
Domain Theft-for-Ransom Hits css-tricks.com and Others

Posted by timothy
from the low-down-dirty-rotten dept.
An anonymous reader writes "Chris Coyer at css-tricks.com has had his domain transferred from GoDaddy.com to a registrar in Australia where it's being held for ransom. Several other domains have experienced the same theft by what seems to be the same person, and the registrars seem helpless to do anything about it."

  • Umm.... (Score:5, Informative)

    by Bucky24 (1943328) on Friday December 02, 2011 @08:46PM (#38246182)
    From TFA: "We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back."

    Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?
    • Re:Umm.... (Score:4, Interesting)

      by Meshach (578918) on Friday December 02, 2011 @09:00PM (#38246324)

      From TFA: "We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back." Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?

      I don't know about theft as much as mismanagement by GoDaddy. If the domain was not expired then it should be reverted back to the rightful owner. If it actually did expire he may be SOL (although that is pretty low of GoDaddy to not at least give him notice).

      • Re: (Score:3, Informative)

        GoDaddy can't reverse the transfer once other registrar has it.
      • Re:Umm.... (Score:4, Insightful)

        by MightyMartian (840721) on Friday December 02, 2011 @09:05PM (#38246366) Journal

        It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.

        • Re:Umm.... (Score:5, Informative)

          by John Hasler (414242) on Friday December 02, 2011 @09:19PM (#38246456) Homepage

          It's certainly a crime, but it is fraud, not theft (just as copyright infringement is not theft). Theft involves deprivation of possession of chattel property.

        • Re:Umm.... (Score:5, Insightful)

          by jamesh (87723) on Friday December 02, 2011 @10:16PM (#38246800)

          It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.

          I just transferred a domain from GoDaddy to a preferred registrar. All I needed, and all I should need, was my username and password.

          If I let my username and password fall into the hands of somebody else, which I believe is the case here, and they transferred the domain then firstly, godaddy are not at fault, and secondly, godaddy can't actually do anything about it because they don't own the domain anymore. It's a bit rude of them to not offer more assistance in terms of providing evidence to help the owner prove his ownership to the new registrar, eg maybe the access was from an IP address in a different country than the owner resides, etc, but that's hardly grounds for a civil suit for damages.

          If you buy a domain from a registrar who doesn't charge you enough to offer assistance when something goes wrong, and have a reputation for this, then you kind of get what you deserve.

          IMHO, GoDaddy aren't evil, just cheap, and are just a product of our collective race to the bottom in terms of not caring about quality of service when buying a product and only complaining about it when something goes wrong.

          • Re:Umm.... (Score:5, Informative)

            by mysidia (191772) * on Saturday December 03, 2011 @12:05AM (#38247280)

            and secondly, godaddy can't actually do anything about it because they don't own the domain anymore.

            There are things they can do about it, the ICANN Inter-Registrar Transfer Policy [icann.org] says so, so does the ICANN Transfer Dispute Resolution Policy [icann.org]:

            The Gaining Registrar must retain, and produce pursuant to a request by a Losing Registrar, a written or electronic copy of the FOA. In instances where the Registrar of Record has requested copies of the FOA, the Gaining Registrar must fulfill the Registrar of Record's request (including providing the attendant supporting documentation) within five (5) calendar days. Failure to provide this documentation within the time period specified is grounds for reversal by the Registry Operator or the Dispute Resolution Panel in the event that a transfer complaint is filed in accordance with the requirements of this policy.

            If either a Registrar of Record or a Gaining Registrar does not believe that a transfer request was handled in accordance with the provisions of this policy, then the Registrar may initiate a dispute resolution procedure as set forth in Section C of this policy.

            Registry Operator must undo the transfer within fourteen calendar days unless a court action is filed. The notice required shall be one of the following:

            Agreement of the Registrar of Record and the Gaining Registrar sent by email, letter or fax that the transfer was made by mistake or was otherwise not in accordance with the procedures set forth in this policy;

          • by Relayman (1068986)
            A username and password should not be sufficient, especially if the domain name has a registrar lock. My domain registrar (BulkRegister aka eNom) requires two-factor authentication to do anything.
            • by jamesh (87723)

              A username and password should not be sufficient, especially if the domain name has a registrar lock. My domain registrar (BulkRegister aka eNom) requires two-factor authentication to do anything.

              Sounds like you got what you paid for then... in a good way :)

              Seriously though, there is a place for a low cost, no frills registrar for domains you aren't particularly attached to and that nobody is going to hold for ransom because they aren't worth the effort. Using such a registrar for a domain that's actually worth something to you is probably a bad choice though.

        • by Dan541 (1032000)

          It's most certainly theft, and on top of that Godaddy is most certainly liable for civil damages.

          How? If Godaddy received a genuine transfer request then they did the right thing by not blocking it. Registrars are supposed to comply with requests from the domain administrator. If that person has poor security it isn't godaddy's fault.

      • by Bucky24 (1943328)
        The blog didn't read like the domain had expired, but you may be right.
    • by mysidia (191772) *

      Not required? As in, he paid for it, it's legally registered to him, and then someone just stole it away and they don't have to give it back? Isn't that theft?

      There's always an option to open a UDRP dispute. Although it is expensive to execute the process, it would likely result in the domain being returned to the rightful owner.

  • Don't Use GoDaddy (Score:5, Interesting)

    by sexconker (1179573) on Friday December 02, 2011 @08:54PM (#38246258)

    Don't use GoDaddy.
    If you needed any more reasons to stay far away from GoDaddy and their shitty advertising, RTFA.

            So far they have found this has happened to around 12 accounts, all within the "Web Design" genre (so most likely a targeted attack).
            There is no accessible log from within your GoDaddy account to see what/when things happened.
            They do [claim to] have access logs, but they can't [won't] share that information with me.
            The domain was transferred away from GoDaddy the evening of Nov 20th
            They [claim to] have, but cannot [won't] provide me with, the email address used to transfer the domain away.
            GoDaddy confirmed my global account email has never been changed, but it WAS changed for the domain css-tricks.com prior to the move.
            The request to unlock the domain happened on Nov. 14th at 4:30pm Mountain Time. Normally there is a 5-7 day waiting period, but GoDaddy offers instant transfer and they remarked that it was unusual that the hacker chose not to do that.
            They confirmed no other domains have left my account.

    [Stuff in brackets is mine.]

    • Re: (Score:3, Informative)

      1and1 and Network Solutions are on the list too.
    • Who is a reputable registrar these days? Does such a thing exist?

      • by John Hasler (414242) on Friday December 02, 2011 @09:20PM (#38246470) Homepage

        > Who is a reputable registrar these days?

        Gandi.

        • by Urza9814 (883915) on Friday December 02, 2011 @09:37PM (#38246586)

          If only I had mod points. Gandi is by far and without a doubt the best domain registrar out there. Hell, if they were double or even triple the price of GoDaddy, I'd still be using them. (From what I've seen their prices are on par with everyone else.)

        • by Anonymous Coward on Friday December 02, 2011 @09:40PM (#38246616)

          :) We switched to them from Dotster. If you are from the USA the price is better than advertised too. They don't charge VAT and that is a HUGE percentage of the fee. The only complaint I have is the free SSL certificate is confusing/misleading. Or maybe it is just me not understanding things well enough although I doubt it. You have to install the free Gandi certificate in the browser you are using or something like that. In other words it isn't something you can actually use for business or even a personal web site unless you have control over the computers from where you/others will be accessing it from. Therefore what good is it over accepting your own ssl certificate? I know I sound like an idiot as I'm wrong in my explanation. Hopefully you understand what I'm trying to say though.

          • by The Blue Meanie (223473) on Friday December 02, 2011 @11:51PM (#38247208)

            Nope, you misunderstand. I got them to issue one of the free certs for one of my domains (I use Gandi for all of my registrations), and it works perfectly with all major browsers out of the box.
            All you have to do is add Gandi's intermediate certificate (the cert that links their signature on your free cert to the base CA cert that's in everybody's browser), but you do that on your server (web/mail/whatever) and offer it up as part of the SSL negotiation. It works perfectly, and transparently. It is definitely NOT like the hassle of a self-signed certificate, where you DO have to either add the "security exception" to every client's browser, or get them to install your cert into their browser ahead of time.

        • by efalk (935211) on Friday December 02, 2011 @09:53PM (#38246662)
          Seconded. I register all my domains with Gandi. Clean user interface, no offensive advertising, no constant trying to upsell me. Easy to understand services and contract. Plus, they're outside of the U.S., which is a huge plus -- it makes it much harder for a U.S. court to seize your domain on a whim.
          • by tomp (4013) on Friday December 02, 2011 @11:25PM (#38247110) Homepage

            Gandi rocks, no doubt about it. However, they cannot protect a domain owner from the US government.

            I have my domain there because they respect the rights of a domain owner far more than other registrars, but there's nothing they can do if the US government wants a domain in a US-hosted top level domain. When it comes .com, .net, or .org, NSI is all that matters. And unfortunately, they don't care about domain owners.

          • by mysidia (191772) *

            it makes it much harder for a U.S. court to seize your domain on a whim.

            It also makes it much harder for you to sue them, if they do something bad and it hurts you or you lose the domain or uptime as a result.

          • it makes it much harder for a U.S. court to seize your domain on a whim.

            Wouldn't it make it easier for some other government to seize it on a whim?

            I mean, that may be the determination that you've made, that this is less of a risk, but I'm just saying.

        • Thirded. Been with them since they were one of the first ICANN registrars outside of Network Solutions. Like their motto says, "no bullshit"

        • by hpa (7948) on Friday December 02, 2011 @10:16PM (#38246796) Homepage
          Seconded the recommendation for Gandi. Another good one is Loopia in Sweden, loopia.se. Loopia got acquired reasonably recently, so they may or may not stay that way but for now they have been very good and for a long time they were the best-priced .se and .nu registrar (and may still be.)
        • Re: (Score:3, Insightful)

          by mrbester (200927)
          Status: clientTransferProhibited FTW. Set by a checkbox in a settings screen. GANDI never forget that your domain is yours (unlike other registrars who consider it theirs and you're just borrowing it from them).
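The transfer-lock status mentioned in the comment above can be watched from outside the registrar account. The following is an added example, not part of the original thread: it parses saved WHOIS text and compares two snapshots, reporting when a transfer lock disappears or the registrar changes. The sample records, registrar names, and function names are constructed for illustration.

```python
import re

# EPP status codes that block an inter-registrar transfer.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

# "Key: value", also with dot padding as in "Status................: ACTIVE".
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\.*\s*:\s*(.+?)\s*$")

REGISTRAR_KEYS = ("registrar", "sponsoring registrar", "reseller")


def parse_whois(text):
    """Extract the registrar name and the set of status codes from WHOIS text."""
    snap = {"registrar": None, "statuses": set()}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in ("status", "domain status"):
            # Newer output appends a URL after the code; keep the code only.
            snap["statuses"].add(value.split()[0].lower())
        elif key in REGISTRAR_KEYS and snap["registrar"] is None:
            snap["registrar"] = value
    return snap


def transfer_findings(baseline_text, current_text):
    """Compare two WHOIS snapshots and return a list of finding codes."""
    base, cur = parse_whois(baseline_text), parse_whois(current_text)
    findings = []
    had_lock = bool(base["statuses"] & TRANSFER_LOCKS)
    has_lock = bool(cur["statuses"] & TRANSFER_LOCKS)
    if had_lock and not has_lock:
        findings.append("lock-removed")      # early warning: unlock precedes transfer
    elif not has_lock:
        findings.append("no-lock")           # never locked; worth fixing anyway
    if (base["registrar"] and cur["registrar"]
            and base["registrar"].lower() != cur["registrar"].lower()):
        findings.append("registrar-changed")  # the transfer has already happened
    return findings


# Constructed sample snapshots (not real WHOIS records).
BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Registrar A (constructed)
Status: clientTransferProhibited
Status: clientUpdateProhibited
"""
UNLOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Registrar A (constructed)
Status: ok
"""
MOVED = """\
Domain Name: EXAMPLE.COM
    Reseller..............: Registrar B (constructed)
    Status................: ACTIVE
"""

if __name__ == "__main__":
    print(transfer_findings(BASELINE, UNLOCKED))
    print(transfer_findings(BASELINE, MOVED))
```

Run on a schedule against fresh WHOIS output, the "lock-removed" finding is the one that leaves time to react before a transfer completes.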
        • by Animats (122034) on Saturday December 03, 2011 @02:27AM (#38247918) Homepage

          Who is a reputable registrar these days?

          The top of the line is MarkMonitor [markmonitor.com]. If you have to ask how much they cost, you can't afford them. They're the registrar for "gm.com", "ford.com", "bankofamerica.com", etc. If something goes wrong with one of their domains, alarm bells ring at their monitoring center and DNS experts, investigators, and lawyers swing into action.

          Network Solutions can be difficult to deal with, but they register enough corporate domains that they have a support organization that's not a joke.

          GoDaddy is generally considered to be near the bottom of the heap. You might register your personal blog with GoDaddy. Maybe.

          Down at the bottom is eNom, the leader in junk domain registration. That's where you register your 100,000 typosquatting domains.

      • SafeNames. They are NOT the cheapest, but they have amazing customer service. Absolutely rock. You actually have a real person as an account manager. Type "whois dell.com" for more.
      • by QuoteMstr (55051)

        I've been happy with gkg.net. I like that they started offering IPv6 glue records very early.

    • Re:Don't Use GoDaddy (Score:5, Interesting)

      by Anonymous Coward on Friday December 02, 2011 @11:54PM (#38247224)

      Don't use GoDaddy.

      To be fair, this wasn't strictly a GoDaddy Issue. TFA stated:

      This is not isolated to GoDaddy. Original registrants varied, see below.

      Which then listed multiple GoDaddy's, a 1and1.com, and a NetworkSolutions.com. This sounds more like the fact that GoDaddy happens to be the big horse (ala Microsoft) so it's likely going to be attacked the most. Not using GoDaddy might be good advice but it seems like it's also not a guarantee.

      The bigger issue is that there's no authoritative way to quickly re-gain such lost domains. And domain name disputes are always a huge PITA. Given the value of a domain name and how easy it is to sit on it once stolen, costing some business tons of money, I wouldn't be surprised if this starts happening more.

      One thing that keeps popping out is the fact that they're all being xfered to PlanetDomain.com. ICANN needs to revoke their ability to register domains.

  • For the curious (Score:5, Informative)

    by Anonymous Coward on Friday December 02, 2011 @08:57PM (#38246284)

    That phone number looks like a valid aussie mobile number. Who answers?

    Domain Name: CSS-TRICKS.COM
                Reseller..............: PlanetDomain Ltd Pty
                Created on............: 4 Jul 2007 16:26:57 EST
                Expires on............: 4 Jul 2019 16:26:57 EST
                Record last updated on: 21 Nov 2011 16:20:33 EST
                Status................: ACTIVE

          Owner:
                oca
                  (465144)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:
          Administrative Contact, Billing Contact:
                oca
                  (465143)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:
          Technical Contact:
                oca
                  (465145)
                    Bakulina 12,
                Kharkiv, gras 61166
                Austria
                Phone: +61.4354353455
                Email:

          Domain servers in listed order:

          No name servers present.

  • by Anonymous Coward

    My domain, DAVIDWALSH.NAME has also been stolen. 1And1 yet to return the domain or give me a detailed response for 5 days.

  • Gmail problem (Score:5, Interesting)

    by Albanach (527650) on Friday December 02, 2011 @09:29PM (#38246540) Homepage

    It looks like the big problem here is that 4 years on it's still apparently possible for websites to silently create filters on gmail accounts if a logged in user visits their site. That effectively allows a malicious site to compromise hosting accounts, bank accounts and much more.

    • Re:Gmail problem (Score:5, Informative)

      by cultiv8 (1660093) on Friday December 02, 2011 @09:34PM (#38246574) Homepage
      As noted in 2008 on Mashable [mashable.com]:

      According to a proof of concept by Geek Condition, there is a security flaw in Gmail that allows an attacker to forward GoDaddy account reset information to the offending party unbeknownst by the victim. This is done by creating a filter that forwards GoDaddy’s “change of password” mail to the attacker and deletes it from your inbox.
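A mailbox owner can check for the kind of filter described in the quote above. The following is an added example, not part of the original thread or the cited article: it audits a list of filter objects laid out like the Gmail API's filter resource (`criteria` and `action` with `forward`, `addLabelIds`, `removeLabelIds`) and ranks any that forward to an outside address. The sample filters, addresses, keyword list, and function names are constructed; fetching the filters from a live account is not shown.

```python
# Words that suggest a filter is aimed at account-recovery or registrar mail.
SENSITIVE_TERMS = ("password", "reset", "transfer", "authorization", "registrar")


def _criteria_text(criteria):
    """Flatten the match criteria that can carry sender or subject keywords."""
    return " ".join(str(criteria.get(k, "")) for k in ("from", "subject", "query")).lower()


def audit_filters(filters, trusted_domains):
    """Return one finding per filter that forwards mail outside trusted_domains."""
    findings = []
    for f in filters:
        action = f.get("action", {})
        forward_to = action.get("forward")
        if not forward_to:
            continue  # labelling or archiving only: nothing leaves the mailbox
        domain = forward_to.rpartition("@")[2].lower()
        if domain in trusted_domains:
            continue
        # The message never shows up in the inbox, so the owner sees nothing.
        hidden = ("INBOX" in action.get("removeLabelIds", [])
                  or "TRASH" in action.get("addLabelIds", []))
        text = _criteria_text(f.get("criteria", {}))
        terms = [t for t in SENSITIVE_TERMS if t in text]
        if hidden and terms:
            severity = "critical"   # forwards recovery mail and hides it
        elif hidden or terms:
            severity = "high"
        else:
            severity = "review"     # external forward, may be legitimate
        findings.append({"id": f.get("id"), "forward": forward_to,
                         "severity": severity, "hidden": hidden, "terms": terms})
    return findings


# Constructed sample filters (not taken from any real account).
SAMPLE_FILTERS = [
    {"id": "f1",
     "criteria": {"from": "support@registrar.example", "subject": "password"},
     "action": {"forward": "drop@mailbox.example",
                "addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2",
     "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_7"]}},
    {"id": "f3",
     "criteria": {"query": "list:dev"},
     "action": {"forward": "me@corp.example"}},
    {"id": "f4",
     "criteria": {"from": "billing@host.example"},
     "action": {"forward": "archive@other.example"}},
]

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS, {"corp.example"}):
        print(finding)
```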

      • Re:Gmail problem (Score:5, Informative)

        by MyFirstNameIsPaul (1552283) <myfirstnameispaul@gmail.com> on Friday December 02, 2011 @09:48PM (#38246642) Homepage Journal
        That article states that the attacker must direct the victim to a site with a malicious script in order to get a Session Authorization Key.
        • by cultiv8 (1660093)
          Quick follow-up, did anyone notice gmail is giving the following message:

          Thousands of online accounts are hijacked every day. If you re-use your Gmail password at other websites, change it now. Learn more [google.com].

        • That article states that the attacker must direct the victim to a site with a malicious script in order to get a Session Authorization Key.

          How hard is that? I have run dozens of websites, and I can get on a first-page google search for some key phrases easily. This is the law of averages: attack _everybody_ and some will fall. If the attacker wants a _specific_ domain, though, that is much more of a challenge.

    • Re:Gmail problem (Score:5, Insightful)

      by HeyBob! (111243) on Friday December 02, 2011 @09:39PM (#38246602)

      Exactly - why are you using a free email account to be the key to owning your domain name? Run your own email server! Become your own registrar - it's worth it if you have a bunch of domains.

      • Re:Gmail problem (Score:5, Informative)

        by tftp (111690) on Saturday December 03, 2011 @01:27AM (#38247618) Homepage

        why are you using a free email account to be the key to owning your domain name? Run your own email server!

        You shouldn't have a contact email on the domain that is being administered. Your suggestion is good only if you have several domains registered by different registrars, and if your email is very reliable (with reverse DNS and such.) Then you can cross-link these records. For everyone else Gmail is a rational choice; it's free, it's reliable, and it's always there.

        • I do not know a single network admin worth a damn that does not have at least 5 non-free e-mail addresses. And you only need 3. And, yes, none of them should be on the domain in question, and none of the mail servers should be with the registrar. Security through diversity.
      • by jtnix (173853)

        There's nothing wrong with using a 'free' email account to register for domain services or any other product or service for that matter. I would however recommend some recursion, i.e. create a unique freemail account with a very high security password and set it up to forward (while still saving emails) to your master email account(s). Of course, it's a good idea to rotate a high security password on your master email account(s) as well. It's not rocket science, it's security. These crafty bastards have

    • by cultiv8 (1660093)
      Really, your comment was moderated as a Troll? Who are these moderators?
      • Re: (Score:2, Offtopic)

        by Mashiki (184564)

        You know, we had a discussion just the other day about group-think and the /. condition [slashdot.org] where people making good comments are shouted down. The GP is yet another example of this.

        • Re: (Score:3, Interesting)

          by headkase (533448)
          I don't even bother to moderate anymore. I read the comments at -1 because that is the only way to combat moderator abuse. It happens too often that you see a completely worthwhile comment moderated -1. Slashdot's game has been fixed. I blame the "Friend/Foe" system: that lets you instantly know whether to mod up/down if you were so inclined.
          • Re:Gmail problem (Score:5, Interesting)

            by houstonbofh (602064) on Saturday December 03, 2011 @02:09AM (#38247836)
            It is only temporary... Go ahead and moderate. Read at -1 and just give points to people unfairly trolled.
        • by jamesh (87723)

          It's at +5 now... what was the problem again?

          • by Mashiki (184564)

            Give it 6 hours for a group of people to throw a hissy fit over what they read, and it'll be -0 troll or flamebait. You know much like how my post is 'offtopic' when it's not.

    • Google say this is fixed.
  • by Nethead (1563) <joe@nethead.com> on Friday December 02, 2011 @09:39PM (#38246610) Homepage Journal

    http://www.wired.com/politics/law/news/2000/01/33571 [wired.com]

    Network Solutions' administrative policies are once again being blamed for Internet domain hijackings that took at least brief control over some major Web domains.
    Beginning Saturday, an unidentified individual began attempts, some successful, to seize control over domains including major Web hosting service Exodus, Web standards body World Wide Web Consortium and Emory University.
    And all the misappropriation required was a simple spoofing of email addresses.

    The only good thing about it was getting my name in Wired.

  • ICANN (Score:4, Interesting)

    by DaMattster (977781) on Friday December 02, 2011 @10:33PM (#38246886)
    Does ICANN offer any assistance with this matter? Can't they just yank the domain back?
    • Re:ICANN (Score:5, Informative)

      by Tacvek (948259) on Friday December 02, 2011 @11:50PM (#38247198) Journal

      ICANN cannot technically do that, since they don't actually control the content of the TLD. The Domain Registry (Verisign) could technically reverse the transfer, but are bound by ICANN policies that likely prevent them from doing anything. ICANN in conjunction with Verisign could get the transfer reverted, but since that requires two entities working in concert, I would not count on it happening.

      Of course the Australian registry could determine that the transfer was fraudulent, and transfer it back to Go Daddy as a registrar (who is bound by contract to return it to the control of Chris Coyer), and provide information about the fraud to the police, but since that is not in their interests, they will never do that either.

      • by Nemyst (1383049)

        It isn't in their interests? Surely siding against the web design community, a very large source of domain registrations, isn't the brightest of ideas?

        • by Tacvek (948259)

          That sort of thing only rarely shows up in the accounting books, and is usually vastly underestimated when it does, so the decision makers only see: Loss of one registration ($x per year) vs status quo.

          Which will they decide is in their interests?

    • Re:ICANN (Score:5, Informative)

      by dissy (172727) on Saturday December 03, 2011 @02:01AM (#38247800)

      Does ICANN offer any assistance with this matter? Can't they just yank the domain back?

      Yup, there is a process for this. Unfortunately a bit slow, but better than nothing.

      The registrar the domain is with now must provide proof the owner submitted it that can be challenged. No proof in 5 days, ICANN reverses the transfer.

      At that point they have two weeks to argue that the transfer was not authentic.
      I believe a court order would cause the action to be taken immediately in reversing it, and ICANN states they will comply.

      http://www.icann.org/en/transfers/ [icann.org]
      All the forms and the policy itself (Items 1-4 on that page) plus some FAQ's that mention this type of thing.

      I've never had to do a transfer dispute, so am not sure if their policy matches reality, but there it is.

  • Helpless? No. (Score:4, Insightful)

    by macraig (621737) <[mark.a.craig] [at] [gmail.com]> on Saturday December 03, 2011 @02:22AM (#38247896)

    ... the registrars seem helpless to do anything about it.

    Not helpless: careless, as in "we couldn't care less". How exactly do these thefts hurt their reputation or profits or bottom line? It doesn't, which is exactly why they don't care. These registrars will continue to not-care unless and until the victims can make the thefts affect the registrars in some measurable way.

    • Re:Helpless? No. (Score:5, Insightful)

      by zyzko (6739) <kari.asikainen@gm[ ].com ['ail' in gap]> on Saturday December 03, 2011 @06:36AM (#38248690)

      I actually prefer them not to care. It seems in this case email was hijacked and GoDaddy is not supposed to deny the transfer if everything is done properly. It is a real pain in the ass trying to obtain a "utility bill" or other "proof" from a $5 / month web service customer when all they want is to get their domain transferred from the previous $15 / month provider (provided of course that the previous ISP who registered the domain was generous enough to put a real owner contact email to whois data...). It *should* be that easy for your average low-cost domain.

      If you want your domain provider to "care" - which in this case is that you get personal service and are not just using automation yourself - you pay (actually GoDaddy also offers phone verification option for extra fee...). If you are bankofamerica.com or microsoft.com you should really take a bit more expensive option - it is not likely that you change your registrar yearly to the cheapest alternative. But if you are a random website (this is the first time I heard about css-tricks.com, I really don't know if they are a big and famous site in the web design field) looking for the cheapest option this is how it should be, because on the other side you have very angry customers complaining that registrars hold their domains hostage; been there in the middle answering to customer on the other side that no, this is not that easy because your registrar requires this and that and I have to bill you by the hour and on the other side having the registrar jump me through obstacle course to transfer ordinary domains by just flagging transfer "suspicious" and everything from first tier customer support is some form of "sorry, I can't do that".

      By the way US registrars - identification by utility bill is something we do not do in Europe - the whole concept is strange, so please do not ask me for my client's electricity bill, they most likely can't provide one.

  • Since it seems accepted by everyone that the domain was stolen and that the crook now wants money to give it back, surely the police can be involved (this is supposed to be what they are there for). The crook wants money, the money needs to be paid into an account somewhere or perhaps one of these money transfer people. Would it be really too hard to finger their thief's collar when he comes to collect?

    • by Relayman (1068986)
      This is a property crime, not a personal one. The police couldn't care less about such a small case.
  • by bryan1945 (301828) on Saturday December 03, 2011 @10:33AM (#38249604) Journal

    You put your domain with a company because they have commercials with big boobs? If you want to "host" something, I'm sure it's more convenient and cheaper downtown.

  • All have the same issue regarding their communications trail.

    Anyone with an account with these people (and have done domain transfers) should check their comms history in their control panel during that time... especially the sent items and the clickable link contained within.

    I've sent plenty of emails to these people, but I've given up. They don't listen.
