Anatomy of a Domain Hijacking, part 1
Two weeks ago I'd never heard the term 'Domain Hijacking'. Right now, I'm in the middle of a fight to regain control of my hijacked domain, secretGeek.net. It's not an easy fight, I haven't yet won, and I may never win.
If you have any information that could help me get control of my domain again please leave a comment, or tweet me (@secretgeek), or get in touch via my (now re-secured) email address, firstname.lastname@example.org
From Russia with Love
On Monday 9th May, I checked my gmail account at around 3:40 in the afternoon, and I was confronted with a dark red message at the top of the screen (in the area where you normally see messages like 'Your email has been sent'). The message said:
Warning: we believe your account was recently accessed from: Russia. Show details and preferences | Ignore
I clicked on 'show details and preferences', and a new window opened with this message:
[Screenshot: Gmail's 'unusual activity' details page showing the access from Russia; my own IP addresses are redacted]
This was definitely not me. At 4:19am and 5:40am I had been far too busy being fast asleep, preparing for a big week, to get to Russia and back for some casual email reading. So someone had infiltrated my email. The freaking out sensation began immediately. I couldn't move. I was frozen completely still.
I followed google's advice and immediately changed my password, then notified my wife. My mind was racing as to what the implications could be.
A little voice told me to check the trash. I was really hesitant, I think I knew the trash would contain something I didn't want to see.
In the trash I found two messages, received at 5:45am.
The content of the messages was to explain that my domain, secretGeek.net, had been successfully transferred from my registrar, GoDaddy, to a Russian registrar, Regtime Ltd.
I felt completely unreal, like this was a dream, or a prank. I logged into my GoDaddy account to check on my domains. They all still appeared to be there. I took a few deep breaths. I felt it must be all just a daydream. I read the list carefully. No -- secretGeek.net was missing from the list. All of the others were still there.
I started sending emails to GoDaddy. I replied to the emails I'd found in the trash, telling them that it was a mistake, the result of my email being violated.
I lodged support requests with GoDaddy. When I went back to the trash to read the deleted emails again I found there were new messages in the trash. Emails from godaddy in response to my support requests had been automatically deleted. This was *weird*. It was a few minutes before the penny dropped.
I looked in my gmail filters and there were two new ones. The two new filters were designed to delete any messages containing the words 'GoDaddy' or 'Webnames'. (I later found that 'Webnames.ru' is the trading name of 'Regtime Ltd', the Russian registrar holding secretGeek.net)
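The two filters above are the kind of thing worth checking for on your own account. Gmail lets you export your filters as an Atom XML feed (Settings, Filters, Export); the script below is an added example, not part of the original post, that parses such an export and flags any rule that trashes, archives or forwards mail, rating it 'high' when the rule also matches registrar-related words. The XML sample is constructed to mirror the two filters described in the story; the watch-word list and action list are my own assumptions.

```python
"""Audit an exported Gmail filter list for rules that hide or divert mail."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter actions an intruder uses to keep mail out of your sight or copy it.
SUSPICIOUS_ACTIONS = ("shouldTrash", "forwardTo", "shouldArchive", "shouldMarkAsRead")
# Words a domain hijacker would want suppressed; add your own registrars (assumed list).
WATCH_WORDS = ("godaddy", "webnames", "regtime", "transfer", "registrar")

# Constructed sample export, modelled on the two filters found in the story
# plus one harmless labelling rule.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='GoDaddy'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='Webnames'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.invalid'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property_name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text):
    """Return (severity, description) tuples for filters that hide or divert mail.

    'high' means the rule hides/diverts mail AND its criteria mention a
    registrar-related watch word; 'medium' means it hides/diverts mail at all.
    """
    findings = []
    for props in parse_filters(xml_text):
        actions = [a for a in SUSPICIOUS_ACTIONS if a in props]
        if not actions:
            continue  # labelling, starring etc. are not a concern here
        criteria = " ".join(v for k, v in props.items()
                            if k in ("hasTheWord", "from", "subject", "to"))
        hits = [w for w in WATCH_WORDS if w in criteria.lower()]
        severity = "high" if hits else "medium"
        findings.append((severity, f"criteria={criteria!r} actions={actions}"))
    return findings
```

Run `audit_filters(open("mailFilters.xml").read())` against your own export; an empty list means no filter silently removes or forwards mail.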
This was starting to become very 'real'. This wasn't some kind of misunderstanding. It was definitely a thing. It was a deliberate, targeted attack, by a person or people who knew what they were doing and had either done this thing before or had thought it through very carefully.
I turned to my friend, Joe Cooney, to show him what I'd found. He was equally gobsmacked. He told me to call GoDaddy on their support number and see what they said.
A whois request on secretGeek.net showed that my name servers were still listed, but the registrar was Regtime Ltd, and the contact information was all blank.
The support guy at GoDaddy told me to contact the gaining registrar and find out what their policy is for transfer disputes. He told me there was nothing GoDaddy could do (turns out this was bad advice, by the way).
I was busy worrying about what else was in danger. My wife was already on the task of changing every password, keycode, and security question associated with all of our bank accounts, credit cards, online identities, home pcs etc, and checking at each of these places for any trace of unusual activity.
In order to send a support request to the Russian registrar, I had to sign up as a member (and I noted with some distaste that they sent me my new password in plain text.) I sent them multiple emails explaining what happened. Then I re-sent each of those messages, in Russian this time, translated by translate.google, and including the original text.
I worked late that day to make up for the lost time and somehow managed another check-in before I went home.
That night I called GoDaddy again, hoping to get more help. By now I'd read about the similar case of David Airey where a gmail vulnerability led to a domain hijacking, which also involved godaddy. This time I got a more helpful support staff member. She told me to fill out the 'dispute on transfer away' form at GoDaddy, which I promptly did. This meant that the right people at godaddy would be notified, and they'd contact the Russian registrar to request the domain be returned.
Wrapping up part 1.
While there's more that's happened since, things haven't really progressed since that day at all.
I still haven't regained control of the domain. I'm waiting on word from the Russian registrar. I remain hopeful that any minute now I'll get an email from them saying "Ah, we're sending back your domain!" -- but my hope is fading.
The name servers haven't been changed, so my content continues to be served up as always. If it does go down, the plan is to launch a new and improved secretGeek at LeonBambrick.com. Announcements or news will be via twitter (@secretGeek) or from my business website, NimbleThing.net.
If you have any information that could help me get control of my domain again please leave a comment, or tweet me (@secretgeek), or get in touch via my (now re-secured) email address, email@example.com
In the next part of the story I want to discuss gmail security, all of the possible ways I could've been hacked, and the one I think is most likely. But I can't wait until then to put out the following checklists. These are steps you can take to protect your email account and to protect your domains:
What can you do to stop this happening to you?
Protect your email via:
- Change your password often. For example, right now.
- Make your password very strong.
- In gmail: disable POP.
- Ensure your password recovery options are as strong as your password.
- Make sure 'always use https' is selected.
- In gmail: check for unusual activity (it's available at the foot of the screen).
- In gmail: don't let any other apps be associated with your account.
- Use two-step authentication.
Protect your domains via:
- Pay for private domain registration.
- Pay for enhanced transfer protection. (e.g. at GoDaddy they call it 'Deadbolt' protection, and it means they require you to send them identification before they'll approve a transfer.)
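The whois change in the story (registrar swapped, contacts blanked, name servers untouched) is detectable if you check your own record regularly. The script below is an added example, not part of the original post: it parses 'Key: value' whois text and raises an alert when the registrar no longer matches the one you expect, when the clientTransferProhibited lock is absent, or when registrant fields are empty. Both whois records are constructed samples; real registries vary their field names, so treat the keys as assumptions.

```python
"""Watch a whois record for the signs of a domain transfer you did not request."""
import re

EXPECTED_REGISTRAR = "godaddy"  # assumed: substring of your registrar's whois name

# Constructed sample: a healthy record for a locked domain.
WHOIS_OK = """\
Domain Name: EXAMPLE.NET
Registrar: GoDaddy.com, LLC
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registrant Name: Jane Doe
Registrant Email: jane@example.invalid
Name Server: NS1.EXAMPLE.NET
"""

# Constructed sample mirroring what the author saw after the transfer:
# a different registrar, blank contacts, name servers unchanged, no lock.
WHOIS_HIJACKED = """\
Domain Name: EXAMPLE.NET
Registrar: Regtime Ltd.
Domain Status: ok
Registrant Name:
Registrant Email:
Name Server: NS1.EXAMPLE.NET
"""


def parse_whois(text):
    """Collect 'Key: value' lines into {lowercased key: [values]} (keys repeat)."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def check_domain(text, expected_registrar=EXPECTED_REGISTRAR):
    """Return a list of alert strings; an empty list means nothing looks wrong."""
    rec = parse_whois(text)
    alerts = []
    registrar = " ".join(rec.get("registrar", [])).lower()
    if expected_registrar not in registrar:
        alerts.append(f"registrar changed: {registrar or '(none)'}")
    # EPP status codes are listed one per 'Domain Status' line.
    statuses = {s.lower() for s in rec.get("domain status", [])}
    if "clienttransferprohibited" not in statuses:
        alerts.append("no transfer lock (clientTransferProhibited missing)")
    for key in ("registrant name", "registrant email"):
        if not any(rec.get(key, [])):
            alerts.append(f"{key} is blank")
    return alerts
```

Feed it the output of `whois yourdomain.net` from a scheduled job and mail yourself whenever the list is non-empty; note that private registration (the first checklist item) will legitimately blank the registrant fields, so drop that check if you use it.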
'joshka' on Sun, 22 May 2011 16:16:13 GMT, sez:
I read a blog post recently where a person bought a domain that had previously been used with Google apps. They signed up for Google apps themselves and had access to the previous owner's email. I'll try and dig up the post tomorrow. It's worth considering as problematic if they own the domain and potentially can change your DNS / nameservers etc.
'Shazza' on Sun, 22 May 2011 23:46:37 GMT, sez:
Sounds pretty stressful for your whole family.
Hope you get a resolution soon.
'Joshka' on Mon, 23 May 2011 06:30:16 GMT, sez:
As promised: http://techcrunch.com/2011/05/18/security-breach-heres-how-expired-domains-expose-you-to-embarrassment-and-theft/
'David Andersson' on Mon, 23 May 2011 08:02:57 GMT, sez:
Thanks for sharing. A real wake-up call for me.
'Matt Casto' on Mon, 23 May 2011 12:40:37 GMT, sez:
This sounds completely stressful. I can only imagine the level of panic I'd feel if someone compromised my gmail.
I'm wondering what you meant by this step in the protect your email section:
"In gmail: don't let any other apps be associated with your account."
'Juan Manuel' on Mon, 23 May 2011 13:43:16 GMT, sez:
Sorry this happened to you, and the best of luck!
One question, why do you recommend disabling pop in gmail?
'Eduardo' on Mon, 23 May 2011 14:35:31 GMT, sez:
Why didn't they change your gmail password? And why didn't they change the nameservers? It smells like a prank (a scary one).
'Paul OFlaherty' on Mon, 23 May 2011 15:41:57 GMT, sez:
Maybe registrars could implement SMS verification on domain moves?
'zoasterboy' on Mon, 23 May 2011 16:30:46 GMT, sez:
By disable POP do you mean disable POP access to Gmail or disable Gmail from pulling mail from POP accounts?
I would assume disabling POP access to Gmail would make brute-forcing more difficult.
'Score_Under' on Mon, 23 May 2011 17:42:55 GMT, sez:
Do you have any idea how they got your email password?
'Andy Brice' on Mon, 23 May 2011 17:44:52 GMT, sez:
I think one of the commonest mistakes people make is using the same password for multiple sites/apps.
>Change your password often. For example, right now.
I don't see how that helps, except in the unlikely circumstances where they have got your current password, but haven't used it.
'lb' on Mon, 23 May 2011 21:00:31 GMT, sez:
I mean disable POP access to Gmail.
POP access allows for brute forcing:
And if they have a botnet, they can perform some *serious* brute forcing.
>I think one of the commonest mistakes people
>use is using the same password for multiple
Yes, agreed. Though that wasn't the case here.
Changing your password often helps if they are attempting to brute force your password.
>Why didn't they change your gmail password?
I expect for the same reason they set up the filters, and only stole one domain (my highest value one) -- they didn't want me to notice they'd been there.
'Stan' on Tue, 24 May 2011 09:24:09 GMT, sez:
I suggest changing your recovery options for whatever services you are using with that e-mail address - they're just as good as the password.
'Matt Chase' on Tue, 24 May 2011 12:56:47 GMT, sez:
Disappointed at GoDaddy, you would think they would offer this protection as standard...
'Luc' on Tue, 24 May 2011 13:09:22 GMT, sez:
Your real issue is you are dealing with GoDaddy. You actually never owned your domain name, GoDaddy owns it. You are just leasing it. If your site becomes super popular (millions of hits per day), GoDaddy can simply cancel you out and take over. Just go and read your contract...
'dusty' on Tue, 24 May 2011 13:44:07 GMT, sez:
Maybe the person that suggested a prank might be onto something. Have you considered that some (including myself) express a disgust at the owner of GoDaddy blasting defenceless animals (Elephants, etc...) to pieces for what has been described by him as in the interests of conservation!? For that reason and others suggested, I would not use their services. Sorry to hear about your predicament.
'austin' on Tue, 24 May 2011 13:54:05 GMT, sez:
Well crap, after reading this I went to my gmail and saw it had been accessed twice from addresses in China. I don't think I've accessed my gmail with a proxy so yeah... beautiful.
'Bespoke Software Solutions (http://www.controlf1.co.uk)' on Tue, 24 May 2011 14:01:16 GMT, sez:
Very scary. I will definitely be looking into your recommendations, particularly 'enhanced transfer protection' from GoDaddy. Thanks for posting this.
'Neal' on Tue, 24 May 2011 14:43:02 GMT, sez:
I'll tell you what helps me sleep better at night: the FREE two-step authentication that Google has now implemented for all consumer (free) and Business Apps user accounts. Once implemented, the difficulty in someone hacking your Gmail account is multiplied at least a bajillion times.
If you have a Droid or iPhone, there is the Google Authenticator App that generates a new key # every 30 seconds. Any new computer accessing your account must provide that key # to log in successfully. Machines you use frequently can keep you logged in for 15 days.
Here is a Google Support page on it: http://goo.gl/8Vl7u
'Abimaran' on Tue, 24 May 2011 14:59:11 GMT, sez:
Thanks for sharing about gmail security!
'JL' on Tue, 24 May 2011 15:02:12 GMT, sez:
Domain privacy should be a mandatory feature. Luc: Are you sure about that ? Do you know your contract ?
'james' on Tue, 24 May 2011 15:26:50 GMT, sez:
I found this article through codeproject.com but found it interesting because I spent most of yesterday helping my sister lock down her gmail account after a hacker got in and sent the "mugged in london" scam email (google it). What I told her was that hackers often hack smaller, less protected sites to get account info (emails and passwords) and then try the passwords against the email accounts. For example, if a small website like kidsdaycare.com (made up for example) has an email address and a password so that you can login to the site, and they get hacked, there is a pretty good chance that some of those passwords are reused by the people as their email passwords as well. The point is to make sure the password you use for your email is NOT used as a password anywhere else. In my sister's case they changed her password and had all of her incoming emails forwarded to a yahoo email that could be checked by the hacker. Good luck on your issue, getting hacked sucks. There are good lists of what to do if your gmail gets hacked to lock it down better; everybody should read them now.
'Lee' on Tue, 24 May 2011 15:33:43 GMT, sez:
I run several sites, including a traffic exchange and I hope you get this solved soon.
I cannot understand however, why you would use gmail for important emails such as domain names. I use a domain for all my emails about other domains and then emails on each domain. I have very little trust in gmail, hotmail or any other free email provider.
I would recommend that you use 1 domain as your email domain and let that go through gmail if you have to, better your ISP email account though, then use that as your email for all other domains.
Wondering if I can write this more cryptic than that.
'Robert' on Tue, 24 May 2011 16:36:32 GMT, sez:
If GMail can tell you "your account was access from China/India/Russia" then couldn't it also DENY such access in the first place?!!
'Ty' on Tue, 24 May 2011 18:04:34 GMT, sez:
@Lee, I put way more trust in my Gmail account than any ISP account. Google has a lot of really smart people watching and improving Gmail...adding things like 2-step verification, details about where you're signed in from, etc. My ISP gives a POP account and webmail without added security features like Google's. I think the bigger danger is weak passwords and putting all your eggs in one basket with a single email account.
But I think you're dead-on that people should use a separate account for managing domain registrations and the like.
'rich st' on Tue, 24 May 2011 19:20:55 GMT, sez:
I don't have a domain so this may be unnecessary or redundant, but shouldn't one use a separate gmail account for all access to the domain and make sure that gmail account has very high security? Maybe there should be two or more os emails coming from your domain (available to use or the view source) would also be separate.
Since gmail allows multiple accounts and very rich forwarding you can have things forwarded to a less secure account (cause you are using it often and for more things maybe) to get emails from the secure accounts.
'RC Roeder' on Tue, 24 May 2011 20:39:16 GMT, sez:
When having an issue with GoDaddy refer your complaint to President@godaddy.com. Bob does not like problems.
'Joseph' on Tue, 24 May 2011 22:27:53 GMT, sez:
I am somewhat an expert in the domain industry, and have a history with this subject, so I might be able to help. It is not too uncommon to hack into a gmail account and add a forwarding order. You may be able to file a WIPO for it too, but that is a last resort, as it is not cheap.
joe at slabaugh dot org
'Drongo' on Tue, 24 May 2011 22:35:55 GMT, sez:
What if this was an attack aiming to get you to do just what you did - a password-changing frenzy, thereby revealing all your new settings to an as-yet-undetected snooper? How's that for morbidly paranoid.
'Googler' on Tue, 24 May 2011 23:38:16 GMT, sez:
Looks like the WHOIS got updated. it now appears to have some information.
'Johan' on Wed, 25 May 2011 01:51:34 GMT, sez:
Hack him back. The registered email address is with gmail. I bet you Google will help you do it.
'Joseph' on Wed, 25 May 2011 01:57:17 GMT, sez:
I also suggest that you register the .org, and "park" it on your host for the site to make it so that it is an alternative URL, but once you get your domain name back, use google apps instead of gmail.
'Kevin' on Wed, 25 May 2011 02:00:09 GMT, sez:
And this is one of the reasons I run my own mail server instead of relying on the cloud. It can still get hacked, but it would be a one-off hack that requires a lot more effort than breaking into GMail.
'Shiju Alex' on Wed, 25 May 2011 05:49:17 GMT, sez:
Here is a document from Verisign, the registry for .net TLD
From the document, there seems to have some remote hope. But GoDaddy should intervene effectively.
Wish you get some positive results.
'Daniel15' on Wed, 25 May 2011 06:17:17 GMT, sez:
Very sorry to hear this! Quite a sad story :(
I'd strongly suggest setting up two-factor authentication. Not sure if it's available to normal Gmail users, but it's definitely available in Google Apps. Basically, before logging in to Gmail, if you've never logged in using that computer before, it sends you a code via SMS that you need to enter in order to log in.
When two-factor authentication is enabled, you can generate individual application-specific passwords. This lets you use POP3 safely - Use the app-specific password for POP3 access. The password doesn't actually let you log in to the Gmail site, just to use apps that use Gmail (like POP3, IMAP and Google Talk).
'snagy' on Wed, 25 May 2011 07:12:16 GMT, sez:
Hopefully our new Russian overlords will work on the UI of your blog a little bit...
'Jose Correia' on Wed, 25 May 2011 09:26:54 GMT, sez:
Well I got that initial warning as well, but it is from me using the TOR proxy. I'm at a client and I need access to gmail so I set up TOR to bypass the client's proxy... a bunch of us do it here, and we all get these gmail warnings, and because TOR goes through various hoops, each time the location of the warning differs... in your case though that is not the case.
'Joseph' on Wed, 25 May 2011 12:55:06 GMT, sez:
To tell a little of my story, I have hacked spammers and hijackers in the past, as well as had Deleted.com stolen not once, but twice. And yes I got it (and all other names I had hacked) recovered, but it was not an easy task. I should be able to help you.
'Price india' on Wed, 01 Jun 2011 16:00:45 GMT, sez:
Godaddy is highly threatened probably due to its popularity.
'tyler' on Fri, 03 Jun 2011 00:32:40 GMT, sez:
congratulations on getting your domain back... I hope to see part 2 of the saga to close it off and let us know the ins and outs of getting it back! Have you figured out how they actually got into the gmail account yet either? .. if it wasn't brute force (you said the password wasn't easy, nor was it used elsewhere?), then what?
'Alex' on Tue, 07 Jun 2011 08:50:58 GMT, sez:
I just submitted your story to HackerNews, hope you don't mind. Also, let the public know - have you gained control over your domain back or not yet?
'Daniel15' on Wed, 08 Jun 2011 02:54:34 GMT, sez:
@Alex: See the follow-up post - http://secretgeek.net/sg_hijack_2.asp
'Ed' on Fri, 10 Jun 2011 00:30:07 GMT, sez:
How about signing up at another (sympathetic, small) registrar and yanking it yourself? It isn't locked.
'hanko' on Wed, 10 Aug 2011 15:42:21 GMT, sez:
A very interesting story. I hope you win soon.
'Travis' on Mon, 30 Apr 2012 19:14:47 GMT, sez:
I have never, ever heard of domain hijacking, but I am not surprised... Great read. Thanks for the story.
'Totally pissed off' on Thu, 06 Sep 2012 05:24:45 GMT, sez:
Well, after years of renewing this particular domain name- and utilizing it for e-commerce a few times, I come to find, when I check on it today, that it has been hijacked. A FULLY OPERATIONAL SITE THAT IS NOT MINE, UNDER A DOMAIN NAME I OWN. How do I think this happened? Not opting for privacy of ownership- all my personal details were available if you were looking for this particular domain to buy. So while it was renewed and owned by me- someone clearly pretended to be me and got it hosted elsewhere. I cannot determine the host but they are using it as a news site. With all google links. I called the company I renew the name with and they could not answer me (technical help) and suggested I call billing tomorrow morning! Duh- you are the tech help people who SHOULD be able to explain how a hijacking took place with your company and my domain name but instead you want to dump me onto billing? How is someone in billing going to be able to tell me how my domain got hijacked? And like that lousy $15.00 refund is really going to make things better if you cannot get my domain name back? SO THE LESSON LEARNED? ALWAYS BUY THE PRIVACY PROTECTION SO NO ONE KNOWS WHO OWNS THE DOMAIN NAME-AND ALL THE CRITICAL INFO THAT SHOWS UP ONLINE WHEN YOU CHECK TO SEE IF A DOMAIN IS AVAILABLE FOR SALE- OR - WHO OWNS IT. Lesson learned the hard way :-(