros.com. The thief sold/traded
CFJ.com for a sum of cash plus 15 other domain names, mostly 3 Character .NET,
.ORG and .COM domains. What boggles my mind is how someone could think they
could buy a 3 Letter .COM for a bag full of mediocre domains and a small amount
of cash? The buyer didn’t even take the time to check the WHOIS first and see
if they were actually negotiating with the owner of the domain or an authorized
representative! Please, do us all a favor (as well as yourselves) and when you
see a 3 Letter .COM domain name being advertised for sale on DNForum or
NamePros at $3,000 or less, use your better judgment and take a pass. At least
do your due diligence to make sure you aren’t buying stolen goods. If we all
took some precaution it would make it a lot harder for these criminals to
resell the stolen domains in the short window that they have to offload them
and we could start making some progress towards stopping them.
I have to give a big applause to Godaddy, and specifically to my Executive
Account Manager Tess Diaz, for the way that this situation was handled. They
acted fast, were able to lock down the domain so as to prevent it from being
transferred out of Godaddy, and everything was surprisingly non-bureaucratic,
contrary to what people often believe Godaddy can be. I actually find it hard
to believe that any other registrar could have, or would have, acted in such an
effective manner. In the end, we were able to recover CFJ.com safely back in
to my account in just about 12 hours! Record time for a domain theft recovery.
However, I can tell you that those were a rough 12 hours. Although they don’t
advertise it, Executive Account customers are eligible for a free security
service at Godaddy called “Domain Transfer Validation Service”. This service
does not allow any domains to be transferred away from your Godaddy account
without verbal authorization and a separate, secure authorization PIN from the
account holder and can only take place at a pre arranged phone number which is
not stored in your account (necessarily). Further, the only person authorized
to transact these transfers at Godaddy is your account manager. Of course, I
have now entrusted my portfolio of domains to this service and will begin
migrating many of my domains not registered at Godaddy over to my Godaddy
account. To my knowledge, no other registrar offers such a service.
I must aslo give a special thanks to Warren Weitzman whose advice on this
matter was crucial in my timely recovery. Warren, unfortunately, was recently
victim of an even larger hijacking when 12 of his most valuable domain names
were stolen from his Enom account. It took 2 weeks to recover all of his
domains, but luckily they were recoverable. Warren’s advice to publicize the
theft as broadly as possible was critical in the recovery process. Informing
other domain investors, who are in general the only on demand buyers for these
stolen names, is very important in order to prevent further reselling of the
domain and complicating of the recovery process. It is also important to
broadcast the theft because these are rarely isolated incidents and often, as
was the case this time, there are other stolen domains also being marketed and
often the owners haven’t even discovered the theft yet. Awareness is a key
element in prevention.
Domain Hijacking is on the rise, whether it’s due to the depressed economy,
ever increasing domain values or simply that these cyber criminals see the
security weakness in the domain registration and registrar model and are
exploiting it while they can, I’m not certain, but it is likely a culmination
of all of these factors. These guys are clever, and unfortunately by
definition, they are always one step ahead of the security software such as
Anti-Virus and Firewall protection. Updates are created in response to new
types of attacks.
I’d like to make one last note. Although I don’t often like to speak badly
about anyone as it doesn’t reflect well, in this case something needs to be
said and I can only hope it gets a reaction. NamePros.com was entirely
uncooperative and unresponsive in this incident. Despite multiple phone calls
and emails, I received no response and no assistance in this matter from them.
The thief used NamePros to transact the stolen domain name(s) and the whole
thing is well documented through private messaging and a forum string which I
do not have access to without the help of NamePros. This information is
critical to law enforcement in finding the identity of the thief, yet NamePros
refuses to cooperate in any way whatsoever. As one of the leading forums in
the domain industry, NamePros has a responsibility to help protect the
community from these criminals. NamePros.com has often been the platform of
choice for these criminals to offload their stolen goods and yet NamePros does
nothing about it and takes no action in assisting the victim’s (who represent
their community) or law enforcement. I am sad to say that this time around,
NamePros.com has failed me…shame on you!
Protect yourself the best you can with good antivirus software and firewall,
but remember that awareness of your domain activity and having good contacts at
your registrars is essential for protecting your domain investments.
- - - - - - - - -
handle OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)