NameStarter.com :: domaining business blog // Domaining for Domainers

Archive for the ‘domain theft’ Category

Good News: YH.com Returned to Rightful Owner

April 8, 2010 | domain theft, Domaining, Domainnamewire, Policy & Law

Owner gets domain name back after long ordeal.

Last week I wrote about the domain name YH.com, which was stolen from its owner and offered for sale. I received good news today: the owner has gotten the domain name back.

The entire domain name industry should pat itself on the back for stepping up to the plate. According to T.M. Camp, whom I interviewed for the previous story, the domain name was returned thanks to “some concerted efforts by GoDaddy, Escrow.com, Verisign, and a number of others.”

Individual domainers deserve some credit, too. As the domain name was in the process of being sold by the thief, a number got involved in some way. One domainer, who realized the domain was stolen, told the thief he would buy the domain and set up an Escrow.com transaction. His goal was to get the seller to stop trying to sell the domain by stalling. Also, a number of domain blogs and forums publicized the theft, which certainly slowed down the thief’s efforts as well.


© DomainNameWire.com 2009.


RL.com Case Shows What Can Happen if You Buy a Stolen Domain Name

April 7, 2010 | charles carreon, domain theft, Domaining, Domainnamewire, Policy & Law

Buyer of hijacked RL.com domain name has spent dearly on legal bills.

In light of recent domain thefts, you might ask yourself what can happen if you happen to buy a stolen domain name. Look no further than the case of John Laxton, who bought the domain name RL.com for $15,000 in 2005.

RL.com was originally registered by Dale Mayberry in 1995. He also owned the domain name mat.net, and used a mat.net email address as the registered contact for both RL.com and Mat.net. The domain name mat.net expired, letting another party register it and use it to get access to the RL.com domain name in a fashion similar to what recently happened with PRFirm.com.
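The dependency described above can be audited across a portfolio. The following is an added example, not part of the original article: it flags domains whose registered contact address lives on a domain that has lapsed or is about to, and shows how many names each contact domain controls. All domain names, addresses, dates and the 60-day warning window are constructed placeholders.

```python
from datetime import date

# Constructed portfolio: domain -> expiry date and registered contact address.
PORTFOLIO = {
    "aa.example":   {"expires": date(2011, 5, 1),  "contact": "admin@mail.example"},
    "mail.example": {"expires": date(2010, 4, 20), "contact": "admin@mail.example"},
    "shop.example": {"expires": date(2010, 12, 1), "contact": "owner@webmail.invalid"},
}
TODAY = date(2010, 4, 7)  # constructed "current" date for the sample run


def email_domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[1].strip().lower()


def contact_risks(portfolio, today, warn_days=60):
    """Return (domain, finding, contact_domain) tuples, sorted by domain.

    warn_days is an assumed threshold; tune it to your renewal process.
    """
    findings = []
    for name, rec in sorted(portfolio.items()):
        cdom = email_domain(rec["contact"])
        if cdom == name:
            # The domain's own mailbox is its recovery channel: once the
            # domain lapses, the owner cannot receive registrar mail either.
            findings.append((name, "SELF_REFERENTIAL_CONTACT", cdom))
        dep = portfolio.get(cdom)
        if dep is None:
            # Contact lives on a domain we hold no expiry data for.
            findings.append((name, "CONTACT_DOMAIN_NOT_TRACKED", cdom))
            continue
        days_left = (dep["expires"] - today).days
        if days_left < 0:
            findings.append((name, "CONTACT_DOMAIN_EXPIRED", cdom))
        elif days_left <= warn_days:
            findings.append((name, "CONTACT_DOMAIN_EXPIRING_SOON", cdom))
    return findings


def blast_radius(portfolio):
    """Map each contact domain to the domains that depend on its mailbox."""
    radius = {}
    for name, rec in portfolio.items():
        radius.setdefault(email_domain(rec["contact"]), []).append(name)
    return {k: sorted(v) for k, v in radius.items()}


if __name__ == "__main__":
    for finding in contact_risks(PORTFOLIO, TODAY):
        print(finding)
    print(blast_radius(PORTFOLIO))
```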

Mayberry later found out what happened, and demanded that Laxton return the domain name he had purchased. By the time this happened, Laxton had already incurred significant legal expenses fighting off an attack under UDRP by Ralph Lauren for the domain name.

In October 2007, Mayberry filed a second amended complaint against Laxton and others involved with the domain name. A district court agreed on two of the counts, and ordered the domain name returned to Mayberry. Laxton appealed, and the Court of Appeals for the Ninth Circuit agreed in part that the district court erred (pdf).

One of Mayberry’s lawyers on the case is Charles Carreon, who himself was involved in the high profile case of the theft of Sex.com. The Ninth Circuit court in this decision was also involved in the sex.com case.

So the saga continues. RL.com is currently owned by well-known domainer Richard Lau but held in care of lawyer Carreon’s law firm.

(Hat tip Bret Fausett)



VeriSign Offers Tools to Secure Domain Names

April 7, 2010 | domain security, Domain Services, domain theft, Domaining, Domainnamewire, registry lock, VeriSign

Two tools from VeriSign help keep your domain names secure.

With a couple of recent high-profile domain thefts, and the recent hijacking of Baidu’s nameserver settings, I reached out to VeriSign Chief Technology Officer Ken Silva to learn what VeriSign offers to help domain owners protect themselves.

“Over the next 12 months, we’re working so that from the time a person registers a domain name and creates an account to when it gets resolved, almost every single solitary aspect of the process will have the ability to be much more secure,” said Silva.

A number of protections are already offered to VeriSign’s registrar channel to help lock down domains.

VeriSign Registry Lock is a service that would have prevented the hijacking of Baidu.com’s nameservers.

“Once the domain is set and configured with its nameservers, it cannot be changed by anyone except the registry itself,” explained Silva.

Registry Lock essentially locks down the domain at the registry level. Anyone wishing to make a change that is controlled by the registry needs to go through their registrar, which in turn passes along verification to VeriSign.

Since VeriSign manages .net and .com, which use a “thin whois”, this basically means the name servers are protected. Information about the registered user is held only by the registrar, so VeriSign can’t directly protect a change to the registered user with this lock. Registry Lock is an ideal service for Fortune 500s and other companies that rarely need to change their name servers, but would be significantly affected by a hijacking. This service certainly would have saved CheckFree and Baidu a lot of money and public relations headaches.
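A domain owner can check from whois output which level of lock is in place. The following is an added example, not code from the article or from VeriSign: a registry-level lock typically appears as the EPP "server...Prohibited" status codes, a registrar-level lock as "client...Prohibited", and the name servers can be compared against a known-good baseline. The whois excerpts and host names are constructed placeholders.

```python
import re

# EPP status codes (RFC 5731): "server*" values are set by the registry,
# "client*" values by the registrar.
REGISTRY_LOCK = {"serverupdateprohibited", "servertransferprohibited",
                 "serverdeleteprohibited"}
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.I | re.M)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.I | re.M)

# Constructed whois excerpts for a placeholder domain (not real lookups).
WHOIS_REGISTRY_LOCKED = """\
   Domain Name: EXAMPLE.COM
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
"""
WHOIS_REGISTRAR_LOCKED = """\
   Domain Name: EXAMPLE.COM
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Status: clientTransferProhibited
"""
WHOIS_AFTER_HIJACK = """\
   Domain Name: EXAMPLE.COM
   Name Server: NS1.ROGUE-DNS.EXAMPLE
   Name Server: NS2.EXAMPLE.NET
   Status: ok
"""


def statuses(whois_text):
    """Collect the status codes listed in a whois response, lower-cased."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}


def name_servers(whois_text):
    """Collect the delegated name servers, normalised for comparison."""
    return {m.group(1).lower().rstrip(".") for m in NS_RE.finditer(whois_text)}


def lock_level(whois_text):
    """Return (level, registry-level statuses that are missing)."""
    found = statuses(whois_text)
    missing = sorted(REGISTRY_LOCK - found)
    if not missing:
        return "registry-lock", missing
    if "clienttransferprohibited" in found:
        return "registrar-lock", missing  # transfer blocked at registrar only
    return "unlocked", missing


def ns_drift(whois_text, expected):
    """Return (unexpected, missing) name servers versus a known-good baseline."""
    seen = name_servers(whois_text)
    baseline = {ns.lower().rstrip(".") for ns in expected}
    return sorted(seen - baseline), sorted(baseline - seen)


if __name__ == "__main__":
    baseline = ["ns1.example.net", "ns2.example.net"]
    for label, text in [("registry locked", WHOIS_REGISTRY_LOCKED),
                        ("registrar locked", WHOIS_REGISTRAR_LOCKED),
                        ("after hijack", WHOIS_AFTER_HIJACK)]:
        print(label, lock_level(text), ns_drift(text, baseline))
```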

VeriSign also offers two factor authentication, which enables registrars to more securely authenticate logins. Domain owners don’t have to worry about passwords getting compromised because a second authentication mechanism is used.

For example, Name.com offers a key fob with constantly changing security pins.

In another example, domain owners can download an iPhone app that is then registered with the service. Whenever a user logs in to his registrar account, the app will provide a one time pin or password for authentication. VeriSign already offers this service for non-domain web sites, such as PayPal.

Helping registrars offer services to protect registrants is a big part of VeriSign’s security push. But it also goes further as the company wants to protect the entire domain transaction — including visiting any .com web site. VeriSign is currently implementing DNSSEC. Look for it to be applied to .edu first, then rolled out to .net and .com.



8 Clues a Domain Name is Stolen

April 5, 2010 | domain theft, Domaining, Domainnamewire, Policy & Law, stolen domains

8 warning signs a domain name is stolen.

Over the past few days we’ve learned about a number of domain name thefts, including YH.com and VL.com.

People typically steal domains with the hopes of selling them before word gets out that the domain is stolen. Here are 8 clues a domain name you’re thinking about buying is stolen. Just because one of these is true doesn’t mean a domain is stolen; but you should use caution.

1. Person claims they must sell the domain fast – there are legitimate reasons for needing to sell something quickly, such as to raise needed cash. But it’s also a warning sign that something else is at play. So when there’s a sense of urgency, be suspicious.

2. The seller emphasizes the need to use a particular, unsecure payment method instead of traditional escrow services – this is usually PayPal (which offers absolutely zero protection to domain buyers), or some sort of PayPal knock-off. If a seller requests a wire transfer and rules out any sort of escrow, you should also be wary.

3. Domain owner sends you an unsolicited PM on a domain forum – if someone sends you a PM out of the blue offering a domain for sale, ask yourself why they wouldn’t have posted the domain for sale on the forum itself? Surely that would maximize their return rather than just sending a one-off message to you.

4. Seller has a short history on domain forums – if you are transacting on a domain forum, make sure the seller has been an active user of the forum for a long period of time.

5. Person sends an unsolicited email to you with a few quality domains for sale – whenever someone sends you a sales pitch rather than you contacting them, your risk goes up. Of particular concern is when someone sends you an email out of the blue with a good deal for a 2 or 3 character domain name. If the domains are good, people won’t resort to unsolicited emails to sell the domains. I’m not talking about those annoying emails from someone listing hundreds of crappy domains they’re trying to sell.

6. The domain was recently transferred to a second-tier domain name registrar – if a domain was transferred from a top 10 registrar to one you’ve never heard of, ask the seller why.

7. The whois information changed recently – if the whois for a domain you’re buying changed recently, you need to ask the seller why. Just because the whois changed doesn’t mean it’s stolen. A lot of people quickly flip domains. But it’s also a warning sign. Run away from any domain that has transferred ownership several times in the past year. Be wary of any domain that suddenly changes whois information and is transferred to another domain registrar. If you are an active buyer, you owe it to yourself to use DomainTools’ whois history service to verify domains you’re buying.

8. The price is too good to be true – this goes for just about anything in business, but especially domain names. If someone emails you offering to sell a 2 letter .com domain for $25,000, it’s probably stolen. If someone posts Recent.net, Than.net, and They.net on Flippa for $1,000, they’re probably stolen.

Here are three take-away tips:

- Ask questions! You’ll find holes in the seller’s story. Or they’ll just give up and move on to easier prey.

- Ask to talk on the phone. If someone won’t take a simple phone call for a five figure transaction, they probably have something to hide.

- It’s your responsibility to research the history of a domain on DomainTools.
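Clues 6 and 7 can be checked mechanically once you have a domain's whois history. The following is an added example, not part of the original article and not a DomainTools API: it takes dated whois snapshots and reports recent registrar transfers, recent whois changes, both happening together, and repeated ownership changes within a year. The snapshots, names and thresholds (90 days for "recent", two changes for "several") are constructed assumptions.

```python
from datetime import date

FIELDS = ("registrar", "registrant", "admin_email")
TODAY = date(2010, 4, 5)  # constructed "current" date for the sample run


def snap(d, registrar, registrant, admin_email):
    return {"date": d, "registrar": registrar,
            "registrant": registrant, "admin_email": admin_email}


# Constructed whois-history snapshots (placeholder names, not real records).
STABLE = [
    snap(date(2008, 5, 1), "Registrar A", "Alice Example", "alice@example.net"),
    snap(date(2009, 5, 1), "Registrar A", "Alice Example", "alice@example.net"),
    snap(date(2010, 3, 1), "Registrar A", "Alice Example", "alice@example.net"),
]
SUDDEN_MOVE = [
    snap(date(2009, 1, 10), "Registrar A", "Alice Example", "alice@example.net"),
    snap(date(2009, 11, 2), "Registrar A", "Alice Example", "alice@example.net"),
    snap(date(2010, 3, 20), "Registrar B", "Domain Administrator",
         "alice.example@webmail.example"),
]
FLIPPED = [
    snap(date(2009, 2, 1), "Registrar A", "Owner One", "one@example.net"),
    snap(date(2009, 7, 15), "Registrar A", "Owner Two", "two@example.org"),
    snap(date(2009, 12, 1), "Registrar A", "Owner Three", "three@example.com"),
]


def changes(history):
    """Return (date, changed_fields) for each snapshot that differs from the one before."""
    out = []
    for prev, cur in zip(history, history[1:]):
        fields = [f for f in FIELDS if prev[f] != cur[f]]
        if fields:
            out.append((cur["date"], fields))
    return out


def red_flags(history, today, recent_days=90, window_days=365, several=2):
    """Return (code, detail) pairs; thresholds are assumptions, not fixed rules."""
    flags = []
    in_window = [(d, f) for d, f in changes(history)
                 if 0 <= (today - d).days <= window_days]
    for d, fields in in_window:
        if (today - d).days > recent_days:
            continue
        moved = "registrar" in fields
        whois_changed = "registrant" in fields or "admin_email" in fields
        if moved and whois_changed:
            flags.append(("WHOIS_AND_REGISTRAR_CHANGED", d))
        elif moved:
            flags.append(("RECENT_REGISTRAR_TRANSFER", d))
        elif whois_changed:
            flags.append(("RECENT_WHOIS_CHANGE", d))
    owner_changes = sum(1 for _, f in in_window if "registrant" in f)
    if owner_changes >= several:
        flags.append(("SEVERAL_OWNER_CHANGES", owner_changes))
    return flags


if __name__ == "__main__":
    for label, hist in [("stable", STABLE), ("sudden move", SUDDEN_MOVE),
                        ("flipped", FLIPPED)]:
        print(label, red_flags(hist, TODAY))
```

An empty result only means the history shows none of these patterns; as the article says, a flag is a reason to ask the seller questions, not proof of theft.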



VL.com Domain Name Stolen, Too. Here’s the Inside Story.

April 3, 2010 | domain theft, Domaining, Domainnamewire, dreamhost, Policy & Law

Beware: more stolen domain names.

Yesterday I reported about the theft of YH.com. It turns out another valuable domain, VL.com, was also recently stolen. In this case it appears the weak link was web hosting company Dreamhost. That’s also the host in the YH.com case, although the actual weak link in that case hasn’t been determined.

It wasn’t Dreamhost’s automated systems that are to blame. It was a human mess up, just like when Baidu’s DNS was hijacked. A number of registrars and web hosting companies add human elements to security systems, thinking this will improve security. In reality, it is often the weak link.

Here’s the story, as Tom Metro of Venture Logic relayed to me via email. You can read a more in-depth account here.

In brief, a directed attack using social engineering was perpetrated against my domain registrar, Dreamhost, and due to multiple failures on their part, they granted the attacker access to my account, froze me out, and hampered my ability to halt the attack.

This started Saturday night, and by Sunday afternoon, given lax response from Dreamhost, the attacker had succeeded in transferring my vl.com domain, which is considered of high value due to being only two letters, to a foreign registrar located in the Bahamas.

See this mailing list thread for an “as-it-happened” account:

Included in my posts are laughable chat transcripts between the attacker and the Dreamhost support personnel, where support people were more than happy to update contact info, supply plain text passwords, and force through a domain transfer.

Clearly, humans were the weakest link in this system.

The good news is that the attacker never succeeded in compromising my email account used as the domain contact (despite a few attempts) and the foreign registrar has been convinced that there was enough fishy about the transfer to put modifications on hold. So for the time being my name server records are safe, and they haven’t gained access to my vl.com email traffic. (Though I’m pretty sure they only care about the domain itself.)

Monday the attackers made attempts to reset the password on my Google hosted account used as the contact address for the domain. Undoubtedly so they can leverage it to send a forged letter to the foreign registrar. This attack included another attempt to social engineer the Dreamhost support people (where the DNS was hosted for this other Google hosted domain; Google uses your ability to add a CNAME record to a domain’s DNS as proof of account ownership), but fortunately by this point Dreamhost was wise to the trick. Amazing they hadn’t yet disabled the “live chat” support feature that enabled key parts of the forgery (though it appears to be disabled now).

Tuesday morning the foreign registrar concluded their investigation, agreeing that it was fraudulent circumstances and started the return process. And currently the return is still being processed by Verisign.

I’ve reported the attack to the local police and the FBI, and had a long conversation with the supervisor of the FBI Cyber Squad in Boston.

Dreamhost reports that there were other customers of theirs victimized (who also had domains stolen, but from other registrars). There is indeed a rash of domain thefts happening.

On Tuesday I was contacted by someone from Iran using the same anonymiser IP address as the attacker offering to help recover or purchase my domain. He curiously had a portfolio of 2-letter domains.

I would be happy to share forensics with any other victims.



Warning: YH.com Domain Name Stolen

April 2, 2010 | domain theft, Domaining, Domainnamewire, Policy & Law

Valuable two letter domain name YH.com has been stolen.

The domain name YH.com has been hijacked from its owner and the thief is trying to sell it.

The domain’s owner is Jaynell Hogan, who was properly identified in the whois database until March 26, when the domain name was suddenly transferred from Go Daddy to DOMENESHOP AS. The whois record changed to “Domain Administrator”. The thief then created a Gmail address using Hogan’s name, which is currently listed as the administrative contact.

T.M. Camp, Web Strategist for Hogan’s company Gazillion & One, explained what happened in an interview with Domain Name Wire.

“Early last week I started to get some notifications from our hosting provider Dreamhost and from Go Daddy that someone was attempting to transfer a couple of our domains, one of which was gazillion1.com,” explained Camp. He said he replied to the emails stating not to transfer the domains.

Camp explained that the company uses Gmail (Google Apps) for its email. Later in the week Camp realized that someone had compromised the Gmail accounts. They changed the administrative passwords, which locked them out of their accounts. They also got access to the company’s hosting accounts.

YH.com wasn’t connected to any of that hosting. But with access to the corporate accounts, the thief was then able to access the account connected with YH.com. From there, transferring the domain was simple.

Companies with valuable domain names should consider extra locking and security services offered by domain name registrars. Go Daddy offers such a service, and VeriSign now offers “registry lock” service that can also add protection.

Remember, if someone approaches you about buying a domain name quickly at a discount price, be wary. Especially if it’s a two or three letter domain name. If you see any forum postings offering YH.com for sale, please comment with the information.



Allegedly Stolen Domain Names Resold on Flippa

March 22, 2010 | domain theft, Domaining, Domainnamewire, Policy & Law, udrp

Thief resold domain names on Flippa to unsuspecting domain buyer.

A National Arbitration Forum panel has refused to hand over the domain names Recent.net, Than.net, and They.net in a UDRP decision.

I wrote about the case earlier this month, suggesting that the UDRP dispute must be over stolen domain names. UDRP is sometimes used to regain control of stolen domain names, but the complainant needs to be able to show trademark rights to the domain names. In this case the complainant admitted he had no trademark rights to the generic recent.net, than.net, and they.net domains.

The complainant says he bought the domain names on June 30, 2009, but his Go Daddy account was later compromised and the domains transferred to the thief.

The respondent claims he bought the domain names on December 20, 2009 along with others for $1,000 at domain and web site marketplace Flippa.com. He says Flippa verified the seller by telephone. He also contacted the email addresses listed in the WHOIS to verify that Respondent was dealing with the owner and used an escrow service to effect the transaction.

Just because he won the UDRP doesn’t mean the buyer is safe yet. The fact that Flippa verified the current owner of the domains means little, and using an escrow service doesn’t help you avoid buying stolen domain names. In this case, the buyer would have been wise to look at the whois history for the domains, rather than just looking at the current whois. As I pointed out in my earlier article, the whois records for these domains have been erratic — a common sign of theft.



DingBats.com Case Discusses Pool.com Lawsuit Over Domain Theft

January 21, 2010 | domain theft, Domaining, Domainnamewire, Policy & Law, pool.com

Case sheds light on Pool.com lawsuit against former registrar partner.

A National Arbitration Forum panel has awarded the domain name Dingbats.com to the complainant in a case against a Pool.com entity. What makes this case interesting is not that Dingbats is a generic term (don’t make me start writing in dingbats!), nor that the complainant bought the rights to a trademark for Dingbats for watches just recently, nor that the domain was originally owned by the previous trademark holder who let it expire over five years ago.

OK, so those are all interesting. But what’s more interesting is how expired domain name service Pool.com came to own the domain name. In its response, “Pool.com In Trust” explains that it was awarded the domain name in a lawsuit against one of its former domain registrar partners.

According to Pool, it registered the Dingbats.com domain name on behalf of a customer in 2004 and placed the domain with a partner registrar, Best Registration Services. Pool writes that the registrar originally put the domain in its customer’s name, but then stole the domain name back. Pool was forced to give a refund to the customer (along with other customers who were affected). Pool sued Best Registration Services, and a court awarded Pool a collection of domain names that were stolen by the registrar after Pool.com won them for its customers.

Crazy, huh? Almost as crazy as awarding this domain name to the complainant.



Indictment Shows Ease of Hijacking Domain Name

November 20, 2009 | comcast.net, domain hijacking, Domain Registrars, domain theft, Domaining, Domainnamewire, lawsuits

Three hackers indicted for hijacking domain name.

An indictment against three hackers involved in hijacking the Comcast.net domain name last year shows how easy it is to pull it off: just get access to the administrative contact’s email address.

The U.S. government has charged three hackers with doing just that, and using the email address to change the nameservers on Comcast.net at domain name registrar Network Solutions.

Blame the hackers, but also Comcast for not having security measures in place with their registrar. Moniker, Fabulous, and GoDaddy each have optional security tools available that make it harder to make changes to DNS.

If I were a registrar, I’d offer a gold standard security measure to big companies for critical domains. It would be expensive — something like $10,000 a year — but would guarantee that incidents like this don’t happen.

In order to make any change to the DNS or ownership of a domain, a representative of the registrar would literally fly to the headquarters of the company to meet in person. Over the top? I don’t think so. If I were the CTO of a Fortune 500 company, I’d gladly pay this amount as an insurance policy.



New Jersey Indicts Alleged Domain Thief

November 16, 2009 | domain theft, Domaining, Domainnamewire, Policy & Law

New Jersey hands down first ever indictment for domain theft.

New Jersey today handed down an indictment (pdf) against Daniel Goncalves, alleged thief of the P2P.com domain name. The Division of Criminal Justice Major Crimes/Computer Analysis & Technology Unit obtained a seven-count state grand jury indictment for theft by unlawful taking, theft by deception, computer theft, and identity theft, all in the second degree, and three counts of fourth-degree falsifying records.

Goncalves was arrested in July after an investigation by New Jersey police. He allegedly broke into a GoDaddy account owned by P2P.com, LLC and transferred the domain away. He later sold it on eBay for over $100,000 to NBA basketball player Mark Madsen.

In a press release, New Jersey Attorney General Anne Milgram said, “In the big money marketplace of the Internet, a popular domain name is like prime commercial real estate. The indictment charges that this defendant hacked into an online account of P2P.com, LLC, stole their domain name, and sold it to an unsuspecting customer on eBay for approximately $111,000.”

