This Site’s Domain is Stolen (css-tricks.com)
353 points by tbassetto 953 days ago | comments


someone13 953 days ago | link

I would warn everyone that reads this to be very careful. When a domain is stolen, it's usually not used for "legit" purposes. Be very careful when visiting this site - use a patched browser, Java + Flash + Acrobat, etc., in case the new "owners" decide to stick an exploit kit here.

-----

vegardx 953 days ago | link

Why would they need access to the domain to do that?

-----

ek 953 days ago | link

Because they would mirror the site and then add bad stuff, so it looks legit, and then change the DNS record to point to the mirror.

-----

vegardx 953 days ago | link

I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (i.e. not receive any mails...).

-----

Maxious 953 days ago | link

I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit hosts file but easy to translate to simply stealing the domain.

-----

almost 952 days ago | link

I have done this with Facebook as part of a prank on a friend, it's not hard to do!

-----

ajross 953 days ago | link

Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targeted domain)?

The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...

-----

pavel_lishin 953 days ago | link

Unless they were making copies and forwarding the e-mails on.

-----

SeoxyS 953 days ago | link

This is why we have SSL. SSL protects against exactly these kinds of Man in the Middle attacks.

-----

tesseract 953 days ago | link

It's not a man in the middle, it's a new man on the other end, and since he has the domain he can get a legit SSL cert for it.

-----

SeoxyS 953 days ago | link

If he has control over the domain but not the server, it's man in the middle. He'd have to redirect the nameservers to a new server, which would either request html from the original server and add malware on the fly, or create a replica of the original site with extra added malware.

Either way, though, without the private key to the SSL certificate, which he won't have without the original server, he can't pretend to be the original site on the other end of an SSL connection.

-----

__david__ 952 days ago | link

It doesn't matter if he has the private keys of the original server. He can MITM it with a brand new fully authenticated official SSL cert because he now owns the domain.

   Orig. Server <-- SSL --> MITM Server <-- SSL --> Client
The only thing that usually prevents this is that the MITM Server normally can't get an authenticated SSL cert for the domain and so the client can detect the fake cert.

If SSL worked like SSH then your browser would whine that the cert changed but the browsers currently don't do that. I think even convergence (http://convergence.io/) wouldn't detect this case because it looks to the outside world to be totally legit. Scary.

-----

gospelwut 953 days ago | link

But I was told that Chrome will protect me and I don't need to whitelist content.

-----

bittermang 953 days ago | link

Problem goes beyond just css-tricks.com. I've been following David Walsh for a while, and apparently his domain has been nabbed as well, along with DesignShack.net, SohTonaka.com, and InstantShift.com

https://twitter.com/#!/davidwalshblog/status/142645321791586...

-----

ecaron 953 days ago | link

It also happened to mckmama.com (a crazy popular blog my wife follows who couldn't believe that domain hacking was even possible anymore.)

The more interesting aspect was that since mobile nameservers are slow to update, the site worked on her phone still. That led to the lovely "Where does DNS come from" conversation we all have with our loved ones eventually :)

-----

SystemOut 953 days ago | link

I thought something weird was going on since the sohtonaka.com domain is available when I checked at namecheap.com. Then I noticed that both the tweet and the above message misspell sohtonaka.com - it should be sohtanaka.com.

-----

ImprovedSilence 953 days ago | link

Judging from the comments on his website, it sounds like everybody and their grandma hates GoDaddy. I've recently been looking into getting a domain name and starting a website, can anyone point me towards a more reputable site to acquire a domain and host a site? (Yeah, I know, I read HN daily, and I'm still clueless when it comes to actually putting up a website)

-----

ricardobeat 953 days ago | link

I've used and trust http://nfshost.com/ and http://asmallorange.com/

Big ones like MediaTemple and RackSpace seem good too. I used 101domain for international TLDs, not pretty but everything is going fine.

-----

Legion 953 days ago | link

NearlyFreeSpeech is wonderful. I drive people to them whenever I can.

Along with being trustworthy and protective of their customers, their web panel is simple and no BS. I don't know how people put up with other registrars with their upsell-threw-up-all-over-the-page web panels. Even "good" ones like NameCheap are eyesores.

I hope NFS never lets me down, because I talk them up like they walk on water.

-----

Lammy 953 days ago | link

I can second Nearlyfreespeech. They've been great as my registrar and DNS host for years. I host on http://prgmr.com VPS.

-----

jdpage 953 days ago | link

Plus one for Nearlyfreespeech. Their shared hosting is pretty nice as well, except for the fact that they don't have mod_wsgi.

-----

muraiki 953 days ago | link

I've used Dreamhost for years. They really work for their customers. Over time you accumulate points that you can use to vote for new features (which I just realized, I have never done... so I should have a decent amount by now!)

-----

Cyranix 953 days ago | link

Dreamhost is definitely fantastic for customer support, but after a recent email exchange, I learned that they don't have a timeline for when they'll upgrade their password system, which does not use one-way hashes. Password reminder emails contain the password in plaintext. If you're reading this thread and are concerned about domain security, I'd suggest looking somewhere other than Dreamhost for the time being.

-----

jacktoole1 953 days ago | link

I just recently found out that Dreamhost stores its passwords in plaintext! I'll probably be looking to transfer away from this simply for that reason. If you haven't set your panel security to use email confirmation to let new IP addresses log in, I would strongly recommend it.

-----

muraiki 953 days ago | link

Wow, that's horrible. I wasn't aware of that. I use them for hosting but I use Google Apps for email. I'm sorry for making a bad recommendation.

-----

eli 953 days ago | link

namecheap.com is good if you're looking for something cheap (e.g. you've got 50 domains to register).

Gandi.net is great if you don't mind spending $15 per domain.

-----

tdoggette 953 days ago | link

NameCheap is good.

-----

nicwest 953 days ago | link

Second that, been using them for the better part of a decade, never any problems.

-----

sunchild 953 days ago | link

Me too. No issues after many years of namecheap.

-----

JeremyBanks 953 days ago | link

Just to throw in a slightly differing opinion: I've been with Namecheap more than five years, and overall I've been very satisfied with them. However, I have had a couple of minor issues. Most recently, when making a minor change their support messed up something with my domain. They were slow to respond to my request that they fix it, and seemed far too confused about what was going on. The domain in question wasn't important to me, but if it had been I'd have been pretty pissed.

-----

hornbaker 953 days ago | link

Another vote for NameCheap. Have had ~50 domains with them for nearly 5 years now, never a problem.

-----

dctoedt 953 days ago | link

+1 for NameCheap.

(Not to beat a dead horse, but back when we could see the karma numbers for comments, it was possible to visibly "second" an endorsement comment by upvoting it, instead of posting separate +1 comments like this one ...)

-----

mikeleeorg 953 days ago | link

Another vote for NameCheap. And to make this comment more useful...

I especially love how easy it is to transfer domain names between NameCheap users. I had purchased a domain name once with my personal account. Then I created a company and wanted the domain to be officially owned by that entity and not me. So I created another NameCheap account for that company, then transferred it over very easily.

Of course, it's possible other registrars offer such a frictionless transfer process between account holders too. I've only used NameCheap for this and can say I was pleased with the results.

-----

peeplaja 953 days ago | link

+1 for namecheap

-----

mluggy 953 days ago | link

Also loving namecheap, though it sucks that they don't support all extensions, for example I have sampl.es which I cannot transfer from GoDaddy

-----

icebraining 953 days ago | link

Same here, although I've only been a customer for two years. Never had any problems with their website either, always fast and responsive.

-----

courtewing 953 days ago | link

I recently switched over all of my domains from godaddy to hover.com, and I have been pretty happy with them.

-----

danielhunt 953 days ago | link

This may not be suitable for everyone, but I've been recommending Blacknight ( http://www.blacknight.com/ , affiliate linkage: http://tracking.blacknight.com/aff_c?offer_id=5&aff_id=6... ) for quite some time.

They're an Irish hosting and domain name provider, and have a great name, a great support team and are a genuinely pleasant company to deal with.

(Disclaimer: I don't work for them, but do know 1 or 2 employees there. Also, I pasted my affiliate link above)

edit grammar

-----

alanmeaney 953 days ago | link

I've used Blacknight.com for over 3 years and have found them very responsive

-----

FraaJad 953 days ago | link

Gandi.net

-----

JoshTriplett 953 days ago | link

Seconding the recommendation for gandi. They have very strong policies in favor of the domain owner. They also provide nice services such as email hosting for your domain. I use their server hosting as well, which works quite well, though not fast.

Also, they support quite a few good causes (https://www.gandi.net/supports/); they fund Debian's DebConf every year.

-----

gujk 953 days ago | link

One flaw with Gandi's mail feature is that new accounts do not get wildcard accounts (forward all @example.com mail to one address): you need to register each email address you want individually. Apparently they couldn't handle spam filtering.

-----

marquis 953 days ago | link

Easy enough to move to Google Apps and use their wildcard option.

-----

charliesome 953 days ago | link

I'm usually a tight arse but in the case of gandi.net, I have no problem paying a premium so I don't have to put up with all the bullshit that customers of other registrars have to put up with

-----

stock_toaster 953 days ago | link

I use dynadot as a registrar (couple of years). They have been good. Never used them for hosting actual sites though.

I used markmonitor at a previous gig (requirement of a parent company) and they were good, but a bit expensive.

-----

TorbjornLunde 953 days ago | link

When I researched what domain provider to use this summer I found many good words about EasyDNS. I’ve only used them a half year, but I am really happy so far.

-----

irons 953 days ago | link

I love EasyDNS for domain hosting. I can't quite bring myself to use the same company for DNS hosting and registration; I've used Dotster as a registrar since the 90's.

You couldn't pay me to use huge, inept outfits like GoDaddy or Dreamhost who compete primarily on price. I have a similar, though evidence-free aversion to companies which put words like "cheap" in their name.

-----

TillE 953 days ago | link

Namecheap is a pretty terrible name, and their site doesn't look great either. Still, the service is solid. Add me (five years, a handful of domains) to the list of satisfied users here.

-----

mattcofer 953 days ago | link

I have used Dotster for quite a few years also. I have zero complaints with them.

-----

ImprovedSilence 953 days ago | link

Is there a reason you avoid using the same company for hosting and registration?

-----

premchai21 953 days ago | link

One thing to note about EasyDNS is that last I checked, glue updates require human intervention, and IPv6 glue is a good way to confuse the humans on the other side of the support channel. If you don't use glueful delegations, then you probably don't care, but this is the sort of thing that's harder to tell upfront.

-----

jtap 953 days ago | link

Thought I'd mention softsyshosting.com. I've used them for a small IIS website, dataintegrationagent.com. Site setup was easier and quicker than godaddy.com. They were also quick to answer my questions. I found that it was pretty difficult to find a place to host IIS websites, and I really recommend softsyshosting if you're planning on using anything IIS related.

-----

trustfundbaby 953 days ago | link

1and1 might not be popular here, but they're pretty cheap ($8.99 for .com), they have sales regularly and they throw in private whois info for free, plus your domain is locked down by default so the sort of thing described in the OP shouldn't happen.

Never had a problem with them in almost 5 years.

-----

mikeleeorg 953 days ago | link

I've used them and didn't have a problem until I wanted to transfer to another domain registrar. After painfully trying to find the transfer auth code and transferring the domain name, 1and1 continued to bill me for a couple of months. To their credit, they reversed the charges after I called them - but that didn't leave me with a satisfactory experience.

I can understand why a company might want to make it painful to leave their service, but continuing to bill me points to either incompetence (some bugs in their billing system) or a malicious act (doubt it though).

But otherwise, yea, a nice & cheap service.

-----

SkyMarshal 953 days ago | link

One problem with 1and1 is that when your domains are about to be autorenewed, you don't get an email notification till the day of. I prefer registrars that give a few weeks heads up on that so I can cancel the autorenew if I want to let the domain expire (even GoDaddy gives advance notice).

-----

russell 953 days ago | link

Likewise, I've had a good experience with 1and1 for something approaching a decade. My GF and I have a couple dozen domains. Whenever she has a new creative idea, she gets a new domain.

-----

damptrousers 953 days ago | link

1and1 is terrible. Please do not listen to individual accounts of 'no problems'. If you do have a problem, you will be in trouble. 1and1 is a giant company that makes money by quantity, not quality. In other words, the majority will have no problem, so let's have millions of customers and screw those that have problems. Again, there are too many other good companies to use such a crappy company.

-----

paisible 953 days ago | link

I've tried a few, have to recommend internetbs.net. The website might seem pretty crappy, but they have really good customer support, plus the best API I've found. If you're looking to register domain names programmatically, definitely check them out.

-----

zaphar 953 days ago | link

I use dyndns for both the registration and dns serving. They've always been good to me.

-----

grabble 953 days ago | link

Namespro.ca have excellent service and "not bad" prices. Highly recommended.

P.S. And yes, I despise GoDaddy with every molecule of my being.

-----

xyzzyb 953 days ago | link

Hover.com is awesome and they have actual friendly, knowledgeable humans that answer the phone.

-----

protomyth 953 days ago | link

I've been using Domain Discover and I haven't had any problems.

-----

shiftpgdn 953 days ago | link

I have been using NixiHost.com for a few years without issue.

-----

rpicard 953 days ago | link

I've never had a problem with Name.com.

-----

lhnn 953 days ago | link

name.com has been pretty good for me for the past few months. Very easy to use.

Also: Don't get a .com/.net domain name. You don't want the US government declaring your domain to be evil and taking it off the 'net.

-----

jxcole 953 days ago | link

I used name.com for a website once. I used them for my DNS also (because I don't know how to set up a separate DNS) and they parked their own auto-generated crap at everything except the www subdomain. Apparently, if you are savvy enough to set up your own DNS this isn't a problem, but I wouldn't use them because of this.

-----

ww520 953 days ago | link

I think if you set up a wildcard *.mydomain.com rule to forward to your domain, you won't see their stuff.

-----

lhnn 953 days ago | link

I'm not quite sure what you mean (though I'm not arguing). I set up my own DNS manually.

Create a rackspace cloud server, grab that IP and use it in an A record on name.com.

-----

hayley 953 days ago | link

If you're using name.com's DNS, then they've basically got a wildcard subdomain that points to a spammy domain-parked page.

So, say you have valid records for .yourdomain.com and www.yourdomain.com. Those two hosts will resolve as you would expect them, but *.yourdomain.com will resolve to a spam page.

-----

cookiecaper 953 days ago | link

Wow, that's pretty evil. I definitely won't be using name.com (I've been happy with Dreamhost as a registrar for years anyway, but would be interested in trying someone else in the future). Thanks for the heads up.

-----

jxcole 953 days ago | link

So, if a user came and visited my site, which was www.zideck.com (It's not there any more), they would see my web page. If they were to visit http://zideck.com they would see auto generated spam garbage that said stuff like "What you need, when you need it." In fact, ANY subdomain would result in link spam trash.

Thanks for the tip on setting up DNS. If I create a rackspace cloud server, I imagine there is something special I have to do to make it a DNS server, right? Does it just work straight out of the box?

-----
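A model of the wildcard behaviour hayley and jxcole describe, as an added example (not code from the thread or from name.com): it applies the RFC 4592 wildcard rules to a constructed zone so you can see which names fall through to a provider's parking record, and shows ww520's override. The zone, the names and the 203.0.113.x addresses are constructed.

```python
"""RFC 4592 wildcard lookup over a constructed zone: an audit for parking fall-through.

Added example, not code from the thread or from any registrar. The zone is a
hypothetical one: explicit records a customer set, plus the provider-style
"*.yourdomain.com" wildcard hayley describes. Records are simplified to
owner name -> target string; real zones carry typed RRsets.
"""

# Constructed zone. 203.0.113.0/24 is the RFC 5737 documentation range.
ZONE = {
    "yourdomain.com": "203.0.113.10",      # apex, set explicitly by the customer
    "www.yourdomain.com": "203.0.113.10",
    "mail.yourdomain.com": "203.0.113.25",
    "*.yourdomain.com": "parking-page",    # provider's catch-all; the part to audit
}


def name_exists(name, zone):
    """A name 'exists' for wildcard purposes if it owns records or has records
    below it (an empty non-terminal). RFC 4592 needs this to find the closest encloser."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def lookup(name, zone=ZONE):
    """Resolve like an authoritative server. Returns (target, how) with how in
    'exact', 'wildcard' or 'nxdomain'.

    Wildcard rules that matter here:
      * an explicit record always wins over the wildcard;
      * the wildcard never matches the apex itself ("yourdomain.com"), so a
        parked apex means the provider added its own apex record;
      * if an existing name sits between the query and the wildcard's parent
        (e.g. mail.yourdomain.com), the wildcard does NOT match names under it.
    """
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name], "exact"
    labels = name.split(".")
    # Walk up the ancestors; the first one that exists is the closest encloser.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor, zone):
            wildcard = "*." + ancestor
            if wildcard in zone:
                return zone[wildcard], "wildcard"
            return None, "nxdomain"   # closest encloser has no wildcard child
    return None, "nxdomain"           # not in this zone at all


def audit(names, zone=ZONE):
    """Names from your logs or configs that would silently land on the wildcard target."""
    return [n for n in names if lookup(n, zone)[1] == "wildcard"]


def own_the_wildcard(zone, apex, target):
    """ww520's fix: override the provider wildcard with a record pointing at your own host."""
    return {**zone, "*." + apex: target}
```

Run `audit` over every hostname that appears in your access logs or mail headers: anything it returns was being served by the parking page, not by you.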

bmj 953 days ago | link

Wait, I thought .com/.net (among others) were generic TLDs governed by ICANN? I would assume .us might fall into this warning (as would other country code TLDs), but .com and .net?

-----

vidarh 953 days ago | link

What matters is whether or not the operator of the TLD is within US jurisdiction, not the purpose of the TLD.

-----

bmj 953 days ago | link

So, in that case, the FBI could seize any domain as long as the operator is within US jurisdiction?

-----

tristanperry 953 days ago | link

Yep, pretty much.

Not exactly fair, but that's the current 'system'..

-----

vidarh 952 days ago | link

Yes, and be aware the operation of a lot of ccTLDs is outsourced to companies outside the country in question.

I don't know that much about how many are or aren't operated out of the US, but most of the generic TLDs are, and several ccTLDs definitely are too - for example .tv and .cc are operated by Verisign, and .co is operated by Neustar.

-----

burgerbrain 953 days ago | link

Yes.

-----

eli 953 days ago | link

http://news.ycombinator.com/item?id=2451302

-----

bmj 953 days ago | link

Thanks. I still have a question, though: if the FBI can seize these domain names, does that mean they can seize any domain names? I'm a little fuzzy on the control/management scheme here.

-----

uxp 953 days ago | link

As anyone has said elsewhere in this thread, all they are doing is strongarming the administrators of the TLDs that operate primary offices inside the USA to alter the DNS entries for specified domains they feel are being used to break the law, because that is their jurisdiction, and prevent the owner from being able to change it back.

One of the more controversial parts of SOPA is the ability of ICE/Customs to be able to "un-resolve" domain names under other TLDs and country codes. Since the USA does not have jurisdiction over Russia (as an example), there is no current way to block a filesharing or spammer operating with a .ru address without having a partnership with Russia. This aspect of SOPA would allow the USA Government to block all domain name servers from resolving that address properly, by basically poisoning the legitimate DNS entry with one that resolves to some landing page operated by ICE. They won't be able to seize the domain, but they'll make it just as worthless to anyone inside the USA.

-----

larrys 953 days ago | link

You're right. Anything governed by ICANN. And I'm not agreeing or disagreeing about the control issue, just pointing out that, for example, .org .us .info etc. would be in the same boat.

-----

icebraining 953 days ago | link

On that note, does anyone know what's the case with .eu? Can ICE do the same as they've done with .com/.net?

-----

larrys 953 days ago | link

I don't agree with what you are saying but more importantly the same is true for .org .info .us and any tld overseen by ICANN.

-----

davidhansen 953 days ago | link

We use Network Solutions as our registrar for our "valued" domain names, and name.com or godaddy for everything else.

NetSol provides pretty good validation and security options for so-called "VIP" customers, but it's not perfect.

The next step up is paying exorbitant fees to a company like MarkMonitor for domain name management services. This is what the "big boys" tend to do.

-----

ecaron 953 days ago | link

Is NetSol still "reserving" any domain name that you search on their site (http://blog.domaintools.com/2008/01/network-solutions-steals...)? I swore I'd never go back there after that practice - and fortunately there are still enough better alternatives that I don't plan on it.

-----

libraryatnight 953 days ago | link

The only way the domain would be able to be moved from Go Daddy would be if the person stealing the name had access to the account, that's the only way to request the transfer authorization / epp code. Their support requires either a pin or last 6 of a CC used on the account to validate callers, if you can provide that they'll update the email on file and help reset the password, but he said his account email is unchanged. So the person taking the name would either have to know the account password, or have access to the email address on file where the reset requests are sent.

Given that this would have to happen from inside the customer account, I can understand why Go Daddy would want to confirm that this was indeed a nefarious act and not something like a domain being sold, transferred, then reported stolen to keep the cash and get the domain back. Or any number of other scenarios one might think of - shady domain stuff happens a lot. I can only imagine the hoops required to jump through for a registrar to get a domain back from another registrar under these circumstances.

-----

arn 953 days ago | link

"The only way the domain would be able to be moved"

Not sure that's the only way. That's like saying the only way you could get credit card information from Sony's playstation servers was if you worked in Sony's billing department.

Not saying this is necessarily a hack, as it most likely is insecure practices on the part of the user, be it passwords or phishing. But seeing a cluster of them raises some concerns that it could be some otherwise unknown method.

-----

libraryatnight 953 days ago | link

Thanks, I agree, 'the only way' is probably too absolute a phrasing.

I do wonder if the reason we see clusters is because they are the largest, and arguably the most publicized, registrar in the U.S., and in terms of market share, the world.

-----

SomeCallMeTim 953 days ago | link

He said on the page that it apparently involved a Gmail hack of some kind, so even if it's not "the only way", it sounds like it was how it was stolen in this case.

-----

whileonebegin 953 days ago | link

There are a lot of posts blaming GoDaddy. Did anyone read the post by David Airey, linked in the article? The reason for his lost domain was that his Gmail account was hacked. The attacker performed a "legit" domain transfer through his registrar. It wasn't the registrar's fault, in this case. The only blame you could place was that perhaps the registrar didn't have enough security check points.

GoDaddy is certainly annoying with their obnoxious web site and sometimes, their tactics, but this could be another email-hijack attack.

-----

calvin 953 days ago | link

One more great reason to set up two-step verification for your Gmail and Google Apps accounts.

http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...

-----

Matt_Cutts 953 days ago | link

I came here to say this, so thanks for saying it for me, calvin. Anyone reading on HN should probably set up two-step verification on their Google accounts.

-----

brador 953 days ago | link

I've yet to do this. Reason being I wonder what will happen if I lose my phone...

Is there a way to set up two-step without a phone?

-----

cube13 953 days ago | link

Google provides a set of numerical codes for you to print out and store in case you lose your phone. They're all one-time use, and allow you to get in and change the settings.

-----

pavel_lishin 953 days ago | link

Does that mean that if ANY of them are used, the rest are invalidated? Or just that any one of them may be used once?

-----

cube13 953 days ago | link

You get 10 codes per generation(and can regenerate them whenever you want), and each code can be used once.

-----

zecho 953 days ago | link

You can use an alternate number to have a text message sent to you and there are printable one-time pads. The one-time pads have come in handy for me, because I always let the battery on my phone die.

-----

JBiserkov 952 days ago | link

The recommended way is to use the Google Authenticator app - available on Android, iOS, and BlackBerry devices - which doesn't require an Internet connection, mobile service, or a data plan to generate verification codes.

http://www.google.com/support/accounts/bin/answer.py?answer=...

I'm using it on my iPod.

-----

bjcubsfan 953 days ago | link

In addition to the one time pad, you can specify other phone numbers. The system will call these phones and read the code aloud.

-----

Natsu 953 days ago | link

Also, you should NOT have Gmail open while surfing the web. I won't even visit a link emailed to me directly. I'm either reading email or surfing, but never both; all private data gets wiped between sessions. Sure, it's a bit paranoid, but it eliminates quite a few attacks and opportunities for social engineering.

-----

teyc 952 days ago | link

Perhaps it is domain registrars that need to implement two-step verification before transfers. It would be such a labour-saving move, and potentially save so much time resolving disputes. Just offer people to "lock" their domains to be unlocked with a mobile phone number.

It would be a simple Twilio app.

-----
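The two factors discussed above (cube13's ten single-use backup codes, the RFC 6238 TOTP that JBiserkov's Google Authenticator generates) put behind the registrar-side transfer lock teyc suggests, as an added example that is not code from the thread, from Google or from any registrar. `DomainLock`, its method names and the replay bookkeeping are hypothetical; the base32 secret in the test is the RFC 6238 reference secret.

```python
"""Second-factor gate for domain transfers: TOTP plus single-use backup codes.

Added example, not code from the thread, Google or any registrar. It implements
an RFC 6238 TOTP as Google Authenticator generates it and a printed list of
one-time backup codes, behind a hypothetical registrar-side `DomainLock` that
refuses to unlock a domain for transfer without one of them.
"""
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per TOTP step (Google Authenticator default)
DIGITS = 6       # code length


def decode_secret(secret_b32):
    """The shared secret as it appears in an otpauth:// QR code: base32, often unpadded."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=TIME_STEP):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at_time // step)


def matching_totp_step(secret_b32, code, at_time, window=1):
    """Return the time step whose code equals `code`, tolerating `window` steps of
    clock drift either side; None if nothing matches. Constant-time comparison."""
    secret = decode_secret(secret_b32)
    base = at_time // TIME_STEP
    for step in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


def hash_backup_code(code):
    # Stored hashed: a leaked table must not hand out working codes.
    return hashlib.sha256(code.encode()).hexdigest()


class DomainLock:
    """Hypothetical registrar-side lock: no transfer auth code without a second factor."""

    def __init__(self, totp_secret_b32):
        self.totp_secret = totp_secret_b32
        self.backup_hashes = set()
        self.used_totp_steps = set()   # a TOTP accepted once must not be replayed in its window

    def generate_backup_codes(self, count=10):
        """Ten single-use codes, as cube13 describes; regenerating replaces the whole
        batch (assumed behaviour). The plaintext is shown once, for the user to print."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes = {hash_backup_code(c) for c in codes}
        return codes

    def unlock_for_transfer(self, code, at_time):
        """True only for a fresh TOTP or an unused backup code; either is consumed on use."""
        step = matching_totp_step(self.totp_secret, code, at_time)
        if step is not None and step not in self.used_totp_steps:
            self.used_totp_steps.add(step)
            return True
        digest = hash_backup_code(code)
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)   # one use only
            return True
        return False
```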

paul9290 953 days ago | link

Yeah i am thinking this too.

I mean a day or two ago Gmail was showing and promoting users to enable 2 step verification because thousands and thousands of gmail accounts are stolen everyday (something to that extent).

Big fish are big targets and gmail like godaddy and bank of america may no longer be safe and/or wise to maintain your businesses with!?! I have had issues with all 3 mentioned.

-----
