
Thief is targeting "Web Design" domain names

Sat, 3rd December 2011, 05:44

A disconcerting story that started with a number of domain holders reporting that ownership of their domains had been transferred to a foreign individual's account. While initially the domains in question appeared to be registered with GoDaddy, there are now indications that the problem could also be affecting domains registered through other domain registrars.

Chris Coyier, the owner of a web design community, had the domain css-tricks.com registered with GoDaddy. It was brought to his attention that the ownership of the domain had been transferred to PlanetDomain. At the moment the "css-tricks.com" DNS nameservers still point to MediaTemple, and the site is still resolving to Chris's website.

Chris has thoroughly documented a timeline of his day researching when and what transpired, as well as possible solutions to resolve the css-tricks.com transfer. It would be difficult to condense the exposé.

Friday 7:30am - Chris found out about all this from emails from David Appleyard. Chris had received no email or phone call verifying the transfer of this domain. The email address in my GoDaddy account was unchanged.
Friday 7:45am - A call to GoDaddy support was not helpful. Was told just to email domaindisputes@godaddy.com (which I did immediately).
Friday 8:06am - I tweeted about the problem. GoDaddy sent me a DM saying to fill out a form, but the form was a 404 page.
Friday 8:30am - Got the correct link to the domain dispute form and filled it out. This included a scan of my driver's license. The website says it will be 3 days for an initial response.
Friday 9:00am - Sometimes a banjo lesson is just more important!

Friday 10:10am - Trying to contact PlanetDomain … No Twitter account.

Friday 10:15am - Got generic email back from GoDaddy:
We have reviewed your claim and we will contact PlanetDomain and request an FOA (Form of Authorization) for the transfer. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back.
If they are unwilling to transfer the domain name back you will need to contact the current registrar or registrant for further assistance.

Friday 11:50 - Just got off the phone with GoDaddy (Tony in domain disputes and Alon in customer service, I think). The current status is that they have already sent a request to PlanetDomain, and the next step is to wait for them to do the due diligence and get back to GoDaddy with an answer on whether or not they will return the domain. This could be a matter of days, or a week (since it's Friday, very likely won't be until early next week). Other facts about GoDaddy:
-So far they have found this has happened to around 12 accounts, all within the "Web Design" genre (so most likely a targeted attack).
-There is no accessible log from with your GoDaddy account to see what/when things happened.
-They do have access logs, but they can't share that information with me.
-The domain was transferred away from GoDaddy the evening of Nov 20th
-They have, but cannot provide me with, the email address used to transfer the domain away.
-GoDaddy confirmed my global account email has never been changed, but it WAS changed for the domain css-tricks.com prior to the move.
-The request to unlock the domain happened on Nov. 14th at 4:30pm Mountain Time.
-Normally there is a 5-7 day waiting period, but GoDaddy offers instant transfer and they remarked that it was unusual that the hacker chose not to do that.
-They confirmed no other domains have left my account.

Friday 12:15pm - I asked VaultPress if they could tell me the IP address of the person who changed the index.php file, but they don't have that information. It might be in my server logs if I have them from that long ago.

Friday 1:05pm - Former employee of PlanetDomain tells me that it looks as if the hacker attempted to remove the nameservers, but the PlanetDomain system for that failed. (This line in the WHOIS: "No name servers present.") The hacker would have to call PlanetDomain to "fix" this, which they have not (thank god).

Friday 5:25pm - About the end of the work day here and heading in to the weekend, so it's unlikely anything will happen until early next week. I'd love to get at least an acknowledgment from PlanetDomain / NetRegistry that they've gotten the domain dispute from GoDaddy. But no such luck.

Presently it appears that 24 domains have been transferred to the same account holder at PlanetDomain. Without actual proof, a common denominator appears to be the use of Gmail accounts by the legitimate domain holders. Many domain registrars associate an email address with the domain, and a transfer request coming from that email address would not raise any red flags.

Hint: never use a free email account to register a domain! The contact email address can be modified in the client area of your domain registrar.

HostJury will continue to update this post as more information emerges.

css-tricks.com - Originally at GoDaddy

Domain Name: CSS-TRICKS.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: ok
Updated Date: 21-nov-2011
Creation Date: 04-jul-2007
Expiration Date: 04-jul-2019

Designshack.net -

Domain Name: DESIGNSHACK.NET
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 20-nov-2011
Creation Date: 05-may-2008
Expiration Date: 05-may-2013

KIRUPA.COM - Originally on NetworkSolution

Domain Name: KIRUPA.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: ok
Updated Date: 30-nov-2011
Creation Date: 10-feb-1999
Expiration Date: 10-feb-2016

davidwalsh.name -

Domain Name: DAVIDWALSH.NAME 
Domain Status: pendingTransfer

scriptandstyle.com -Originally at GoDaddy

Domain Name: SCRIPTANDSTYLE.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 20-nov-2011
Creation Date: 18-jul-2008
Expiration Date: 18-jul-2013

sohtanaka.com - Originally at 1and1

Domain Name: SOHTANAKA.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS57.1AND1.COM
Name Server: NS58.1AND1.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 23-nov-2011
Creation Date: 12-apr-2005
Expiration Date: 12-apr-2013

instantshift.com - Originally at GoDaddy

Domain Name: INSTANTSHIFT.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 20-nov-2011
Creation Date: 21-aug-2008
Expiration Date: 21-aug-2013

shiachat.com -

Domain Name: SHIACHAT.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Referral URL: http://www.planetdomain.com
Name Server: No nameserver
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-dec-2011
Creation Date: 26-mar-2000
Expiration Date: 26-mar-2013
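As an added example (not code from the HostJury post, from any of the affected site owners, or from any registrar), the script below parses WHOIS excerpts in the "Key: Value" format shown above and flags the indicators that mark the records in this post: a registrar that differs from where the owner registered the domain, no clientTransferProhibited lock, no delegated nameservers, and a recently changed Updated Date. The sample records are abridged copies of the css-tricks.com and shiachat.com excerpts; the expected registrar and nameservers are the owner's own knowledge, taken here from what the post says (css-tricks.com was at GoDaddy on MediaTemple DNS; the post gives no original registrar for shiachat.com, so that check is skipped). The 30-day "recent update" window is an assumed threshold.

```python
"""Flag domain-transfer hijack indicators in registrar WHOIS output.

Added example; not code from the HostJury post or from any registrar.
Assumed: WHOIS text is 'Key: Value' lines as in the excerpts on the page,
and the owner knows which registrar and nameservers each domain should have.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Sample records: abridged copies of the WHOIS excerpts quoted in the post.
SAMPLE_WHOIS = {
    "css-tricks.com": """\
Domain Name: CSS-TRICKS.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: ok
Updated Date: 21-nov-2011
Creation Date: 04-jul-2007
Expiration Date: 04-jul-2019
""",
    "shiachat.com": """\
Domain Name: SHIACHAT.COM
Registrar: PLANETDOMAIN PTY LTD.
Whois Server: whois.planetdomain.com
Name Server: No nameserver
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-dec-2011
Creation Date: 26-mar-2000
Expiration Date: 26-mar-2013
""",
}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Group 'Key: Value' lines by lower-cased key; Status and Name Server repeat."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def whois_date(value: str) -> date:
    """Registrar dates in the excerpts look like 21-nov-2011."""
    return datetime.strptime(value, "%d-%b-%Y").date()


def check_domain(fields: Dict[str, List[str]], expected_registrar: Optional[str],
                 expected_ns: Set[str], today: date, recent_days: int = 30) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    registrar = fields.get("registrar", ["<missing>"])[0]
    if expected_registrar and expected_registrar.lower() not in registrar.lower():
        findings.append(f"registrar is {registrar!r}, expected {expected_registrar!r}")

    statuses = {s.lower() for s in fields.get("status", [])}
    if "clienttransferprohibited" not in statuses:
        findings.append("no clientTransferProhibited lock set")

    # 'Name Server: No nameserver' is a placeholder, not a host: keep only dotted names.
    ns = {n.upper() for n in fields.get("name server", []) if "." in n}
    if not ns:
        findings.append("no nameservers delegated")
    elif expected_ns and ns != {n.upper() for n in expected_ns}:
        findings.append(f"nameservers changed to {sorted(ns)}")

    updated = fields.get("updated date")
    if updated:
        age = (today - whois_date(updated[0])).days
        if 0 <= age <= recent_days:
            findings.append(f"record updated {age} day(s) ago")
    return findings


def audit(today: date = date(2011, 12, 3)) -> Dict[str, List[str]]:
    """Run the checks over the sample records with the owners' expectations
    as stated in the post. None means the original registrar is unknown."""
    expectations = {
        "css-tricks.com": ("GoDaddy", {"ns1.mediatemple.net", "ns2.mediatemple.net"}),
        "shiachat.com": (None, set()),
    }
    report: Dict[str, List[str]] = {}
    for domain, text in SAMPLE_WHOIS.items():
        exp_reg, exp_ns = expectations[domain]
        report[domain] = check_domain(parse_whois(text), exp_reg, exp_ns, today)
    return report


if __name__ == "__main__":
    for domain, findings in audit().items():
        print(domain, "->", findings or ["no indicators"])
```

Run against the page's own excerpts dated 3 December 2011, css-tricks.com is flagged three times (registrar, missing lock, record updated 12 days ago) while shiachat.com is flagged for the empty nameserver delegation and a one-day-old update. Note that several of the hijacked records above already carry the clientTransferProhibited lock at the new registrar, so the lock check alone is no proof of safety; the registrar comparison against where you actually registered the domain is the decisive one, which is why the owner's expectations are an input rather than something read from WHOIS.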
