Getting a stolen domain back

It appears that the person or persons who for a while took over direction.com are also hackers. A Google search recently made me aware of a defacement of persianwhois.com (captured by h-zone.net). It appears that sillworks4@gmail.com is operated by a hacker or hacker group called OurQuest - and for some reason the city of Shiraz is mentioned. Here is a screen dump of the defacement:

The text at the bottom is written in Iranian slang. It says something like: “What you are up to is queer and childish, you should rather go for the money.”

It looks as if social engineering - that is: tricking people - is the easiest way for someone to steal a domain name. From the owner of sweet.com I received an email sent from sillworks4@gmail.com in which the sender pretends to be the legitimate owner of the domain and tries to trick the ISP to set up a forward in order to gain control over the domain.

I assume this was the method used also when our domain - direction.com - was stolen in late 2006 by someone operating also from sillworks4@gmail.com (and stillworks20@gmail.com). Here is how the email reads:

Hello Dear,

Thanks for nice services and support,

I’m tried many time to set mail forwarding for my email account, but page will not load after click on Submit button for set mail forwarding!!!

domain: SWEET.com

Tried to set: xxx@SWEET.COM forward to sillworks4@gmail.com So, Please check it and try to set this mail forwarding….and send me note when you have done it.

[the name of the administrator of sweet.com]

Thanks Again

The other day I got a call from a local Danish police officer. This was nine months after I reported to the Danish National IT Crime Investigation Unit (NITEC) that our domain, direction.com, had been stolen. The local officer to whom the case had been referred was kind of sorry to say that he would not investigate the theft and that we would have to recover any losses through civil proceedings.

I explained to him that my counterpart was unknown so it would difficult to initiate proceedings - and that we luckily had recovered the domain through arbitration. In the end he said that his decision mainly had to do with the fact that IT crimes in Denmark are referred to local police authorities and that he did not have the necessary resources and tools to investigate the case. So the costs of him investigating the case would not be justified by the possible benefit.

I told him that my main reason for reporting the theft was to obtain peace of mind and to at least do something, and also that I knew that local police cannot do much when crime goes global - and that my hope is that there some day will be adequate resources for some kind of police force that is able to track IT crimes across boarders. As of now, criminals are far ahead of law enforcement … good for them, bad for the rest of us …

On feb. 1, New York Times had a good article describing the development of the domain name industry - and the economic incentive for stealing domain names.

Recently I was interviewed about how our domain was stolen and how we got it back. You can hear the interview as a podcast from VTalkRadio.

Today I corresponded with Enrico Schaefer from Traverse Legal, a law company in Michigan that specializes in among other things domain theft. He wrote to me that the experience we had is common.  I didn’t hear anyone say that so clear before and it confirms that we are talking about a systemic problem which ICANN and registrars should address.  Check out his recommendations on how to protect domain names, he sees all the kinds of trouble people are getting into. Also, Wall Street Journal on September 25, 2007 ran an article with the headline Web-Address Theft Is Everyday Event. In the article, Bob Parsons, chief executive officer of GoDaddy.com says that hijacking occurs daily and that the frequency has increased as Internet use grows.

Here is a simple fact: Your (valuable?) .com/.org/.net domain is only as secure as your mailbox. ICANN does not write this in their regulations but if you boil it all down, that’s how it is. Anyone who can hack your mailbox will be in control of your domain name. I wonder what exactly the companies with hugely valuable domain names are doing. I looked up who is taking care of google.com - and this nice little job is taken care of by markmonitor.com. Dropped them an email to ask if they could help me. Got no answer. Called them by phone, and yes, they could help if we had 100 domain names or more. I didn’t ask about the price. They probably have very good security. But why doesn’t ICANN stipulate that everyone who owns a domain name should be able to buy higher security as an option?

Facebook now asks me if I’m sick and tired of their antispam feature with the curly letters with lines through - and they propose that I authenticate my identity through an sms with a code they send to my mobile phone. That’s the kind of simple trick that ICANN could demand that all registars implement. As long all the security around domain names are running through only one rather insecure channel (our mailboxes) we will keep seeing a rise of domain thefts based on identity thefts. Why doesn’t ICANN change its policy?

My name is Bjørn Kassøe Andersen; founder, owner and leader of Direction, a management and communications consulting company based in Denmark.

In November 2006 the domain name we use for our English language website, direction.com, was stolen. To our surprise, ICANN’s general domain name regulations were of no help getting it back. On this website we describe how to prevent getting your domain stolen - and what you can do if it should happen to you. We welcome your comments. Here is a link to the rss feed with new entries from us and here is the rss feed with comments from others.

Leave a comment.