
Domain Theft-for-Ransom Hits css-tricks.com and Others

An anonymous reader writes "Chris Coyer at css-tricks.com has had his domain transferred from GoDaddy.com to a registrar in Australia where it's being held for ransom. Several other domains have experienced the same theft by what seems to be the same person, and the registrars seem helpless to do anything about it."

  • Umm.... (Score:5, Informative)

    by Bucky24 ( 1943328 ) on Friday December 02, 2011 @08:46PM (#38246182)
    From TFA: "We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back."

    Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?
  • For the curious (Score:5, Informative)

    by Anonymous Coward on Friday December 02, 2011 @08:57PM (#38246284)

    That phone number looks like a valid aussie mobile number. Who answers?

    Domain Name: CSS-TRICKS.COM
                Reseller..............: PlanetDomain Ltd Pty
                Created on............: 4 Jul 2007 16:26:57 EST
                Expires on............: 4 Jul 2019 16:26:57 EST
                Record last updated on: 21 Nov 2011 16:20:33 EST
                Status................: ACTIVE

          Owner:
                oca
                  (465144)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:
          Administrative Contact, Billing Contact:
                oca
                  (465143)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:
          Technical Contact:
                oca
                  (465145)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:

          Domain servers in listed order:

          No name servers present.
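
The checks a domain owner could run against a record like the one pasted above, comparing it with a saved baseline; this is an added example, not part of the original comment. The baseline values, the calling-code table and the alert names are constructed for illustration, and treating the Reseller line as the registrar is an assumption.

```python
import re

# Record from the comment above, cut down to the fields the checks read.
RECORD = """Domain Name: CSS-TRICKS.COM
    Reseller..............: PlanetDomain Ltd Pty
    Record last updated on: 21 Nov 2011 16:20:33 EST
  Owner:
    oca
      (465144)
        Bakulina 12,
    Kharkiv, gras 61166
    Austria
    Phone: +61.4354353455
  Domain servers in listed order:

  No name servers present.
"""
# Constructed baseline the owner would have saved before the transfer.
BASELINE = {"registrar": "GoDaddy.com", "owner": "Example Owner",
            "nameservers": {"ns1.example.net", "ns2.example.net"}}
# Small constructed subset of country calling codes.
CALLING_CODES = {"1": "United States", "43": "Austria", "61": "Australia", "380": "Ukraine"}

def parse(record):
    """Extract the monitored fields from this registrar's WHOIS layout."""
    kv = dict(re.findall(r"^[ \t]*([A-Za-z ]+?)\.*:[ \t]*(\S.*)$", record, re.M))
    owner = re.search(r"Owner:[ \t]*\n[ \t]*(\S.*)", record)
    # The line directly above "Phone:" is the country; "+CC." is the calling code.
    contact = re.search(r"^[ \t]*(\S.*)\n[ \t]*Phone:[ \t]*\+(\d+)", record, re.M)
    ns_part = record.split("Domain servers in listed order:")[-1]
    ns = re.findall(r"^[ \t]*([a-z0-9-]+(?:\.[a-z0-9-]+)+)[ \t]*$", ns_part, re.M | re.I)
    return {"registrar": kv.get("Registrar") or kv.get("Reseller", ""),
            "owner": owner.group(1).strip() if owner else "",
            "country": contact.group(1).strip() if contact else "",
            "phone_cc": contact.group(2) if contact else "",
            "nameservers": {n.lower() for n in ns}}

def findings(baseline, record):
    """Return alert codes for drift from the baseline and internal mismatches."""
    cur, alerts = parse(record), []
    if baseline["registrar"].lower() not in cur["registrar"].lower():
        alerts.append("REGISTRAR_CHANGED")
    if cur["owner"] != baseline["owner"]:
        alerts.append("OWNER_CHANGED")
    if baseline["nameservers"] - cur["nameservers"]:
        alerts.append("NAMESERVERS_REMOVED")
    expected = CALLING_CODES.get(cur["phone_cc"])
    if expected and expected != cur["country"]:
        alerts.append("PHONE_COUNTRY_MISMATCH")
    return alerts
```

Run on a schedule against fresh WHOIS output, a non-empty result is the cue to contact the registrar while the transfer can still be disputed.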

  • Re:Don't Use GoDaddy (Score:3, Informative)

    by InsightIn140Bytes ( 2522112 ) on Friday December 02, 2011 @09:01PM (#38246328)
    1and1 and Network Solutions are on the list too.
  • Re:Umm.... (Score:3, Informative)

    by InsightIn140Bytes ( 2522112 ) on Friday December 02, 2011 @09:05PM (#38246362)
    GoDaddy can't reverse the transfer once the other registrar has it.
  • Re:For the curious (Score:4, Informative)

    by iluvcapra ( 782887 ) on Friday December 02, 2011 @09:08PM (#38246376)

    Ummmm, Graz is a town on the Mur in Austria, not Australia. However +61 is the country code of Australia. Some sort of bizarre joke.

  • Re:Umm.... (Score:5, Informative)

    by John Hasler ( 414242 ) on Friday December 02, 2011 @09:19PM (#38246456) Homepage

    It's certainly a crime, but it is fraud, not theft (just as copyright infringement is not theft). Theft involves deprivation of possession of chattel property.

  • by John Hasler ( 414242 ) on Friday December 02, 2011 @09:20PM (#38246470) Homepage

    > Who is a reputable registrar these days?

    Gandi.

  • Re:Gmail problem (Score:5, Informative)

    by cultiv8 ( 1660093 ) on Friday December 02, 2011 @09:34PM (#38246574) Homepage
    As noted in 2008 on Mashable [mashable.com]:

    According to a proof of concept by Geek Condition, there is a security flaw in Gmail that allows an attacker to forward GoDaddy account reset information to the offending party unbeknownst by the victim. This is done by creating a filter that forwards GoDaddy’s “change of password” mail to the attacker and deletes it from your inbox.
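
An audit for the forward-and-delete filter described above, as an added example that is not part of the original comment or the Mashable article. It assumes the filters have been fetched in the shape of Gmail API `users.settings.filters` resources; the sample filters, trusted domain and keyword list are constructed.

```python
# Constructed sample in the shape of Gmail API users.settings.filters resources.
FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"from": "godaddy.com", "query": "password"},
     "action": {"forward": "drop@unknown.example", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"subject": "invoice"},
     "action": {"forward": "books@mycompany.example"}},
]
TRUSTED_DOMAINS = {"mycompany.example"}   # hypothetical: domains you forward to on purpose
SENSITIVE = ("password", "reset", "transfer", "authorization", "godaddy", "registrar")

def audit(filters, trusted_domains, sensitive=SENSITIVE):
    """Rate every forwarding filter; returns {filter_id: (severity, reasons)}."""
    report = {}
    for f in filters:
        action, criteria = f.get("action", {}), f.get("criteria", {})
        target = action.get("forward")
        if not target:
            continue  # filters that do not forward cannot leak mail this way
        reasons = []
        external = target.rsplit("@", 1)[-1].lower() not in trusted_domains
        if external:
            reasons.append("forwards to external address " + target)
        # Trashing or skipping the inbox hides the mail from the account owner.
        hides = ("TRASH" in action.get("addLabelIds", [])
                 or "INBOX" in action.get("removeLabelIds", []))
        if hides:
            reasons.append("removes the message from the inbox")
        text = " ".join(str(v) for v in criteria.values()).lower()
        hits = [w for w in sensitive if w in text]
        if hits:
            reasons.append("matches account-recovery mail: " + ", ".join(hits))
        if external and hides:
            severity = "high"
        elif reasons:
            severity = "review"
        else:
            severity = "ok"
        report[f["id"]] = (severity, reasons)
    return report
```
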

  • by Anonymous Coward on Friday December 02, 2011 @09:40PM (#38246616)

    :) We switched to them from Dotster. If you are from the USA the price is better than advertised too. They don't charge VAT and that is a HUGE percentage of the fee. The only complaint I have is the free SSL certificate is confusing/misleading. Or maybe it is just me not understanding things well enough although I doubt it. You have to install the free Gandi certificate in the browser you are using or something like that. In other words it isn't something you can actually use for business or even a personal web site unless you have control over the computers from where you/others will be accessing it from. Therefore what good is it over accepting your own ssl certificate? I know I sound like an idiot as I'm wrong in my explanation. Hopefully you understand what I'm trying to say though.

  • Re:Gmail problem (Score:5, Informative)

    by MyFirstNameIsPaul ( 1552283 ) on Friday December 02, 2011 @09:48PM (#38246642) Journal
    That article states that the attacker must direct the victim to a site with a malicious script in order to get a Session Authorization Key.
  • by efalk ( 935211 ) on Friday December 02, 2011 @09:53PM (#38246662)
    Seconded. I register all my domains with Gandi. Clean user interface, no offensive advertising, no constant trying to upsell me. Easy to understand services and contract. Plus, they're outside of the U.S., which is a huge plus -- it makes it much harder for a U.S. court to seize your domain on a whim.
  • by hpa ( 7948 ) on Friday December 02, 2011 @10:16PM (#38246796) Homepage
    Seconded the recommendation for Gandi. Another good one is Loopia in Sweden, loopia.se. Loopia got acquired reasonably recently, so they may or may not stay that way but for now they have been very good and for a long time they were the best-priced .se and .nu registrar (and may still be.)
  • Re:Umm.... (Score:0, Informative)

    by Anonymous Coward on Friday December 02, 2011 @11:01PM (#38247026)

    > Interesting that the 'pirating == theft' brigade hasn't modded you into oblivion yet...

    I thought it was the pirating != theft brigade that modded people into oblivion.

  • Re:Umm.... (Score:4, Informative)

    by rickb928 ( 945187 ) on Friday December 02, 2011 @11:07PM (#38247040) Homepage Journal

    That would be the job of ICANN or WIPO.

    Neither of which care to step in and make the effort unless forced to.

  • by tomp ( 4013 ) on Friday December 02, 2011 @11:25PM (#38247110) Homepage

    Gandi rocks, no doubt about it. However, they cannot protect a domain owner from the US government.

    I have my domain there because they respect the rights of a domain owner far more than other registrars, but there's nothing they can do if the US government wants a domain in a US-hosted top level domain. When it comes to .com, .net, or .org, NSI is all that matters. And unfortunately, they don't care about domain owners.

  • Re:Umm.... (Score:5, Informative)

    by the eric conspiracy ( 20178 ) on Friday December 02, 2011 @11:47PM (#38247188)

    Legally fraud is a form of theft, i.e. theft by deception.

  • Re:ICANN (Score:5, Informative)

    by Tacvek ( 948259 ) on Friday December 02, 2011 @11:50PM (#38247198) Journal

    ICANN cannot technically do that, since they don't actually control the content of the TLD. The Domain Registry (Verisign) could technically reverse the transfer, but are bound by ICANN policies that likely prevent them from doing anything. ICANN in conjunction with Verisign could get the transfer reverted, but since that requires two entities working in concert, I would not count on it happening.

    Of course the Australian registry could determine that the transfer was fraudulent, and transfer it back to Go Daddy as a registrar (who is bound by contract to return it to the control of Chris Coyer), and provide information about the fraud to the police, but since that is not in their interests, they will never do that either.

  • by The Blue Meanie ( 223473 ) on Friday December 02, 2011 @11:51PM (#38247208)

    Nope, you misunderstand. I got them to issue one of the free certs for one of my domains (I use Gandi for all of my registrations), and it works perfectly with all major browsers out of the box.
    All you have to do is add Gandi's intermediate certificate (the cert that links their signature on your free cert to the base CA cert that's in everybody's browser), but you do that on your server (web/mail/whatever) and offer it up as part of the SSL negotiation. It works perfectly, and transparently. It is definitely NOT like the hassle of a self-signed certificate, where you DO have to either add the "security exception" to every client's browser, or get them to install your cert into their browser ahead of time.

  • Re:Umm.... (Score:5, Informative)

    by mysidia ( 191772 ) * on Saturday December 03, 2011 @12:05AM (#38247280)

    > and secondly, godaddy can't actually do anything about it because they don't own the domain anymore.

    There are things they can do about it, the ICANN Inter-Registrar Transfer Policy [icann.org] says so, so does the ICANN Transfer Dispute Resolution Policy [icann.org]:

    > The Gaining Registrar must retain, and produce pursuant to a request by a Losing Registrar, a written or electronic copy of the FOA. In instances where the Registrar of Record has requested copies of the FOA, the Gaining Registrar must fulfill the Registrar of Record's request (including providing the attendant supporting documentation) within five (5) calendar days. Failure to provide this documentation within the time period specified is grounds for reversal by the Registry Operator or the Dispute Resolution Panel in the event that a transfer complaint is filed in accordance with the requirements of this policy.

    > If either a Registrar of Record or a Gaining Registrar does not believe that a transfer request was handled in accordance with the provisions of this policy, then the Registrar may initiate a dispute resolution procedure as set forth in Section C of this policy.

    > Registry Operator must undo the transfer within fourteen calendar days unless a court action is filed. The notice required shall be one of the following:

    > Agreement of the Registrar of Record and the Gaining Registrar sent by email, letter or fax that the transfer was made by mistake or was otherwise not in accordance with the procedures set forth in this policy;

  • Re:Gmail problem (Score:5, Informative)

    by tftp ( 111690 ) on Saturday December 03, 2011 @01:27AM (#38247618) Homepage

    > why are you using a free email account to be the key to owning your domain name? Run your own email server!

    You shouldn't have a contact email on the domain that is being administered. Your suggestion is good only if you have several domains registered by different registrars, and if your email is very reliable (with reverse DNS and such.) Then you can cross-link these records. For everyone else Gmail is a rational choice; it's free, it's reliable, and it's always there.

  • Re:ICANN (Score:5, Informative)

    by dissy ( 172727 ) on Saturday December 03, 2011 @02:01AM (#38247800)

    > Does ICANN offer any assistance with this matter? Can't they just yank the domain back?

    Yup, there is a process for this. Unfortunately a bit slow, but better than nothing.

    The registrar the domain is with now must provide proof the owner submitted it that can be challenged. No proof in 5 days, ICANN reverses the transfer.

    At that point they have two weeks to argue that the transfer was not authentic.
    I believe a court order would cause the action to be taken immediately in reversing it, and ICANN states they will comply.

    http://www.icann.org/en/transfers/ [icann.org]
    All the forms and the policy itself (Items 1-4 on that page) plus some FAQ's that mention this type of thing.

    I've never had to do a transfer dispute, so am not sure if their policy matches reality, but there it is.

  • Re:Don't Use GoDaddy (Score:4, Informative)

    by houstonbofh ( 602064 ) on Saturday December 03, 2011 @02:02AM (#38247804)
    The difference is that with a real company, like SafeNames, you call your account rep, and he says, "I will handle this for you." And you get updates, not stonewalls. May still take a lot of time, but it will be less stress than GoDaddy's "not my problem" BS.
  • by Animats ( 122034 ) on Saturday December 03, 2011 @02:27AM (#38247918) Homepage

    > Who is a reputable registrar these days?

    The top of the line is MarkMonitor [markmonitor.com]. If you have to ask how much they cost, you can't afford them. They're the registrar for "gm.com", "ford.com", "bankofamerica.com", etc. If something goes wrong with one of their domains, alarm bells ring at their monitoring center and DNS experts, investigators, and lawyers swing into action.

    Network Solutions can be difficult to deal with, but they register enough corporate domains that they have a support organization that's not a joke.

    GoDaddy is generally considered to be near the bottom of the heap. You might register your personal blog with GoDaddy. Maybe.

    Down at the bottom is eNom, the leader in junk domain registration. That's where you register your 100,000 typosquatting domains.

  • Re:For the curious (Score:4, Informative)

    by OneMadMuppet ( 1329291 ) on Saturday December 03, 2011 @03:50AM (#38248208) Homepage
    Bakulina 12 is an address in Kharkiv, in Ukraine. Anyone can pick a random city or country, but picking a specific street in north Kharkiv is less likely. Start there.
