Three of my Domains Were Stolen

[Ken Strong]

This is just great -- two of my domains were somehow stolen from me. When I go to the sites, someone else's content is there. The domains are still listed as being in my Namecheap account, and there's no record there of any transfers or sales taking place, but when I click on the domain names I get a message that "Domain not found."

The online chat support person at Namecheap basically shrugged his shoulders and said to file a ticket with their fraud department. I filed an abuse complaint with the new listed domain registrar and with privacyprotect.org, which is protecting the current owner's Whois info.

One of the sites I don't care about, but the other is one of my main sites, and it's going to be a big pain if I can't get that back.

This happen to anyone else here?

[Fernando Veloso]

Never heard of. But if those are in your Namecheap account how can they be changed?

[Paul Becky]

How is that supposed to be?
Does that means your site being hacked?

[enigma2k]

maybe the nameserver is pointing to his host? have a look in the namecheap control panel.

[Paul Becky]

Quote:

Originally Posted by enigma2k

maybe the nameserver is pointing to his host? have a look in the namecheap control panel.

Yeah that would be a case too, but not supposed to be
but nothing impossible

[derekwong28]

Ken, is it possible that you have forgotten to renew these domains?

[Ken Strong]

Quote:

Originally Posted by derekwong28

Ken, is it possible that you have forgotten to renew these domains?

No... one is good until October, and the other one until next May.

They're still listed in my Namecheap account, but I can't access any nameserver listings or anything -- I get an error message that says "Domain not found."

Namecheap's fraud department got back to me a few minutes ago and said

Quote:

We will contact eNom as upper registrar so that they will file a transfer dispute.

So we'll see what happens. I need to get some sleep, it's 3AM here.

[Jon Steel]

wouldn't that be a hack?

js

[Danny Turner]

It happen to me once - a hacker had placed a script in my public html - I got onto the web host support and they fixed it - hope you sort it out
cheers
Danny

[derekwong28]

Ken, it looks like your domains were transferred out of Namecheap/eNom altogether to another Regsitrar, possibly Directi

I hope this gets sorted out. You should change the password of your Namecheap account just in case it was hacked.

Derek

[sbucciarel]

Let us know how this turns out. Very interested in knowing how they managed to steal your domains. I have quite a few in Namecheap myself and a lot in Godaddy.

[dave147]

That's unbelievable!

Could be nothing and not what happened to you but, did you ever get one of those emails from "namecheap" asking you to click on the link and confirm your details? this type of email does not use your account user name, while any other email from namecheap does - makes me wonder about that type of email so I don't click the link - If I want to confirm my details I will go to my account.

[ramone_johnny]

Can you still FTP to the domains?

I would try that and ensure you dont have a hidden IFRAME redirecting users to an external site.

[debra]

This is why I use NetworkSolutions for my main sites. Everything else gets registered at NameCheap but I've never heard of any monkey business going on there.

[Dan C. Rinnert]

Quote:

Originally Posted by KenStrong

This is just great -- two of my domains were somehow stolen from me. When I go to the sites, someone else's content is there. The domains are still listed as being in my Namecheap account, and there's no record there of any transfers or sales taking place, but when I click on the domain names I get a message that "Domain not found."

About a month ago, you had a problem with someone ordering hosting under your account. Was that ever resolved? I'm thinking maybe that's related to the current issue?

[Ken Strong]

Quote:

Originally Posted by Danny Turner

It happen to me once - a hacker had placed a script in my public html - I got onto the web host support and they fixed it - hope you sort it out
cheers
Danny

The problem isn't in the hosting (I don't think), it's at the domain registrar...

Quote:

Originally Posted by derekwong28

Ken, it looks like your domains were transferred out of Namecheap/eNom altogether to another Regsitrar, possibly Directi

That's it exactly -- I have changed my password.

Quote:

Originally Posted by WordPro

If you have security issues / concerns after this event, may I suggest that you switch to the most secure of all domain registration companies - Moniker http://Moniker.com -- They charge a little bit more than your average domain registration company but are known to be the most secure in the domain industry overall.

This question might also be worth asking over on the NamePros Forum where someone will be certain to be able to help you, with this question.

http://NamePros.com

PS Try Whois.sc they can often dig a bit deeper that your average WHOIS searching tools...

http://WHOIS.sc

Thanks for the info, Mark -- I will look into Moniker. I have sent abuse complaints to their new registrar and their current host, for whatever good that will do...

Quote:

Originally Posted by dave147

Could be nothing and not what happened to you but, did you ever get one of those emails from "namecheap" asking you to click on the link and confirm your details? this type of email does not use your account user name, while any other email from namecheap does - makes me wonder about that type of email so I don't click the link - If I want to confirm my details I will go to my account.

I did get emails with transfer authorization keys for the two domains -- I contacted Namecheap support right away. They told me it did appear someone was trying to hijack the domains and I should make sure they were locked (which they were). I changed my password at the time and then basically forgot about it until now... not sure how a locked domain got transferred...

Quote:

Originally Posted by ramone_johnny

Can you still FTP to the domains?

I would try that and ensure you dont have a hidden IFRAME redirecting users to an external site.

Yes, I can still FTP -- the problem is that the domain name itself has been stolen... not a hosting problem, as far as I can tell.

Quote:

Originally Posted by Dan C. Rinnert

About a month ago, you had a problem with someone ordering hosting under your account. Was that ever resolved? I'm thinking maybe that's related to the current issue?

That happened at aPlus, where I have an old account I'm not using at the moment...

Thanks everybody for your feedback and advice...

[Mohsin Rasool]

Hi Ken,

This is very strange and difficult situation.
Buddy i wish you GOOD luck and hope you get your domains back.

Please keep us updated.

Thank you,
Mohsin

[Ken Strong]

Now it appears both domains have moved and and are being hosted on Google's servers now... at least that's where the IP resolves to. WTF?

[Martin Luxton]

Quote:

Originally Posted by KenStrong

I did get emails with transfer authorization keys for the two domains -- I contacted Namecheap support right away. They told me it did appear someone was trying to hijack the domains and I should make sure they were locked (which they were). I changed my password at the time and then basically forgot about it until now... not sure how a locked domain got transferred...

So maybe it is your email account that has been hacked as well. Then they changed the notification email address so you were left in the dark.

Martin

[B3n]

Ken - PM me the domain names and I'll check the domain history of them (I've an upgraded account at DomainTools.com) - it might show who has taken them...

[MeCanX]

Quote:

Originally Posted by KenStrong

Now it appears both domains have moved and and are being hosted on Google's servers now... at least that's where the IP resolves to. WTF?

Honestly, that's why I always register at Godaddy...
I've never had any problems with something like that...
The only thing I can think of with your issue is the question of:

Did someone back order your domain names?

I know a lot of times if you don't pay for the name once it expires that the backorder will beat you to the punch...

But you said they were still valid so I'm not really sure then...as it could only lead to a hack of some sort...especially if now the IP's seems to be moving...

[B3n]

Just figured out which domains they are and they haven't expired - one was due to expire in September and one in October.

They've both been transferred from your account - yesterday was the last time they were updated.

Looks like you've been hacked...

[Ken Strong]

Quote:

Originally Posted by Martin Luxton

So maybe it is your email account that has been hacked as well. Then they changed the notification email address so you were left in the dark.

Yah -- about a month ago my Gmail password was suddenly changed without my knowledge -- I switched to the secure settings. That might have something to do with it, but I received transfer authorization keys for those domains to my email address, so that wasn't changed in my Namecheap account. As I noted above, I immediately told Namecheap support about those emails.

Quote:

Originally Posted by .Ben.

Ken - PM me the domain names and I'll check the domain history of them (I've an upgraded account at DomainTools.com) - it might show who has taken them...

Thanks, Ben, I've sent you a PM.

[Ken Strong]

Quote:

Originally Posted by .Ben.

Looks like you've been hacked...

Yes, I know.

Found another one gone -- three domains stolen.

[Dan C. Rinnert]

Quote:

Originally Posted by KenStrong

Yah -- about a month ago my Gmail password was suddenly changed without my knowledge -- I switched to the secure settings. That might have something to do with it, but I received transfer authorization keys for those domains to my email address, so that wasn't changed in my Namecheap account. As I noted above, I immediately told Namecheap support about those emails.

Check your Gmail settings. If it was hacked, perhaps they set up a forwarding address, where incoming mail is also forwarded to a different account. Then, when you received the transfer authorization keys, they could have received them as well at the forwarding address, allowing them to authorize the transfer.

Check under the "Forwarding and POP/IMAP" tab in Gmail.

[Dan C. Rinnert]

BTW, if you look at the ad pages currently on those domain names, you can see the publisher ID in the AdSense code.

I don't know if that can be used to identify the culprits or not, but thought I'd throw that out there.

[Ken Strong]

Quote:

Originally Posted by Dan C. Rinnert

Check your Gmail settings. If it was hacked, perhaps they set up a forwarding address, where incoming mail is also forwarded to a different account. Then, when you received the transfer authorization keys, they could have received them as well at the forwarding address, allowing them to authorize the transfer.

Check under the "Forwarding and POP/IMAP" tab in Gmail.

Thank you for suggesting this -- I checked and don't see anything there.

They could have downloaded the settings and configured their mail client, but I changed the password, so I hope that's OK...

[scott_krech]

Wow...that sucks!

This exact thing just happened to one of my clients a few weeks ago. He's a home builder and had a site with hundreds of backlinks.

Hope this never happens to me!

But it is an interesting idea for a product, is it not?

Title could be:

How to Quickly and Easily Secure YOUR Website
to Make You Impenetrable to Hackers!

I'm sure there's a ton of products like it already.

Sorry for your loss Ken!

[MikeHumphreys]

Ken,

If you haven't done so already, run malware and spyware removal software on your computer.

My preferred 1-2 punch is Malwarebytes Anti-Malware and avast Anti-virus. If you have a keystroke/password logging trojan, it will catch them and stop them cold.

Good luck,

Mike

[Ken Strong]

Quote:

Originally Posted by Dan C. Rinnert

BTW, if you look at the ad pages currently on those domain names, you can see the publisher ID in the AdSense code.

I don't know if that can be used to identify the culprits or not, but thought I'd throw that out there.

Excellent! I sent an abuse complaint to AdSense with the Publisher ID, for whatever that will be worth. Worth a try, anyway... Thanks!

[Ken Strong]

Quote:

Originally Posted by MikeHumphreys

Ken,

If you haven't done so already, run malware and spyware removal software on your computer.

My preferred 1-2 punch is Malwarebytes Anti-Malware and avast Anti-virus. If you have a keystroke/password logging trojan, it will catch them and stop them cold.

Good luck,

Mike

Thanks, Mike -- I'm running an A-squared scan right now, and have Online Armor running (from the same company, I believe)... I think that looks for malware, not sure. Maybe I'll check out your recommendations, too.

[Robyn8243]

Ken:

First, let me say, I am sorry for the aggravation this must be causing you. Its amazing the kind of destruction and chaos hackers can cause their victims.

It would seem that if you had the domains registered with namecheap and
you did not authorize their transfer (and in fact you advised namecheap when they first sent you an email about a proposed transfer) it should be up to namecheap to contact the new registrar and resolve this.

Unless the new owners/thieves can show proof of how they obtained the rights to these domains that were indisputably owned by you, I would think that it would be pretty straight forward to establish that you are in fact the legal owner. You can prove you bought domains from Namecheap...and what can they prove? The only way they could have obtained rights to the domains would be through some transaction/payment made to you...which does not exist.

Of course common sense does not always prevail.

I think everyone would benefit by seeing how this is ultimately resolved, and I am curious as to whether other people have had this issue, and how different registrars
have responded to back up their customers.

I hope that this gets resolved in your favor asap.

On a different note, every time I see one of your posts, your avatar makes me smile...and I want to see a close-up.

Robyn

[Asher]

Hi Ken,

Woah... your sites are gone. Hope you get it back real
quick! I'd be stressed out totally if this happened to me.

Quote:

Originally Posted by KenStrong

Thank you for suggesting this -- I checked and don't see anything there.

They could have downloaded the settings and configured their mail client, but I changed the password, so I hope that's OK...

If you want to protect your Gmail account, here's a blog
post I came across some time back that could help:
Your Gmail Account Can Be Hacked. Here’s How to Protect It… :Asher Awesome Blog

Hope you get your site back soon!

Asher

[Raydal]

Hi Ken,

Sorry to hear this. These type of stuff can only be a distraction but
you learn from them and move on stronger than at the beginning.

Hope things resolve in your favor.

-Ray Edwards

[MDalton10]

Sounds like a Trojan/Virus. I'm sorry to tell you but all the best anti-virus software in the world does not mean you don't have one. I found a Trojan about a month ago that was out for over 7 months before I submitted it.

"Dear Sir/Madam,

thank you for your email.

Please let us inform you that the file attached to your previous e-mail was really infected with a new variant of Trojan horse. The detection will be available with the next AVG virus definitions update.

Thank you for your cooperation.

Please feel free to contact us if we can be of further help.

Best regards,

Ondrej Ploteny
AVG Technical Support"

So the only way you can be safe is to format. If someone REALLY wanted your domain they couldn have created a virus just for you. And depending on your OS you don't even have to download it.

[DougBarger]

I'm also sorry to hear about this Ken. It couldn't have happened to a better guy.

Is there anything we can do to help you with this?

[monsur]

I think that it will be better if you contact namecheap and take their suggestion.

Thanks

Monsur

[A Bary]

So Scary...
I'm sorry for your loss, but we need security professionals here to give us some tips to protect ourselves,

[stevendennis]

i don't know that this things also could happen....

[MDalton10]

I will give you tips. Buy a computer for all your secure internet actions. Don't use the same computer you facebook and myspace for credit cards and domain administraton. Its just not safe. And don't think that because you have a mac "They can't get viruses http://antivirus.about.com/od/macintoshresource/Macintosh_Viruses_and_Mac_Virus_Resources.htm". Pretty much having a work computer and a play computer is the best you are going to get unless you unplug from the internet. You can also get some firewall software and make sure only IP addresses you are approved for can be connected to, but gets kind of tiresome.

[Martin Luxton]

Ken,

Done some checking and this guy

Cybersquatting & Domain Name Dispute Attorneys - Trademarks, Domain Theft

seems to have experience in this area.

Or you could try contacting internet lawyer and fellow Warrior Brian Kindsvater. I've been told that, even when it might not be a specific area of expertise or geographical location he deals with, he knows the right person to go to.

Martin

[Rich Struck]

I bet you a dollar you have a keylogger on your computer. You need to get on a clean machine and change every password you've ever created.

[Ken Strong]

Quote:

Originally Posted by Rich Struck

I bet you a dollar you have a keylogger on your computer. You need to get on a clean machine and change every password you've ever created.

I just installed a brand new hard drive and did a clean install about two weeks ago...

[kf]

Ken - I hope you're able to get this resolved and get your domains back.

[mr.schutz]

Its not possible that your site got hacked. I hope and pray that you will be able to resolve this problem soon. The sooner, the lesser stress.

I can't imagine how much stress this is giving to you.

[phylma]

That's scary. All of my domains are through NameCheap. In fact I just renewed one two days ago. I'm going there right now to change my password.

Good luck getting your sites back.

[Martin Luxton]

Quote:

Originally Posted by KenStrong

I just installed a brand new hard drive and did a clean install about two weeks ago...

Ken,

I have a suggestion.

To help you figure out what could have happened (and to have something concrete to show Namecheap) why don't you do a timeline of notable and unusual events?

e.g.

21st October 2008: registered domain
23rd October 2008: put up site
5th January 2009: Added Avast antivirus
11th February 2009: Google password changed by hacker
2nd March 2009: Got strange email about authorization keys
3rd March 2009: contacted John B at Namecheap
10th July 2009: Last recorded backup of site with my content
11th July 2009: installed new hard drive

Basically, everything you have in data form and everything you can remember. A pattern might emerge that could help you work out exactly what happened and will help you get your sites back.

And when the whole mess is resolved you've got the material for a really useful ebook on computer security.

Martin

[dnka]

A number of valuable domains seem to have been stolen from Enom recently, check
Major Domain Hijacking Alert: Industry Pioneer Warren Weitzman Has Over a Dozen Domains Stolen From his Enom Account

[ramone_johnny]

Ken sorry mate, Im a little confused...

You say you can still FTP to the domains, what exactly are you FTP'ing to? The domain itself or an IP? What do you see when you establish a connection? Your files or someone elses? If they are your files, have you checked for a redirect?

[MSGeek]

Considering DNKA info, your computer was not a problem at all, and probably not even your email. It seems that either ENom was hacked, or connections between registars that allowed then transfer domains without triggering the mail, at least not to your account.

By the way, if you worry about trojans, a great way is to run browsers as virtual appliances. Just get VMWare client and an Internet browsing "virtual appliance" -- virtual machine image. Both are free. That's a little too heavy handed approach IMHO, but then nothing really get's out of browser to your machine. Of course, there is still a risk that you voluntary and accidentally install something from Internet that looks like a great idea...