Domain Theft-for-Ransom Hits css-tricks.com and Others
An anonymous reader writes "Chris Coyer at css-tricks.com has had his domain transferred from GoDaddy.com to a registrar in Australia where it's being held for ransom. Several other domains have experienced the same theft by what seems to be the same person, and the registrars seem helpless to do anything about it."
Umm.... (Score:5, Informative)
Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?
Re:Umm.... (Score:4, Interesting)
From TFA: "We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back." Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?
I don't know about theft as much as mismanagement by GoDaddy. If the domain was not expired then it should be reverted back to the rightful owner. If it actually did expire he may be SOL (although that is pretty low of GoDaddy to not at least give him notice).
Re:Umm.... (Score:4, Informative)
That would be the job of ICANN or WIPO.
Neither of which care to step in and make the effort unless forced to.
Re:Umm.... (Score:4, Insightful)
It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.
Re:Umm.... (Score:5, Informative)
It's certainly a crime, but it is fraud, not theft (just as copyright infringement is not theft). Theft involves deprivation of possession of chattel property.
Re:Umm.... (Score:5, Funny)
Well, I thought it was the pirating <= theft brigade that modded people into oblivion.
Re: (Score:3)
I thought it was the modding == theft brigade that the pirates send into oblivion
Re:Umm.... (Score:5, Informative)
Legally fraud is a form of theft, i.e. theft by deception.
Re: (Score:3)
Really? Soon romance will be theft because someone stole a young girl's heart...
Re: (Score:2)
No. Fraud is fraud, and theft is theft. There are frauds, which don't cause the transfer of ownership of something to the fraudster or any person affiliated with him.
Re:Umm.... (Score:5, Interesting)
And the perps haven't deprived the victims of their property? Not sure what you mean here.
With copyright infringement, the original owners still have their stuff. With this, the victim doesn't.
Re:Umm.... (Score:5, Insightful)
Erm, that argument doesn't fly here... because the -control- over the domain was seized away. It's not like it was just copied, like the whole "pirating != theft" argument has at its heart.
Re: (Score:2)
Since the 'victim' doesn't have use of the said domain any longer, I'd say it qualifies as theft.
Re: (Score:2)
Well, Coyer has been deprived of something, namely the domain name. So no, it's not like ignoring copyrights, but rather like hijacking all your mail by somehow convincing the post office to forward it to you instead. Which is theft.
Re:Umm.... (Score:5, Insightful)
It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.
I just transferred a domain from GoDaddy to a preferred registrar. All I needed, and all I should need, was my username and password.
If I let my username and password fall into the hands of somebody else, which I believe is the case here, and they transferred the domain then firstly, godaddy are not at fault, and secondly, godaddy can't actually do anything about it because they don't own the domain anymore. It's a bit rude of them to not offer more assistance in terms of providing evidence to help the owner prove his ownership to the new registrar, eg maybe the access was from an IP address in a different country than the owner resides, etc, but that's hardly grounds for a civil suit for damages.
If you buy a domain from a registrar who doesn't charge you enough to offer assistance when something goes wrong, and have a reputation for this, then you kind of get what you deserve.
IMHO, GoDaddy aren't evil, just cheap, and are just a product of our collective race to the bottom in terms of not caring about quality of service when buying a product and only complaining about it when something goes wrong.
Re:Umm.... (Score:5, Informative)
and secondly, godaddy can't actually do anything about it because they don't own the domain anymore.
There are things they can do about it, the ICANN Inter-Registrar Transfer Policy [icann.org] says so, so does the ICANN Transfer Dispute Resolution Policy [icann.org],
Re: (Score:2)
A username and password should not be sufficient, especially if the domain name has a registrar lock. My domain registrar (BulkRegister aka eNom) requires two-factor authentication to do anything.
Sounds like you got what you paid for then... in a good way :)
Seriously though, there is a place for a low cost, no frills registrar for domains you aren't particularly attached to and that nobody is going to hold for ransom because they aren't worth the effort. Using such a registrar for a domain that's actually worth something to you is probably a bad choice though.
Re: (Score:2)
It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.
How? If Godaddy received a genuine transfer request then they did the right thing by not blocking it. Registrars are supposed to comply with requests from the domain administrator. If that person has poor security it isn't godaddy's fault.
Re: (Score:2)
GoDaddy locks the domain by default, and even if you do unlock the domain you need an EPP or Authinfo code for .COM and other major GTLDs to effect a transfer.
None of that helps at all if your e-mail account is hijacked, though; and doesn't really protect you against intra-registrar transfers.
As for the "auto-renewal" service, don't trust it necessarily.
There have been reports in the past of registrars' auto-renewal failing to auto-renew certain highly desirable domains.
Of course the story could be th
Re: (Score:3)
Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?
There's always an option to open a UDRP dispute. Although it is expensive to execute the process, it would likely result in the domain being returned to the rightful owner.
Re:Umm.... (Score:4, Insightful)
Yeah but that's not counting international law which would apply here. It's quite likely these people will need to sue in whatever country has the domain.
Re:Umm.... (Score:5, Insightful)
In this case it's lucky the domain was moved to an Australian registrar and not China, or Russia. Legal action against the gaining registrar isn't out of the question.
Don't Use GoDaddy (Score:5, Interesting)
Don't use GoDaddy.
If you needed any more reasons to stay far away from GoDaddy and their shitty advertising, RTFA.
So far they have found this has happened to around 12 accounts, all within the "Web Design" genre (so most likely a targeted attack).
There is no accessible log from within your GoDaddy account to see what/when things happened.
They do [claim to] have access logs, but they can't [won't] share that information with me.
The domain was transferred away from GoDaddy the evening of Nov 20th
They [claim to] have, but cannot [won't] provide me with, the email address used to transfer the domain away.
GoDaddy confirmed my global account email has never been changed, but it WAS changed for the domain css-tricks.com prior to the move.
The request to unlock the domain happened on Nov. 14th at 4:30pm Mountain Time. Normally there is a 5-7 day waiting period, but GoDaddy offers instant transfer and they remarked that it was unusual that the hacker chose not to do that.
They confirmed no other domains have left my account.
[Stuff in brackets is mine.]
So out of curiosity, (Score:3)
Who is a reputable registrar these days? Does such a thing exist?
Re:So out of curiosity, (Score:5, Informative)
> Who is a reputable registrar these days?
Gandi.
Re:So out of curiosity, (Score:5, Interesting)
If only I had mod points. Gandi is by far and without a doubt the best domain registrar out there. Hell, if they were double or even triple the price of GoDaddy, I'd still be using them. (From what I've seen their prices are on par with everyone else.)
Re:So out of curiosity, (Score:4, Informative)
:) We switched to them from Dotster. If you are from the USA the price is better than advertised too. They don't charge VAT and that is a HUGE percentage of the fee. The only complaint I have is the free SSL certificate is confusing/misleading. Or maybe it is just me not understanding things well enough although I doubt it. You have to install the free Gandi certificate in the browser you are using or something like that. In other words it isn't something you can actually use for business or even a personal web site unless you have control over the computers from where you/others will be accessing it from. Therefore what good is it over accepting your own ssl certificate? I know I sound like an idiot as I'm wrong in my explanation. Hopefully you understand what I'm trying to say though.
Re:So out of curiosity, (Score:5, Informative)
Nope, you misunderstand. I got them to issue one of the free certs for one of my domains (I use Gandi for all of my registrations), and it works perfectly with all major browsers out of the box.
All you have to do is add Gandi's intermediate certificate (the cert that links their signature on your free cert to the base CA cert that's in everybody's browser), but you do that on your server (web/mail/whatever) and offer it up as part of the SSL negotiation. It works perfectly, and transparently. It is definitely NOT like the hassle of a self-signed certificate, where you DO have to either add the "security exception" to every client's browser, or get them to install your cert into their browser ahead of time.
Re:So out of curiosity, (Score:5, Informative)
Gandi rocks, no doubt about it. However, they cannot protect a domain owner from the US government.
I have my domain there because they respect the rights of a domain owner far more than other registrars, but there's nothing they can do if the US government wants a domain in a US-hosted top level domain. When it comes to .com, .net, or .org, NSI is all that matters. And unfortunately, they don't care about domain owners.
Re: (Score:3)
NSI doesn't matter. It's Verisign you need to be afraid of.
Re: (Score:3)
it makes it much harder for a U.S. court to seize your domain on a whim.
It also makes it much harder for you to sue them, if they do something bad and it hurts you or you lose the domain or uptime as a result.
Re: (Score:2)
it makes it much harder for a U.S. court to seize your domain on a whim.
Wouldn't it make it easier for some other government to seize it on a whim?
I mean, that may be the determination that you've made, that this is less of a risk, but I'm just saying.
Re: (Score:2)
Thirded. Been with them since they were one of the first ICANN registrars outside of Network Solutions. Like their motto says, "no bullshit"
Re:So out of curiosity, (Score:5, Informative)
Who is a reputable registrar these days?
The top of the line is MarkMonitor [markmonitor.com]. If you have to ask how much they cost, you can't afford them. They're the registrar for "gm.com", "ford.com", "bankofamerica.com", etc. If something goes wrong with one of their domains, alarm bells ring at their monitoring center and DNS experts, investigators, and lawyers swing into action.
Network Solutions can be difficult to deal with, but they register enough corporate domains that they have a support organization that's not a joke.
GoDaddy is generally considered to be near the bottom of the heap. You might register your personal blog with GoDaddy. Maybe.
Down at the bottom is eNom, the leader in junk domain registration. That's where you register your 100,000 typosquatting domains.
Re: (Score:2)
I've been happy with gkg.net. I like that they started offering IPv6 glue records very early.
Re:Don't Use GoDaddy (Score:5, Interesting)
Don't use GoDaddy.
To be fair, this wasn't strictly a GoDaddy Issue. TFA stated:
This is not isolated to GoDaddy. Original registrants varied, see below.
Which then listed multiple GoDaddy's, a 1and1.com, and a NetworkSolutions.com. This sounds more like the fact that GoDaddy happens to be the big horse (ala Microsoft) so it's likely going to be attacked the most. Not using GoDaddy might be good advice but it seems like it's also not a guarantee.
The bigger issue is that there's no authoritative way to quickly re-gain such lost domains. And domain name disputes are always a huge PITA. Given the value of a domain name and how easy it is to sit on it once stolen, costing some business tons of money, I wouldn't be surprised if this starts happening more.
One thing that keeps popping out is the fact that they're all being xfered to PlanetDomain.com. ICANN needs to revoke their ability to register domains.
For the curious (Score:5, Informative)
That phone number looks like a valid aussie mobile number. Who answers?
Domain Name: CSS-TRICKS.COM
Reseller..............: PlanetDomain Ltd Pty
Created on............: 4 Jul 2007 16:26:57 EST
Expires on............: 4 Jul 2019 16:26:57 EST
Record last updated on: 21 Nov 2011 16:20:33 EST
Status................: ACTIVE
Owner:
oca
(465144)
Bakulina 12,
Kharkiv, gras 61166
Austria
Phone: +61.4354353455
Email:
Administrative Contact, Billing Contact:
oca
(465143)
Bakulina 12,
Kharkiv, gras 61166
Austria
Phone: +61.4354353455
Email:
Technical Contact:
oca
(465145)
Bakulina 12,
Kharkiv, gras 61166
Austria
Phone: +61.4354353455
Email:
Domain servers in listed order:
No name servers present.
Re:For the curious (Score:4, Informative)
Ummmm, Graz is a town on the Mur in Austria, not Australia. However +61 is the country code of Australia. Some sort of bizarre joke.
Re: (Score:3)
It's a dormitory for students of Kharkov's National University of Radioelectronics -- sounds like a likely place for the cracker to be from.
phone number looks like hex string (Score:4, Interesting)
Did anyone else notice that the phone number looks like a hex string?
43:54:35:34:55 => CT54U
it doesn't look particularly meaningful unless they were stupid enough to encode a password or something in it.
Re: (Score:2)
or "aCT54U" if you were to include the country code... still seems meaningless, maybe just a coincidence
Re:phone number looks like hex string (Score:5, Insightful)
1337-speek for "Acts for you"
Re: (Score:2)
1337-speek for "Acts for you"
Great, now let's start on the bible codes and prove that 666 refers to Bill Gates. Everyone's number looks like a hex string!
Re: (Score:2)
Too many digits. Australian numbers are ten digits long.
adding the leading zero that gets dropped when you dial international numbers gives 11 digits.
And of course the fact that "Austria" and "Australia" are usually right next to each other in your average "choose your country" drop-down box.
Bigger news! (Score:4, Funny)
Damn! Austria must have invaded Australia.
Re: (Score:2)
PlanetDomain is one of Australia's leading Domain Name Registrars and Web Hosting Service providers.
We provide domain name registration and web hosting services to the global community with the goal of delivering low prices and high standard products and services.
PlanetDomain Pty Ltd.
Registered Office:
Level 15, 309 Kent Street
Sydney
NSW, 2000, Australia
Telephone: +1300 36 64 05 (Australia)
Facsimile: +613 9923 4412
Email: info@planetdomain.com
Click here to review our Service Level Agreement.
Looks quite contactable, try picking up the phone, it's often the best way.
Re: (Score:2)
Address: Austria
Phone: +61 (Australia)
Looks legit.
Re: (Score:2)
Mobile (cell phone) numbers in Australia are all ten digits and start with 04, so that number in Australia would be 04354353455 which is of course 1 digit too many. I think it's a typo since anyone trying to fake a phone number would at least use the correct amount of digits.
Re: (Score:2)
I notice the contacts are in Austria, not Australia.
Re: (Score:3)
+61 is Australia but yes the postal address is Austria.
Re: (Score:2)
That, and what are the odds of getting a phone number where all the digits are 3, 4, or 5. 0435 doesn't sound valid from my time in market research either.
DAVIDWALSH.NAME stolen also (Score:2)
My domain, DAVIDWALSH.NAME has also been stolen. 1And1 yet to return the domain or give me a detailed response for 5 days.
Gmail problem (Score:5, Interesting)
it looks like the big problem here is that 4 years on it's still apparently possible for websites to silently create filters on gmail accounts if a logged in user visits their site. That effectively allows a malicious site to compromise hosting accounts, bank accounts and much more.
Re:Gmail problem (Score:5, Informative)
According to a proof of concept by Geek Condition, there is a security flaw in Gmail that allows an attacker to forward GoDaddy account reset information to the offending party unbeknownst by the victim. This is done by creating a filter that forwards GoDaddy’s “change of password” mail to the attacker and deletes it from your inbox.
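A defender-side check for the forward-and-delete filter described in the comment above, added here as an example and not part of the original thread: it audits a Gmail filter export (the Atom XML file produced by exporting filters from Gmail's settings) and reports filters that forward mail outside trusted domains, hide the original, or match registrar and account-recovery mail. The sample export, all addresses, the watch-term list and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Assumed watch list: words that mark registrar or account-recovery mail.
WATCH_TERMS = ("godaddy", "registrar", "password", "reset", "transfer")

# Constructed sample export; every address and domain is a placeholder.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='list@news.example'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='billing@host.example'/>
    <apps:property name='forwardTo' value='accounts@mycompany.example'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='support@registrar.example'/>
    <apps:property name='hasTheWord' value='password OR transfer'/>
    <apps:property name='forwardTo' value='drop@unknown.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        if props:
            filters.append(props)
    return filters


def audit_filter(props, trusted_domains, watch_terms=WATCH_TERMS):
    """Return a list of findings for one filter; empty means nothing to review."""
    target = props.get("forwardTo", "").strip().lower()
    if not target:
        return []  # only forwarding filters can leak mail to a third party
    findings = []
    if target.rpartition("@")[2] not in trusted_domains:
        findings.append("forwards-outside")
    # Trashing or archiving keeps the owner from ever seeing the message.
    if props.get("shouldTrash") == "true" or props.get("shouldArchive") == "true":
        findings.append("hides-original")
    criteria = " ".join(props.get(k, "")
                        for k in ("from", "subject", "hasTheWord")).lower()
    if any(term in criteria for term in watch_terms):
        findings.append("targets-account-mail")
    return findings


def audit_export(xml_text, trusted_domains, watch_terms=WATCH_TERMS):
    """Audit every filter in an export; return only those with findings."""
    report = []
    for props in parse_filters(xml_text):
        findings = audit_filter(props, trusted_domains, watch_terms)
        if findings:
            report.append({"forward_to": props["forwardTo"].strip().lower(),
                           "from": props.get("from", ""),
                           "findings": findings})
    return report


if __name__ == "__main__":
    for item in audit_export(SAMPLE_EXPORT, {"mycompany.example"}):
        print(item["forward_to"], item["from"], ", ".join(item["findings"]))
```

A filter that carries all three findings at once is the pattern the comment describes and is worth deleting and following up with a password change and a review of the account's forwarding addresses.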
Re: (Score:2)
Thousands of online accounts are hijacked every day. If you re-use your Gmail password at other websites, change it now. Learn more [google.com].
Re: (Score:2)
That article states that the attacker must direct the victim to a site with a malicious script in order to get a Session Authorization Key.
How hard is that? I have run dozens of websites, and I can get on a first-page google search for some key phrases easily. This is the law of averages: attack _everybody_ and some will fall. If the attacker wants a _specific_ domain, though, that is much more of a challenge.
Re:Gmail problem (Score:5, Insightful)
Exactly - why are you using a free email account to be the key to owning your domain name? Run your own email server! Become your own registrar - it's worth it if you have a bunch of domains.
Re:Gmail problem (Score:5, Informative)
why are you using a free email account to be the key to owning your domain name? Run your own email server!
You shouldn't have a contact email on the domain that is being administered. Your suggestion is good only if you have several domains registered by different registrars, and if your email is very reliable (with reverse DNS and such.) Then you can cross-link these records. For everyone else Gmail is a rational choice; it's free, it's reliable, and it's always there.
Re: (Score:2)
There's nothing wrong with using a 'free' email account to register for domain services or any other product or service for that matter. I would however recommend some recursion, i.e. create a unique freemail account with a very high security password and set it up to forward (while still saving emails) to your master email account(s). Of course, it's a good idea to rotate a high security password on your master email account(s) as well. It's not rocket science, it's security. These crafty bastards have
Re: (Score:2, Offtopic)
You know, we had a discussion just the other day about group-think and the /. condition [slashdot.org] where people making good comments are shouted down. The GP is yet another example of this.
Re: (Score:3)
Underrated and Overrated do not add the text to the score, FYI. They commonly are used as the "+1, I Agree" and "-1, I Disagree and wish to Censor Your Dissenting Opinion" moderations. It used to be counterable back before /. fucked up metamoderation and turned it into a herp-derp free + or - for random comments. Which incidentally is the other reason a post may be moderated + or - with no history - it was metamoderated up or down instead.
Mumble mumble stagnated or something.
Re: (Score:2)
It's at +5 now... what was the problem again?
Re: (Score:2)
Give it 6 hours for a group of people to throw a hissy fit over what they read, and it'll be -0 troll or flamebait. You know much like how my post is 'offtopic' when it's not.
Google say this is fixed (Score:2)
Same thing happened back in 2000 to me and others (Score:5, Interesting)
http://www.wired.com/politics/law/news/2000/01/33571 [wired.com]
The only good thing about it was getting my name in Wired.
ICANN (Score:4, Interesting)
Re:ICANN (Score:5, Informative)
ICANN cannot technically do that, since they don't actually control the content of the TLD. The Domain Registry (Verisign) could technically reverse the transfer, but are bound by ICANN policies that likely prevent them from doing anything. ICANN in conjunction with Verisign could get the transfer reverted, but since that requires two entities working in concert, I would not count on it happening.
Of course the Australian registry could determine that the transfer was fraudulent, and transfer it back to Go Daddy as a registrar (who is bound by contract to return it to the control of Chris Coyer), and provide information about the fraud to the police, but since that is not in their interests, they will never do that either.
Re: (Score:3)
It isn't in their interests? Surely siding against the web design community, a very large source of domain registrations, isn't the brightest of ideas?
Re: (Score:3)
That sort of thing only rarely shows up in the accounting books, and is usually vastly underestimated when it does, so the decision makers only see: Loss of one registration ($x per year) vs status quo.
Which will they decide is in their interests?
Re:ICANN (Score:5, Informative)
Does ICANN offer any assistance with this matter? Can't they just yank the domain back?
Yup, there is a process for this. Unfortunately a bit slow, but better than nothing.
The registrar the domain is with now must provide proof the owner submitted it that can be challenged. No proof in 5 days, ICANN reverses the transfer.
At that point they have two weeks to argue that the transfer was not authentic.
I believe a court order would cause the action to be taken immediately in reversing it, and ICANN states they will comply.
http://www.icann.org/en/transfers/ [icann.org]
All the forms and the policy itself (Items 1-4 on that page) plus some FAQ's that mention this type of thing.
I've never had to do a transfer dispute, so am not sure if their policy matches reality, but there it is.
Helpless? No. (Score:4, Insightful)
... the registrars seem helpless to do anything about it.
Not helpless: careless, as in "we couldn't care less". How exactly do these thefts hurt their reputation or profits or bottom line? It doesn't, which is exactly why they don't care. These registrars will continue to not-care unless and until the victims can make the thefts affect the registrars in some measurable way.
Re:Helpless? No. (Score:5, Insightful)
I actually prefer them not to care. It seems in this case email was hijacked and GoDaddy is not supposed to deny the transfer if everything is done properly. It is a real pain in the ass trying to obtain a "utility bill" or other "proof" from a $5 / month web service customer when all they want is to get their domain transferred from the previous $15 / month provider (provided of course that the previous ISP who registered the domain was generous enough to put a real owner contact email to whois data...). It *should* be that easy for your average low-cost domain.
If you want your domain provider to "care" - which in this case is that you get personal service and are not just using automation yourself - you pay (actually GoDaddy also offers phone verification option for extra fee...). If you are bankofamerica.com or microsoft.com you should really do take a bit more expensive option - it is not likely that you change your registrar yearly to the cheapest alternative. But if you are a random website (this is first time I heard about css-tricks.com, I really don't know if they are big and famous site on web design field) looking for the cheapest option this is how it should be, because on the other side you have very angry customers complaining that registrars hold their domains hostage; been there in the middle answering to customer on the other side that no, this is not that easy because your registrar requires this and that and I have to bill you by the hour and on the other side having the registrar jump me through obstacle course to transfer ordinary domains by just flagging transfer "suspicious" and everything from first tier customer support is some form of "sorry, I can't do that".
By the way US registrars - identification by utility bill is something we do not do in Europe - the whole concept is strange, so please do not ask me for my client's electricity bill, they most likely can't provide one.
Follow the money (Score:2)
Since it seems accepted by everyone that the domain was stolen and that the crook now wants money to give it back, surely the police can be involved (this is supposed to be what they are there for). The crook wants money, the money needs to be paid into an account somewhere or perhaps one of these money transfer people. Would it be really too hard to finger their thief's collar when he comes to collect ?
Dude, c'mon (Score:3)
You put your domain with a company because they have commercials with big boobs? If you want to "host" something, I'm sure it's more convenient and cheaper downtown.
PlanetDomain and (Aust|Cheap|Crazy)Domains.com.au (Score:2)
All have the same issue regarding their communications trail.
Anyone with an account with these people (and have done domain transfers) should check their comms history in their control panel during that time... especially the sent items and the clickable link contained within.
I've sent plenty of emails to these people, but I've given up. They don't listen.
stolen (Score:2)
RTFriendlyA
GoDaddy has the e-mail that requested the change, and the domain owner did not send it.
Or, are you the thief, trying to misdirect the conversation?
Re: (Score:3)
Just because you are paranoid, doesn't mean they aren't after you
That's definitely not something I'm going to argue with.
e-mail (Score:3)
Actually, in this case, the problem seems to be hijacked e-mail.
What I'm trying to understand now is why they need a copy of a license to start checking about undoing the transfer, when they don't require the copy of the license to initiate it.
Re: (Score:2)
What I'm trying to understand now is why they need a copy of a license to start checking about undoing the transfer, when they don't require the copy of the license to initiate it.
Cost, people want cheap domain registrations and aren't prepared to pay for the extra security of document verification.