Domain Stealer

As many of you already know, on November 2nd MakeUseOf.com's domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier, the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn't planning to publish anything about the incident or the cracker (a person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail, and giving them bad publicity is not something we would ever want to do.

So why write about this now then?

Several things have happened in the last two days that have made me believe that Gmail has a serious security flaw and everyone should be aware of it. Especially at a time when individuals like Steve Rubel tell you How To Make Gmail Your GateWay To The Web. Now, don't get me wrong here, Gmail is an AWESOME email program. Probably the best. The problem is that it might not be a reliable one when it comes to security. That being said, it doesn't necessarily mean that you will be better off with Yahoo or Live Mail.

Incident 1: MakeUseOf.com - November 2nd

When our domain was stolen, we suspected that the hacker used some hole in Gmail but we were not sure about it. Why did I suspect that it was something to do with Gmail? Well for one thing I am rather cautious about security and rarely run anything I am not sure about. I also keep my system up to date and have all essentials including 2 malware monitors, an antivirus and 2 firewalls. I also tend to use strong and unique passwords for every one of my accounts.

The hacker did access my Gmail account and set up some filters there that eventually helped him get access to our GoDaddy account. What I didn't know is how he managed to do that. Was it a security hole in Gmail? Or was it a keylogger on my PC? I wasn't sure about it. After the incident I scanned my system with a number of malware removal tools and didn't find anything. I also went through every running process as well. All seemed to be clean.

So, I am inclined to believe the problem was with Gmail.

Incident 2: YuMP3.org - November 19th

On November 18th, I got an email from someone named Edin Osmanbegovic who runs the site yump3.org [Broken URL Removed]. (He probably found my email through Google, as the incident with MakeUseOf was covered on several popular blogs, many of which included my email ID.) In his email, Edin told me that his domain was stolen and moved to another registrar. I quickly googled yoump3 and saw that a rather established website was now serving a link farm page (exactly like in our case).

Google (on last index):

YouMP3.org homepage (present):

Here is a copy of the very first email I got from Edin:

Hello,

I have the same problem with my domain.

The domain has transferred from Enom to GoDaddy.

I have immediately sent a support ticket regarding that problem.

The whois of new domain owner is:

Name: Amir Emami

Address 1: P.O. Box 1664

City: League City

State: Texas

Zip: 77574

Country: US

Phone: +1.7138937713

Email:

Administrative Contact Information:

Name: Amir Emami

Address 1: P.O. Box 1664

City: League City

State: Texas

Zip: 77574

Country: US

Phone: +1.7138937713

Email:

Technical Contact Information:

Name: Amir Emami

Address 1: P.O. Box 1664

City: League City

State: Texas

Zip: 77574

Country: US

Phone: +1.7138937713

Email:

Email is: webs@domainsgame.org

Yesterday the guy from that email address had contacted me via Gtalk.

He said that he wants $2000 for the domain.

I need advice please, I have contacted Enom.

Thank you.

And guess what, it's the same guy who earlier this month stole MakeUseOf.com. We too were contacted from the same email address: webs@domainsgame.org. Edin also emailed me today and confirmed that the guy also got access to his domain account through his Gmail account. So it's Gmail again.

In his last email (received today) Edin included a quick recap of the events:

I have the history of how he did everything.

On 10th of November I was the owner.

On 13th of November Mark Morphew.

On 18th of November Amir Emami.

He used webs@domainsgame.org on both persons.

I have also sent everything to Moniker yesterday.

They will investigate.

Incident 3: Cucirca.com - November 20th

This last email was the main reason for this post. It came from Florin Cucirca, the owner of cucirca.com. The site has an Alexa rank of 7681 and according to Florin receives over 100,000 visits daily.

First email from Florin:

Hi Aibek

I'm in the same situation that makeuseof.com got out of.

I am Cucirca Florin and my domain www.cucirca.com was

transferred from my godaddy account without my permission.

It seems that the thief knew my gmail password which is odd.

He managed to create some filters in my account.

I've attached 2 screenshots.

Can you help me? Give me some details on how I could get

out of this bad dream? I just found out about this today and I

don't think I'm able to sleep tonight.

Thanks in advance.

Florin Cucirca.

I emailed Florin and asked him for some details about his domain, whether he had contacted GoDaddy, and whatever information he had so far on the domain cracker (the term used for a domain stealer).

Second email from Florin:

The hacker had access to my email account (Gmail). The domain was hosted on GoDaddy.

I used the Gmail notifier extension on Firefox. Maybe there is the big bug.

He transferred the domain to register.com

I haven't talked to the hacker. I want to get it back legally and if there is no other solution maybe I'll pay him

www.cucirca.com has an Alexa Rank of 7681 and over 100,000 visits daily.

I will attach you 2 screenshots of my gmail account.

joy.hock@gmail.com and in the second screen domain.selln@gmail.com

If you do a google search of domain.selln@gmail.com you will find this:

http://www.domainmagnate.com/2008/08/11/788-domains-stolen-including-yxlcom/

I think someone should stop them.

I emailed undo@godaddy.com and waiting for a reply.

What do you think? Will I get my domain back?

Looks like it's Gmail again! Here are the partial screenshots from what he sent me:

In Florin's case the hacker changed ownership of the domain several months ago. The cucirca.com domain was transferred from GoDaddy to Register.com. Since the hacker was intercepting his emails and never changed the nameservers, I assume Florin had no idea that something was wrong. When I asked him how come it took him that long to find out, he sent me the following:

 

He transferred the domain to his name on 2008-09-05 leaving the nameservers unchanged. That's why I haven't noticed that my domain was stolen until yesterday when a friend of mine did a whois on my domain....

I had no reason to check whois records because the domain was registered over 7 years (until 2013-11-08)

I haven't received any emails from this person.

And again it seems to be the same guy! Why do I think so? If you check the link that Florin included in one of his emails (I added it below as well) you'll see that in some other similar incidents (who knows how many more domains he has stolen like this) the email address domain.selln@gmail.com was mentioned together with the name 'Aydin Bolourizadeh'. That same email also appeared in the forward rule in Florin's Gmail account (see first screenshot).

When MakeUseOf.com was taken from us, the cracker was asking me for $2000. And when I asked him where and how he wanted to get paid, he told me to send money via Western Union to the following address:

Aydin Bolourizadeh

Turkey

Ankara

Cukurca kirkkonaklar mah 3120006954

screenshot from http://www.domainmagnate.com/2008/08/11/788-domains-stolen-including-yxlcom/

I am pretty sure that it was the same guy in all 3 incidents and probably the 788 others mentioned in the above link, including domains such as yxl.com, visitchina.net and visitjapan.net.

When I searched for that address on Google, I also discovered that he owns the following domains (probably stole them as well):

    • Elli.com - http://whois.domaintools.com/elli.com

    • Ttvx.net - http://www.dnforum.com/post252-post-1399775.html

I assume the guy is indeed from Turkey, and likely resides somewhere in the following area.

    • Cukurca kirkkonaklar mah 3120006954, Ankara, Turkey

We also know that he uses webs@domainsgame.org as his email. So if we know who stands behind domainsgame.org we might just get one step closer. In fact, he emailed me several days ago and asked me to remove all instances of his email from the website, and if we don't comply he would DDOS us.

Here are his exact words:

Hi,

I ask you to remove my email address (webs@domainsgame.org) from your website !

Do it if you want to don't have any problem in the future, Otherwise firstly I'll start to have the big DDOS on your website and will make it down...

I'm very serious so remove my email and domainsgame.org name

So, it seems if we can get to the ID behind domainsgame.org we might get our guy and probably uncover many more domains he has stolen. Read more on it below. Now let's talk about Gmail.

Gmail Vulnerability

Does anyone remember what happened with David Airey last year? His domain was stolen too. The story was all over the web.

- WARNING: Google's GMail security failure leaves my business sabotaged

- Collective effort restores David Airey.com

Both we and David managed to get the domain back. But I am not sure if everyone is as lucky as we are. Unfortunately, registrars won't really cooperate with you on this unless the story gets some attention. So, I have no doubt there are hundreds of people out there left with no choice but to either give up their domain name or pay the guy.

Anyways, back to Gmail.

In his first article David Airey was referring to a Gmail vulnerability that was (if I am not mistaken) mentioned here several months earlier. To sum up:

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

original page: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
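The technique quoted above is a cross-site request forgery: the browser attaches the victim's session cookie to a POST that another page triggered, and the settings endpoint accepts it because the cookie is the only thing it checks. The following is an added example (it is not code from this post, from GNU Citizen, or from Google) showing the pattern in a minimal in-memory model of a "create filter" endpoint, beside the hardened form that rejects such a request with a per-session token and an Origin check. The names Session, Request, create_filter_vulnerable, create_filter_hardened and the origin mail.example.test are all assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://mail.example.test"  # constructed; stands in for the mail app's origin


@dataclass
class Session:
    """Server-side session: one unguessable CSRF token per login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    filters: list = field(default_factory=list)


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    headers: dict
    form: dict
    cookies: dict


def _same_origin(url):
    """True only if scheme and host (including port) match APP_ORIGIN exactly;
    a prefix comparison would accept lookalike hosts, so compare the parsed parts."""
    if not url:
        return False
    want, got = urlsplit(APP_ORIGIN), urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def create_filter_vulnerable(req, sessions):
    """The pattern the hijack relies on: the only credential checked is the
    session cookie, which the browser also attaches to cross-site POSTs."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    sess.filters.append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def create_filter_hardened(req, sessions):
    """Same endpoint with two independent checks a forged cross-site POST
    cannot pass: an Origin/Referer naming the app itself, and a per-session
    token that a third-party page cannot read."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    if not _same_origin(req.headers.get("Origin") or req.headers.get("Referer", "")):
        return 403, "cross-origin request refused"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):  # constant-time compare
        return 403, "missing or invalid CSRF token"
    sess.filters.append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def demo():
    """Run both handlers against a forged POST and a legitimate one."""
    sessions = {"sid-victim": Session(user="victim")}  # constructed session store
    sess = sessions["sid-victim"]

    # Constructed model of the POST a third-party page causes the logged-in
    # victim's browser to send: cookie present, no token, foreign Origin.
    cross_site = Request(
        method="POST",
        headers={"Origin": "https://thirdparty.example.test"},
        form={"match": "has:attachment", "forward_to": "collector@example.invalid"},
        cookies={"sid": "sid-victim"},
    )
    # The same action issued from the app's own settings page.
    legit = Request(
        method="POST",
        headers={"Origin": APP_ORIGIN},
        form={"match": "from:newsletter", "forward_to": "", "csrf_token": sess.csrf_token},
        cookies={"sid": "sid-victim"},
    )

    vuln_code, _ = create_filter_vulnerable(cross_site, sessions)
    injected = len(sess.filters)  # the forged filter landed in the vulnerable handler
    sess.filters.clear()

    hard_code, _ = create_filter_hardened(cross_site, sessions)
    legit_code, _ = create_filter_hardened(legit, sessions)
    return vuln_code, injected, hard_code, legit_code, len(sess.filters)


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin/Referer test costs nothing but some clients strip those headers, and the token test holds even when they are absent, so a settings endpoint should keep both rather than rely on either alone.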

Now, the interesting part is that the update on the GNU Citizen page linked above states that the vulnerability was fixed before 28 September 2007. But in David's case, the incident took place in December, 2-3 months later.

So, was the exploit really fixed back then? Or was it a new exploit in David's case? And most importantly is there a similar security flaw in Gmail NOW?

What should you do now?

(1) Well, my very first advice would be to check your email settings and make sure your email is not compromised. Check forwarding options and filters. Also make sure to disable IMAP if you don't use it. This also applies to Google Apps accounts.

(2) Change the contact email in your sensitive web accounts (PayPal, domain registrar etc.) from your primary Gmail account to something else. If you own a website, change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren't logged in to when browsing the web.

(3) Make sure to upgrade your domain to private registration so that your contact details don't show up on WhoIS searches. If you're on GoDaddy I'd recommend going with Protected Registration.

(4) Don't open links in your email if you don't know the person they are coming from. And if you decide to open the link make sure to log out first.
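Step (1) above is the one that catches the filter the GNU Citizen write-up describes. As an added example (not part of this post and not a Google tool), the script below audits a Gmail-style filter list for rules that forward mail to an address outside your own domains, that hide the forwarded copy (archive, trash, mark read), or that single out attachments. It assumes the Atom feed layout with apps:property elements that Gmail's filter export produces; the sample feed, the addresses in it and the function names parse_filters and audit_filters are constructed for the example. Forwarding and IMAP settings are not part of a filter export and still need to be checked by hand.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the layout of a Gmail filter export (assumption):
# a benign labelling rule, a hidden attachment-forwarding rule of the kind
# described in the post, and a forwarding rule to the owner's own domain.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.test'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='collector@example.invalid'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='registrar OR password'/>
    <apps:property name='forwardTo' value='me@example.test'/>
  </entry>
</feed>
"""

HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return one {property-name: value} dict per <entry> in the feed."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted_domains):
    """Flag forwarding rules that look like mail interception.

    trusted_domains: set of lower-case domains you control; forwarding
    to any other domain is reported. Returns a list of
    (entry_number, forward_to_address, [reasons]) tuples.
    """
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for number, props in enumerate(parse_filters(xml_text), start=1):
        target = props.get("forwardTo")
        if not target:
            continue  # no forwarding: cannot leak mail by itself
        domain = target.rpartition("@")[2].lower()
        reasons = []
        if domain not in trusted:
            reasons.append("forwards to untrusted address %s" % target)
        hiding = [k for k in HIDING_ACTIONS if props.get(k) == "true"]
        if hiding:
            reasons.append("hides the forwarded mail (%s)" % ", ".join(hiding))
        if props.get("hasAttachment") == "true":
            reasons.append("singles out mail with attachments")
        if reasons:
            findings.append((number, target, reasons))
    return findings


if __name__ == "__main__":
    for number, target, reasons in audit_filters(SAMPLE_EXPORT, {"example.test"}):
        print("filter #%d -> %s" % (number, target))
        for reason in reasons:
            print("    ", reason)
```

Run against the sample, only the second entry is reported, with all three reasons; the third entry forwards to the owner's own domain and is left alone, which is why the trusted-domain set has to be accurate for the audit to mean anything.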

UPDATE:

I discovered some good articles discussing the potential security flaw in response to MakeUseOf's article:

- Gmail Security Flaw Proof Of Concept

- Comments About This on YCombinator

- (Nov. 26th) Gmail Security and Recent Phishing Activity [Official Response from Google]

Help Us Catch The Guy!

Apart from the above mailing address, we also know that he uses webs@domainsgame.org as his email. So if we find out who now owns domainsgame.org we might get one step closer, or at the very least return the domains he stole to their respective owners.

Now the thing is the domain name domainsgame.org is protected by Moniker, which hides all the contact info for it.

Domain ID:D154519952-LROR

Domain Name:DOMAINSGAME.ORG

Created On:22-Oct-2008 07:35:56 UTC

Last Updated On:08-Nov-2008 12:11:53 UTC

Expiration Date:22-Oct-2009 07:35:56 UTC

Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)

Status:CLIENT DELETE PROHIBITED

Status:CLIENT TRANSFER PROHIBITED

Status:CLIENT UPDATE PROHIBITED

Status:TRANSFER PROHIBITED

Registrant ID:MONIKER1571241

.

.

.

.

Name Server:NS3.DOMAINSERVICE.COM

Name Server:NS2.DOMAINSERVICE.COM

Name Server:NS1.DOMAINSERVICE.COM

Name Server:NS4.DOMAINSERVICE.COM

I (and Edin) already emailed them about it and will update you here as soon as I hear something from them.

I also have some requests to the following companies that are now providing their services to that individual.

1- To Gmail Team:

When going through the headers of several emails it was clear that the hacker was using Google Apps. Please look into it. The domain is domainsgame.org. And also please FIX! Gmail.

2- To GoDaddy.COM & ENOM & Register.COM

First of all, please help Edin and Florin get their domains back. One smart thing to do would be to check the account login IP addresses for all similar reported cases. For instance, both in Edin's case and ours (not sure about Florin) the hacker was using the 64.72.122.156 IP address. (Which by the way turned out to be a compromised server at Alpha Red Inc.) Or even easier, just lock the domain name and ask the current account holder to prove his identity. Since the hacker was using different identities everywhere it would be impossible for him to do that. It's in your best interests to ensure that this person is no longer using your services.

3- To Moniker.COM:

Close his account! (that is the one for domainsgame.org). Any additional info or assistance that you can provide will be appreciated.

4- To Domainsponsor.COM

I am not really sure but I think DomainSponsor is the company that monetizes the domains that this guy steals. It happened with MakeUseOf.com and is now happening with YouMP3.org.

5- To PayPal.COM: (Your SUPPORT IS AWFUL)

I am sure they won't even read this so I'll just tell you instead. I sent an email to spoof@paypal.com and warned them that the person who stole our domain and blackmailed us earlier was using the a.npaypal@gmail.com account (he uses some other accounts as well). I just asked them to look into it. Instead I got an email which has nothing to do with what I said. Basically it's an email template that was meant to look genuine and is sent to the people who got spoofed. C'mon! We are paying a 3% commission fee on every transaction, can't you people provide better customer support?

That's all I got!

Once again I am deeply sorry for what has happened to Florin and Edin. I truly hope they will get their domains back soon. It's all in the hands of the respective registrars now. But most importantly, I want to see something get done by the big corps (not the customers) to catch that person. I am sure every blogger out there would appreciate that and probably even write about it on his/her blog.

It's time for CHANGE ;-)

best regards

Aibek

image credit: thanks to machine for top 'Mr Cracker' image