Ask HN: Hijacked domain via hacked Gmail - advice? - hijackedStartUp

1. A VC-funded startup registered their domain name a few years ago with a small reseller for a larger domain name registrar.

2. Contact information for the registration account was the founder's personal Gmail account.

3. An attacker gained access to the founder's Gmail account, probably via a successful phishing attempt.

4. The attacker moved the domain to another domain name registrar and changed the Whois to junk. The e-mail address in the Whois is a Gmail account.

5. The attacker deleted all messages related to the transfer in the founder's Gmail account except the last one, sent from the reseller, that confirmed a successful transfer.

6. This happened about 48 hours ago. So far the DNS info for the domain has not been changed and the startup's service is uninterrupted.

7. According to Whois data, several domains with the same Gmail account as the attacker changed Whois info over the past week. This suggests they may be victims of the same attacker and may or may not be aware of it.

Any advice on course of action would be much appreciated. Specifically, what are the registrar's responsibilities? How best to approach them? And can Google (as operator of Gmail) help in any way?

(note: new HN account to keep anonymity)
======
DanBlake
The good news: You will get the domain back. Contact both the winning and
losing registrar immediately and explain the situation. Document everything.
This is not a new situation to them and they will have step by step procedures
to follow to allow you to regain control of said domain.

The bad news: Depending on the registrars, it can take a stupid amount of time
for the process to complete. A friend of mine had a similar situation (albeit
with his personal blog domain, not a VC funded business) and it took him 60
days to regain control.

Your best bet right now is putting direct, immediate pressure on both
registrars that this is a serious deal (not a blog about cats) and you are
ready to write press releases stating how incompetent they are for this and
that. I expect others may chime in on this thread saying you should just be
nice and not come off aggressive, however I must caution you on that approach.
In any other industry, honey gets you more flies than shit, but domain
registrars are unlike other businesses: they can and will take their sweet
ass time for any reason. Keep in mind this is the land of 7-day domain
transfers and archaic systems. Unless you apply direct, constant pressure to
as many people as you can find, you may be in limbo with the domain for a long
time. Start flexing your might a little bit (which I suspect you have, since
you are a VC-funded startup) and you might find the domain back in your
account in 24 hours.

 _edit below_

One important thing I forgot to mention. I know you said it was likely
phishing, but make sure the machine isn't infected. Changing the Gmail password
and going through this huge process isn't going to be fun to do a second time.
That, and depending on the timelines the registrars give you when you contact
them, you might want to contact any customers or clients to let them know that
your domain might be hijacked shortly. The last thing you want is your
customers getting malware while trying to visit your site.

~~~
hijackedStartUp
Some additional info:

- Not my domain. I'm the "sunshine cleaner".

- The startup, VC and both registrars are not American (though some of the
investors are well known).

- The domain is a dot com.

- A support line has been opened with the "losing registrar" (some time was
lost on figuring out the original registrar is just a reseller).

- There is an emergency plan in place for moving service to another domain.
It is not simple as it is a fairly big service.

I'm a little concerned about contacting the "winning registrar" before getting
some traction at the "losing registrar", given that it might "wake up" the
attacker and that this registrar is known to be problematic (and thus was
probably chosen as the landing).

Comments?

------
imp
I don't have experience with this, but you've reminded me to rotate the
password to my Gmail account :)