Warning: YH.com Domain Name Stolen

Valuable two letter domain name YH.com has been stolen.

The domain name YH.com has been hijacked from its owner and the thief is trying to sell it.

The domain’s owner is Jaynell Hogan, who was properly identified in the whois database until March 26, when the domain name was suddenly transferred from Go Daddy to DOMENESHOP AS. The whois record changed to “Domain Administrator”. The thief then created a Gmail address using Hogan’s name, which is currently listed as the administrative contact.

T.M. Camp, Web Strategist for Hogan’s company Gazillion & One, explained what happened in an interview with Domain Name Wire.

“Early last week I started to get some notifications from our hosting provider Dreamhost and from Go Daddy that someone was attempting to transfer a couple of our domains, one of which was gazillion1.com,” explained Camp. He said he replied to the emails stating not to transfer the domains.

Camp explained that the company uses Gmail (Google Apps) for its email. Later in the week Camp realized that someone had compromised the Gmail accounts. The attacker changed the administrative passwords, which locked the company out of its own accounts, and also gained access to the company’s hosting accounts.

YH.com wasn’t connected to any of that hosting. But with access to the corporate accounts, the thief was then able to access the account connected with YH.com. From there, transferring the domain was simple.

Companies with valuable domain names should consider extra locking and security services offered by domain name registrars. Go Daddy offers such a service, and VeriSign now offers “registry lock” service that can also add protection.
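The attack chain above leaves a trail in the public record: the registrar changes, the registrant becomes a generic role name, the transfer lock disappears, and the contact moves to a free-mail address in the owner’s name. The following added example (not code from Domain Name Wire or from any registrar) diffs two WHOIS-style snapshots for exactly those indicators; the records and names in it are constructed, not real WHOIS data.

```python
"""Flag domain-hijack indicators by diffing two WHOIS/RDAP-style snapshots.

Signals checked are the ones the YH.com case exhibited: registrar change,
registrant replaced by a role name, loss of EPP transfer locks, and an
admin contact moved to a free-mail provider.
"""
from dataclasses import dataclass, field

FREEMAIL = {"gmail.com", "aol.com", "yahoo.com", "hotmail.com"}
# Real EPP status codes; either one blocks an inter-registrar transfer.
LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    registrant: str
    admin_email: str
    statuses: frozenset = field(default_factory=frozenset)


def hijack_indicators(before: WhoisRecord, after: WhoisRecord) -> list:
    """Return human-readable findings; an empty list means nothing of concern changed."""
    findings = []
    if before.registrar != after.registrar:
        findings.append(f"registrar changed: {before.registrar} -> {after.registrar}")
    if before.registrant != after.registrant:
        findings.append(f"registrant changed: {before.registrant!r} -> {after.registrant!r}")
    lost = (before.statuses & LOCKS) - after.statuses
    if lost:
        findings.append("transfer lock removed: " + ", ".join(sorted(lost)))
    mail_domain = after.admin_email.rsplit("@", 1)[-1].lower()
    if after.admin_email != before.admin_email and mail_domain in FREEMAIL:
        findings.append(f"admin contact moved to free-mail address {after.admin_email}")
    return findings


# Constructed snapshots (hypothetical names, not real WHOIS data) modelled on the timeline above.
BEFORE = WhoisRecord("example.com", "Registrar A", "Jane Owner",
                     "jane@example-corp.com", frozenset({"clientTransferProhibited", "ok"}))
AFTER = WhoisRecord("example.com", "Registrar B", "Domain Administrator",
                    "jane.owner@gmail.com", frozenset({"ok"}))

if __name__ == "__main__":
    for finding in hijack_indicators(BEFORE, AFTER):
        print("ALERT:", finding)
```

Run against periodic snapshots of your own portfolio, any non-empty result is worth a call to the registrar the same day, since the transfer window is the only time a lock still helps.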

Remember, if someone approaches you about buying a domain name quickly at a discount price, be wary, especially if it’s a two or three letter domain name. If you see any forum postings offering YH.com for sale, please comment with the information.

Further Reading:

  1. GoDaddy Gets Stolen Domain Name Back to Owner

Comments

  1. Shaun
    April 2nd, 2010 | 12:40 pm

    Why do people continue to reg their names at GoDaddy?

  2. April 2nd, 2010 | 12:41 pm

    Shaun – I don’t think it has anything to do with Go Daddy. Could happen to anyone who has their email compromised.

  3. Domainer
    April 2nd, 2010 | 12:46 pm

    People should use a registrar like Internet.bs or Name.com that offers two factor authentication from Verisign. http://www.verisign.com/authentication/two-factor-authentication/vip-authentication/index.html

  4. Jay
    April 2nd, 2010 | 1:05 pm

    @Shaun

    Has nothing to do with Go Daddy it has to do with people using free email addresses that can be hacked. I use an email from my own domain behind an ssl and haven’t had a problem with Go Daddy since they opened. Fabulous is another good one as they provide domain locking for free compared to Moniker which charges for it. Most of these theft stories involve using gmail or having a weak password or having a keylogger on your computer. Good email address, good virus protection and good passwords and no problems.

  5. April 2nd, 2010 | 1:13 pm

    @Shaun – It’s got nothing to do with GoDaddy, but as is often the case with stolen names, more to do with using web based email accounts. After all the postings/threads/bloggings noting ‘not to use’ web based emails for one’s domain names, the lessons go on…

    Hope they get it back!

  6. April 2nd, 2010 | 1:24 pm

    don’t use gmail.

    If you use godaddy and you have valuable domains. Demand an account executive.
    Have them lock it so only that account executive can unlock it. Your domains will then be safe.

  7. April 2nd, 2010 | 2:00 pm

    I’d like two factor authentication that sends a text message to my phone with a one time use PIN. That way I don’t need to carry around an extra key fob.

  8. Derek
    April 2nd, 2010 | 2:03 pm

    I’ve said this before (on Larry’s blog, but he didn’t seem to give a damn), but there is a MAJOR assault on domains lately. I’ve uncovered five very premium stolen domains by this thief in the past month alone (four of which I have helped the owners recover). This makes six. I’m guessing there are many, MANY more under his control now. The pattern to look for is this: He emails you with a firstname.lastname@freeemail.com (usually AOL or Gmail). The names used (of course) are the same names of the original owner. He also uses very few words in his emails. The occasional awkward word is another giveaway. English is not the first language.

    If you are an active domain buyer, you really need to subscribe to the DomainTools Whois History tool. Otherwise, you’ll surely buy a name that has been stolen.

  9. Tim
    April 2nd, 2010 | 2:47 pm

    GoDaddy has a domain transfer validation service if you have an Executive Account.

    They have to call you at your contact phone number and you have to give them your set pin number.

    This has given me some comfort after several hacking attempts on my GD account.

    I have not heard of the domain locking service though by GoDaddy that Steve Fox above mentions.

  10. Greg
    April 2nd, 2010 | 3:09 pm

    bvx.com is also stolen. Don’t know if it is the same guy. He is offering very low prices but will only take Paypal Mass payment.

  11. Mike
    April 2nd, 2010 | 3:54 pm

    I received this:
    from: Jaynell.Hogan@Gmail.com

    Hello,

    It seems you are owning 2Charracter domain name, I have “YH.COM” for sale, are you intersted in buying this name?

    Let me know ASAP.

    Regards,
    J Hogan.

  12. April 2nd, 2010 | 4:01 pm

    Tim,

Maybe they changed it. What you describe is one of their methods. Maybe they no longer do the method I was told about. But they are both similar in that they force verification.

  13. Louise
    April 2nd, 2010 | 5:50 pm

Mike, thanx for relaying email message. Isn’t there a division of internet security that could create a sting to retrieve the domain name?

  14. bad news
    April 2nd, 2010 | 6:27 pm

    An honorable person would not purchase a domain that might have a questionable history.

    But, there are a couple unethical people in our industry that would buy it and flip it. They will buy it using a private whois. Sit on it for a while and then sell it. Hoping it will not be taken away from them.

    UDRP will not help. And, many of the registrars will not intercede. Not sure if the U.S. federal courts will help.

    U.S. law enforcement can’t help because most of these hijackers are outside the U.S.

    Since Icann is quick to create rules to injure us, maybe they should establish some rules about stolen domains.

    Oh, I forgot. That doesn’t put any money in Icann’s pocket.

    Depressing.

  15. Drew
    April 2nd, 2010 | 9:08 pm

    $10 says this was a weak password on a gmail account.

    Again.

  16. April 2nd, 2010 | 9:34 pm

    The story of the theft of vl.com on 3/28/2010:
    http://blog.jtimothyking.com/2010/03/31/grand-theft-internet

    Message thread with “as-it-happened” updates, including the transcripts of the social engineering exploits used to breach the registrar account:
    http://old.nabble.com/Dreamhost-account-hacked-td28062149s24859.html

  17. April 2nd, 2010 | 10:34 pm

    From what I read here, I think it likely that the attacker tricked the hosting company into giving him access to the hosting service, then used that to give himself access to the Google Apps account, then used that to steal the domain name away.

    I just finished writing up a detailed account of a very similar incident, the theft of VL.com, which happened March 27-28. It looks like the name will be recovered, because the registrar (DreamHost) gathered forensic evidence and reconstructed the attack. (They are also currently looking at their policies, in order to try to prevent similar thefts in the future.) But also because DreamHost was forthcoming with these forensics, we are able to see exactly what tactics the attacker used, and how we might guard against them.

    BTW, in the VL.com story, the owner also used Google Apps for email. But the attacker was unable to crack into his Google Apps account, even though he tried. I think this was partially because of luck: the attacker didn’t try the weak link until it was too late.

    -TimK

  18. John Berryhill
    April 2nd, 2010 | 10:43 pm

    “An honorable person would not purchase a
    domain that might have a questionable
    history.”

    There is no shortage of hopelessly naive buyers.

    I had a call recently about two three-character domains someone had purchased and was confused because they were transferred back as stolen.

    WHOIS showed two different registrants on opposite sides of the country.

    “Seller” contacted buyer on a forum. They exchanged PM’s on the forum and MSN chat. “Seller” pushed the domains to buyer’s account and then accepted Paypal payment.

    At no time did the buyer even bother with a cursory check of any kind, and was shocked that the domains were stolen.

    Sometimes it is just hard to know where to start with some folks.

  19. April 2nd, 2010 | 10:52 pm

If a thief is smart enough and prepared they can just about fool the best around. It sometimes takes a gut check to set off on a search to discover the truth.

  20. April 3rd, 2010 | 7:14 am

    Someone needs to go to jail.

  21. Jim
    April 3rd, 2010 | 7:20 am

    Unlucky.. No sympathy for anyone holding valuable names at slowdaddy

  22. Domainer
    April 3rd, 2010 | 7:47 am

    @Andrew “I’d like two factor authentication that sends a text message to my phone with a one time use PIN. That way I don’t need to carry around an extra key fob.”

    I use the Iphone app for Internet.bs and have a $5 Paypal card as a backup.

  23. April 3rd, 2010 | 8:30 am

    @Domainer ” I use the Iphone app for Internet.bs and have a $5 Paypal card as a backup. ”

Well aren’t you fancy, must have some portfolio ;)

  24. April 3rd, 2010 | 9:40 am

    I used to warn against using hosted email accounts. But I don’t think that is a reasonable expectation anymore. More and more people are relying on the cloud, and Gmail is a major force behind hosted email. In this case, it was a paid Google account that was originally broken into, giving the thief access to other accounts.

  25. Brad
    April 3rd, 2010 | 11:27 am

As Tim said above, Domain Transfer Validation is an added optional service on Executive Accounts at GoDaddy. It is a great program and I think GoDaddy should offer it as an addon for people who don’t qualify for Executive Accounts as well.

  26. Jim
    April 3rd, 2010 | 11:33 am

    What is an executive account at godaddy? Never heard of that one before, but then again I only hold a few domains with them. I certainly wouldn’t use them as my main registrar, I don’t want to be funding superbowl adverts ;)
    There are several registrars that are secure as standard, no need for executive status. Moniker and Fabulous spring to mind.

  27. Domainer
    April 3rd, 2010 | 11:37 am

    You should also use whois privacy. Makes it harder for the thief to figure out which email account to hack. When you reply to an email forwarded to your registrar account email address, reply using a different email address.

    Side note: Godaddy sucks.

  28. Jim
    April 3rd, 2010 | 11:43 am

    I think whois privacy should be abolished across the board :) If you don’t want anyone to know you own a domain then don’t buy it :)

  29. Tom Metro
    April 3rd, 2010 | 1:21 pm

    Drew wrote:
    > $10 says this was a weak password on
    > a gmail account.

    As Tim King mentioned, that wasn’t the case in my situation. Though they certainly tried to break into a Google Apps. account. First they had Dreamhost give them the plain text for all users on the account (which they did), but these were useless random strings unique to these accounts.

    Later, when they had lost control of the Dreamhost account, they tried using Google’s procedure of adding a CNAME to the domain for the Google Apps. account, which then permits you to create a new administrator account. Fortunately the Dreamhost reps were wise to their tactics by that point.

    Pretty much everything you outsource to the cloud depends on a chain of security, and you need to understand the extents to which that chain extends. For example, your Google Apps. account is only as secure as your DNS provider.

    Given that DNS is subject to cache poisoning, Google really shouldn’t hand out reset CNAMEs to any random user who has provided *no* identifying information. (Note that Google doesn’t even send an email to the administrator when a reset CNAME is requested.) Using this approach a sophisticated and determined attacker could gain control of any Google hosted domain.

    -Tom

  30. Tom Metro
    April 3rd, 2010 | 1:32 pm

    Jim writes:
    > I think whois privacy should be
    > abolished…

    Unfortunately that leaves you to be abused by spammers and scammers. Any contact info you do list, becomes so drowned in noise that you can’t see the important communications that might arrive via whois.

    However, what should be possible, is for the domain owner to obtain a periodically changing code, give it to a third party, which then permits the registrar to reveal full contact information. This would be a helpful way to prove ownership to third parties.

    And there should be a “partial privacy” option, where you identify the owner (company or individual), and approximate geographic location, but not an email (still proxied) or mailing address. This thwarts automated use, but provides enough info to validate (to a degree) ownership.

    -Tom

  31. Jim
    April 3rd, 2010 | 1:43 pm

    Or perhaps make the Nominet system standard worldwide :) .com and other TLD’s have been open to abuse since forever.
    I’m a Nominet accredited registrar for UK domains so maybe I’m biased, but I think we have the best system in place. Nominet have partial privacy as standard for individuals, and the only details shown on whois is the name. You can opt in or out. I’m an individual but also a registrar. I choose to opt out of the privacy. I can’t trust an individual or company that wants to hide behind privacy, so I don’t do it myself.
    Everyone is at risk from digital theft, but that does not mean we need to walk about in the shadows with dark clothing on :)

  32. Joe
    April 3rd, 2010 | 2:55 pm

    Warmly hope the rightful owner will get this true gem back.

  33. DomainProtection
    April 4th, 2010 | 9:42 am

    So what do you suggest? Even standard email can be compromised if your webhoster gives the information to the thief.

    Do you suggest using Hosted DNS with Fabulous or Moniker account and point them to Google apps? What is the safest procedure for safe email?

  34. John Berryhill
    April 5th, 2010 | 9:36 am

    “You should also use whois privacy. Makes it harder for the thief to figure out which email account to hack.”

    …and also makes it harder to prove it was your domain name in the first place…

  35. Domainer
    April 5th, 2010 | 10:13 am

    “…and also makes it harder to prove it was your domain name in the first place…”

    If you prevent a theft, that’s not an issue.
