A stolen domain name can reveal sensitive business information to the thief.
Lots of three-letter domain names have been stolen over the past few years. A stolen domain lawsuit (pdf) filed in U.S. District Court in Virginia on Tuesday should provide warnings to all companies that use a domain name, as well as domain name investors.
GMF, Inc. alleges that the domain name GMF.com was stolen from its 123CheapDomains.com account. We’ve seen this sort of thing many times, but there are special warnings in this case.
The suit states that for many years, GMF Inc. held a Top Secret Facility Clearance providing hardware and technical services under contract to the U.S. Air Force, U.S. Navy, and other elements of the U.S. Department of Defense. It seems to have moved into military education since then.
And yes, it used the GMF.com domain name to send email. You can bet that some of that email had sensitive information in it given what GMF does. According to the suit, “thousands of emails were sent and/or received through gmf.com prior to the theft of the domain name by Defendant John Doe and Defendant John Doe’s disabling of GMF, Inc.’s email server settings.”
The website at GMF.com was no technical marvel, but a thief can intercept important emails when he steals a domain name.
(I want to be clear that the suit doesn’t state that sensitive emails have been intercepted since the alleged theft. But, should such emails have been sent to GMF, they could have been intercepted by a thief.)
There’s also a warning for domain investors here. The alleged thief subsequently sold the domain name. The current owner, FinLead, is not alleged to have stolen the domain name. It might end up being a victim, too.
This is one reason I believe that domains that have changed hands multiple times are worth less.
Here’s how the theft went down, according to GMF:
On March 5, 2016, GMF, Inc. received an e-mail from 123CheapDomains.com indicating that “a request has been received to have the password for gmf.com reset.” GMF, Inc. had not requested to have the password reset and immediately advised 123CheapDomains.com that no such request had been made and requested that 123CheapDomains.com prevent any password changes not directly authorized.
Later that day, Jonathan Lee, Tech Manager for 123CheapDomains.com, responded that merely requesting a password reset “wouldn’t work, and is pointless” and indicated that he was “enabling ‘locking’ on your domain as an extra security measure.”
Nevertheless, on April 18, 2016, GMF, Inc. was unable to access or use the gmf.com e-mail server maintained with FASTWEBHOST.
Upon discovering that it could not access or use the gmf.com e-mail server, GMF, Inc. immediately contacted FASTWEBHOST. A customer service representative for FASTWEBHOST informed GMF, Inc. that the server setting maintained by 123CheapDomains.com had been changed from their proper settings for GMF, Inc.’s account with FASTWEBHOST.
GMF, Inc. then discovered that it was unable to gain access to its domain name management account with 123CheapDomains.com.
A search of GMF, Inc.’s administrative e-mail account reveals that GMF, Inc. never received a notification that the gmf.com domain name was being transferred. Such a domain name transfer notification email is required by the Internet Corporation for Assigned Names and Numbers (ICANN).
On information and belief, John Doe obtained unauthorized access to GMF, Inc.’s domain registrar account and manipulated the computer records to obtain the transfer of the gmf.com domain name through an “account transfer” within Tucows or other surreptitious manner intended to avoid detection by GMF, Inc.
On information and belief, John Doe prevented GMF, Inc. from receiving electronic communications seeking approval for the transfer of the gmf.com domain name and obtained unauthorized access to such electronic communications so as to approve the transfer.
John Doe transferred the gmf.com domain name from Tucows to Dynadot, LLC, a common destination registrar for stolen domain names.
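The sequence above is the pattern worth monitoring for: the registrar “lock” was supposedly on, yet the domain still moved registrars and the mail settings were repointed, and GMF only learned of it when its email stopped working. The following is an added example, not code from the article, the registrar or any party to the suit. It compares a snapshot of a domain (registrar name and status codes from an RDAP document, plus its NS and MX answers) against a known-good baseline and flags the three signals in the complaint. All domain names, registrar names and RDAP documents in it are constructed sample data; in real use you would fetch the RDAP object from the registry and the DNS answers with dig, and keep the baseline from a day you know was good. The rule that all three client locks must be present is this example’s own policy assumption.

```python
"""Compare a domain observation against a known-good baseline for the
signals in the GMF complaint: registrar locks dropping off, the domain
moving to another registrar, and NS/MX records being repointed.

Added example, not from the article or any party to the suit. All
input below is constructed sample data shaped like an RDAP domain
object (RFC 9083) plus plain lists of DNS answers."""

from typing import Dict, List

# WHOIS shows EPP codes (clientTransferProhibited); RDAP shows the same
# status as "client transfer prohibited". Both are normalised to this form.
# Requiring all three locks is this example's policy assumption.
REQUIRED_LOCKS = {
    "clienttransferprohibited",
    "clientupdateprohibited",
    "clientdeleteprohibited",
}


def registrar_from_rdap(doc: Dict) -> str:
    """Pull the registrar's display name out of an RDAP domain object.

    RDAP lists contacts under "entities"; the one with role "registrar"
    carries a jCard ("vcardArray") whose "fn" property is the name."""
    for entity in doc.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return "unknown"


def snapshot(rdap: Dict, ns: List[str], mx: List[str]) -> Dict:
    """Normalise one observation so two snapshots compare cleanly."""
    return {
        "registrar": registrar_from_rdap(rdap),
        "status": {s.replace(" ", "").lower() for s in rdap.get("status", [])},
        "ns": sorted(n.lower().rstrip(".") for n in ns),
        "mx": sorted(m.lower().rstrip(".") for m in mx),
    }


def audit_domain(baseline: Dict, current: Dict) -> List[str]:
    """Return human-readable findings; empty when nothing material changed."""
    findings = []
    missing = REQUIRED_LOCKS - current["status"]
    if missing:
        findings.append("locks missing: " + ", ".join(sorted(missing)))
    if current["registrar"] != baseline["registrar"]:
        findings.append(f"registrar changed: {baseline['registrar']} -> {current['registrar']}")
    for rr in ("ns", "mx"):
        if current[rr] != baseline[rr]:
            findings.append(f"{rr.upper()} changed: {baseline[rr]} -> {current[rr]}")
    return findings


def severity(findings: List[str]) -> str:
    """A registrar or routing change means someone else may already be
    reading the mail; a dropped lock on its own is an early warning."""
    if any(f.startswith(("registrar", "NS", "MX")) for f in findings):
        return "critical"
    return "warning" if findings else "ok"


def make_rdap(registrar_name: str, status: List[str]) -> Dict:
    """Constructed RDAP document with only the fields the checks read."""
    return {
        "objectClassName": "domain",
        "ldhName": "example.test",
        "status": status,
        "entities": [{
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", registrar_name]]],
        }],
    }


# Constructed baseline: all locks on, mail at the hosting provider.
BASELINE = snapshot(
    make_rdap("Registrar A (sample)", ["client transfer prohibited",
                                       "client update prohibited",
                                       "client delete prohibited"]),
    ["ns1.host.test.", "ns2.host.test."],
    ["mail.host.test."],
)

# Constructed later observation resembling what GMF found: the domain now
# sits at another registrar with no locks, and mail has been repointed.
AFTER_THEFT = snapshot(
    make_rdap("Registrar B (sample)", ["ok"]),
    ["ns1.host.test.", "ns2.host.test."],
    ["mx.elsewhere.test."],
)

if __name__ == "__main__":
    for line in audit_domain(BASELINE, AFTER_THEFT):
        print(line)
    print("severity:", severity(audit_domain(BASELINE, AFTER_THEFT)))
```

Run something like this on a schedule and alert out of band (not only to the mailbox on the domain being watched, since that is exactly what a thief repoints). A lock disappearing without a matching change ticket is the moment to call the registrar; once the registrar or MX has changed, assume mail is already being read, which is the point of the article.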
David Weslow of Wiley Rein is representing the plaintiff.
As far as I can see, Whois showed at least two “different” John Does (but probably it’s just a fabrication): a Dmitry Baynurlatov, email [email protected], allegedly from Astana, Kazakhstan, with Dynadot as Registrar (April 2016), and an Oleg Belan, email [email protected], allegedly from Krasnodar, Russia, with Evoplus Ltd as Registrar (Dec 2016).
IMHO this shows the importance of a proper, in-depth due diligence before buying any domain. 🙂
The domain ELW.com was stolen too and sold through Sedo. The lady who owned it can’t really afford to go after it.
Maybe you shouldn’t hold your domains at 123CheapDomains if you’re such a big contractor; maybe something a bit more secure.
Agree with you, IMHO 123CheapDomains doesn’t look like such a safe choice. 🙂
Ron, please do not jump to invalid conclusions based on a single side of what you read. 123cheapdomains is an extremely reliable company that customers have trusted for over 19 years. Domains there are extremely safe and secure. Please read the other side of the story. The story is at the very bottom of this comment page, which explains the other side of the story in detail that you are not getting. The truth was that this guy could have easily gotten his domain back very quickly and easily. He just refused that option for whatever strange reason, even when it cost him nothing.
So, top secret security contractors were using a Yahoo! email address as the admin contact for their domain name – [email protected]. Brilliant.
“Yahoo Says 1 Billion User Accounts Were Hacked”, New York Times, 14 December 2016.
Exactly my point. He has a Yahoo email. No registrar can protect your domain if your email has been hacked or compromised. It’s not a security problem at the registrar. It’s a security problem with the user, who does not know how to protect access to their own email account.
Clearance investigations ought to go beyond employee trustworthiness and include some assessment of infrastructure and procedures for handling classified material. But I wonder if anybody’s thinking about domain theft.
Obviously the U.S. government and surrounding institutions are flunking cybersecurity right and left. Not just the DNC hacks and leaks during election. Today, for instance, it looks like Kremlin gremlins jabbed their fingers in our eyes twice!
First, while Congress was vetting Trump’s pick for the new CIA director, Pompeo, just as a senator was bringing up Russian hacking … the lights mysteriously go off during the Senate Intelligence Committee hearing!
Second, just when a different senator is talking about SEC oversight and Russian interference, the C-Span broadcast is replaced by happy-go-lucky music and a broadcast from state-run Russian Television:
https://www.youtube.com/watch?v=kQ52dG11rs8
It’s unbelievable how clumsy we are! If the U.S. Senate can’t keep its lights on and C-Span can’t mention the word “Russia” without Russian government propaganda replacing their own broadcast, then OF COURSE domain names will get stolen.
This domain has been sold a few times. Why did they not immediately go to the UDRP, if the domain really had been stolen?
Not a good way to recover a stolen domain if it has already been sold
Good way to sell & recover domains.
As an option, saying “all Russians are thieves” (I don’t see concrete proof: registrar/email logs, IPs, etc. Only words.)
These guys (American lawyers) do not know what is “good” and “bad”; they know only “money”. And, really, where were they ALL YEAR?
If the domain really has been stolen, it’s very funny. Shame. Inc.: we cannot defend our domain, but we will defend the United States. (“Top Secret Facility Clearance providing hardware and technical services under contract to the U.S. Air Force, U.S. Navy, and other elements of the U.S. Department of Defense.”)
I just found this today, and work at 123cheapdomains. You are only hearing one side of the story. 123cheapdomains has been operational for over 19 years, and is a very safe and secure place for domain names. This is about the only case where this has ever happened, and it is primarily due to the owner’s own negligence.
I remember this case pretty clearly. My instincts told me that there was something suspicious about the victim’s claims. Either he knew the person who stole his name, sold it and gave access without admitting it, or he had his email hacked and his account compromised that way. I will never know, as this person has been withholding details to questions, was not committing to detailed answers, and was very defensive when we tried to help him.
The only way a transfer or password reset can ever happen is if the aggressor has access to your email address. In other words, your email account has been hacked, and the attacker has used their access to authorize the transfer out to a different registrar. No registration provider can protect against that. Either that, or he might have known the person and given access to the domain management, but is not telling us the complete story.
Either way, Paul at Tucows got involved. And Paul contacted him, and told him that he could easily get his domain name back. All he had to do was agree to indemnify Tucows via contract, and he would get it transferred back to him as the owner. The reason for the indemnification is that the registrar does not know if he sold the domain and then claimed it was stolen to get it back. If Tucows gets the domain name back for him, and it turns out he indeed sold it but was lying, then it could mean trouble for Tucows. Very logical.
But the person that owned GMF refused. So basically, he could have gotten the domain back very easily, but he did not want to agree to that. Maybe he knew something a bit more than he let on. Like he had a relationship with the person who he claims stole his domain. Why else would he not agree to indemnify Tucows so he could easily get his domain back quickly?
I have everything on a saved transcript.