
Hackers Stole My Website - vezycash
https://medium.com/@ramshackleglam/hackers-stole-my-website-and-i-pulled-off-a-30-000-sting-operation-to-get-it-back-143d43ee3742
======
tobyjsullivan
It sounds like the core of this hack was an attack on her email (followed by
password resets for registrar, etc.).

So the #1 step to reducing your risk of an attack like this would be setting
up 2FA on your email account. The industry standard is password resets via
email. If an attacker has access to your email, they have access to every
online account you own.

Stealing email passwords is easy. So easy. No matter how complicated your
password is or how often you change it. 2FA is an easy, reliable way to make
it orders of magnitude harder for any attacker to breach your account.

I know I'm preaching to the choir here on HN but I'm just flabbergasted this
didn't make it into the article.

~~~
x0x0
Except 2fa doesn't work in practice unless you're an expert.

See e.g. Gmail: you can't set up 2FA without supplying a cell number (you will
be allowed to remove it later, but how many know to do this?). Your phone
number is trivially stealable -- see e.g. the YouTube video of people just
stealing phone numbers with a crying baby and a sob story.
[https://youtu.be/F78UdORll-Q?t=133](https://youtu.be/F78UdORll-Q?t=133)

Also, lots and lots of places have trivial routes around 2fa because people
losing their password and/or 2fa is an order of magnitude more common than
theft.

~~~
striking
2FA works in practice against people who don't have physical contact with you.
For most people, that's the only threat vector they're worried about.

It hardly makes your life more difficult, and it does help at least a little
bit. So it's worth setting up.

~~~
x0x0
Not really; sms as 2fa has regularly _enabled_ people to steal accounts they
otherwise couldn't have gotten by allowing password resets by stealing your
phone number.

See eg @deray getting hacked.

~~~
erroneousfunk
If a password reset is allowed by pin that's not two factor authentication,
that's SINGLE factor authentication. I know we tend to think of 2FA as
anything involving a pin sent to your phone, but it does require two factors.

GMail, for instance, will not allow a password reset with just a phone pin.

------
ploggingdev
> 1. Have a really, really good password, and change it often.

Even better, use a password manager.

> 2. If possible, use a separate computer (an old one or a cheap one
> purchased for this purpose) for things like banking; if your family computer
> is the same one that you use for bank transactions you risk having your kids
> click on a bad link that results in a hacking.

Not necessary: use an up-to-date computer with Windows Defender turned on and
create a non-admin account for your kids.

> 4. Have antivirus software on your computer

Only use Windows Defender, which is what the security community recommends.

Also use 2FA on all services which offer it.

Regarding the domain registrars, I would recommend Namecheap. They have a
great support team and also offer 2FA, but I think it's only SMS based 2FA.

~~~
brianmartinek
I really wish domain registrars offered a Google Authenticator option for 2FA.
All of the ones I have seen that offer 2FA are SMS based.

~~~
altano
www.nearlyfreespeech.net (mainly a host but you can register domains with
them) offers Google Authenticator 2fa _and_ control over what recovery options
are allowed, including none, which is something I wish anyone that supports
2fa would offer.

~~~
orthecreedence
NFS also emails you if someone tries an incorrect password on your account.
Kind of a nice feature.

------
_eht
> 3. Turn off your computer and personal devices when they’re not in use.

This article reads like an AOL scare from 1995 directed at my grandma.

~~~
discreditable
> 3. Turn off your computer and personal devices when they’re not in use.

Even Bruce Schneier recommends you do that[1]. The idea is that if your
machine is a spambot and you don't know it, there are fewer windows of time
where your machine can be blasting the Internet with spam. Or if there's some
network-based exploit, you're not vulnerable while your device is off.

1. [https://www.schneier.com/blog/archives/2004/12/safe_personal...](https://www.schneier.com/blog/archives/2004/12/safe_personal_c.html)

~~~
Ajedi32
> Turn off the computer when you're not using it, especially if you have an
> "always on" Internet connection.

How old is that article? Sounds like this is from the days back when dial-up
was still popular.

I guess there may be some marginal increase in security by turning off your
computer like this, but I don't think it's the kind of thing most users should
be worried about.

> if your machine is a spambot and you don't know it, there are fewer windows
> of time where your machine can be blasting the Internet with spam

If your machine is part of a botnet, you're already compromised and turning it
off when you're not using it isn't going to fix that. It might marginally help
_other_ people getting DDoSed or spammed by your PC, but it won't improve your
own security.

> Or if there's some network-based exploit, you're not vulnerable while your
> device is off

I guess. But unless you become aware of the exploit and take measures to
mitigate it before turning your PC on and connecting it to the internet,
leaving it off when you're not using it is unlikely to help with this - you'll
just be compromised as soon as you turn your PC on. Not to mention that the
kind of zero-day that would allow compromising a fully up-to-date PC with
nothing more than network access to it is extremely rare.

I'd argue the security benefits of leaving your computer on so it can
auto-install security updates while you're away probably outweigh any marginal
benefits you might get from turning it off when not using it. (Though either
way the difference is extremely minor.)

~~~
discreditable
The article is from 2004. Keep in mind it's geared towards being very simple.
I don't think some of the advice is good, such as deleting cmd.exe and
command.com.

------
cityzen
I'm a skeptic and stuff like this always seems like marketing to me. This
happened back in/before 2014 and her article on Mashable from April 2, 2014 is
almost the same:
[http://mashable.com/2014/04/02/ramshackle-glam-hacking/#j.mb...](http://mashable.com/2014/04/02/ramshackle-glam-hacking/#j.mbLiAEpsqT)

Looks like it got a good number of shares and good velocity, so it makes sense
to keep milking it for what it's worth, I suppose.

Btw, GoDaddy's response:
[http://news.softpedia.com/news/GoDaddy-Defends-Itself-in-Ram...](http://news.softpedia.com/news/GoDaddy-Defends-Itself-in-RamshackleGlam-com-Hacking-435991.shtml)

------
twostorytower
The most surprising thing is how helpful (and immediate) the FBI was. Wouldn't
have guessed that.

Can you really stop a wire transfer? I thought the whole point of wires is
that they are immediate and irreversible?

Also, couldn't the FBI track the bank account info back to the thief? Or I
guess it's possible the bank account is opened through a stolen identity. I
guess the smartest thing the thief could do is then use that money to buy
crypto and eventually funnel that back to his real identity.

~~~
akcreek
Money was wired to an escrow service who was informed of the situation ahead
of time and expecting the incoming wire.

------
trevyn
_And then I called the wire transfer company and placed a stop on the
payment._

How do you place a stop on a wire transfer? I thought irreversibility was the
whole point of wire transfers.

~~~
appleiigs
The whole point of wire transfers is traceability. The banks can watch it very
closely. I've been able to reverse wire transfers the next day, with a
back-date (i.e. pretend it never happened).

However, the author seems to know wire transfers as well as she knows internet
security - which is not very well. You can trace the wire into the destination
account, but if that person moves it immediately and eventually withdraws it
out of the banking system, then it's gone. The hacker wouldn't release the
domain unless they had control of the funds. I doubt her claims that the
hacker doesn't have the money.

~~~
mustacheemperor
Yeah, I think there's either missing details regarding the attorneys, etc
(which is possible) or this is really "How I Paid $30,000 for My Website."
Either way the lack of customer protection from the host and registrar is
appalling to me.

------
johnmoore
Anyone who uses GoDaddy, add 2FA now, and I mean now.

This is my story.

I enabled 2FA, I don't know why. I think I read somewhere how someone got their
domains stolen.

Last month, I got a text message out of the blue. I googled the number and it
was GoDaddy's service.

So this person had got my username and password for GoDaddy and hit the 2FA.
GoDaddy uses customer IDs, and the password I used was an old password, but one
I didn't use in any other service.

So someone is running through all the customer ID numbers with a password
dictionary, because I knew this password was on one of those leaked password
dictionaries.

They can do this because the GoDaddy site doesn't lock the account out for 24
hours after 5 wrong attempts. The hacker can try different combinations
multiple times.

This is a major flaw on their site.

------
shendu
Want to share a strange experience I had: in the year 2014, I was looking to
buy a .io domain and was surprised to find that citi.io was available, so I
bought it on domains.google.com with an expiration date in 5 years, and I also
noticed that there was a website called citi.io that I could still visit. I
didn't change the DNS settings of the new domain I bought and didn't use the
domain.

Then sometime in 2016, I noticed that the domain didn't belong to me. I tried
to look up my history of purchase, there was no such purchase record in my
account.

Unless my memory fooled me (which I just can't believe), the whole experience
made me really confused.

~~~
jacquesm
Maybe you remembered a very vivid dream? The lack of purchase history is a
tell that it probably didn't actually happen.

------
vezycash
> I’ve heard of identity theft, and of cyber hacking, but honestly, my
> attitude... was “it could never happen to me.”

> I didn’t exactly understand why it was such a huge deal.

> Couldn’t you just explain to people what had happened, prove who you were,
> and sort it all out?

> it seemed completely impossible to me that someone could actually get away
> with pretending to be someone else with any real consequences beyond a few
> phone calls and some irritation.

I have nothing to hide...

"The only thing necessary for the triumph of evil is for good men to do
nothing." - Edmund Burke

------
jeremyt
So let me get this straight, her domain got hacked, transferred to a hacker,
who proceeded to sell it.

Then, she contacted the FBI, who gave her an interview and basically did not
much, and then she got her domain back by paying for it and then putting a
stop on the money transfer? And this is worthy of a Sandra Bullock movie?

Yeah, real nail biter there.

This is just content hacking to get me to read more of the article so she can
make more money on medium. I feel a bit cheated.

~~~
cityzen
Not to mention this was written up by her on mashable back in 2014.... (I
commented elsewhere in the thread about it). But yes, I agree completely.

------
emanreus
> I don’t have my money back yet, but the man who stole my site from me
> doesn’t have it, either, and won’t be getting it, ever.

How did she find out it was a man?

------
rb808
I had a boss who had a domain stolen from him too and never got it back. I
realize it's handy to be able to easily move registrars whenever you want, but
can we have it more difficult? E.g. it would be nice if a registrar would only
transfer a domain if it gets a signed letter which it follows up with a phone
call then a 3 month delay. With the cut throat competition out there I'd have
thought this would be available by now.

After the loss I moved my own domains to google domains which at least has 2fa
to access.

------
meow_mix
Crazy experience --very surprised the FBI was as helpful as you described. I
definitely wouldn't have considered that move but I'm glad the author mentions
it.

------
najajomo
Pardon my cynicism, but is there any actual verifiable third-party evidence for
this?

------
mehdym
Most important security measure: Enable 2FA on all your accounts.

------
_cairn
Her password advice is literally the opposite of the classic
[https://xkcd.com/936/](https://xkcd.com/936/).

~~~
magic_beans
Whom should I trust?

~~~
_cairn
Well, I am not very well informed on this topic, however, I tend to believe
that the math checks out in the "correct horse" principle. This is a vast
oversimplification, but basically longer passwords are better - the brute
force complexity of additional length is in the exponent, the character
diversity (special chars/numbers/upper+lower case) is in the base. Therefore,
make your passwords as long (and randomly chosen - i.e. selection method
should not be easy to guess!) as you possibly can.

------
passivepinetree
As others have noted, her advice seems to be a little suspect. I took issue
with the following:

> Your password should not contain “real” words (and definitely not more than
> one real word in immediate proximity, like “whitecat” or “angrybird”), and
> should contain capital letters, numbers and symbols. The best passwords of
> all look like total nonsense.

Isn't it generally accepted that the XKCD-style "correct horse battery staple"
passwords are more secure?

~~~
emanreus
One downside of xkcd style passwords is that they are not accepted everywhere.
Many websites have a list of characters you must and must not include in your
password.

~~~
passivepinetree
Right, but a good password manager (like 1pass) will have both options
available to generate so you can do XKCD-style where possible and randomly
generated characters elsewhere.
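The base-versus-exponent argument a few comments up, and the two generation styles a password manager offers, worked through as an added example (not from the thread or from any password manager's code): the word list and the 5000-word "common vocabulary" figure are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed word list standing in for a password manager's dictionary;
# real passphrase lists are far larger (Diceware uses 7776 words).
WORDS = ["correct", "horse", "battery", "staple", "white", "cat", "angry", "bird"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from the alphabet.

    The search space is alphabet_size ** length, so its log2 is
    length * log2(alphabet_size): length sits in the exponent, while adding
    character classes only enlarges the base.
    """
    return length * math.log2(alphabet_size)


def bits_from_wider_alphabet(base_from: int, base_to: int, length: int) -> float:
    """Bits gained by adding character classes at a fixed length (e.g. 62 -> 94)."""
    return search_space_bits(base_to, length) - search_space_bits(base_from, length)


def bits_from_extra_symbol(alphabet_size: int) -> float:
    """Bits gained by one more position at a fixed alphabet."""
    return math.log2(alphabet_size)


def random_characters(length: int, alphabet: str = PRINTABLE) -> str:
    """'Total nonsense' password, as the article recommends, from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, words: list[str] = WORDS) -> str:
    """xkcd-936-style passphrase. The entropy figures above hold only when the
    words are drawn uniformly by a CSPRNG, not chosen by a human."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare_schemes() -> dict[str, float]:
    """Entropy of the password styles argued about in the thread."""
    return {
        "2 common words, assumed 5000-word vocabulary ('whitecat')": search_space_bits(5000, 2),
        "8 nonsense chars from 94 printable ASCII": search_space_bits(len(PRINTABLE), 8),
        "4 words from a 2048-word list (xkcd 936)": search_space_bits(2048, 4),
        "5 words from a 7776-word Diceware list": search_space_bits(7776, 5),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{bits:5.1f} bits  {scheme}")
    print(random_characters(12), "|", random_passphrase(4))
```

At 8 positions, widening the alphabet from 62 to 94 symbols buys under 5 bits, while a single extra position at 62 symbols buys almost 6; that is the "length is in the exponent" point in numbers.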

------
EdSharkey
Great job, FBI!

------
theamk
> If possible, use a separate computer (an old one or a cheap one purchased
> for this purpose) for things like banking; if your family computer is the
> same one that you use for bank transactions you risk having your kids click
> on a bad link that results in a hacking.

So true! A $100 unrooted Android tablet is almost infinitely more secure than
a Windows/Mac machine, even with the best antivirus. Or if you like a physical
keyboard (I do), get a $300 Chromebook and do all your banking there. Just
don't log in with your primary Google account, or someone may install an evil
Chrome extension on it.

~~~
fiddlerwoaroof
If you want to go down this route, I'd just use Qubes OS to run each set of
apps in its own VM. Sure, you have issues with VM escapes, but it's a lot more
convenient than switching devices.

~~~
theamk
Well, Qubes requires technical expertise, and a lot of people have a tablet
anyway.

My point is, if you want to check online banking, your tablet (iPad|Android)
is much more secure than your (Windows|Linux|Mac) laptop. For example, here is
how I would explain Android security to someone non-technical: "Do not ever
enable the 'unknown sources' setting, and always refuse if it asks you something
about installing a keyboard". Try doing the same for a full-featured laptop.

