Beware: more stolen domain names.
Yesterday I reported about the theft of YH.com. It turns out another valuable domain, VL.com, was also recently stolen. In this case it appears the weak link was web hosting company Dreamhost. That’s also the host in the YH.com case, although the actual weak link in that case hasn’t been determined.
It wasn’t Dreamhost’s automated systems that were to blame. It was a human mess-up, just like when Baidu’s DNS was hijacked. A number of registrars and web hosting companies add a human element to their security systems, thinking this will improve security. In reality, that human element is often the weak link.
Here’s the story, as Tom Metro of Venture Logic relayed to me via email. You can read a more in-depth account here.
In brief, a directed attack using social engineering was perpetrated against my domain registrar, Dreamhost, and due to multiple failures on their part, they granted the attacker access to my account, froze me out, and hampered my ability to halt the attack.
This started Saturday night, and by Sunday afternoon, given lax response from Dreamhost, the attacker had succeeded in transferring my vl.com domain, which is considered of high value due to being only two letters, to a foreign registrar located in the Bahamas.
See this mailing list thread for an “as-it-happened” account:
Included in my posts are laughable chat transcripts between the attacker and the Dreamhost support personnel, where support people were more than happy to update contact info, supply plain text passwords, and force through a domain transfer.
Clearly, humans were the weakest link in this system.
The good news is that the attacker never succeeded in compromising my email account used as the domain contact (despite a few attempts) and the foreign registrar has been convinced that there was enough fishy about the transfer to put modifications on hold. So for the time being my name server records are safe, and they haven’t gained access to my vl.com email traffic. (Though I’m pretty sure they only care about the domain itself.)
Monday the attackers made attempts to reset the password on my Google hosted account used as the contact address for the domain. Undoubtedly so they can leverage it to send a forged letter to the foreign registrar. This attack included another attempt to social-engineer the Dreamhost support people (where the DNS was hosted for this other Google hosted domain; Google uses your ability to add a CNAME record to a domain’s DNS as proof of account ownership), but fortunately by this point Dreamhost was wise to the trick. Amazing they hadn’t yet disabled the “live chat” support feature that enabled key parts of the forgery (though it appears to be disabled now).
Tuesday morning the foreign registrar concluded their investigation, agreeing that it was fraudulent circumstances and started the return process. And currently the return is still being processed by Verisign.
I’ve reported the attack to the local police and the FBI, and had a long conversation with the supervisor of the FBI Cyber Squad in Boston.
Dreamhost reports that there were other customers of theirs victimized (who also had domains stolen, but from other registrars). There is indeed a rash of domain thefts happening.
On Tuesday I was contacted by someone from Iran using the same anonymiser IP address as the attacker offering to help recover or purchase my domain. He curiously had a portfolio of 2-letter domains.
I would be happy to share forensics with any other victims.
There is a 5 day wait period for a domain to be transferred between registrars.
If they got into the acct Saturday night/Sunday morning (which is when most of these hijackings happen), how did the Bahamian registrar have access to the whois?
The losing registrar can manually override the 5 day wait period if the registrar manually logs into their V-sin acct.
This is not good news for domainers.
I will keep changing my logins every 3 months or more often.
How much is “whois” a player in these hackings? I am starting to think more and more the key factor here is whois!
For example… how would the hacker know what registrar the domain name was registered with, without whois? Without knowing what registrar the domain was with… they wouldn’t know where to try and steal it from!
This problem here with YH.com and VL.com may be a “DreamHost” situation even though YH was registered with GoDaddy.
For all the money “non profit” ICANN rakes in, I believe they’re well-heeled to set up a center to IMMEDIATELY handle domain hijacking claims, as a precursor to UDRP.
A lot of these thefts are instances of very low level hackers who would simply abandon the name and scurry back into the shadows if confronted with an investigating arbiter.
Sure, there are some remote abuses that might occur with such a system, and in cases of a thief who actually decided to articulate a defense on a name he stole, it would probably have to wind up in UDRP, but I’d wager that for 90% of the stolen DN cases, a real human being looking into matters would result in the name quietly and quickly being transferred back to its original owner (when a six figure domain owned and operated by the same business for 13 years is suddenly transferred to the godaddy account of a 19 year old kid from India…)
Recourse for a stolen domain ultimately lies at the ICANN level (in the face of lazy and negligent registrars like Godaddy who do nothing themselves)- some sort of “fast response” system should be put in place. We’re all paying ICANN gracious plenty for what they actually provide. We should demand this.
Amazing there still isn’t a secured registry of domain names as with other forms of property.
Try Fabulous.com with their new physical USB security key. They also have an “enterprise” lock which locks the domain down and can only be “manually” over written through special instructions setup between you and the Fabulous guys.
Even though they are in Australia, they’re an ICANN registrar and won’t dare to do any funny business. They hold over tens of millions of dollars worth of domains due to their security efforts.
-Attila
“the foreign registrar has been convinced that there was enough fishy about the transfer to put modifications on hold.”
The vl.com owner lucked out that the thief transferred the name to Internet.bs. They will do the right thing. I doubt the yh.com owner will be so fortunate.
Are these domains singled out due to their presumably high value? Hundreds of domains are being stolen monthly, using a variety of methods. The weak link appears to be the hosting provider & social engineering. Kevin Mitnick showed the way.
vl.com owner is indeed lucky. I emailed the owner of Internet.bs. vl.com is already headed back to the losing registrar. Although if I were the vl.com owner, I’d cancel the transfer and leave the name at Internet.bs and ask for the second factor login authorization they offer.
At least no one is hacking my account trying to get at my domains!
The safest registrar is your own private registrar.
If you lock down all of your domains in your registrar, you can get all of the transfer request possible and the domain isn’t going anywhere.
That is why guys like Frank Schilling, Mike Berkins and others have their own private registrar.
If you have over 10K domains or very valuable domains, it pays to have your own registrar.
This is bad news definitely.
@LS Morgan,
How does India even picture in the conversation? You meant to say Iran? Yes all countries in Asia are the same. What benefit does ICANN have to help with hijacked domains, such that it would give higher priority than UDRP? If you read the thread of emails you would see that a “real” human was looking into the issue. The case was really complicated because DreamHost for all their mistakes, couldn’t make out if they were talking to the real owners or not. No sympathy for DH though.
“I’ve reported the attack to the local police and the FBI, and had a long conversation with the supervisor of the FBI Cyber Squad in Boston.”
The fact that this owner reported the theft, and the miracle that the FBI is finally willing to listen, are the only two bright spots in this story for the domaining community.
@bad news “The safest registrar is your own private registrar.”
Not always. Your own registrar server presumably connects to registry servers. I’d think a registrar with a million plus registrations would be much more hacker proof than a domainer with only his portfolio.
When it comes down to it, no domain name is 100% thief proof.
The majority of the hijackers gain control of a domain thru compromising a gmail acct or by talking his way into an acct.
When it is your registrar they can’t talk their way into the registry. Verisign has security procedures that a public registrar does not.
And, I will assure you that I wouldn’t use a gmail acct to control anything important.
I also had bq.com and js.net stolen by way of a hacked mail.com email account back in 2000, from my Network solutions account.
Several months ago a hijacker successfully compromised my computer by installing a key logger (presumably by sending me an email, maybe even an inquiry about a domain I own).
Anyhow, they were able to log into my account at Godaddy and quite easily steal one of my domains (a 3 letter .COM), and push the domain into their account.
The problem had NOTHING to do with Godaddy; the hijacker had my username and password and went right in the front door. Lucky for me, I discovered the issue before the domain could be transferred away from Godaddy.
My account executive locked down the domain until they completed an investigation and I was lucky enough to get the domain back in 12 hours.
Godaddy offers to their executive customers a special security measure which I won’t discuss in depth here. But this measure makes it impossible to be impersonated or for a hijacker to transfer a domain away from your account.
Domain theft is on the rise. Hijackers are only targeting domains which are highly liquid. They depend on the ability to quickly sell a domain. So essentially they target 2 & 3 letter .COM domains as well as strategic one word .com domains.
Anyhow, victims need to be outspoken and aggressive. And contacting the FBI is critical even if they are not yet very responsive. As the number of victims increases, they will be forced to improve enforcement of these crimes.
Personally, I think we should consider as an industry starting an organization (maybe 5-10 people) whose only purpose is to track and enforce these types of crimes. By enforce, I of course mean vigilante style… track them down and castrate them if need be. Going rate these days is only about $500 per head (times are tough…).
I had deleted.com stolen a few times…
Subbing to thread
Verisign offers a registry lock service through its registrars. You should definitely ask your registrars about this service because this is a lock at the registry level and not the registrar level.
Unless they’ve changed it within the last couple of weeks anyone can steal a domain name from Nominet so long as they’ve got access to the domain contact email of their intended victim. That can be from packet sniffing or a Trojan on a local network (e.g. a hotel or place of work) or from insecure Wi-Fi or from a stolen computer.
How’s it done?
You go to the login page and simply enter the contact email address and then claim to have lost your password. Immediately – and I mean immediately – a link to a secure page is sent to you. You go to that page. You are NOT – repeat NOT – asked for your old password. You enter your new password. You go to the log in page. You log in with your new password. You now have control of that account.
Once in, you head straight over to the ‘cancel domain’ page. You cancel that domain. It takes no more than 12 hours, maybe less, and then that domain is on the market. No email is sent to the victim asking for confirmation. There are no built-in delays and double-checks.
Yes, you might not believe me. I couldn’t believe it. But until a few weeks ago this was true.
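What the “built-in delays and double-checks” the comment above says were missing could look like on the registrar side, as an added example that is not part of the original post and not code from Nominet or any registrar named on this page. It models a password reset that is time-limited, single-use and always announced to the contact mailbox, and a domain cancellation that sits in a hold period and needs the mailed token before it takes effect. The account fields, the 15-minute token lifetime and the five-day hold (chosen to mirror the transfer wait period discussed earlier) are assumptions for illustration.

```python
# Added example, not code from the original post or from any registrar it names.
# Toy model of a registrar account with a notified, time-limited password reset
# and a domain cancellation that waits out a hold period and needs confirmation.
# Token lifetimes, the hold length and all names are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RESET_TOKEN_TTL = 15 * 60       # assumed: reset links expire after 15 minutes
CANCEL_HOLD = 5 * 24 * 3600     # assumed: cancellations wait five days, like transfers


def hash_password(password: str) -> str:
    # Toy hash for the example; a real registrar would use a slow KDF (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    contact_email: str
    password_hash: str
    domains: set
    notices: list = field(default_factory=list)          # (recipient, text) the system "emails"
    reset_tokens: dict = field(default_factory=dict)     # token -> issue time
    pending_cancels: dict = field(default_factory=dict)  # domain -> (token, request time)


def request_reset(acct: Account, email: str, now: float) -> None:
    """Mail a one-time reset token to the contact address and tell the owner it happened.
    Returns nothing, so the caller learns neither the token nor whether the address exists."""
    if not hmac.compare_digest(email.lower(), acct.contact_email.lower()):
        return
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = now
    acct.notices.append((acct.contact_email, f"reset-link:{token}"))
    acct.notices.append((acct.contact_email, "notice: a password reset was requested"))


def complete_reset(acct: Account, token: str, new_password: str, now: float) -> str:
    """Accept a reset only with a live, unused token; every outstanding token dies afterwards."""
    issued = acct.reset_tokens.pop(token, None)
    if issued is None:
        return "bad_token"
    if now - issued > RESET_TOKEN_TTL:
        acct.reset_tokens.clear()
        return "expired"
    acct.password_hash = hash_password(new_password)
    acct.reset_tokens.clear()   # one reset per request; stale links cannot be replayed
    acct.notices.append((acct.contact_email, "notice: your password was changed"))
    return "ok"


def request_cancel(acct: Account, domain: str, now: float) -> str:
    """Park a cancellation in a hold period instead of deleting the domain at once."""
    if domain not in acct.domains:
        return "not_owned"
    token = secrets.token_urlsafe(16)
    acct.pending_cancels[domain] = (token, now)
    acct.notices.append((acct.contact_email, f"confirm-cancel:{domain}:{token}"))
    return "pending"


def confirm_cancel(acct: Account, domain: str, token: str, now: float) -> str:
    """Delete only after the hold has elapsed and the mailed token is presented."""
    pending = acct.pending_cancels.get(domain)
    if pending is None:
        return "no_request"
    expected, requested_at = pending
    if not hmac.compare_digest(expected, token):
        return "bad_token"
    if now - requested_at < CANCEL_HOLD:
        return "hold_active"
    del acct.pending_cancels[domain]
    acct.domains.discard(domain)
    acct.notices.append((acct.contact_email, f"notice: {domain} was cancelled"))
    return "cancelled"


def abort_cancel(acct: Account, domain: str) -> bool:
    """The owner can pull a pending cancellation at any point during the hold."""
    return acct.pending_cancels.pop(domain, None) is not None


def demo() -> dict:
    # Constructed sample account; nothing here refers to a real registrant or domain.
    acct = Account("owner@example.com", hash_password("old-pass"), {"example.co.uk"})
    t0 = 1_000_000.0
    request_reset(acct, "owner@example.com", t0)
    token = next(s.split(":", 1)[1] for _, s in acct.notices if s.startswith("reset-link:"))
    results = {"reset": complete_reset(acct, token, "new-pass", t0 + 60)}
    results["reset_replay"] = complete_reset(acct, token, "again", t0 + 61)
    results["cancel"] = request_cancel(acct, "example.co.uk", t0 + 120)
    ctoken = next(s.split(":")[2] for _, s in acct.notices if s.startswith("confirm-cancel:"))
    results["cancel_early"] = confirm_cancel(acct, "example.co.uk", ctoken, t0 + 3600)
    results["cancel_bad"] = confirm_cancel(acct, "example.co.uk", "wrong", t0 + CANCEL_HOLD + 200)
    results["cancel_late"] = confirm_cancel(acct, "example.co.uk", ctoken, t0 + CANCEL_HOLD + 200)
    results["still_owned"] = "example.co.uk" in acct.domains
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hold is that a thief who has only borrowed the contact mailbox for an evening must keep control of it for the whole period and answer a confirmation the real owner also sees; the notices give the owner the window in which to call `abort_cancel`, which is exactly the recourse the comment says did not exist.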
I just found out by mistake that the NAME.com registrar has a security key that uses two-factor authentication to gain access and do anything (transfer or push).
Since they don’t openly advertise this, I have snapshot this trojan, er hem, I mean jpeg of their website in my account.
http://attila.com/pics/name-com-security-key.jpg
For some reason my print screen isn’t working so I had to use my CLIQ mobile to photo it.
This alone is great security effort by a registrar.
Fabulous also has one, but it’s more of a USB key with different types of security matching protocols.
-Attila
Quote-
“packet sniffing or a Trojan on a local network (e.g. a hotel or place of work) or from insecure Wi-Fi”
I had that problem when I attended one of the major domain meetings. Fortunately, I caught it by accident and quickly re-changed the password over a secure network.
I learned my lesson. I refuse to use wifi at any events.
I never use public wifi — get your own 3G EVDO card.