Three of my Domains Were Stolen

[die()]

I am a website developer, and can tell you, it is probably a security vulnerability of the host that has caused your problems. I have had first hand experience of how easy it can be to gain access to other accounts on a webserver. Many webservers can have upwards of 2000 sites on the same server. All it takes is a few lines of code from one account to "browse" the whole server, edit files, delete files, etc. etc. Especially if you are on a Windows server, you are not safe on many shared hosting environments.

[Ken Strong]

Quote:

Originally Posted by ramone_johnny

Ken sorry mate, Im a little confused...

You say you can still FTP to the domains, what exactly are you FTP'ing to? The domain itself or an IP? What do you see when you establish a connection? Your files or someone elses? If they are your files, have you checked for a redirect?

My hosting and my domains are at different companies -- it's my Namecheap domains account that got hacked, not my hosting account. So all my website files are still on my hosting server, although they're not live anymore -- that's what I can FTP to, sorry if I wasn't clear on that.

[mayapearl]

Wow, this is all a bit scary! I hope it all gets sorted out for you real quick.

[joyfulwraps]

Ken

You have been given some excellent advice....sorry I have nothing to add. I did want to offer my sympathy that you were hacked. The "good" side is that someone recognized the value in your domains that made them worth hacking. Small consolation I know but it sounds like you are doing what needs to be done to put a halt on the present hacker and to prevent this from occurring again.

Just changed my password where my domains are thanks to this thread; so thanks Ken for sharing your pain and for all those who gave Ken such good advice so that all warriors can benefit.

[dectomax]

I had something similar happen to me with Namecheap. It turned out that the DNS pointers had been changed in MY account. I set them back to point to my hosting and changed my Namecheap password for a very elaborate one. The problem has never returned.

Have Namecheap got a security problem??

[babushka99]

Quote:

Originally Posted by KenStrong

This is just great -- two of my domains were somehow stolen from me. When I go to the sites, someone else's content is there. The domains are still listed as being in my Namecheap account, and there's no record there of any transfers or sales taking place, but when I click on the domain names I get a message that "Domain not found."

The online chat support person at Namecheap basically shrugged his shoulders and said to file a ticket with their fraud department. I filed an abuse complaint with the new listed domain registrar and with privacyprotect.org, which is protecting the current owner's Whois info.

One of the sites I don't care about, but the other is one of my main sites, and it's going to be a big pain if I can't get that back.

This happen to anyone else here?

Domains usually don't get hacked that easily. Here are some pointers which I am sure you are already aware of, and some step you could take.

1. Run an online AV/Spyware scan to make sure no key stroke recording spyware is on your machine. Don't run a single scan, run multiple times and by different vendors.

2. Change the password of your domain registrar - make sure it is long (12 characters, UPPER/Lower case, numerals and a few characters like &$%#), and it is NOT saved on your computer. If your computer is compromised, little good will this do.

3. You can do step # 2 from another computer that is not in your house, etc. (more safer from a security viewpoint) if your entire network is compromised.

4. Make sure all your domains have a Registrar Lock enabled on them.

5. Change the password to the email address where you receive such information - same scenario - keep the password long and complex.

6. Go through all your domains and ensure the ownership information that is reflected is yours.

7. Send a 'Standing Instructions" (via fax, email and registered post), that the Domain Registrar is NOT to transfer/change ownership of any domain in the event they receive instructions in writing (like fax/letter). The only method they should accept is the one outlined in the website and what you use. Your goal is to have credible evidence of you having informed the Domain Registrar prior.

8. Make sure if you have assigned Authorization Codes to your domain to be transferred that they are 'reassigned'

9. If you have a Reseller Account, domains can come with a User ID and Password, have this changed immediately.

10. Send a copy of the letter to IANA.

11. Send a copy of the letter to the registrar where you deem the domains have been transferred.

12. You can file for a case at IANA/WIPO (it will cost money)

13. Take any and all snapshots of the domain before it was transferred, Internet Archive: Wayback Machine is a good point: Internet Archive: Wayback Machine

14. Keep all the transactions you have completed on that domain (FTP logs, Web Logs, Blog logs, etc. and save them onto a USB memory stick and a CD).

15. If you even 'suspect' your computer to have been compromised, until and unless you are very good with the security aspect of it (for example can you definitively tell what traffic is traversing through your modem and on what ports? by what application?) - it would be suggested to take a back up for your data and reformat the machine. This IS, I will admit, a little drastic, but if you have digital property and that property is managed by that one machine of yours. I'd have it cleaned.

16. If you have a habit of storing your passwords on a file, on your computer, a notepad or Excel or Word file, assume it HAS been compromised and change all this information. Tedious, but would you want a repeat of what just happened to you.

17. Keep sending a daily reminder, fax, email, letter to the registrar until the issue is resolved. The goal is to show you actively pursued this wrongful transfer. It helps provide weight to your case.

Hope it helps.

[Ken Strong]

Well, here's an update -- the thief has contacted me via email offering me at least one of the stolen domains back (the most valuable of the three) for $2000 via Western Union.

I'm sure I can trust him, right?

[ramone_johnny]

You're joking...

Has anyone been of assistance yet?

Quote:

Originally Posted by KenStrong

Well, here's an update -- the thief has contacted me via email offering me at least one of the stolen domains back (the most valuable of the three) for $2000 via Western Union.

I'm sure I can trust him, right?

[Ken Strong]

Quote:

Originally Posted by ramone_johnny

You're joking...

Has anyone been of assistance yet?

I'm in regular contact with the Namecheap fraud people, who say they are conferring with the eNom fraud people, who are conferring with the fraud people at the receiving domain... but haven't heard anything else yet.

[rosetrees]

I wonder if you could enlist the help of Western Union. If you send some money - someone, somewhere must claim it. I wonder if they would be interested in tracking that person. Don't you have to turn up at a WU office in person to claim the money?

Then again, could you (or WU) trust the staff in their local offices?

Can you ask the thief for a phone number. Maybe their mobile phone company might be interested in helping trace the calls you make to them?????

[Robyn8243]

Quote:

Originally Posted by KenStrong

Well, here's an update -- the thief has contacted me via email offering me at least one of the stolen domains back (the most valuable of the three) for $2000 via Western Union.

I'm sure I can trust him, right?

WOW!! That's messed up!

Ken, you should offer to pay them $10,000 with one of those infamous cashier checks, and just ask them to send you the balance of $8,000 by Western Union.

Seriously though, if they are located anywhere this kind of fraud is taken seriously, I would try to contact law enforcement to set them up...by offering to sell you the domain for $2,000 they just upped the ante. The consequences of stealing something with $2000 value are much greater than stealing something of $10 value. Something law enforcement might be willing to help with.

I really hope that you will ultimately get some satisfaction with this.

Robyn

[Ken Strong]

Quote:

Originally Posted by rosetrees

Can you ask the thief for a phone number. Maybe their mobile phone company might be interested in helping trace the calls you make to them?????

He sent the email through his mobile phone, so I already know what provider he's using... I have no idea what country he's in, though -- I'm going to guess it's one where I don't know if I can trust the WU staff or not. Might be worth contacting the phone company, though...

[Thomas Wilkinson]

You might contact Lee McIntyre about this. He went through the
same thing a year or so ago. Some guy in Turkey offered to sell him
back his own name for big bucks. He finally got it resolved but I don't
know the details. (I think he was doing business with Go Daddy)

Tom

[himanuzo]

Ken,

Of course you don't know detail profile of the thief. So please DON'T use WU. Because the thief can hide his/ him real profile and make fake address.

Maybe bank transfer is good way because you can know the detail of the thief through his/ him bank. Note: If anyone want to open a new account at a bank, he/she must show ID card/passport/SSN to a customer service so he/she has difficulties to hide the real profile. This is applied to trustable countries.

[Ken Strong]

Quote:

Originally Posted by himanuzo

Of course you don't know detail profile of the thief. So please DON'T use WU. Because the thief can hide his/ him real profile and make fake address.

Just to clarify, no, I'm not going to be sending any money to this thief, even if it's for an attempted sting.

[scattered]

come on, post up any information you have on this guy. He is obviously in it for some money, thus the offer to return the domain for $2,000.

Bait this schmuck along. Get whatever information you can out of him and make it public here. There are some very good interweb detectives out there who get off on finding people hiding behind emails/domains and the like.

[sbucciarel]

I hope the people in "fraud" get this resolved for you. After reading this, I changed all my passwords to email and name registrars.

[Jeffrey Arthur]

Wow what a scary thing to happen. Best of luck Mate, i'm sure something good will come of this. Karma always comes back to bite.
I too am quite interested in how this all comes to an end. Any idea how the thief knew to contact you? Might be that they are still hacking one of your accounts.

[Niche Me]

I just came on and read this. WOWZER! And to think I've been stressing about all the steps to promote my sites. Certainly puts things into perspective.

I never knew this type of crime existed or was even possible and adds another element of stress to IM.

I can't imagine the level of stress this has caused you and am soooo.... sorry.
I really hope the next time I check this thread that there is a happy outcome.

[Floyd Fisher]

Quote:

Originally Posted by KenStrong

Well, here's an update -- the thief has contacted me via email offering me at least one of the stolen domains back (the most valuable of the three) for $2000 via Western Union.

I'm sure I can trust him, right?

Where does he live? I might pay them a visit if they are close enough to touch.

[Richard Tunnah]

Oh dear sorry Ken. That's not good. I presume these domains were locked? If so then I agree with Martin there may be something maybe more serious like an email hack.
Hope you get this sorted ASAP.

Rich

[Ken Strong]

Quote:

Originally Posted by scattered

come on, post up any information you have on this guy. He is obviously in it for some money, thus the offer to return the domain for $2,000.

Bait this schmuck along. Get whatever information you can out of him and make it public here. There are some very good interweb detectives out there who get off on finding people hiding behind emails/domains and the like.

Well, if anyone's interested PM me and I'll pass on what I have. While I certainly wouldn't feel bad if somebody did him some damage, I think it's a better use of my time and energy to work through the registrars involved.

Quote:

Originally Posted by Floyd Fisher

Where does he live? I might pay them a visit if they are close enough to touch.

I wish I knew -- although I have a hunch it's not in my hemisphere of the planet.

[rbabi18]

I read an article in playboy a couple of years ago about how someone stole the domain sex.com and was making almost a million a month off of someone elses domain. Millions of dollars in legal fees later, the original owner got it back but the whole situation was a total mess. You may be able to empathize with that lol. Good luck for the future and thanks for the domain advice guys!

[sbucciarel]

I don't know how these things happen but it's really scary. I read about the sex.com thing too. Unbelievable that such a high value domain could be stolen ... not only stolen but used to make the money that the owner should have been making.

[davezan]

Quote:

Originally Posted by KenStrong

I'm in regular contact with the Namecheap fraud people, who say they are conferring with the eNom fraud people, who are conferring with the fraud people at the receiving domain.

Forward that latest offer from the thief to NameCheap while you're at it, Ken.
That can help in your recovery of those domain names.

You did the right thing contacting NameCheap ASAP. It's sometimes a pain to
have a so-called "middleman" rather than deal directly with the actual provider
(eNom) itself, but...NameCheap's an exceptional reseller in the sense they do
work on hijacking cases.

Chances are, the PublicDomainRegistry/DirectI/PrivacyProtect folks locked up
all those domain names pending resolution with eNom and NameCheap. That'll
prevent the domain names from being changed or transferred out.

Meanwhile, they're likely sending and signing waiver forms with one another to
release themselves from liability. That's one of few things that's taking them a
bit long, but we did that ourselves when recovering stolen domains in my past
registrar life.

However, I'm optimistic based on what you've stated so far. It won't be solved
"immediately" or any faster than what NameCheap and eNom are doing, but do
keep at it.

Oh, and secure your domain's listed email and your computer, of course. That's
mainly how potential hijackers get through.

[Ken Strong]

Quote:

Originally Posted by davezan

Forward that latest offer from the thief to NameCheap while you're at it, Ken.
That can help in your recovery of those domain names.

Absolutely, I did that immediately. I'm debating whether to respond further and string him along a bit...

[derekwong28]

Ken, best of luck on getting the domains back.

I wonder if you have any idea how they were transferred out. Do you know whether the thief did hack into your Namecheap account?

Derek

[enterpryzman]

Namecheap is just an eNom reseller....when I had a problem with namecheap and they could not resolve it, I called eNom and they fixed it for me.

Enterpryzman

[Ken Strong]

Quote:

Originally Posted by derekwong28

I wonder if you have any idea how they were transferred out. Do you know whether the thief did hack into your Namecheap account?

The only answer I've gotten so far about how it happened is "We don't know," which I find difficult to believe. Getting the domains back is top priority right now -- after this, I'll be asking some pointed questions to prevent this happening again.

Quote:

Originally Posted by enterpryzman

Namecheap is just an eNom reseller....when I had a problem with namecheap and they could not resolve it, I called eNom and they fixed it for me.

The Namecheap people are talking to eNom, and I'm talking to both of them, and eNom is talking to the receiving registrar.

[Diana Lane]

Quote:

Originally Posted by KenStrong

Absolutely, I did that immediately. I'm debating whether to respond further and string him along a bit...

I don't think I've posted to this thread yet because I felt there was nothing I could contribute to it, but I've been following this saga from the start and really rooting for you even before the latest twist, which was quite a shocking one.

One thing I would say is to be careful about outlining your plans to deal with this on here in case your thief is a Warrior (I'm using that term in the loosest sense possible!), or watches the boards. I know it's unlikely, but it's not outside the realms of possibility either.

Take care, Ken. Right is on your side with this one, and even if it does take some time, you'll win out in the end. Don't let it stress you out - it's not worth a heart attack, and the thief is not worth any more of your mind-space than what the circumstances are already asking you to give him.

[Robyn8243]

Quote:

Originally Posted by KenStrong

Absolutely, I did that immediately. I'm debating whether to respond further and string him along a bit...

I would try to get a clue as to where he is located. In all likelihood, he is located somewhere where domain stealing is an honorable line of work, but there are scammers here in the US, and if that were the case, you might be able to get law enforcement involved and get this --------locked up. Of course, I am not remotely suggesting that you risk any of your money in a sting. That is up to law enforcement to deal with the details.

I can't imagine that you won't eventually get your domains back. You seem to have found out right away, so it will just be you versus the thief. It just sucks that you need to deal with all this unnecessary, time wasting BS.

In the meantime, this jerk has probably been trying to resell your domains to other victims. I hope that the registrars can sort things out quickly.

Robyn

[Ken Strong]

Quote:

Originally Posted by Diana Lane

One thing I would say is to be careful about outlining your plans to deal with this on here in case your thief is a Warrior (I'm using that term in the loosest sense possible!), or watches the boards. I know it's unlikely, but it's not outside the realms of possibility either.

Take care, Ken. Right is on your side with this one, and even if it does take some time, you'll win out in the end. Don't let it stress you out - it's not worth a heart attack, and the thief is not worth any more of your mind-space than what the circumstances are already asking you to give him.

Yes, I thought of that -- that's why I didn't want to put his email address in the thread. I'll shut up now just in case.

I'm not really stressing out. I am going to keep pursuing this. Thanks everybody for the good wishes and good advice.

[Buster Iversen]

Most people here seem to think that the only way this could have happened is if hacking was involved, really if there is no trace then it was properly done the old fashioned way.
The thief could simply have phoned a person at the registrar with sufficient access and asked for the transfer to be made (it is called social engineering and is properly the most efficient form of "hacking" ever invented). If this is how the transfer happened then the person who got tricked will have to make a decision of either risk their job by admitting thy made a mistake or cover up their involvement by deleting any evidence.

So you may never really get to know how this happened or how to prevent it in the future.

[Ken Strong]

Due to the investigation and the most recent evidence, the current registrar has now removed privacy protection from the whois records for all three stolen domains.

Still don't have a name, but the email address listed matches the one I received from the thief. The records say he's in Jakarta.

[sbucciarel]

Good ... sounds like they're on it ... hopefully you will get them all back.

[Floyd Fisher]

Quote:

Originally Posted by KenStrong

Due to the investigation and the most recent evidence, the current registrar has now removed privacy protection from the whois records for all three stolen domains.

Still don't have a name, but the email address listed matches the one I received from the thief. The records say he's in Jakarta.

Jakarta eh?

Contact these guys, and have them tell you exactly who in law enforcement to talk to in Indonesia about this:

Embassy of The Republic of Indonesia - Washington DC



Also, I would recommend getting an online virus scan done asap, just to make sure you're not infected with some backdoor stuff.

[Steven Wagenheim]

Ken, I'd report this b*****d to the FBI and let them string him up by his
toes.

What I wish to happen to this scum I can't post in a family forum so I'll
just keep my mouth shut.

Hope you get things back to "normal" soon.

[chibobski84]

wow, sorry to hear that your domain is stolen ken,

Hope you can get it back.

my 2009 were not good as well, my gmail and my paypal has been hacked... shish..

Good luck ken!

[himanuzo]

Jakarta??? Jakarta is capital of Indonesia. Indonesia is located between Australia and Malaysia. Cyberlaw of Indonesia is weak, because its lawmakers have little knowledge about internet.

Indonesia telephone country code is 062. You try to ask the thief to phone you, you can track his/him location. And you can see the telephone country code.

Please don't send the money to the thief. Maybe you need to report this case to FBI/ CIA.

Quote:

Originally Posted by KenStrong

Still don't have a name, but the email address listed matches the one I received from the thief. The records say he's in Jakarta.

[babushka99]

If I were I'd report this to WIPO and ICANN. ICANN keeps a check on the registrars, and if the registrars are not being helpful, you would have done your duty to inform ICANN, the basic question you should be asking in writing again and again of your registrar and all those associated is how did it happen? Why are they being lax about it? Do tell them if they fail to get your domain back, you WILL file charges and any/all legal fees would be borne by them.

Also, pressurize ICANN and WIPO on stepping in and aiding you.

I would also advise you have ONE chance/shot to get your domain back.

Do not take steps without having first discussed it with an attorney or equivalent who knows this area very well, and you certainly do not want to be contacting the person who wants to sell it back you without having thought this thing over and having discussed it with someone who would know what the repercussions are of the action you would take.

As knowledgeable as all the members in the Forum are, it is still advisable to talk to / deal with someone who does this for a living and knows the law and tactics.

I cannot stress enough that you need to nearly peg the scale as far as putting pressure on the Registrars are concerned.

[Lee McIntyre]

Quote:

Originally Posted by Thomas Wilkinson

You might contact Lee McIntyre about this. He went through the
same thing a year or so ago. Some guy in Turkey offered to sell him
back his own name for big bucks. He finally got it resolved but I don't
know the details. (I think he was doing business with Go Daddy)

Tom

Hi Tom

Either I've been drinking too much and my memory has deserted me (possible)... or you have me mixed up with someone else!

To the best of my knowledge, none of my domains have been stolen, though if I've now jinxed myself and wake up to an email from Turkey then I'm blaming you

Cheers

Lee McIntyre