
This Site’s Domain is Stolen - tbassetto
http://css-tricks.com/15377-this-sites-domain-is-stolen/
======
larrys
As a registrar I would like to point out that this is a good reason _to not_
have privacy protection on your domain.

It raises the chance of losing your domain greatly. (Even though you can argue
that having your email displayed exposes an attack vector).

Public info makes it much easier to recover a domain. And proper security on
the email is required as always obviously.

I've helped several people recover domains by going to contacts I have at
ICANN. Not having public info doesn't give me what I need to make a case. It's
a non-starter many times. And it just confuses the issue for you as well when
you are trying to correct things.

Registrars (we don't offer privacy by the way) want privacy because it is a)
something they can offer and charge for and b) allows them to lock the
customer in and create a barrier to exit. c) Many of them do this by changing
ownership to them for the domain and giving you a contract that you are the
beneficial owner. Not good for you. You want and need to be owner according to
whois. (Read this again.)

If you want a private domain use a po box or a work address etc or your
uncle's address. If you are a business you absolutely have no reason to have
privacy (and many, many businesses do because they have been sold some bullshit
on this with respect to spam).

~~~
dissident
Public info also makes it easier to steal a domain.

Long ago, I (being childish) stole a domain from some random person who pissed
me off in a video game. I spent three days calling the registrar's offices
(along with a friend) over fifty times, writing the name of each service
representative down so that we didn't dupe up on anyone and raise any red
flags. (It was a huge registrar, though not GoDaddy.)

We were able to use the public info available on their whois records to weasel
our way into getting additional account information from the employees. We'd
simply call and ask for a small piece of the account information in a
nonchalant manner, they'd ask for info we'd already obtained from previous
calls, and usually they'd either give us the info or say "we don't have access
to that information".

The hardest part was getting the last four digits of the credit card on the
account. Since we had all the rest of the user's information, we called maybe
twenty times trying to get those numbers. Some employees would say they can't
see them, but they could. All it took was one really stupid representative:

"Yes, I'd like to confirm the credit card on my account before I file a form
to retrieve my account back. I have two cards that end with the same last two
digits, what are the first two digits of the last four digits"

[she doesn't understand so we confuse the hell out of her for minutes on end]

"uh... 2... 6."

"And the last two?"

"82"

"Thank you, I have the right card. Good day."

Had a good laugh, filed a form, emailed it in, stole their domain before they
noticed, and never gave it back. I talked to the owner and eventually
redirected his website back, and he forgave me.

Keep your whois info private if you're on a crappy registrar. Likely, the OP
uses the same password everywhere and some random kid stumbled on his godaddy
account and took the domain from under his nose.

~~~
dandelany
Wow. As much as I appreciate you coming forward and telling a good story about
social engineering, this is really a total asshole move. I hope you look back
on this experience with no small amount of shame.

------
someone13
I would warn everyone that reads this to be very careful. When a domain is
stolen, it's usually not used for "legit" purposes. Be very careful when
visiting this site - use a patched browser, Java + Flash + Acrobat, etc., in
case the new "owners" decide to stick an exploit kit here.

~~~
vegardx
Why would they need access to the domain to do that?

~~~
ek
Because they would mirror the site and then add bad stuff, so it looks legit,
and then change the DNS record to point to the mirror.

~~~
vegardx
I cannot really recall that ever happening for, like, the last 10 years. I
could see the case if they wanted to intercept mail or something, but then the
administrator would notice quite fast what was going on (i.e. not receive any
mail...).

~~~
Maxious
I see this all the time with Twitter. These days you don't even need to mirror
the website; just run a proxy that edits the HTML on the fly. Of course, they
just use existing malware to edit hosts file but easy to translate to simply
stealing the domain.

~~~
almost
I have done this with Facebook as part of a prank on a friend, it's not hard to
do!

------
bittermang
Problem goes beyond just css-tricks.com. I've been following David Walsh for a
while, and apparently his domain has been nabbed as well, along with
DesignShack.net, SohTonaka.com, and InstantShift.com

[https://twitter.com/#!/davidwalshblog/status/142645321791586...](https://twitter.com/#!/davidwalshblog/status/142645321791586304)

~~~
ecaron
It also happened to mckmama.com (a crazy popular blog my wife follows who
couldn't believe that domain hacking was even possible anymore.)

The more interesting aspect was that since mobile nameservers are slow to
update, the site worked on her phone still. That led to the lovely "Where
does DNS come from" conversation we all have with our loved ones eventually. :)

------
ImprovedSilence
Judging from the comments on his website, it sounds like everybody and their
grandma hates GoDaddy. I've recently been looking into getting a domain name
and starting a website, can anyone point me towards a more reputable site to
acquire a domain and host a site? (Yeah, I know, I read HN daily, and I'm
still clueless when it comes to actually putting up a website)

~~~
lhnn
name.com has been pretty good for me for the past few months. Very easy to
use.

Also: Don't get a .com/.net domain name. You don't want the US government
declaring your domain to be evil and taking it off the 'net.

~~~
bmj
Wait, I thought .com/.net (among others) were generic TLDs governed by ICANN?
I would assume .us might fall into this warning (as would other country code
TLDs), but .com and .net?

~~~
vidarh
What matters is whether or not the operator of the TLD is within US
jurisdiction, not the purpose of the TLD.

~~~
bmj
So, in that case, the FBI could seize any domain as long as the operator is
within US jurisdiction?

~~~
tristanperry
Yep, pretty much.

Not exactly fair, but that's the current 'system'..

------
libraryatnight
The only way the domain would be able to be moved from Go Daddy would be if
the person stealing the name had access to the account, that's the only way to
request the transfer authorization / EPP code. Their support requires either a
PIN or last 6 of a CC used on the account to validate callers; if you can
provide that they'll update the email on file and help reset the password, but
he said his account email is unchanged. So the person taking the name would
either have to know the account password, or have access to the email address
on file where the reset requests are sent.

Given that this would have to happen from inside the customer account, I can
understand why Go Daddy would want to confirm that this was indeed a nefarious
act and not something like a domain being sold, transferred, then reported
stolen to keep the cash and get the domain back. Or any number of other
scenarios one might think of - shady domain stuff happens a lot. I can only
imagine the hoops required to jump through for a registrar to get a domain
back from another registrar under these circumstances.

~~~
arn
"The only way the domain would be able to be moved"

Not sure that's the only way. That's like saying the only way you could get
credit card information from Sony's playstation servers was if you worked in
Sony's billing department.

Not saying this is necessarily a hack, as it most likely is insecure practices
on the part of the user, be it passwords or phishing. But seeing a cluster of
them raises some concerns that it could be some otherwise unknown method.

~~~
libraryatnight
Thanks, I agree, 'the only way' is probably too absolute a phrasing.

I do wonder if the reason we see clusters is because they are the largest, and
arguably the most publicized, registrar in the U.S., and in terms of market
share, the world.

~~~
SomeCallMeTim
He said on the page that it apparently involved a Gmail hack of some kind, so
even if it's not "the only way", it sounds like it was how it was stolen in
this case.

------
whileonebegin
There are a lot of posts blaming GoDaddy. Did anyone read the post by David
Airey, linked in the article? The reason for his lost domain was that his
Gmail account was hacked. The attacker performed a "legit" domain transfer
through his registrar. It wasn't the registrar's fault, in this case. The only
blame you could place was that perhaps the registrar didn't have enough
security check points.

GoDaddy is certainly annoying with their obnoxious web site and sometimes,
their tactics, but this could be another email-hijack attack.

~~~
calvin
One more great reason to set up two-step verification for your Gmail and
Google Apps accounts.

[http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html](http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html)

~~~
brador
I've yet to do this. Reason being I wonder what will happen if I lose my
phone...

Is there a way to set up two-step without a phone?

~~~
cube13
Google provides a set of numerical codes for you to print out and store in
case you lose your phone. They're all one-time use, and allow you to get in
and change the settings.

~~~
pavel_lishin
Does that mean that if ANY of them are used, the rest are invalidated? Or just
that any one of them may be used once?

~~~
cube13
You get 10 codes per generation (and can regenerate them whenever you want),
and each code can be used once.

------
pud
This makes me worry about my own domains. I have about 180 domains with
GoDaddy (all registered for various projects -- I'm not a squatter). I wish
there were a tool that would verify that they're all still registered under my
account at GoDaddy. Especially since the "new owners" seem to keep DNS records
the same.
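
The kind of check asked for above, as an added example that is not part of the original thread or of any registrar's tooling: compare a saved baseline for each domain against what RDAP (the JSON successor to whois, RFC 9083) reports, and alert on a changed registrar, changed nameservers, or a transfer lock that has been switched off. The domain names, registrar names and RDAP documents below are constructed samples in the shape RDAP servers return, so the script runs offline; the live lookup helper uses the public rdap.org redirector and is not exercised by the sample run. Note that the "stolen" sample keeps its nameservers, which is exactly the case a DNS-only check would miss.

```python
"""Verify a list of domains against a saved baseline using RDAP records."""
import json
import urllib.request


def registrar_name(rdap: dict) -> str:
    """Pull the registrar's display name out of the RDAP entity vCard array."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for field in ent.get("vcardArray", ["vcard", []])[1]:
                if field[0] == "fn":
                    return field[3]
    return "unknown"


def summarize(rdap: dict) -> dict:
    """Reduce an RDAP domain document to the three things worth watching."""
    status = {s.lower() for s in rdap.get("status", [])}
    return {
        "registrar": registrar_name(rdap),
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        # EPP "clientTransferProhibited" is rendered in RDAP as this status string.
        "transfer_locked": "client transfer prohibited" in status,
    }


def diff(expected: dict, observed: dict) -> list:
    """Return a list of human-readable alerts; empty means nothing changed."""
    alerts = []
    if observed["registrar"] != expected["registrar"]:
        alerts.append(f"registrar changed: {expected['registrar']} -> {observed['registrar']}")
    if observed["nameservers"] != sorted(n.lower() for n in expected["nameservers"]):
        alerts.append(f"nameservers changed: {observed['nameservers']}")
    if expected.get("transfer_locked", True) and not observed["transfer_locked"]:
        alerts.append("transfer lock (clientTransferProhibited) is off")
    return alerts


def check_all(baseline: dict, rdap_docs: dict) -> dict:
    """Map each baseline domain to its alerts."""
    return {d: diff(baseline[d], summarize(rdap_docs[d])) for d in baseline}


def fetch_rdap(domain: str) -> dict:
    """Live lookup (not used by the sample run): rdap.org redirects to the
    authoritative RDAP server for the TLD."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=15) as r:
        return json.load(r)


# --- constructed sample data (hypothetical names and registrars) -----------
BASELINE = {
    "example.com": {"registrar": "Example Registrar, LLC",
                    "nameservers": ["ns1.example.net", "ns2.example.net"],
                    "transfer_locked": True},
    "example.org": {"registrar": "Example Registrar, LLC",
                    "nameservers": ["ns1.example.net", "ns2.example.net"],
                    "transfer_locked": True},
}


def _rdap(registrar: str, nameservers: list, status: list) -> dict:
    """Build a minimal RDAP domain object in the RFC 9083 layout."""
    return {
        "objectClassName": "domain",
        "status": status,
        "nameservers": [{"objectClassName": "nameserver", "ldhName": n} for n in nameservers],
        "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["fn", {}, "text", registrar]]]}],
    }


SAMPLE_RDAP = {
    # unchanged: same registrar, same nameservers (case differs), still locked
    "example.com": _rdap("Example Registrar, LLC", ["NS1.example.net", "ns2.example.net"],
                         ["client transfer prohibited", "client delete prohibited"]),
    # "stolen": new registrar, lock gone, but DNS left exactly as it was
    "example.org": _rdap("Other Registrar Inc", ["ns1.example.net", "ns2.example.net"],
                         ["active"]),
}

if __name__ == "__main__":
    for domain, alerts in check_all(BASELINE, SAMPLE_RDAP).items():
        print(domain, "OK" if not alerts else "; ".join(alerts))
```

Run it from cron against `fetch_rdap(domain)` instead of `SAMPLE_RDAP[domain]` and mail yourself any non-empty alert list; the baseline is just the output of `summarize` taken once while you know the domains are in order.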

~~~
loopdoend
I transferred all my domains to moniker.com and have an account rep that calls
me if any odd activity occurs. I doubt this would happen with them. They allow
you to lock down your domains so that it requires offline authentication to
move them. Been with Moniker for 4+ years.

~~~
trafficlight
Another vote for Moniker. I transferred everything from GoDaddy to Moniker a
couple years ago after GoDaddy pulled some other asinine stunt.

------
larrys
Here's another tip when dealing with registrars that really relates to dealing
with any business or person when in this situation.

People have much discretionary power to help you depending on how you treat
them. While there are many people who get their way by instilling fear my
personal belief is that you get more by being nice to people and making them
want to help you (and this has always worked for me).

So when you have a problem with your registrar or hosting company or a meal at
a local restaurant don't go off on a rant and tell them

a) It's their fault

b) They suck

c) you will never use them again

d) You will tell everyone a&b&c

(Did I forget anything?)

This will only make them defensive and will alienate them and get them to form
a wall.

I'm not saying to not point out some truths about what happened. But do it in
a way that makes them think you will be a happy customer if they manage to
help you. Edit: And you still love them.

~~~
freejack
Yes, you are right - unless they are a service-oriented company, in which
case, they will jump through hoops to make it right for you, no matter how
surly you are when you present your issue.

------
VMG
In case the nameservers actually update: <http://64.13.251.230/>

~~~
benatkin
and if it updates add this line to /etc/hosts:

64.13.251.230 css-tricks.com

I _think_ I got that right. :)

------
cheald
Why is all the blame being put on GoDaddy here? The problem is that his email
account was compromised. Once that happens, it's game over. Everything online
linked to that account is likely up for grabs at that point.

Use two-factor auth on your Google accounts, people.

~~~
hetman
How does this look specifically with Google?

~~~
cheald
Two factor auth? You just go into your account settings, elect to turn it on,
it'll have you install the Google Auth app on your phone and scan a QR code,
which configures the app. Then, when you try to log into your account next,
it'll ask for the code generated by the app.

The authenticator itself is just HMAC-OTP with the seed as the current time
quantized to 30-second intervals. Very straightforward.
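
The two mechanisms discussed in this thread (the authenticator app's codes above, and the printable one-time backup codes cube13 describes earlier), as an added example that is not part of the original thread and not Google's code. The TOTP part is RFC 6238 with RFC 4226's HOTP underneath: the shared secret from the QR code is the HMAC key, and the Unix time divided into 30-second steps is the counter. The backup-code class is an assumed design (ten codes, salted hashes, each redeemable once, regenerate invalidates the old set); the test key below is the RFC 6238 test-vector secret, not a real secret.

```python
"""TOTP (RFC 6238) plus one-time backup codes, stdlib only."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the time quantized to `step` seconds.
    The secret stays fixed; only the counter moves."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """otpauth:// QR codes carry the secret as unpadded base32; restore padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` neighbours for clock drift;
    compare in constant time so the check does not leak matching digits."""
    for drift in range(-window, window + 1):
        candidate = totp(key, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class BackupCodes:
    """Printable fallback codes: stored only as salted hashes, single use."""

    def __init__(self, count: int = 10, digits: int = 8):
        self.count, self.digits = count, digits
        self._salt = b""
        self._hashes = set()

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def regenerate(self) -> list:
        """Return fresh plaintext codes for printing; any old set stops working."""
        self._salt = secrets.token_bytes(16)
        codes = []
        while len(codes) < self.count:
            c = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
            if c not in codes:
                codes.append(c)
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Each code works exactly once; the remaining codes stay valid."""
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    import time
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test secret
    print("current code:", totp(key, int(time.time())))
    codes = BackupCodes().regenerate()
    print("backup codes:", codes)
```

With the RFC 6238 test secret, `totp(key, 59, digits=8)` yields `94287082`, which is the value the RFC lists for that instant; a real server would also remember the last counter it accepted so a code cannot be replayed within its 30-second window.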

~~~
jberryman
Also to use google services that don't support it (or can't, e.g. SMTP with
gmail), you can have google generate a new "throwaway" password which it will
display for you one time.

It was pretty straightforward and actually kind of fun to make the switch.

------
brokentone
With the number of domains that are being discussed here as recently stolen
(seemingly all from GoDaddy), I think we need some answers. How did this
happen? GoDaddy account hacked? GoDaddy account social engineered? GoDaddy
internal systems compromised? GoDaddy - person on the inside? New flaw/hack in
the ICANN registration methods?

------
dkersten
_They don't seem to have an active Twitter account. Just sending an email
through the contact form for now._

Wait, what? Since when is twitter a _replacement_ for email?

~~~
ceejayoz
Since major corporations started having turnaround times of minutes when
contacted in the public manner that is Twitter rather than days, weeks, or
never.

------
brokentone
I'm curious to know if the domain was in REGISTRAR-LOCK at the time. According
to GoDaddy's policies, they relock after 30 days, so it's likely it was
locked. <http://help.godaddy.com/article/410> (obviously an outside domain
transfer is not the only option for takeover)

------
orenmazor
heh, this happened to us a month or so ago. we even got a ransom note!

(TLDR: godaddy eventually came through for us)

~~~
pavel_lishin
That ... sounds ominous and fascinating. Would you mind writing about your
experience?

~~~
orenmazor
That was basically it, for the most part. I wasn't the one handling it, but
essentially the guy was trying to get some of our server configs for some
reason (I work on Postmark). We filed an FBI report and went back and forth
with GoDaddy until they got our domain back a week later.

So not really as exciting as Hackers, but sort of.

------
dredmorbius
If a business is unwilling to release information to you per a standard
request, look into filing a lawsuit and submitting a subpoena.

Even discussing that option with them may get them to disclose. Lawyering up
sucks for businesses as much as it does for you.

IANAL / IDEPLOTI, you may want to chat with one or several or even just find
folks who've disputed stuff themselves.

Additionally: register complaints with any and all consumer protections
services: BBB, chamber of commerce, your state's attorney general's office,
etc. And post to HN (OK, check that punchlist item).

------
farico
Godaddy stole phpiseasy.com from me too. Not sure who to trust anymore

------
bborud
I moved my domains away from GoDaddy primarily because I grew tired about all
the desperate upsell spam they sent me ALL THE TIME.

Secondarily I moved because they are so big that if anything happens to my
domains the chance I get to speak to a reasonable person are practically zero.

Find a smaller registrar, make sure you can get proper support from them, then
move your domains there.

(Recovering a domain you have lost is orders of magnitude more expensive than
taking steps to reduce the chance of it happening in the first place)

------
ereckers
I remember reading about this happening to a few other design blogger websites
over the last few weeks. I'm still trying to wade through the "I hate Godaddy"
posts to find if anyone has any idea why this might be happening. I'm guessing
weak passwords.

~~~
billpatrianakos
I waded through most of it and it seems as though the domain owner's email was
broken into which then allowed the thief to begin the transfer process. So
from what I'm reading here it actually wasn't GoDaddy's fault but just another
Gmail account broken into.

I hate GoDaddy more than probably anyone here but it looks like their
upselling and bad design didn't cause this one. Rats! I really wanted another
excuse to talk shit about GoDaddy.

------
TheENFORCER
Here's what we know: Their GMail accounts are the common thread here: even
Kirupa posts his addy with @gmail.com.

And we know that hackers have been all over Gmail. So obviously they got into
their account. Their account probably had links to the registration... or they
tried the same password, who knows.

But now they have them. I think the important thing is that the new
'Registrants' return them to Godaddy.com right now. They are trying to say
that these people have to prove fraud?

That's ridiculous. With easy to provide proof, get them returned.

Also don't use GMail for important stuff... maybe your own mail server? One
that you harden yourself? JK!

------
EGreg
Would locking your domain name at GoDaddy help?

<http://help.godaddy.com/article/410>

I am just wondering for my personal info, I have lots of domains hosted with
them

------
sloak
I mostly use Google Apps with enom, since it gives me the domain + email & all
other google apps goodies "for free".

That said, I want to move a few domains away from GoDaddy but I am a bit
confused how to do it the right way. Anyone have a good order-of-events list?
I'd hate to lose the domains over a technicality when transferring. [edit:
misspellings]

------
16s
Seems there is no idea how it happened yet. Perhaps a weak password... so weak
that it was easily guessed? That would be my first bet.

------
SahidK
This is scary, I have all my domains with godaddy!

------
drivebyacct2
First line: "... GoDaddy".

Laughed and closed the page. Even if it's not their fault for the original
transfer, the headache of support is on you.

edit: Sorry you don't like to hear it? You get what you pay for, and you get
what you deserve for not shopping around and just going with the brand name that
stuck because their CEO shot an elephant.

~~~
ceejayoz
Once it's transferred away, GoDaddy has no power over it. Even the best
support team can't do anything more than "give it back, please, new
registrar".

~~~
larrys
I upvoted you but that's not true. The best support team can get on the phone
with the other registrar and do something. They don't have to but they can.
But sure they can just as easily go for the low hanging fruit.

As a registrar we have access to exclusive contacts at other registrars as
well as in many cases personal relationships. If we want to help you there is
plenty we can do. Yes in the end it's up to the other registrar. But there are
professional courtesies as well and other ways of getting things done.

~~~
ceejayoz
In no way have you disagreed with me. You just reworded my "Even the best
support team can't do anything more than 'give it back, please, new
registrar'" statement.

~~~
ceol
larrys' point is that there's a difference between begging the other registrar
and using professional connections to ask for favors. Your original comment
implied GoDaddy could do _nothing_ the previous owner of the domain could do
when that's not the case.

------
masenf
could it be related to this:

"After a series of one-sided hearings, luxury goods maker Chanel has won
recent court orders against hundreds of websites trafficking in counterfeit
luxury goods. A federal judge in Nevada has agreed that Chanel can seize the
domain names in question and transfer them all to US-based registrar GoDaddy.
The judge also ordered "all Internet search engines" and "all social media
websites"—explicitly naming Facebook, Twitter, Google+, Bing, Yahoo, and
Google—to "de-index" the domain names and to remove them from any search
results."

[http://arstechnica.com/tech-policy/news/2011/11/us-judge-orders-hundreds-of-sites-de-indexed-from-google-twitter-bing-facebook.ars](http://arstechnica.com/tech-policy/news/2011/11/us-judge-orders-hundreds-of-sites-de-indexed-from-google-twitter-bing-facebook.ars)

~~~
cube13
Except... the domain was transferred AWAY from GoDaddy.

