Beware: more stolen domain names.
Yesterday I reported about the theft of YH.com. It turns out another valuable domain, VL.com, was also recently stolen. In this case it appears the weak link was web hosting company Dreamhost. That’s also the host in the YH.com case, although the actual weak link in that case hasn’t been determined.
It wasn’t Dreamhost’s automated systems that are to blame. It was a human mess-up, just like when Baidu’s DNS was hijacked. A number of registrars and web hosting companies add human elements to their security systems, thinking this will improve security. In reality, the human element is often the weakest link.
Here’s the story, as Tom Metro of Venture Logic relayed to me via email. You can read a more in-depth account here.
In brief, a directed attack using social engineering was perpetrated against my domain registrar, Dreamhost, and due to multiple failures on their part, they granted the attacker access to my account, froze me out, and hampered my ability to halt the attack.
This started Saturday night, and by Sunday afternoon, given lax response from Dreamhost, the attacker had succeeded in transferring my vl.com domain, which is considered of high value due to being only two letters, to a foreign registrar located in the Bahamas.
See this mailing list thread for an “as-it-happened” account:
Included in my posts are laughable chat transcripts between the attacker and the Dreamhost support personnel, where support people were more than happy to update contact info, supply plain text passwords, and force through a domain transfer.
Clearly, humans were the weakest link in this system.
The good news is that the attacker never succeeded in compromising my email account used as the domain contact (despite a few attempts) and the foreign registrar has been convinced that there was enough fishy about the transfer to put modifications on hold. So for the time being my name server records are safe, and they haven’t gained access to my vl.com email traffic. (Though I’m pretty sure they only care about the domain itself.)
Monday the attackers made attempts to reset the password on my Google hosted account used as the contact address for the domain, undoubtedly so they can leverage it to send a forged letter to the foreign registrar. This attack included another attempt to social-engineer the Dreamhost support people (where the DNS was hosted for this other Google hosted domain; Google uses your ability to add a CNAME record to a domain’s DNS as proof of account ownership), but fortunately by this point Dreamhost was wise to the trick. Amazing they hadn’t yet disabled the “live chat” support feature that enabled key parts of the forgery (though it appears to be disabled now).
Tuesday morning the foreign registrar concluded their investigation, agreeing that the circumstances were fraudulent, and started the return process. Currently the return is still being processed by Verisign.
I’ve reported the attack to the local police and the FBI, and had a long conversation with the supervisor of the FBI Cyber Squad in Boston.
Dreamhost reports that there were other customers of theirs victimized (who also had domains stolen, but from other registrars). There is indeed a rash of domain thefts happening.
On Tuesday I was contacted by someone from Iran using the same anonymiser IP address as the attacker offering to help recover or purchase my domain. He curiously had a portfolio of 2-letter domains.
I would be happy to share forensics with any other victims.
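The account above lists the indicators a domain owner could have watched for while the theft was in progress: a registrar change, a transfer lock that disappears, new nameservers, a changed contact address, and a CNAME record appearing in the zone (the ownership-proof mechanism the attackers tried to abuse against the Google hosted account). The following is an added example, not code from the original post or from Dreamhost, Google, or any registrar: it compares a baseline WHOIS/DNS snapshot of a domain against a later one and reports those indicators. The snapshot fields, the `DomainSnapshot` type, and both sample snapshots are constructed for illustration; a real monitor would fill them from periodic WHOIS and zone lookups.

```python
"""Registrar/DNS snapshot differ that flags domain-takeover indicators.

Added example (not from the original post). Snapshots are constructed
inline so the script runs offline; in practice they would come from
periodic WHOIS and DNS queries of the monitored domain.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# EPP status that a registrar sets to refuse outbound transfers.
TRANSFER_LOCK = "clientTransferProhibited"


@dataclass(frozen=True)
class DomainSnapshot:
    """Point-in-time view of a domain's registration and zone data (hypothetical schema)."""
    registrar: str
    statuses: FrozenSet[str]        # EPP status codes from WHOIS
    nameservers: FrozenSet[str]     # NS records at the registry
    cnames: Dict[str, str]          # hostname -> CNAME target, from the zone
    contact_email: str              # registrant/admin contact address


def diff_snapshots(baseline: DomainSnapshot, current: DomainSnapshot) -> List[str]:
    """Return a sorted list of human-readable alerts for every indicator that changed."""
    alerts: List[str] = []

    if baseline.registrar != current.registrar:
        alerts.append(f"registrar changed: {baseline.registrar} -> {current.registrar}")

    if TRANSFER_LOCK in baseline.statuses and TRANSFER_LOCK not in current.statuses:
        alerts.append("transfer lock removed")

    if baseline.nameservers != current.nameservers:
        added = sorted(current.nameservers - baseline.nameservers)
        removed = sorted(baseline.nameservers - current.nameservers)
        alerts.append(f"nameservers changed: added={added} removed={removed}")

    # New or retargeted CNAMEs matter because hosted-service ownership checks
    # commonly rely on the ability to publish one.
    for host in sorted(current.cnames):
        if baseline.cnames.get(host) != current.cnames[host]:
            alerts.append(f"CNAME added or changed: {host} -> {current.cnames[host]}")

    if baseline.contact_email != current.contact_email:
        alerts.append(f"contact email changed: {baseline.contact_email} -> {current.contact_email}")

    return sorted(alerts)


def sample_baseline() -> DomainSnapshot:
    """Constructed baseline: locked domain, known registrar, no CNAMEs."""
    return DomainSnapshot(
        registrar="registrar-a.example",
        statuses=frozenset({TRANSFER_LOCK, "ok"}),
        nameservers=frozenset({"ns1.host.example", "ns2.host.example"}),
        cnames={},
        contact_email="owner@example.net",
    )


def sample_compromised() -> DomainSnapshot:
    """Constructed later snapshot showing the sequence described in the post."""
    return DomainSnapshot(
        registrar="registrar-b.example",
        statuses=frozenset({"ok"}),
        nameservers=frozenset({"ns1.host.example", "ns2.host.example"}),
        cnames={"verify.example.net": "hosted-service.example"},
        contact_email="attacker@example.org",
    )


def run_example() -> List[str]:
    """Diff the two constructed snapshots; returns the alert list."""
    return diff_snapshots(sample_baseline(), sample_compromised())


if __name__ == "__main__":
    for line in run_example():
        print("ALERT:", line)
```

Because transfers complete within days and the owner in the account above learned of the theft only after the fact, the useful cadence for such a check is hourly or better, with the transfer-lock and registrar-change alerts treated as incidents rather than notifications.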