This is some pretty scary stuff.
REALLY SCARY stuff and its happening to domainers
Identity theft, impersonation, and if one victim is correct, there is a thief among us, someone with a lot of knowledge about the domain industry, how the business works, who the players are.
Dr. Chris Hartnett is here to warn you.
Dr. Chris Hartnett, is no ordinary domainer.
Dr. Chris is a member of the Domain Hall Of Fame, and was the subject of A Cover Story by Ron Jackson’s DnJournal.com back in June 2008.
This week he was the victim of identity theft at NameJet.com.
Here the REALLY scary part:
Dr. Chris says It hasn’t been the first time.
He thinks he was targeted because he is in the domain business.
and he is warning it could happen to you.
Lets review what we know.
On the morning of September 30th I got three separate emails from three separate people that watch the NameJet.com auctions all letting me know that several domains had been put back into auction due to a non payment with the bidder ID: bidder9999, which these domainers associated with Dr. Chris.
The domains effected included Solars.com which “sold” for $6,100 on September 21, TradeWire.com which “sold” for $4,600 and W3W.com which sold for $3,200 on September 23rd.
These weren’t the only domains “won” by that bidder ID, but these totaled almost $15K in bids alone.
The emails I received from the concerned domainers all suggested the same thing.
Dr. Chris “used to have money” what happened to him that he can’t pay for his auctions.
In the business world about all you have is your reputation so I immediately wrote to Dr. Chris and the GM of NameJet.
Here’s the bottom line
Someone set up an account at NameJet.com in Chris Hartnett’s name, furnishing NameJet.com with a North Carolina’s drivers license, with Dr. Chris’s home address but with a different picture.
This person then put in stolen credit card numbers into Namejet.com system to pay for his purchases.
Some of the purchases went through, and the domains we transferred to the fake Dr. Chris Harnett account so that the whois of these domains now reflect the owner to be “Hartnett, Chris”.
Other domains won by auction under this bidder id were not paid for, some where over the credit card limit of $5K set by NameJet.com, like Solars.com.
Namejet.com has had a policy since its inception that any auction ending in $5K or more had to be paid by wire transfer.
Other NameJet.com bidders were pushed up by the bids placed by fake Chris bidding account in some cases by increasing their bids by thousands of dollars.
At this point Namejet.com recognizes that the fake Chris account is just that, a fake account set up with fake Id and stolen credit cards.
NameJet.com will be commenting on this story later sometime today and I will let them figure out how they are going to handle the effected bidders.
Back to the REALLY scary part:
This is not an isolated instance.
This is one of several identity fraud situations Dr. Chris has faced over the last few months, including the loss of a few of his domains (still unretrieved).
In Dr. Chris own words, he details what has happened to him:
“So far over the last 6 months they have hacked into several registrar accounts where my domains are kept.”
“The hacker put a Key Logger on one of my computers that watched every word I typed.”
“Then he got into all my email accounts (5) and changed the forward to his hotmail email address and when I was in one of the accounts just as they were changing the email forward address they knew then that I was on to them.”
“So within minutes I received an email stating that they “owned me” knew where I lived and they had control of my life. They said if I wanted them to leave me alone I had to transfer these 3 major domain names I own to them within 24 hours.”
“I was in Vancouver at the time and the head of security at a major registrar told me I couldn’t get back into my account because I wasn’t Chris Hartnett. He said that he had talked to Chris Hartnett a number of times over the last few weeks and I wasn’t him. He said he had a photo copy of Chris Hartnett’s North Carolina drivers license in hand. I said, “really” how old is Chris Hartnett? He said, “37”. I told him I was 56 at the time and asked him for his email address and I took a picture of my drivers license and my passport and emailed it to him with another picture of me while I was on the phone.”
“I told him to Google me and see if I am 37 or 56 and gave him my hotel phone number in Vancouver to call me back through the switch board. He called back and apologized and put a hold on my entire account and 15K domains.”
“There were 380 of my best domains scheduled to be transferred out within the next few days. I lost 3 domains in the process, the rest were saved. By the time I figured what was gone, all three were flipped and purchased at auction or sold privately for pennies on the dollar within days.”
“The hacker sent me an email calling me “a stupid asshole” for not checking my accounts in over three weeks. He probably had a point but I wouldn’t have put it that way.”
“I had a old employee of mine who could hack into anything on earth spend the next three days getting my life back for me. He told me that this crook was very very good and he had also loaded three, not one but three Key Loggers on my computer and he knew every word that I typed, probably for months.”
“This crook is obviously a domainer because he is all over our space.”
“Last week a got a letter from a guy who wanted a domain name I owned. It turned out I didn’t own it but the domain was using my whois info with a different email address but my home address here at heavenly mountain.”
“These guys are slick.”
“Let’s say they somehow get a key logger onto one of your computers. (very easy to do.) They quietly watch what you are doing.”
They see you log into one of your domain accounts by watching every keystoke you make over a few weeks. ”
Now they can hack into your domain account when you aren’t looking. Quietly over a few weeks or months they go into your account and they look at all your domains.”
They pick some good ones but not great ones that you wouldn’t instantly miss and steal some of the good ones.”
They transfer those name out quietly and they change the email forwarding address on your account long enough so that they get the transfer notice and not you. They then switch the forwarding email back to you as soon as the notice comes from your registrar saying that you have transferred out a name or changed the email address or something like that. Now they have got your name and you may not notice that it is even missing from the account. (which is what happened to me)”
“They change the whois info on your stolen name to my name and address (Chris Hartnett’s) and open an auction account, put up a valid yet stolen credit card on that new account and they start auctioning off names for a few hours or days. Eventually they sell something and take the money and run.”
“This guy probably figures that he can’t get cash or gems or gold on the internet but if he targets a domainer and gets control of his accounts, he can transfer out domains, put them up for quick auction, get the cash out that way.”
He also is using my name when he wants to auction off an important domain because he figures it is believable that I would own such a name.”
“A few weeks ago John Mauriello from SnapNames/Moniker called meto see why I hadn’t paid an invoice for $35,000.
“For what I asked?”
“He said because I had sold the domain, Prince.com privately but I signed a 90 day exclusive with Moniker and the domain was in the August Showcase auction.”
“I told him I never owned that domain name.”
“This person put the domain up for auction using my name”
“John apologized for the mistake”
“Bottom-line. There is a very very very smart thief amongst us and we should all beware.”
Thanks to Dr. Chris for bravely telling his story.
As domainers we are particular in danger of identity theft.
We have a LOT more at stake than most people, assets that are protected only by log in access to registrars accounts and those other companies in the domain space.
So we have someone or a group of people who are pretty brazen.
Fake Id’s
Stolen credit cards
and I have been told by mulitple parties he has no problem getting on the phone to assert that he is the person he is pretending to be.
Scary
Be careful out there.
Correct me if I’m wrong, but shouldn’t the FBI be involved with this type of theft?
This is one reason i really love fabulous’ keyfob or whatever its called, no one can login to my account except me because I have a device that verifies my fingerprint each time i login.
Very scary stuff. This is why the “VeriSign Lock” system is so important (or alternatively other “Executive Lock” systems) for valuable domains, and why one should be on a first-name basis with one’s registrar.
David
If it happened to myself I would have contacted them.
It also happened to me. Donny over at Parked notified me that someone used my SS and name to register with them. Luckily Donny figured it wasn’t me. Also with credit card theft they are using whois info to defraud knowing it has to be accurate information of our domains. I’ve contacted the FBI several times but I think this stuff is either over their heads or budgets.
This is frightening stuff, particularly considering that this is not a work-free industry. I’ve worked very hard for what I have, and to lose it to some slinky like this would really send me over the top (as I have a pretty strong temper). This should be discussed at the coming TRAFFIC show in Miami, like an urgent, last-minute session or some kind.
Danny
The more I learned about this the scary it has become.
I agree, it a HUGE issue and should be addressed at TRAFFIC
I was thinking the same thing. This isn’t petty theft, this is a HUGE deal and the FBI should have certainly been called. I have to admit I check my computers constantly for key loggers. It’s my biggest fear. Thanks for sharing
I’ve been using a USB storage device with a password vault and it even has a virtual keyboard to prevent key-logging. I never login to my accounts without it. There are many on the market, this one is called IRONKEY. Works great. If more than 10 wrong attempts are made to access the device it self destructs.
“…assets that are protected only by log in access to registrars accounts…”
How many assets in the world are little more than some numbers on magnetic disks?
Many of the systems have been…”made up as people went along”.
Life was better and MORE SECURE before ICANN when people connected directly to the Registry. It is ironic, the .COM Registry was in the process of adding Premium Access for Volume ISPs when the Registrar (retail) model arrived and was imposed as… better. Prior to that, it was largely b2b mailing of checks.
The .COM Registry was somewhat lax because their product cost pennies to
manufacture and they sold it for $35.
With the new DNS, your names are burned into boxes you can hold in your
hands. No box, no ownership. Steal the box, they steal something you can
touch.
Or you could just get a Mac
By the way…”on contacting the FBI…”
…
past experiences show…the FBI will likely tell you two things…
…
1. This is the jurisdiction of the U.S. Secret Service
…
2. The FBI will also likely tell you to “find a different (more secure) business”
Lots of damage done here and not to just one guy.
One of my sources said the fraudster picked off about $60k worth of auctioned domains at namejet. Those were just the ones bidder999 won. There were several bidders who paid “overages” on names that bidder9999 ran up and they ended up buying. Namejet has issued refunds on these auctions to the affected parties. Lucky for them he was caught, not so lucky for namejet.
Dr Chris, why don’t you use a good registrar like nameview lololol
NameJet takes the issue of fraud very seriously. We are working with the individual customers that were affected in this incident to complete the necessary refunds for overpayment. We also have implemented additional monitoring practices to detect and avoid this type of fraudulent activity in the future.
Didn’t sex.com get stolen during the “better and MORE SECURE” time period ? maybe not
Mike have actual domains been stolen from Chris ? What registrars ?
Adam
My understanding is yes, he has domains that have actually been stolen, gone goodbye
Domainbank.com which is now owned by Dotster and Enom.com are the 2 he mentioned to me
“As domainers we are particular in danger of identity theft.”
You can thank ICANN’s WHOIS Community (Policy Groupies).
Many members of “The Community” do not own any domain names.
They just like to make policy for other people.
One of the founders of ICANN did not even have a PC at home.
She imposed her view of the way the industry should be structured, and that was that. That was the main entry of the plastic Credit Card vendors into the .NET.
Many domain policies are tied directly to Credit Card charge-back policies.
People tried to ride on top of the existing fraud systems in place. It was a cheap
way to structure policies.
The big problem, happening over and over is that people with no clue or no skin in the game are allowed to dominate the policy making. The Community thinks that is so cool, so open, so transparent. They could not care less how dangerous that is.
Michael – thanks for bringing this to light.
I myself had several domains stolen from me (3 letter .com’s) in the last 12 months. Both times it was because of key loggers.
This is very scary stuff and unfortunately, if the thief is international as I believe he is in this case, there is very little you can do about it.
Look at Warren Weitzmann – he is still fighting to get his names back which were stolen 2 years ago.
I AGREE 100% – THIS NEEDS TO BE A SERIOUS TOPIC OF DISCUSSION AT TRAFFIC.
Also – this industry is in great need of some form of title & insurance company to protect those of us who derive our whole livelihood from this business. To think that you could wake up tomorrow and have NOTHING because of some hacker is a horrifying reality.
I went through this recently, luckily my identity wasn’t stolen at least i don’t think it was but someone hacked into my moniker account and pushed 10 domains. Luckily for me a friend had notified me that someone is selling one of my domains on dnforum, had i not been notified i would of never gotten my names back. I was also disturbed as to why i wants notified via email by moniker that a domain has been pushed.
this is some scary shit.
BTW how do I do check for key loggers on my computers?
This has happened to him before and he doesn’t have the security to prevent keylogger software?
and “They said if I wanted them to leave me alone I had to transfer these 3 major domain names I own to them within 24 hours.”
Even the dumbest criminal wouldn’t put blackmail in writing in an email, would they?
Sounds too bizarre.
Put domaintools.com alerts on all your domains so you’ll get an email when something changes.
Sure, this can happen to anyone but sounds like he needs to be a bit more vigilant protecting his property. He does lock his doors when he’s not home, right.
Lock down your computer with secure tools and passwords and monitor everything.
Maybe this is a good lesson to the domain community.
@Adam
“Didn’t sex.com get stolen during the “better and MORE SECURE” time period ?”
Yes, good point. There is more here and in many articles and even a book.
en. wikipedia. org/wiki/Sex.com
…but, IF artificial scarcity had not been used to herd people into .COM the value of SEX.COM may not have risen to a point where a person would jump through hoops to transfer it away. Note, it took work. “misrepresentation, using phone calls, e-mails and forged letters.”
In 1995 the policies were not perfect, they got worse with ICANN in 1998.
What are the best and most effective ways of both detecting and protecting against “Key Loggers” …especially those that can observe/record essentially everthing you type on the keyboard ???
1. was he not using windows?
2. was he using whois privacy?
not to imply either would stop someone who is determined, but these factors could slow him down.
i’m also troubled by some of the public registrars who seem to put convenience first and security second, e.g., they use windows servers. they’re making it very easy for thieves. add in the level of social engineering described here, and these registrars are really the weak link, no matter how diligent the domainer. not putting blame on them (it’s the thieves who are to blame), but just saying… be careful.
Wow, I really, really feel for this guy but seriously…Hotmail? Keyloggers?
Folks if you deal with anything of value online get a Mac or other non-Windows OS and avoid all Microsoft products like the plague. Especially Hotmail and Windows.
Mac + Firefox + non-free email + a serious registrar + common sense. It’s as close to safe as you’re gonna get.
Net
Get a Mac
@Adam
“Didn’t sex.com get stolen during the “better and MORE SECURE” time period ?”
===
Another topic to note about the 1995 time-frame was that the U.S. National Science Foundation had structured “the domain industry” as IS-RS-DS.
InterNIC = General Atomics(IS) + Network Solutions(RS) + AT&T(DS)
That had THREE companies running the BackOffice. (The Registry)
Network Solutions (before Verisign) nudged General Atomics out of the deal.
NSI was working on AT&T which was largely asleep on the job. The U.S.
Department of COMmerce stepped in and took it all away from the NSF
and imposed their business model. A few clueless people developed it.
As people saw in the RegisterFLY debacle, domains were trapped and lost.
The 3-way model makes it very hard to “steal” domains. The IS-RS-DS model
was never really given a chance. Control freaks wanted it their way.
using windows to connect to the internet (as either client or server) is just asking for trouble.
i would guess that many domainers and registrars still prefer to use windows desktops. i see that many registrars use windows servers.
this is troubling.
because it is no doubt it is enticing for capable thieves. windows makes it far too easy for them.
are there any registrars that do *not* use windows?
Thanks Mike for putting the word out there so more people aren’t victims of this sort of thing.
David, my dad, William F. Hartnett spent five years in the FBI as a special agent when I was younger so I have a great deal of respect for the agency and its people on many levels but they just don’t have the bandwidth to follow up on this sort of thing at this level. If we added a few more zeros (Translate: if I had better domain names :)) or someone was in immediate physical danger, they would be all over it. There was an attempted kidnapping of my eldest daughter back in Chicago in 1980 when I was in the gemstone business and it was the FBI that uncovered the ring that was responsible and it was the FBI that saved her and put our lives back together. As devastated parents at the time, my wife Linda and I will always be grateful for their extraordinary and immediate help and service. We are turning everything over to the FBI and it is being investigated along with some other events and breaches that were not mentioned in the article to protect the innocent and the investigation. Make no mistake, these guys will be caught but there is still homework we can do from our side.
This being said, a great deal of this was my fault. I was so busy working in Vancouver during that time, I hardly ever had time to check my domain account for weeks on end and I wasn’t being super careful like I normally would have been. I left the door to the vault wide open. Obviously I was shocked when the head of security at this one registrar told me I wasn’t myself. That is pretty freaky when they are so bold that the crooks have a better speaking personal relationship with the head of security at your registrar then you do. (Got to hand it to them, they have big cahoonas.) Again, my fault to “some” degree.
Everyone is calling and emailing me as a result of this article and they want to know the names of al the registrars that were breached. Put the rope away gang, it isn’t time to hang anyone quite yet. Let’s clean our own house first. Believe me, this was my poor luck or bad karma so to speak but this could happen to almost anyone. I blame myself not the registrars. On the positive side, it didn’t happen to two of my domain accounts nor did I lose any premium DOT TV names. (Hint, hint) so we know that some of these registrar’s have their acts together. Yes, some of those DOT TV’s are worth money and people do want them even if the crooks don’t yet appreciate the virtues of DOT TV’s. 🙂
But as Michael has kindly said here, we have been warned and now it is up to us to lock things down. What more valuable thing can you steal on the internet today than a domain name? Not many things I can think of. This dude is still out there in our industry hacking as I type (and probably a great deal faster) and he is not alone. We are on their radar folks and they found us. Now that I have shown them how stupid domainers can be, let’s work together now and show them how smart we really are and make these pirates really work for their booty. Let me know if I can help any of you in any way.
Thanks Michael, Steve Heflin (Never lost anything under your watch Steve but thanks for the help today), NameJet, SnapNames, Moniker and all those great companies that have helped us piece this whole thing together.
See you all at TRAFFIC next week and I will be the one packing the gun and with the body guards. I’m trying to talk my wife into letting them be blonds. Judy, I need my wing girl. And Bandit, tell your banditos to back off or we are going to throw them to the dogs. 🙂
“What more valuable thing can you steal on the internet today than a domain name?”
===
There are likely “more valuable” things… eGold accounts for one… but, domain names have the unique property of being somewhat “traceable” ?
It is not like a Mona Lisa, where someone takes it to hide it and sit in their house staring at it.
Also, if someone steals your car keys, they have not stolen your car. If you leave your keys hanging in the car, then it makes it easier to steal both at the same time. If they steal your keys and now you have to call OnStar to open your car,
that could be an adventure. If there is no pre-arrangement for you to convince
OnStar you are the owner that can be a problem.
The IS-RS-DS model was never really given a chance. There are now better
systems coming, once ICANN gets out of the way.
@ MHB
Oh…. I see you really like da MACs !
How bout “Key Logger” tips for us HP/PC mortals — Anybody !
I came reasonably close to getting a MAC last month when my hard drive on my deaktop got is’s arse kicked permanently during a power outage zap (had a surge protector)…. but one of the reasons I did not put the Apple on my plate was breakdowns/bugs/compatablility problems conveyed/disclosed with some online/remote connectivity during “Live” domain auction platforms…and some other venues…….not trashing the MAC here…. just my “alibi” for not getting one this past month.
Tips from me (do your reseasch though) :
Use Roboform, once you type the initial Roboform password nothing is typed to access password protected area, done automatically by Roboform with a click. Nothing typed means nothing captured.
Use Keyscrambler
Use Zemana
I also use Fabulous.com and have privacy on.
I just change all my pass codes this weekend.
Including,isp,registers,etc
Looks like we wil all have to do this weekly until it handle
Thanks Mike for this Info
Please dont laugh
What does everyone think about having 1 computer you use only to log into registers. Maybe even a dial up modem?
I think this is the most shocking news ive ever read in the domain business.
Thank You very much MHB for posting this news. I will always consider these things in order to be safe.
@MHB what about iPad ?
doug: only a fool would laugh. if you are thinking he picked up the keylogger from an email attachment or accessing some site other than the registrar, i agree.
there are keyloggers for all os types, but i’ll bet he was using windows, where it’s extraordinarily easy to hide stealth software (whether on disk or in memory). if you must use windows to access the internet consider running it from read-only media like a cdrom. if that’s not feasible, then consider running your os in a virtual machine. if that’s too technical, then consider periodically wipe your disk as best you can, and reinstalling windows, which incidntally will give you an immediate performance boost. at the very least you can make the malfeasor’s work a little harder.
also consider not using a browser that runs javascript except when you absolutely must. javascript can do almost anything. all the malfeasor needs is for you to access the webpage.
with no javascript it’s much more difficult for anyone to manipulate your machine from just using the web. they have to trick you into willingly executing some file.
life does go on without windows and without javascript (and even without flash). they are not essential. there is a lot of misinformation that suggests otherwise.
Good work Mike and thanks to Chris for his openness and timely warning….ggg
You all need to get a Mac for your security access. I would NEVER access my stuff online without one. Last time I got a troj or vir was 1998 dudes.
I have a Mac Mini running Vistashitsa, it’s banished to the corner of the office where it belongs, the only time I use it is to test my dev sites with crappy IE. Otherwise I have absolutely no use for a PC “Prehistoric Contraption” aka “Pile of Crap” or whatever you unfortunate people call them by..
Aaaa.. life is good.. 🙂
The PONE runs Linux and has been designed for Domaining.
It comes from the PONE COmpany.
i have a thought on this. my credit union uses a system that notifies me via a text message to my cell phone every time there is a login to my online account. obviously, if i get a text message that my account was just logged into, i know if it was me or not.
maybe this would be a good idea for registrars to start implementing. i presume this would be impossible for the thief to circumvent, since even if they hacked in to your registrar account and attempted to change your cell phone #, then a) you would have already been notified of the initial login, and b) i presume you would have to phone verify any change to your phone #, which would not be possible for the scumbag to do.
would this not be an elegant solution?
“This is some pretty scary stuff.”
If you think that is “scary” try running a large ISP in a major city.
Looking at the upcoming T.R.A.F.F.I.C conference, it is great to party but that
is the last place one should TRUST anyone or the WIFI or network. Would
you bring a bag of diamonds with you and toss them on the table for all to see ?
The T.R.A.F.F.I.C conference also seems to be devoid of any serious talks about
the realities of the NEW DNS. THAT !!! is scary !!!
@Mike Curving
Good idea but bare in mind SMS notification is expensive to run especially if it’s worldwide. You’ll probably find that registrars would need to cover their costs making it an optional paid security system for end users.
I just went through a hacking experience recently with an expired domain name, and the hacker tried to offer to sell me the expired name, which I did not care too much about, I had only registered it to use for DNS not cause it was a “good” domain name…
http://www.dnforum.com/f26/domain-thief-okan-dogan-thread-432804.html
I never had any reply to my thread so I assume no one is interested in such cases anymore.
In the past I have had experiences with thiefs that toke domains in various ways, stolen credit cards, expired domain names, stolen credit cards in paypal accounts, an I even toke down a spammer for a while once, or at least I made his operation a lot harder then it had been before.
One guy just told me he was using my names to create accounts on gold key and DS in the last few years, and then using those accounts to do click fraud using a bot network. He also told me some domainers started being his partners in this scheme to rip off the parking industry. No wonder my goldkey account was banned. I did not know why, but this makes sense now.
Mike I like that, I had that email security feature on in namecheap and that is what notified me that my account was accessed – cause I got the notice via my blackberry’s email system.
T.R.A.F.F.I.C. TO HOLD EMERGENCY SECURITY SESSION AT SOUTH BEACH and Mike Berkens and Dr. Chris Hartnett along with others will be on that panel.
@ Einstein
what happens if they get your main rodoform password. wouldn’t that give someone access to all your passwords?
>Einstein PERMALINKTips from me (do your reseasch though) :
>Use Roboform, once you type the initial Roboform password nothing is typed to access password protected area, done automatically by Roboform with a click. Nothing typed means nothing captured.
>Use Keyscrambler
>
Registrars need to offer 2-factor ID, such as RSA Token or whatever.
COMCAST AGREES WITH HARTNETT – MORE SECURITY IS A MUST
Comcast is instituting a new program to identify computers that are susceptible to identity theft. read the whole article at HowardNeu.com
The best way to protect yourself from keyloggers is to get a secondary netbook and only use this netbook to login to registrar accounts or make DNS/Contact updates. I never combine the same computer for daily use to the ones which I enter in sensitive passwords which aren’t tied together with some kind of encrypted keyfob or rolling password.
To any domainers that have been hit with key loggers… get together and communicate amongst yourselves. There is some site you have all been to that has tricked you into downloading something. Or there is an email that has tricked you into uploading something.
There is a commonality. Find it.
As for the FBI… a bigger bunch of do-nothings you will not find on earth. I have been the victim of online theft across state lines on several occasions, and they do nothing.
They won’t take a report, they won’t take action, and spend their phone time debating with you that you should take your complaint to local police departments, who also do nothing.
I hope this guy gets caught and put in jail where he belongs, but he has a consequence-free license to steal.
This is just the dirty little secret that so many DON’T want to talk about. Mostly registrars and auction houses. They NEED to be part of this panel. They NEED to be out front on this. They NEED to do more. They NEED to listen to their own customers or somebody will come and SWOOP them away!
Maaan, I gotta feel for ya.
had some jerk lift 16k from my account once (got it back 6 weeks later)
he’s not a hacker, just a criminal as most decent hackers will move on once they have cracked your computer.
its quite easy to track them down and turn the tables as he wont see it coming and will make a mistake at some stage.
run a program called ‘malwarebytes’ once a week (over night) seeing that im sure the domains that you own are worth 10minutes per week to keep sensitive information protected on your computer.
hope things work out for you.
“what happens if they get your main rodoform password. wouldn’t that give someone access to all your passwords?”
Yeah, but not with a keylogger. It needs to be a specific trojan done for that (look at roboform dir, steal, email etc)
But, you can type the roboform password on the screen, no typing.
And Keyscrambler works as well, the keylogger will see something like hjhd$5784
I have the DTVS (Domain Transfer Validation Service) at GoDaddy. It’s great. All domains are on lockdown with this system.
Every domain transfer requires my rep to call me on the phone and I have to give him my secret code I have written on paper only. My GD rep also knows my voice and, obvioulsy, calls me on my phone number. That’s a pretty tight system.
I don’t see any way I can be robbed of a domain with this system. I’m kind of surprised nobody has mentioned it yet.
Also, add keystroke logger software to this mix and I think I’m safe.
Somebody tell me if I am wrong here. 🙂
BTW……the DTVS service at GoDaddy is free. I believe it is available only to Executive Domains Department customers, but most of us reading this are at that level anyhow so that should not be a problem.
Not sure if anything like this is available for the PC but there’s a utility for Macs called LittleSnitch. It monitors all outgoing TCP/IP connections and alerts you when an app is trying to “call home”. You can allow/disallow the connections “like browsers email, FTP apps etc” so after a while it builds a profile of safe apps on your machine. Whenever something new is trying to communicate it alerts you immediately..
I am almost positive someone is masquarading amongst the domainers on FB. I have patterns I have detected that involve spam. Watch out for FB apps.
Lock down at the registrar. Know your account rep.
There was a problem with a .com on Namejet and they reauctioned it. This is the last bid on the first auction;
bidder9999 $6,548 Sep. 22, 2010 12:35 PM PT
Then went to re auction and was won by po3kjd5nf4b which doesnt look like a real bid name and domain hasnt been transferred yet.
Faris
No one has mentioned the money trail the money went some where didn’t it .. when the thief sold the names by whatever means the auction company paid him the money where did it go who did it go to ? ..there is always a money trail .. auction companies dont pay via western union they pay by cheque or maybe wire transfer .. they dont pay via paypal for large amounts .. railex in denmark forwards western union funds to Iran the old domainstate.com carried a front page warning of domain thefts and the precautions to take .. thats no longer there .. follow the money and it will eventually lead to the thief .. Dr Harnet needs to reveal more info to the masses here because there is nothing new to be learnt here it’s just a wake up call on the same old story it’s happened many times before and it will happen many times again.
T.R.A.F.F.I.C. TO HOLD EMERGENCY SECURITY SESSION AT SOUTH BEACH and Mike Berkens and Dr. Chris Hartnett along with others will be on that panel.
Great idea. Who better to have on the panel than Dr. Harnett who is in the domain hall of fame for reasons no seasoned domainer can understand and is apparently unable to protect his own computer or his domain names. As well as being a domain expert he’s now a security expert. The business gets more and more humourous all the time. More pigeon poop.
Doctor
I assume Mr. Hartnett will be on the panel to tell his tale besides those who are victims of crimes can usually tell you want not to do.
Hopefully we will have people on the panel with answers
Registers should consider using a login system like OpenID that works for multiple websites using the OpenID API, yet is far more secure due to the use of images and Q/A rather than just a login ID.
The Lil’ Snitch commenter earlier was right. The lesson to learn here is not that we need to pressure registrars. Moniker and apparently GoDaddy have effective, human communication-based systems that allow you to add a level of security to your domain transactions. There will continue to be a market for discount retailers with nothing but the basics, but we don’t have to use them.
What IS needed here is basic internet safety education. If you make your living online, you NEED to learn about safe computing practices. Blaming others is not effective.
There are programs on all platforms to allow you to setup rules to monitor and restrict outgoing traffic on your machine. Do not click links in email messages, if a service requires it, then copy the link and inspect it before going there. Take time to set your browser default settings. Do not allow sites to download arbitrary code to your computer. Do not depend on malware and virus scanners to keep you safe, they are not proactive. Using a different machine for sensitive sites as one commenter suggested is a fine idea. And so on and so forth. Point is, safe computing is like safe driving – there’s a lot at stake, we should all learn the basic behaviors necessary to do it safely.
The top defense to secure your data must start in the office! You can not rely on the companies you deal with to offer you 100% security – otherwise your totally in their hands..
You need to look at your own configurations and protect yourself against fraudsters with TROJANS. If you’ve done so “and you can do this easily with small utilities like LittleSnitch”, then anything beyond your configuration can be blamed on the companies you deal with.
Unless of course, someone who knows your login want’s to have you over..
Very scary is right.
I saw this video about trying to prevent it, even on PC I guess-
http://www.youtube.com/watch?v=bB1pwmAhkDo
Basically saying to use mouse/cut/paste or online keyboard – so no keystrokes to monitor.
Could this be a decent solution?
“This crook is obviously a domainer because he is all over our space.”
“These guys are slick.”
“Other domains won by auction under this bidder id were not paid for”
“Bottom-line. There is a very very very smart thief amongst us and we should all beware.”
Hmmm, Fake bidding id’s, auction house knowledge, domain value knowledge, knows who the big players are, knows how/where to quick flip, software knowledge,…sounds like something “Halvarez” is more than capable of doing.
Where is that roach hiding these days, Mexico, Venezuela, Panama, .Columbia ??
I agree with Keyser, follow the wire transfers
while we’re on the subject lets not let an even scarier door open, vis a vis idiot bureaucrats trying to pass some new internet regulations claiming you need to give up your privacy in order to have it protected, or some such other logical fallacy.
Must be Doctor compromised the persoanl information over the net. We get so many such emails in the name of Paypal or eBay or from my banker name and with exact logo. It is very difficult not to click and provide the information. It said,’ if you did not provide correct information within next week/few days, your account will be blocked/suspened.’ or similar entising content . We are busy. where is the time to see the link is genuine or check with Paypal or the bank? So after getting the warning we tempt to provide quick information. That is obvious.
Folks! we must thank Dr. Chris Hartnett for bringing this fact to our knowledge . We also must thank Mike & Rick for their timely focusing the issue. Hope our domains or personal info will be safe. But folks@ be careful while opening mails with doubtful attachment. Sending to SPAM mail folder does nothelp protecting you either. Your daily exposed over the net Best of luck!
Mike
The bill has been officially pushed back until after the election
http://www.dailytitan.com/2010/10/05/online-internet-piracy/
IMO, nothing should ever be “lost”, be it money or domains. If the transactions can be documented, they should be traced and reversed once proof of a crime has been made.
The lack of ability or willingness to reverse these crimes by registrars, auction houses, and payment processors should be the main focus of all of us.
There is NO REASON a domain needs to be transfered to a new owner right away. The more expensive a domain is, the longer the delay should be. Name servers can be changed for the new owner without the existing owner losing control of their property. There can be no “trust” anymore, only proof. And that proof needs to be better than what caused Dr. Chris’ identity to be doubted at first. Clearly that system was broken.
Doesn’t most AV software ask or warn with confirmation that someone is trying to install a program – in this case a keylogger program ?
Also – I just go to my programs in the control panel every week or so to look for something out of the ordinary.
I like the idea the one guy mentioned about using a netbook only for online transactions – that would make it easier to monitor the programs installed in the control panel
Brian
Same way with Viruses, you click on something which launches a program without you knowledge
Get a Mac
That was a terribly story.
And this goes for all people and places where we log in on the internet.
Havnät read the comments but does anybody know of how to detect those keyboard loggers?
Mike
Read the comments there are a lot of suggestions in there
Scary stuff.. The best thing to do after something like this happens is to try to figure out how those keyloggers were installed on your PC.
Check when the files where last updated, when they were installed. If you can find these dates, check your email accounts and browser history to track everything you did those days. Fat chance you would be able to find at least some clues about where the keyloggers came from.
Web 2.0 (windows like apps on the web) requires cookies – and it is thru cookies – or accepting a cookie where all this stuff originates – with rare exceptions –
My new stuff, bank websites, all the registrars, all web 2.0 stuff and even Mike’s Blog all require cookies – therefore giving access to a way to install programs.
So the only way to stop it is have your anti-spyware, anti-malware and AV software all prompt you when a new program needs to be installed – but those programs will not stop an .exe from being copies to your program – to the best of my knowledge anyway
“T.R.A.F.F.I.C. TO HOLD EMERGENCY SECURITY SESSION AT SOUTH BEACH and Mike Berkens and Dr. Chris Hartnett along with others will be on that panel.”
Leave it to Rick to use every opportunity or unfortunate situation to try to make a buck. Decency anywhere?
Einstein is no Einstein. If you really believe that T.R.A.F.F.I.C. is holding an emergency session on Identity Theft to make a buck, your head must be somewhere other than on your shoulders.
@Einstein
Scavengers!
@Keyser Söze
The usual suspects, am I right!!
@ Einstein …
That is just WRONG … people do not pay for the seminars. TRAFFIC is about domains, and any threat to that investment gets addressed. The issue is timely and topical, and there’s no profit in it, save for the scammers.
@BrianWick: A cookie is simply a data store, nothing else. Web 2.0 etc. doesn’t factor into this unless passwords are weak enough to be brute forced, or if used consistently across sites. But all modern web apps hash the password so it’s never in plaintext for someone to steal. Cookies really don’t enter the picture.
The drive-by infections that you see in the news are either cross-site vulnerabilities or exploits due to bugs in Internet Explorer or Windows itself. Since IE is a proprietary codebase, you’ll never know how many there are and how many Microsoft simply refuses to fix (or simply hide). That’s why open source apps like Firefox are safer to use. It doesn’t mean that there’s *not* tons of huge wholes to be exploited in the codebase. The important thing is that the book is open, so to speak. When problems are found, they usually get fixed quickly. This leads to a much more secure application.
By the way, for folks who absolutely need to use Windows, consider running it in a virtual machine on top of a real operating system like OSX or a Linux distro. Then if there is a problem, the changes can be rolled back at the disk level. Running VMWare player/workstation or Parallels on a Mac works very well (imho better than bootcamp since dual booting isn’t required).
For those who can’t invest in macs, and because Macs are very hard to use and not all programs are able to be used on a Mac:
@NetJohn said: @ MHB
Oh…. I see you really like da MACs !
How bout “Key Logger” tips for us HP/PC mortals — Anybody !
let me take a stab:
Registry Mechanic & SpywareDr combo from PCTools; the paid version of Registry Mechanic “protects Internet privacy and personal information; securely deletes files from your PC; and bleaches free space and deleted files using Department of Defense standard (DoD 5220.22-M) making the data unrecoverable using regular file recovery methods,” and Spyware Dr. prevent key loggers from accessing your pc while it runs in the background. Or, if you disable it, it cleans the logger off when it runs. The Registry Mechanic cleans the damage from the virus that implants the keylogger and would harm your key files needed to even run your computer; but Spyware Dr actually: “detects and removes All viruses and malware you currently have or May encounter and prevents you from getting infected. And you don’t need to worry if there are new threats that Surface because our product will instantly make a fix.” – Customer Service rep Marie Dunphy I consulted to compose this comment. The Registry Mechanic/Spyware Dr. combo runs about $50.00.
good to see this is getting some attention as a larger issue.
all due respect, anti-this and anti-that (3d party programs) will not protect you from someone who knows more than you about your base system. (your own, not someone else’s) knowledge is your best defense. how well do you understand how computers work? generally, the more complex your system, the more vulnerable it is. so the first tip is: simplify.
second, default settings and configs make things easy for the bad guys; obscure, idiosyncratic setups make them work harder. second tip: make your computer difficult for others to use.
third, keep your “data” and your “code” (os, software) separate. no need for them to be on the same silicon or storage media. these days, you can run an os entirely from ram. you can have a pristine os every time you boot.
but what this community (the serious domainers, not the general public) really needs is a registrar that caters to more security conscious customers. offering a console-based means to manage domains would be a start. how can anyone effectively manage 1000’s domains with a web-based GUI? this is insane. oversight is inevitable- something will be missed. wipo uses SSH to service their IP office customers. that’s smart. it would be great to see a registrar who is similarly security conscious.
@ascii: Unless I’m misunderstanding your last point, Moniker and Namecheap both have simple APIs available for account functions (sure other registrars do too). I script with Python all the time to manage my accounts. You’ll need to apply for a key but it’s very simple, secure and free.
SL: yes, i’m aware of that and i greatly appreciate it. i wish all registrars would offer this.
web api’s and SSL are ok, but then they add in html, xml, json, etc. –> needless complexity and overhead.
simpler, but not less secure solutions exist.
is there a regsistrar who offers something other than a web-based interface?
@ascii generally agree on most points, definitely good idea to teach people how to keep data off their main disk storage, or at least make sure they think of that data only as a working copy.
Can’t really agree on the console based management of domain portfolios. I would sign up for this in a heartbeat; I want to tunnel every service possible through ssh, it offers real security. But this doesn’t even remotely sound like anything resembling a good business decision on the part of a registrars. Provide a service like this and what, 5 or 6 domainers will use it?
Personal computing education, that’s the name of the game. Safe computing behaviors are not as hard as they sound, just need to be learned like anything else. If you routinely click on links in emails and use the excuse that you’re too busy to be careful then you deserve no more sympathy than non-voters complaining about their government. @Altaf are you too pressed for time to buy insurance? Are you too busy to fasten your seat belt?
Like I said, if you make your living from the Internet then you need to think about it. Shouldn’t you act like a responsible investor and learn the basics of safe computing? A SERIOUS investor ought to learn a bit about DNS too, since your livelihood depends on it 100%.
Mike: agree on all points 100%. i’m not holding my breath – on either education or more secure services. but is it really only 5 or 6? i’m curious.
there was a time before hard disks. computers ran from memory. the hdd was a new luxury. it remains true today: hdd’s are not essential. but don’t count on anyone to “teach” you this or to tell you to run diskless… even though it might be many times faster and more secure than using a hdd. it’s very difficult to “teach” computer education- who decides what you “need to know”?
curiousity, experimentation and patience may be the best teachers.
This is a very good thread with some great ideas – bottom line is what occured to Dr. Chris could and may already be happening to more of us.
In business survival means policing your teritory – this bing just one more area to police.
I am the biggest student around
@ascii: Ok, I see what you mean by web based. API keys are definitely not ideal and I’d love like a real certificate based login with IP access control too. They can even keep the data format in XML. But I tend to agree with Mike above, it may only be three domainers using it…me, you and him 😉
Just a wild guess but I wonder if a registrar leasing company provides this type of low-level control (not just to the various registries but for general account administration). There was a story on DNJournal a while back about myrebel.com that provides this type of leasing service. Don’t know anything about it beyond that though.
“Registers should consider using a login system like OpenID that works for multiple websites using the OpenID API, yet is far more secure due to the use of images and Q/A rather than just a login ID.”
I totally agree Blake.. There should be a lot better security on all accounts..
When you have as many domains as Chris, your talking mega bucks and to my way of thinking they should implement security as they do in the online banking world.
Brian
You are correct the more calls I made following up on this story the more obvious it became that Dr. Chris is by far not the only victim probably of this same hacker
Read
All of this just demonstates how valueable our dirt is !!!
“If you really believe that T.R.A.F.F.I.C. is holding an emergency session on Identity Theft to make a buck”
Maybe not but you are holding it and announcing to sell tickets. Emergency session is to have 2-3 people talk about this instead of something else, no new stadiums or railways built–it’s not the Olympics or anything.
Terrifying stuff… However, it is totally shocking, the number of ‘legacy domainers’ who own millions worth of virtual property and have basically no meaningful, comprehensive lock on the gate that protects them; guys who engage in no substantive security strategies to keep this sort of shit from happening.
If you’re going to play in this game at that level, best practices for security are no longer an optional thing. Even if you’re not a ‘tech guy’, at minimum, you must make sure your ‘tech assets’ aren’t trivially easy to steal and if you aren’t going to take the time to learn it yourself, pay someone to do it for you.
It does sound like this crook, whoever he is, is dangerous as hell. You’re clearly dealing with a planner, a very dynamic thinker, a high-IQ mf’er. When guys like that go over to the dark side, they can be a real handful to deal with and *no one* is safe until they’re taken care of.
I’m posting anon because there’s no question the person in question is reading this, and I don’t want a target on my back.
Oh, and one more thing that’s patently obvious, but lets not overlook the gravity of this one fact:
This wasn’t a run-of-the-mill security breach case of an irresponsible domainer browsing Russian porn and winding up with a keylogger- the hacker on the other end realizing that he now had access to his domains and exploited it from that angle.
Specific, high profile people are getting targeted. A very, very knowledgeable and skilled person is picking and choosing his victims and attacking them from the outside, in.
As someone else said, getting to the root of this (and at the end of that root, to the person responsible) starts with the money trail. Unless this is a case of a supertalented person going into meltdown mode and wreaking as much havoc as possible before he’s inevitably caught, I think we can safely assume he knows how to mask his online footprint and has done so… The only way to track this back to the responsible party is to get this into court, ASAP, and start petitioning for orders to obtain the relevant financial information, regarding where the money eventually went.
If I’m correct in reading, this guy has spoken with people on the phone? Was any accent or dialect detected? If he is based in the west and not in some 3rd world Techistan, getting him behind bars is possible.
Every day I do a LOCK on all my 7,000 domains at eNom – it returns a result of how many domains it locked. That number should always be ZERO – very easy way to monitor your portfolio – considering a domain needs to be unlocked inorder to transfer it. They all send an email if any domain is pushed into a different account.
At Name.com where I keep some other domains, they only just lock all the domains but do not tell you how many it locked.
Might be something for other folks on this thread to look into at their registrar.
It should be obvious but since many of you mentioned it, domainers have no ability to follow the money trail, unless the “hacker” is pretty stupid.
We need law enforcement to come in with subpoena power to find out where the money actually went.
That take someone involved in the transaction to reach out to law enforcement to do the work.
Brian: “Locking” your domains does nothing more than denying an incoming transfer request from an outside registrar. It does absolutely nothing to secure you from something like this. In this case, the person in question had infiltrated the domainers accounts and could lock, unlock, transfer or delete and and all domains at will. If you own 7000 domains and don’t know this, well, that’s exactly the sort of thing I’m talking about…
Michael: Yes, I know that, which is why I said: “The only way to track this back to the responsible party is to get this into court, ASAP, and start petitioning for orders to obtain the relevant financial information, regarding where the money eventually went.”
You have a lot more faith in cops than I do… However, it might not be a bad idea to circle the wagons, talk to people who have been down this road before and see if there aren’t any sympathetic ears in Federal Law Enforcement Agencies who understand the issue and are willing to look at it, rather than just kicking the can down the road because it addresses something they don’t ‘get’. Instead of going to cops and navigating the web of cluelessness, a tactical phone call or two to agents who are known to understand the issue from the outset might get the ball rolling on the enforcement end. If not, then civil action, court and emergency petitions.
@Way, Way Anon
You missed the entire point – unlike Name.com – who already as a result of my entry on this blog – has told me they are working on a similar feature as eNom.
For the seriousness of this matter I will state it a different way….
Here is what you missed by example – Tomorrow hypotherically if I run the locking feature at enom and end up with a number other than ZERO as far as domains that were locked (or relocked) – this means someone has hacked into my account and unlocked domains without my permission at which time I can change passwords and call eNom to freeze all transactions – certainly the hacker would know the new password via keylogging unless I used a different PC – but at this point he account would be under manual monitoring and supervision. This uses the locking feature in a different capacity only someone using eNom would understand.
@Way, Way Anon
Tru Dat ! … Law enforcement needs to stop focusing too much on donut consumption and get more tech savvy, concerned and motivated on such “contemporary issues”.
Way, Way
“You have a lot more faith in cops than I do”
No I don’t expect them to do shit./
However I recognize the law enforcement is the only ones who can get orders to make banks and other financial institutions reveal who the beneficial owners of accounts are.
You can bring a private suit but against who and if you don’t know the party your suing has a interest in a specific account your not going to be able to get much info
I use Fabulous.com as my Registrar and they offer probably the best security that is available ,including questions and answers that you can set plus a special security key and on top of that you can use executive lock that requires special actions such as phone calls, faxes or whatever you wish to ask for. In short it is 99.99% secure.
I just bought SpyReveal and it found two illegally back door installed keyloggers from SpectorSoft and Net Spy – which claim to fame is it is easy to install remotely.
Back door because they do not show up in the add/remove programs nor the applications, processes or services from the Task Manager.
Is buying a mac really going to stop this kind of stuff – no doubt I enjoy naked farm animals wearing pantyhose and 6 inch heels – but something tells me that is not how these keyloggers arrived on my box.
@ Brian Wick
99% of trojans and viruses are built for PC.
And someone trying to get an app via internet or email installed on Mac OS X is difficult – Apple think differently, in especially about security!
And no I don’t work for Apple – but I used to 🙂
Thanks HUW
Something to consider doing is using a separate laptop exclusively for your domain activities, and in particular, for logging into your domain email addresses and registrar accounts. If you simply reformat the hard drive every one to two months (I do so monthly) and change all your log-in passwords periodically right after a reformat, that should prevent the problem, for the most part. With only the necessary software on that laptop for domain activities, it should be pretty easy to reformat and reinstall the software. I think we are all accustomed to using one laptop or computer for everything and the more everything (especially email and sensitive files – like lists of all our domains) is on one computer, the more at risk we are and the more reluctant we are to reformat the hard drive. Regardless, simply using a software program that inputs all your passwords automatically (after they are provided/typed in once, for which using a fresh computer to do so would be a good idea!) would probably be sufficient for a lot of people without having to use separate computers and/or reformatting.
@Meredith: What happens if you get infected a week after a fresh reinstall? Then you’ll be running for a couple months with a false sense of security.
A better way would be simply to keep a single system and run a VM image of Windows. Then if there’s a problem it only takes a few minutes to rollback instead of wasting all that time reinstalling. VMWare Workstation is extremely easy to use.
Finally, if you’re going to have a laptop solely for security-sensitive tasks, why not do it right and avoid Microsoft altogether? Either buy a Mac or simply install a free OS like Ubuntu or Fedora on the laptop and it’ll run for years without reinstalls or virus worries.
I just received by USB security key from Fabulous and thus now should be even more secure than before . The Security key contains a unique and encrypted key that needs to be entered (by inserting usb stick) before any actions (that you choose) such as transfer, changing email, pushes etc etc. Good idea I think and dont see any other registrar doing that ,yet.
“Faris”
I dont mean to sound like an advert, I am NOT I am a customer of Fabulous for number of years, but this article explains what I have said in earlier posts;
http://fabulous.com/informationcenter/index.htm?formdata%5Bqid%5D=1324
“Faris”
One other thing that may well be of interest that I discovered recently is a program that was offered free by my UK Bank called “Trusteer Rapport” ,which
blocks keyloggers and several other things. Quite useful program.
http://www.trusteer.com/product/trusteer-rapport
This is whyI recommend using an identity theft protection service like Lifelock. http://www.lifelock.com/landing/real/safe . They are currently offering 10% off if you use promo code SAFEID1. Hope this helps.
I ‘m also a contracted representative of LifeLock, so if you have any questions about their identity theft protection services, let me know.
Yeah, I don’t know about that. There’s plenty of press that Lifelock isn’t all it’s cracked up to be. Here’s an example:
http://www.wired.com/threatlevel/2010/03/lifelock-accused-of-running-con-operation/