stolen web site domains

[auntnini]

Did you see Chris Coyle's CSS TRICKS newsletter about his and several other web-help-related sites having their domains hacked and transferred to another host?

How can that be prevented? How can the hacker be caught?

This Site’s Domain is Stolen Posted: 02 Dec 2011 08:07 AM PST

Hey ya'll. This is (really) Chris Coyier. I had css-tricks.com registered on GoDaddy. It recently came to my attention that the ownership of this domain has been transferred away from my ownership to PlanetDomain. For now, thankfully the nameservers still point to MediaTemple, so the site is still up. That could change at any time.

I'm going to keep track of all this.

Timeline of Events
Friday 7:30am - I found out about all this from emails from David Appleyard. I immediately thought of David Walsh who this is also happening to. It's also happening to instantshift.com and sohtanka.com. None of us share a GoDaddy hosting account. These are all separate instances. Important to note: I received no email or phone call verifying the transferring of this domain. The email address in my GoDaddy account was unchanged.

Friday 7:45am - Called GoDaddy support at (480) 505-8877. Was not helpful. Was told just to email domaindisputes@godaddy.com (which I did immediately).

Friday 8:06am - I tweeted about the problem. GoDaddy sent me a DM saying to fill out a form, but the form was a 404 page.

Friday 8:30am - I got the correct link to the domain disptute form and filled it out. This included a scan of my driver's license. The website says it will be 3 days for an initial response. I hope it's sooner than that.

Friday 9:00am - I went to my banjo lesson because at least nobody can take that away from me.

Friday 10:10am - Trying to contact PlanetDomain (just assuming this is them). They don't seem to have an active Twitter account. Just sending an email through the contact form for now.

Friday 10:15am - Got generic email back from GoDaddy:

We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back.
If they are unwilling to transfer the domain name back you will need to contact the current registrar or registrant for further assistance.

Friday 11:50 - Just got off the phone with GoDaddy (Tony in domain disputes and Alon in customer service, I think). The current status is that they have already sent a request to PlanetDomain, and the next step is to wait for them to do the due diligence and get back to GoDaddy with an answer on whether or not they will return the domain. This be a matter of days, or a week (sine it's Friday, very likely won't be until early next week). Other facts about GoDaddy:

So far they have found this has happened to around 12 accounts, all within the "Web Design" genre (so most likely a targeted attack).
There is no accessible log from with your GoDaddy account to see what/when things happened.
They do have access logs, but they can't share that information with me.
The domain was transferred away from GoDaddy the evening of Nov 20th
They have, but cannot provide me with, the email address used to transfer the domain away.
GoDaddy confirmed my global account email has never been changed, but it WAS changed for the domain css-tricks.com prior to the move.
The request to unlock the domain happened on Nov. 14th at 4:30pm Mountain Time. Normally there is a 5-7 day waiting period, but GoDaddy offers instant transfer and they remarked that it was unusual that the hacker chose not to do that.
They confirmed no other domains have left my account.
Friday 12:15pm - I asked VaultPress if they could tell me the IP address of the person who changed the index.php file, but they don't have that information. It might be in my server logs if I have them from that long ago.

Friday 1:05pm - Former employee of PlanetDomain tells me that it looks as if the hacker attempted to remove the nameservers, but the PlanetDomain system for that failed. (This line in the WHOIS: "No name servers present.") The hacker would have to call PlanetDomain to "fix" this, which they have not (thank god).

Friday 5:25pm - About the end of the work day here and heading in to the weekend, so it's unlikely anything will happen until early next week. I'd love to get at least an acknowledgment from PlanetDomain / NetRegistry that they've gotten the domain dispute from GoDaddy. But no such luck.

Friday 7:10pm - Send off an email to MediaTemple letting them know the issue. They aren't really involved, but if they can find for me the IP address that changed that file on the server on Nov 21st, that might be helpful.

Other News
This happened to David Airey as well. He attributes a Gmail Security Flaw (this particular flaw has been fixed) as to why he was never notified of the domain transfer.
November 21st was the last update to my sites WHOIS data. On that day, I had a minor site hack. VaultPress caught it. In my index.php file in the root (effects the entirety of WordPress) a link was added to 8oc.com. This same thing happened to Kirupa Chinnathambi of kirupa.com.
David Walsh received two emails on November 28th from moya.server@gmail.com. One said: "trust me godady can't help you," the other: "pay 2k to get ur domain back .."
This is not isolated to GoDaddy. Original registrants varied, see below.
A former employee of PlanetDomain tells me that PlanetDomain is owned and operated by a Sydney company called NetRegistry(NR). He also tells me the domain is in "active" status which is good news for the possibility of moving it back.
Official rules on Domain-Name Dispute-Resolution.
Sites with Same Problem
davidairey.com - Resolved
css-tricks.com - Unresolved Originally at GoDaddy - Bad Guy moved to PlanetDomain
davidwalsh.name - Unresolved Originally at GoDaddy - Bad Guy moved to Name.com then to 1and1
scriptandstyle.com - Unresolved Originally at GoDaddy - Bad Guy moved to PlanetDomain
sohtanaka.com - Unresolved Originally at 1and1 - Bad Guy moved to PlanetDomain
designshack.net - Unresolved
instantshift.com - Unresolved Originally at GoDaddy - Bad Guy moved to PlanetDomain
kirupa.com - Unresolved Originally on NetworkSolutions - Bad Guy moved to PlanetDomain
shiachat.com - Unresolved
abduzeedo.com - Was able to stop domain transfer before it happened, but all signs indicate the same hacker tried to steal it (forserver@yahoo.com) - Originally on DreamHost

This Site’s Domain is Stolen is a post from CSS-Tricks

[djr33]

Weird. I have no idea, and that's worrying. The two things I can think of to fix the problem are:
1) Ask your domain company to lock your domain-- don't let it be moved unless you give them specific permission (something beyond their usual requirement). Or similar set up a system that doesn't allow you to move it except in specific circumstances. For example, only on the first day of each month, or only if your website's homepage displays a certain message. I don't know if the hosts would allow this.
2) Improve domain security in general-- it sounds like it's time to make a more centralized system so that individual hosts aren't dealing with these problems. I don't know exactly what laws exist, but, for example, telephone numbers are yours to keep, even if you change phone companies (at least in the US), so maybe there's some way to make the same apply with domains so that you can dispute the domain being stolen at a level beyond the hosts.

[azoomer]

What a scary story. I really hope Chris gets his domain back, considering how much work he has put in the site over the years. I am reconsidering using a product from my registrar (name.com). It is called "namesafe VIP service". Google it if you are interested. It gives you an electronic password creating device that you carry with you, adding another layer of security against transfers ( supposedly ?). Does anyone believe it would help against these smart hackers ?

[auntnini]

Web Design Tutorials & News Blog of Soh Tanaka
My Domain Name Has Been Stolen

Posted:
This is going to be a super quick alert to everyone who visits my site. Unfortunately my domain name www.sohtanaka.com has been stolen by someone who uses planetdomain.com, and has hijacked my account. The site is a bit spotty at the moment so please be aware and alert. You can check with me on twitter [...]

This is awful. Can anyone stop this attack?

[auntnini]

In case you missed CSS TRICKS post

This Site’s Domain is Now Safe - CSS-Tricks


This Site’s Domain is Now Safe

Posted: 09 Dec 2011 12:14 AM PST

css-tricks.com is now back under my ownership. Yay!

Quick review of what happened

A criminal stole the ownership of css-tricks.com. They transferred it from GoDaddy to PlanetDomain. I got it back. You can read a whole saga of the events.

This wasn't just css-tricks.com, this happened at the same time to many other domains that were all "Web tech related blogs."
How did it happen?

From the perspective of GoDaddy, where the domain was registered, the transfer looked completely legitimate. The criminal logged into my GoDaddy account, unlocked the domain, and transfered it away.

How did they get into my GoDaddy account? To this day, I don't know.

I do know that they got into my GMail account. By doing this, they were able to delete any emails about the transfer, so I was unaware it even happened. I don't have proof of the deletions, but I have proof the criminal was in my GMail account. My GoDaddy account password was never changed and didn't exist in my GMail account, so the criminal was able to get that password another way. On the first day of the hack, a file was also changed on my server, which suggests they had my FTP password as well, which also did not exist in my GMail account. All three were also different. I wish I could tell you exactly how all three of these passwords were hacked. I cannot.
How did it get returned?

I spoke with GoDaddy about the theft. They spoke with PlanetDomain. PlanetDomain agreed to give the domain back to GoDaddy. In my case, both companies were helpful and did all the right things. I actually did very little. I spoke with GoDaddy, filled out their Domain Dispute form, wrote a blog post, did my fair share of worrying, and ultimately it got resolved.
Who is to blame here?

The only person I can find to blame is the criminal (there has been some contact with this criminal, see video).

It's not GoDaddy's fault. From their perspective this looks like a standard domain transfer, thousands of which happen every day. They didn't simply allow a criminal into my account. It's also unlikely that the criminal broke into my GoDaddy account via a specific GoDaddy weakness. There were many domains affected here from many different registrars. I think it would be nice if GoDaddy offered two-step authentication, but their lack of that didn't cause this.

It's not GMail's fault. Yes, my account was hacked into. I have no idea how. I know the password was reset, but I don't know if that was a part of the criminal getting in, or because they wanted to keep me out afterward. Once in, theoretically the criminal could have gained access to anything else of mine by resetting passwords, but that wasn't the case. My GoDaddy or MediaTemple passwords were never changed. Again, there were many domains affected here and the owners of those domains didn't all use GMail. So it wasn't GMail specifically that was the vulnerability that caused all this.

It's not other random technologies fault. I heard some people blaming WordPress, which is just weird.

I'm willing to take some blame here myself. Perhaps I used an unsecure network or something. I'm just not sure.

It's hard to figure out exactly what happened. You might think that since so many of us were affected we could find the commonality. But unfortunately that has made it harder since we've been able to discover so little in common between our situations. It seems to me the most likely case is that the criminal is just damn good at being an internet criminal. Unfortunate that kind of talent is going toward making the world worse instead of better.
What can you do to protect yourself?

This is the section I was looking forward to writing the most. Sadly, I have little to say.

I think you should use really strong passwords that you change frequently. You should probably run antivirus stuff and make sure you don't have anything nasty like a keylogger. I think you should use 2-step verification if you use GMail, which should theoretically make it much harder for a criminal to get in.

The thing that allowed this to happen under my nose was that the email notifications I should have gotten were deleted. So one thing I have done was to start using Domain Monitor and having it notify and alternate email address of changes.

I've also enabled GoDaddy's Domain Protection. css-tricks.com is now about as protected as can be. Nobody, including myself, can transfer the domain. The only way it's possible to transfer is to cancel the service, and part of that process is legally proving my identity with official documents.

So yes, I'm going to keep css-tricks.com on GoDaddy. They were the folks that were with me during all of this and now, especially with the protected registration, I feel secure there.
How are the other people doing?

It's mostly good news. There are only three unresolved cases that I know of.

The worst of which is Soh Tanaka's sohtanaka.com. Soh needs 1and1 to start being responsive and cooperative and accept the domain back from PlanetDomain who is ready to give it back. Soh's site has been offline for days which is super uncool.
A similar situation is Ali A.'s shiachat.com. Ali needs 1and1's cooperation but doesn't have it. At least Ali's nameservers are pointed to the correct place.
Kirupa Chinnathambi is waiting for Network Solutions to get rolling on getting kirupa.com back to him. Apparently the two companies are talking though.

I think it may be of benefit to apply a little social pressure to @netsolcares and @1and1 on these folks behalf, if you are up for it.
Thank you

I'm also quite sure that each of you helped. The community outpouring of support got the attention of the companies involved and surely expedited things. css-tricks.com is now safe. I'm very grateful for that. Now back to your regularly scheduled programming. There is many more articles and screencasts to come!