BREAKING: New Gmail Security Flaw. More Domains Get Stolen!


As many of you already know, on November 2nd MakeUseOf.com's domain was stolen from us. It took us about 36 hours to get the domain back. As we pointed out earlier, the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn't planning to publish anything about the incident, or about the cracker (a person who steals domains) and how he managed to pull it off, unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail, and giving them bad publicity is not something we would ever want to do.

So why write about this now then?

Several things have happened in the last two days that have made me believe that Gmail has a serious security flaw and everyone should be aware of it. Especially at a time when individuals like Steve Rubel tell you How To Make Gmail Your GateWay To The Web. Now, don't get me wrong here, Gmail is an AWESOME email program. Probably the best. The problem is that it might not be a reliable one when it comes to security. That being said, it doesn't necessarily mean that you will be better off with Yahoo or Live Mail.


Incident 1: MakeUseOf.com – November 2nd

When our domain was stolen, we suspected that the hacker had used some hole in Gmail, but we were not sure about it. Why did I suspect that it had something to do with Gmail? Well, for one thing I am rather cautious about security and rarely run anything I am not sure about. I also keep my system up to date and have all the essentials, including 2 malware monitors, an antivirus and 2 firewalls. I also tend to use strong and unique passwords for every one of my accounts.

The hacker did access my Gmail account and set up some filters there that eventually helped him get access to our GoDaddy account. What I didn't know is how he managed to do that. Was it a security hole in Gmail? Or was it a keylogger on my PC? I wasn't sure. After the incident I scanned my system with a number of malware removal tools and didn't find anything. I also went through every running process. All seemed to be clean.

So, I am inclined to believe the problem was with Gmail.

Incident 2: YuMP3.org – November 19th

On November 18th, I got an email from someone named Edin Osmanbegovic who runs the site yump3.org. (He probably found my email through Google, as the incident with MakeUseOf was covered on several popular blogs, many of which included my email address.) In his email, Edin told me that his domain had been stolen and moved to another registrar. I quickly googled yoump3 and saw that a rather established website was now serving a link farm page (exactly like in our case).

Google (last index): [screenshot of the Google search result for yoump3.org]

YouMP3.org homepage (present): [screenshot of the link farm page now served at yoump3.org]

Here is a copy of the very first email I got from Edin:


Hello,
I have the same problem with my domain.
The domain has been transferred from Enom to GoDaddy.
I have immediately sent a support ticket regarding that problem.

The whois of new domain owner is :

    Name: Amir Emami
    Address 1: P.O. Box 1664
    City: League City
    State: Texas
    Zip: 77574
    Country: US
    Phone: +1.7138937713
    Email:

    Administrative Contact Information:
    Name: Amir Emami
    Address 1: P.O. Box 1664
    City: League City
    State: Texas
    Zip: 77574
    Country: US
    Phone: +1.7138937713
    Email:

    Technical Contact Information:
    Name: Amir Emami
    Address 1: P.O. Box 1664
    City: League City
    State: Texas
    Zip: 77574
    Country: US
    Phone: +1.7138937713
    Email:

Email is : webs@domainsgame.org
Yesterday the guy from that email address contacted me via Gtalk.
He said that he wants $2000 for the domain.
I need advice please, I have contacted Enom.

Thank you.

And guess what, it's the same guy who stole MakeUseOf.com earlier this month. We too were contacted from the same email address: webs@domainsgame.org. Edin also emailed me today and confirmed that the guy got access to his domain account through his Gmail account as well. So it's Gmail again.

In his last email (received today) Edin included a quick recap of the events:


I have the history of how he did everything.

On 10th of November I was the owner.
On 13th of November Mark Morphew.
On 18th of November Amir Emami.

He used webs@domainsgame.org on both persons.

I have also sent everything to Moniker yesterday.
They will investigate.

Incident 3: Cucirca.com – November 20th

This last email was the main reason for this post. It came from Florin Cucirca, the owner of cucirca.com. The site has an Alexa rank of 7681 and, according to Florin, receives over 100,000 visits daily.

First email from Florin:


Hi Aibek

I'm in the same situation makeuseof.com got out of.

I am Cucirca Florin and my domain www.cucirca.com was
transferred from my godaddy account without my permission.

It seems that the thief knew my gmail password, which is odd.
He managed to create some filters in my account.

I’ve attached 2 screenshots.

Can you help me? Give me some details on how I could get
out of this bad dream? I just found out about this today and I
don't think I'm able to sleep tonight.

Thanks in advance.

Florin Cucirca.

I emailed Florin and asked him for some details about his domain, whether he had contacted GoDaddy, and whatever information he had on the domain cracker (the term used for a domain stealer) so far.

Second email from Florin:


The hacker had access to my email account (gmail). The domain was hosted on godaddy.
I used the gmail notifier extension on firefox. Maybe there is the big bug.
He transferred the domain to register.com.

I haven't talked to the hacker. I want to get it back legally and if there is no other solution maybe I'll pay him.

www.cucirca.com has an Alexa Rank of 7681 and over 100 000 visits daily.

I will attach 2 screenshots of my gmail account.

joy.hock@gmail.com and in the second screen domain.selln@gmail.com

If you do a google search of domain.selln@gmail.com you will find this:

http://www.domainmagnate.com/2008/08/11/788-domains-stolen-including-yxlcom/

I think someone should stop them.

I emailed undo@godaddy.com and waiting for a reply.

What do you think? Will I get my domain back?

Looks like it's Gmail again! Here are the partial screenshots of what he sent me:

[two partial screenshots of Florin's Gmail filter settings]

In Florin's case the hacker changed ownership of the domain several months ago. The cucirca.com domain was transferred from GoDaddy to Register.com. Since the hacker was intercepting his emails and never changed the nameservers, I assume Florin had no idea that something was wrong. When I asked him how it took him that long to find out, he sent me the following:

He transferred the domain to his name on 2008-09-05 leaving the nameservers unchanged. That's why I haven't noticed that my domain was stolen until yesterday when a friend of mine did a whois on my domain….

I had no reason to check whois records because the domain was registered over 7 years (until 2013-11-08)

I haven’t received any emails from this person.

And again it seems to be the same guy! Why do I think so? If you check the link that Florin included in one of his emails (I added it below as well) you'll see that in some other similar incidents (who knows how many more domains he has stolen like this) the email address domain.selln@gmail.com was mentioned together with the name 'Aydin Bolourizadeh'. That same email also appeared in the forward rule in Florin's Gmail account (see first screenshot).

When MakeUseOf.com was taken from us, the cracker was asking me for $2000. And when I asked him where and how he wanted to get paid, he told me to send the money via Western Union to the following address:

Aydin Bolourizadeh
Turkey
Ankara
Cukurca kirkkonaklar mah 3120006954

Screenshot from http://www.domainmagnate.com/2008/08/11/788-domains-stolen-including-yxlcom/:

[screenshot of the DomainMagnate post on the yxl.com theft]

I am pretty sure that it was the same guy in all 3 incidents, and probably in the 788 others mentioned in the above link, including domains such as yxl.com, visitchina.net and visitjapan.net.

When I searched for that address on Google, I also discovered that he owns the following domains (probably stole them as well):

I assume the guy is indeed from Turkey, and is likely to reside somewhere in the following area.

    Cukurca kirkkonaklar mah 3120006954
    Ankara, Turkey

We also know that he uses webs@domainsgame.org as his email. So if we know who stands behind domainsgame.org we might just get one step closer. In fact, he emailed me several days ago and asked me to remove all instances of his email from the website, and if we don't comply he would DDoS us.

Here are his exact words:

Hi,
I ask you to remove my email address (webs@domainsgame.org) from your website !
Do it if you want to dont have any problem in the future, Otherwise firstly I’ll start to have the big DDOS on your website and will make it down…
Im very seriuos so remove my email and domainsgame.org name

So, it seems that if we can get to the identity behind domainsgame.org we might get our guy and probably uncover many more domains he has stolen. Read more on it below. Now let's talk about Gmail.

Gmail Vulnerability

Does anyone remember what happened to David Airey last year? His domain was stolen too. The story was all over the web.

WARNING: Google’s GMail security failure leaves my business sabotaged
Collective effort restores David Airey.com

Both we and David managed to get our domains back. But I am not sure everyone is as lucky as we were. Unfortunately, registrars won't really cooperate with you on this unless the story gets some attention. So I have no doubt there are hundreds of people out there left with no choice but to either give up their domain name or pay the guy.

Anyways, back to Gmail.

In his first article David Airey was referring to a Gmail vulnerability that was (if I am not mistaken) described here several months earlier. To sum up:

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

original page: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
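To make the failure mode concrete, here is a toy model of the settings endpoint the GNU Citizen write-up describes, first accepting any request that carries the session cookie and then rejecting the forged cross-site POST with an Origin check, an anti-CSRF token, and the password re-verification window for forwarding changes that a commenter proposes further down. This is an added example, not code from the original post, from GNU Citizen or from Google; the request and session objects are plain Python stand-ins for HTTP, and the handler names, `SITE_ORIGIN` and `SUDO_WINDOW` are made up for illustration.

```python
"""Toy model of the filter-injection attack and its server-side fix.

Added example, not the original post's, GNU Citizen's or Google's code.
Requests and sessions are plain Python stand-ins for HTTP; every name and
address below is constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail.example"   # constructed: the webmail's own origin
SUDO_WINDOW = 15 * 60                  # seconds a password re-check stays fresh


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    last_reauth: float = 0.0           # epoch seconds of last password entry
    filters: list = field(default_factory=list)


@dataclass
class Request:
    """Minimal stand-in for a POST to the filter-settings interface.
    `cookie` is attached by the browser automatically, even for a form
    submitted from another site; `origin` is the Origin request header."""
    cookie: str
    origin: str
    form: dict


SESSIONS: dict = {}


def login(user: str, now: float) -> str:
    """Create a session; the password was just entered, so re-auth is fresh."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, last_reauth=now)
    return sid


def add_filter_cookie_only(req: Request) -> int:
    """The 2007 failure mode: the only credential checked is the session
    cookie, and a cross-site multipart/form-data POST carries it too."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return 401
    sess.filters.append(dict(req.form))
    return 200


def add_filter_hardened(req: Request, now: float) -> int:
    """Same endpoint with the checks that defeat a forged cross-site POST."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return 401
    # 1. A form hosted elsewhere cannot set Origin to the webmail's own origin.
    if req.origin != SITE_ORIGIN:
        return 403
    # 2. The anti-CSRF token is embedded in the page the user loaded; a
    #    third-party page cannot read it, so it cannot forge the body.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess.csrf_token):
        return 403
    # 3. Forwarding changes additionally need a recent password re-check,
    #    so a silent injection would only work inside that short window.
    if req.form.get("forward") and now - sess.last_reauth > SUDO_WINDOW:
        return 401
    sess.filters.append({k: v for k, v in req.form.items() if k != "csrf"})
    return 200


def demo() -> dict:
    """Replay the same request against both handlers; returns status codes."""
    now = 1_700_000_000.0
    sid = login("victim", now)
    # Forged request as the victim's browser would send it from a malicious
    # page: real cookie, foreign Origin, no token (addresses constructed).
    forged = Request(cookie=sid, origin="https://evil.example",
                     form={"has": "attachment", "forward": "drop@evil.example"})
    # The same change made legitimately from the webmail's own settings page.
    own = Request(cookie=sid, origin=SITE_ORIGIN,
                  form={"has": "attachment", "forward": "me@backup.example",
                        "csrf": SESSIONS[sid].csrf_token})
    return {
        "cookie_only_forged": add_filter_cookie_only(forged),       # 200: injected
        "hardened_forged": add_filter_hardened(forged, now),        # 403: refused
        "hardened_own_fresh": add_filter_hardened(own, now + 60),   # 200
        # An hour later the token is still valid but the re-auth is stale.
        "hardened_own_stale": add_filter_hardened(own, now + 3600),  # 401
        "filters_installed": len(SESSIONS[sid].filters),            # 2
    }


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:20} {code}")
```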

Now, the interesting part is that the update on the above GNU Citizen link states that the vulnerability was fixed before 28 September 2007. But in David's case, the incident took place in December, 2-3 months later.

So, was the exploit really fixed back then? Or was it a new exploit in David's case? And most importantly, is there a similar security flaw in Gmail NOW?

What should you do now?

(1) Well, my very first piece of advice would be to check your email settings and make sure your account is not compromised. Check the forwarding options and filters. Also make sure to disable IMAP if you don't use it. This also applies to Google Apps accounts.

(2) Change the contact email in your sensitive web accounts (PayPal, domain registrar etc.) from your primary Gmail account to something else. If you own a website, then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren't logged into while browsing the web.

(3) Make sure to upgrade your domain to private registration so that your contact details don't show up in WHOIS searches. If you're on GoDaddy I'd recommend going with Protected Registration.

(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.
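Tip (1) is the check worth automating: every incident above relied on filters that forwarded registrar mail to a stranger and kept the originals out of the inbox. The script below, an added example that is not part of the original post or of any Google tooling, audits filter settings for exactly that pattern; it works on the JSON shape of the (much later) Gmail API `users.settings.filters` list response and `users.settings.getAutoForwarding`, and the sample filters, the `SENSITIVE_SENDERS` list and all addresses are constructed.

```python
"""Audit Gmail filters for the domain-theft pattern: forward to a stranger,
hide the originals. Added example; JSON shape modelled on the Gmail API
filters and autoForwarding resources. All sample data is constructed.
"""
import json

# Senders a domain thief needs to intercept or suppress. The registrars and
# PayPal are the ones named in the post; the list itself is constructed.
SENSITIVE_SENDERS = ("godaddy.com", "enom.com", "register.com", "paypal.com")

HIDING_LABELS = {"INBOX", "UNREAD"}   # removing these skips the inbox / marks read
TRASH_LABELS = {"TRASH", "SPAM"}      # adding these buries the message


def _touches_sensitive(criteria: dict) -> bool:
    """True if any criteria field (from, to, subject, query...) names a sensitive sender."""
    text = " ".join(str(v) for v in criteria.values()).lower()
    return any(s in text for s in SENSITIVE_SENDERS)


def _hides(action: dict) -> bool:
    removed = set(action.get("removeLabelIds", []))
    added = set(action.get("addLabelIds", []))
    return bool(removed & HIDING_LABELS or added & TRASH_LABELS)


def audit_filters(filters_response: dict, known_addresses: set) -> list:
    """One finding per suspicious filter, highest severity first."""
    known = {a.lower() for a in known_addresses}
    findings = []
    for f in filters_response.get("filter", []):
        crit, act = f.get("criteria", {}), f.get("action", {})
        fwd = act.get("forward")
        unknown_fwd = bool(fwd) and fwd.lower() not in known
        reasons = []
        if unknown_fwd:
            reasons.append(f"forwards to unrecognised address {fwd}")
        if _hides(act) and _touches_sensitive(crit):
            reasons.append("hides mail from a registrar/payment sender")
        if reasons:
            findings.append({"id": f.get("id"), "criteria": crit,
                             "severity": "high" if unknown_fwd else "medium",
                             "reasons": reasons})
    return sorted(findings, key=lambda x: x["severity"] != "high")


def audit_auto_forwarding(auto_fwd: dict, known_addresses: set) -> list:
    """Account-wide forwarding is a separate setting from filters; check it too."""
    target = auto_fwd.get("emailAddress", "")
    if auto_fwd.get("enabled") and target.lower() not in {a.lower() for a in known_addresses}:
        return [{"id": "autoForwarding", "severity": "high",
                 "reasons": [f"all mail forwarded to {target}"]}]
    return []


# Constructed sample: two interception rules of the kind described in the
# post, one harmless newsletter-archiving rule, one backup rule the owner set.
SAMPLE_FILTERS = json.loads("""
{"filter": [
 {"id": "f-1", "criteria": {"from": "godaddy.com"},
  "action": {"forward": "intercept@attacker.example",
             "removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
 {"id": "f-2", "criteria": {"query": "from:enom.com OR from:register.com"},
  "action": {"forward": "intercept@attacker.example", "removeLabelIds": ["INBOX"]}},
 {"id": "f-3", "criteria": {"from": "news@example.org"},
  "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},
 {"id": "f-4", "criteria": {"hasAttachment": true},
  "action": {"forward": "me.backup@example.com"}}
]}""")
SAMPLE_AUTO_FWD = {"enabled": False}
KNOWN_ADDRESSES = {"me.backup@example.com"}   # addresses the owner recognises


def run_sample() -> list:
    return (audit_filters(SAMPLE_FILTERS, KNOWN_ADDRESSES)
            + audit_auto_forwarding(SAMPLE_AUTO_FWD, KNOWN_ADDRESSES))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["severity"].upper(), finding["id"], "; ".join(finding["reasons"]))
```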

UPDATE:

I discovered some good articles discussing the potential security flaw in response to MakeUseOf's article:

Gmail Security Flaw Proof Of Concept
Comments About This on YCombinator
– (Nov. 26th) Gmail Security and Recent Phishing Activity [Official Response from Google]

Help Us Catch The Guy!

Apart from the above mailing address, we also know that he uses webs@domainsgame.org as his email. So if we find out who now owns domainsgame.org we might get one step closer, or at the very least return the domains he stole to their respective owners.

Now the thing is, the domain name domainsgame.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

I already emailed them about it (so did Edin) and will update you here as soon as I hear something from them.

I also have some requests for the following companies that are currently providing their services to that individual.

1- To Gmail Team:

When going through the headers of several emails it was clear that the hacker was using Google Apps. Please look into it. The domain is domainsgame.org. And also, please FIX Gmail!

2- To GoDaddy.COM & ENOM & Register.COM

First of all, please help Edin and Florin get their domains back. One smart thing to do would be to check the account login IP addresses for all similar reported cases. For instance, both in Edin's case and ours (not sure about Florin) the hacker was using the IP address 64.72.122.156. (Which, by the way, turned out to be a compromised server at Alpha Red Inc.) Or even easier, just lock the domain name and ask the current account holder to prove his identity. Since the hacker was using different identities everywhere, it would be impossible for him to do that. It's in your best interests to ensure that this person is no longer using your services.

3- To Moniker.COM:

Close his account! (that is the one for domainsgame.org). Any additional info or assistance that you can provide will be appreciated.

4- To Domainsponsor.COM

I am not really sure, but I think DomainSponsor is the company that monetizes the domains that this guy steals. It happened with MakeUseOf.com and is now happening with YouMP3.org.

5- To PayPal.COM: (Your SUPPORT IS AWFUL)

I am sure they won't even read this, so I'll just tell you instead. I sent an email to spoof@paypal.com and warned them that the person who stole our domain and blackmailed us earlier was using the a.npaypal@gmail.com account (he uses some other accounts as well). I just asked them to look into it. Instead I got an email which has nothing to do with what I said. Basically it's a template email meant for people who received spoofed messages. C'mon! We are paying a 3% commission fee on every transaction, can't you people provide better customer support?

That’s all I got!

Once again I am deeply sorry for what has happened to Florin and Edin. I truly hope they will get their domains back soon. It's all in the hands of the respective registrars now. But most importantly, I want to see something get done by the big corporations (not the customers) to catch that person. I am sure every blogger out there would appreciate that and probably even write about it on his/her blog.

It’s time for CHANGE ;-)

best regards
Aibek

image credit: thanks to machine for top ‘Mr Cracker’ image


164 Comments


ShuShine

This is pretty scary. Who will think that the hacker used gmail

MobileAnswers Mashup

call me crazy but I don’t think they should shut down his account. Instead investigate into the matter and restore all accounts he’s breached. Then fine him heavily, and push both civil and corporate suits against him.

I hope you catch him, but what I don’t want to see is a lot of racism coming out of this. So let’s keep it civil and leave it to the companies and parties involved to do the work, otherwise you end up with people messing the entire thing up by swearing and throwing insults which complicates everything.

Honestly three things on the web that suck, domain squatters, spammers and thieves.


Mackenzie Morgan

Oh, so *this* is why I only access GMail via IMAP and never login to it in my browser.

kristarella

In what way is it more secure that you never view the online Gmail environment and therefore rarely see your filters or know what is usual for your Gmail account?

TerminalDigit

It’s “more secure” in the sense that the exploit described is browser-based and requires the user to be logged into GMail in their *browser* while visiting a malicious site. If you access your e-mail via IMAP, then your login credentials are sent via your e-mail client, and your browser has no active session cookie for your Google account, rendering the call to inject a redirect filter useless.

kristarella

Yep, my bad for commenting in a hurry. I’ve read the post thoroughly now. Using IMAP sounds like a good idea. The four tips at the end of the post are good ones, although I’m shocked that no one has mentioned the setting to always use GMail with https!

Turn on HTTPS!

Garcya

If you are not logged in to Gmail, maybe you are logged in to google.com/ig or any other Google app? It's the same thing.
Anyway the big companies won’t do something about this until their domains get stolen :)
They don’t care about you and me, or anybody else. Do you really think they want their websites to get flooded with DDOS attacks?

TerminalDigit

HTTPS is a good idea for other reasons, but it won’t protect you against this attack.

Pete

Well, if you’re accessing Gmail through a desktop email client, you’re not making any HTTP POST requests, which means you’re not vulnerable to the attack described above. The IMAP in this case is sorta irrelevant, POP should work fine too. It’s the separate client in this case that’s the key.

As for the blog post, I haven’t yet seen a clear case for anything other than someone discovered their Gmail account password and used it to obtain access to the other accounts.

What proof have you got that there’s a Gmail vulnerability in play here? All you’ve shown is that someone managed to get into some accounts.

Marius Gundersen

Because of how the security flaw works. The hacker can only hack your account if you are logged into Gmail in the same browser as you browse the web with.

Ashish Mohta

Best would be to use Chrome to access your mail accounts, especially Gmail and stuff. You can also use Chrome for accessing your private accounts. Use any other browser for surfing. And please improve your surfing habits.

drfindley

Ashish: Using Chrome is no more of a help than using IE or Firefox with a multipart/form-data POST…. any browser that supports AJAX could easily do that. Chrome has yet to stand up to the security scrutiny that Firefox and Safari have. While it's a fun browser, its security is not tested and therefore not to be trusted (yet).

Peter

Who says Chrome is not vulnerable to this? All Chrome windows and tabs share the same session ID. So if you’re logged in one window you’re logged in into all of them.

Eric

drfindley, Peter: You are missing the point. He isn't saying that Chrome is not vulnerable. He is saying that you should use two separate browsers, one for email and another for general web surfing. He just specifically suggests using Chrome for the email browser.


Miguel Wickert

Unreal! Well… glad you got everything worked out! What if you own a site but transfer it to someone else, as far as hosting and you wanted it back but they won’t transfer it… now what?


Yashar

“Amir Emami” and “Aydin Bolourizadeh” are not Turkish names. Both are Persian names.

Aibek

Amir Emami is not, Aydin Blourizadeh can be Turkish on the other hand. I lived two years in Turkey.

Alphan Gunaydin

“Blourizadeh” doesn’t sound Turkish.

Zaur

Aydin Bolourizadeh is Azerbaijani for sure. But he can be originally from South Iran too.


Richard M

I'd venture to guess that you guys were probably victims of phishing or something of the like. If it was just an issue with Gmail then I'd think you'd see more widespread issues. I also find it interesting that everyone affected is using GoDaddy.

Aibek

Well, I am 100% sure there are dozens more cases out there, we just don't get to hear about them.

Richard M

I'm curious whether in your case anything related to Gmail was changed. It just strikes me as odd that between all the cases, Gmail and GoDaddy are the two biggest common factors. I'm sure there might be more, but that would take some detailed evaluation.

Aibek

Yes, when it happened to me it was also via Gmail. The account had a filter set up forwarding certain emails to the hijacker.

David Airey

Richard,

When my domain was stolen, I had no business dealings with GoDaddy. The cracker transferred my domain name from another registrar into his / her GoDaddy account, so not everyone affected is using their service.

Aibek,

I’m glad it wasn’t any longer than 36 hours before you had your domain returned.

Aibek

I was referring to Gmail in particular, not GoDaddy. GoDaddy is definitely not to blame here; it's normal for it to appear in most of the incidents simply due to their huge popularity.


D L Owens

He seems very clever and it is likely that there are a lot of victims that still aren’t aware that they’ve been compromised. The best prevention is to educate yourself about the numerous ways that your email can be infiltrated.

Aibek

Indeed, I am sure many of his victims have no idea about it. I also believe it's a lot harder to get the domain back once it has been in someone's hands for a while.


Angel

I was led here through a link someone posted on Twitter, but I am glad I stopped to read. Thank you for bringing this possibility to everyone's attention. I fall under all the 'no-no's' that are listed here and it could have been my story (and I own quite a few domains!).


sylv3rblade

toinks, I already suspected gmail as the problem when David Airey's domain got stolen, now this. BTW, Paypal support really sucks.

Dee

Four unconfirmed cases in a year are definitely signs of a weakness in gmail alright.


Gspider

I don't think that's related to Gmail itself but probably the environment and the way you connect to your Gmail. For example, having lots of untrusted or even trusted Firefox add-ons decreases your security level dramatically.

You mentioned that he was able to get your info using forward filters, but he didn't actually have physical access to your account or he would have got it all without filters and even changed and blocked access to your email too. I think it's more like using and sending code to generate such filters. I guess.

Google apps and services are all connect together so a security bug in igoogle will affect all your other apps.

Aibek

I can't tell for sure whether the guy had physical access to my account. The filters were there; they might have been inserted using a technique similar to the one described in the post, or he could have added them manually. I am inclined to believe it's the first one. Mainly because this guy knows very well what he needs to do before moving some domain. In our case he knew beforehand that he would be moving the domain from GoDaddy to NameCheap (a reseller for Enom). Thus he knew every step of the process, what emails to intercept and where they would be coming from.


kailoon

Wow… scary man… I am using Gmail too. So, what should I do? I don’t know anything about security issue…

kristarella

In your Gmail settings select the option to always use https, check your filters and forwarding, make sure there's nothing there you didn't set up, have a good password and don't give it to anyone. That should go a long way to keeping things secure.

kailoon

There is nothing in the filters, what should I add?

kristarella

Nothing. If you don’t want/need to use filters that’s fine. The thing about this technique is that once someone gets in to your Gmail account they can set up filters to prevent you from seeing emails or to forward emails to themselves. So if there’s a filter that you didn’t set up with a weird email address, delete it.


Richard M

The fact that no one seems to have been permanently locked out of their accounts almost leads me to believe this is related to the old "known" cross site scripting issue http://arstechnica.com/news.ars/post/20070927-cross-site-request-forgery-vulnerability-found-in-gmail.html. That issue was supposedly fixed right after it was found. But it's possible there is a new issue there.


Daniel

I highly doubt anyone writing for MUO would fall prey to phishing; nevertheless, it is a possibility. I can recommend Bluehost to anyone out there as a hosting company. I tried to ask them for complicated stuff, but they always help me out and complete everything in not 24, but more like 2-3 hours. They're really friendly and I should think they'd address this issue.

I love PayPal, but I think they've become a bit 'elitist'. Unless you have tens of millions of dollars going through, I doubt they will take the time to help until it's happening to "only" 5-6 people.

One thing more that I don’t get is, and it shows how these people aren’t that bright, is why didn’t the guy just replace the adsense block with his own? I doubt anyone would notice for months, in total earning him more. I’ve always thought about this as a threat, so perhaps you would like to check your ads as well!


Matt Cutts

I started asking some people here at Google about this. Other than David Airey a while ago, I can’t remember hearing about other cases of this “add malicious forwarding rules to Gmail to sniff registrar passwords and hijack a domain” type of situation, but I’ll keep my ears open.

Matt Cutts

By the way, a security person found me to chat about this specifically. They mentioned that the original bug from 2007 is still fixed properly. They also said that the David Airey incident was not an exploitation of the XSRF flaw or other Gmail flaw.

If I had to guess (and bear in mind that I have no special/inside knowledge or computer security background), I would guess that it was a keylogger. Once an attacker knows (say) a Gmail password, they could exploit that to try to grab any domain names that you own. Notice for example that the Gmail snapshot above includes multiple registrars (register.com and godaddy.com), so it could easily be a scripted attack that tried to see if that Gmail account can be used to hijack domains from multiple registrars. In a keylogger situation, there’s nothing special about Gmail–the attacker could attack other webmail providers too.

Aibek

The reason there are filters for multiple registrars is that the domain transfer process includes several emails, from both the losing and the gaining registrar. So if the hacker doesn't want the victim to know anything about it, he has to set up multiple filters.

In my opinion the hack was carried out in the following way:

– 1. The hacker has an automatic script that searches public WHOIS databases and finds people that have a Gmail address listed as a contact.
– 2. The script further filters the results, leaving only somewhat established sites.
– 3. Next he sends an email to the owner (or even leaves a comment on his blog) with a link to a site that targets the Gmail bug.

Aibek

geekamongus

That seems the most logical explanation to me. A little XSS mixed with some social engineering.

Whoever mentioned above that the fact no GMail accounts have been locked out is correct in that this must be some sort of cross-site scripting vulnerability, as it relies upon filters for the cracker to obtain copies of emails. If he had direct access to the GMail account, why not simply log into it and use it?

I want to stress the importance of selecting the “Always use https” option in the GMail settings, especially if you use GMail from your local coffee shop or other public wi-fi hotspot.

Aibek

Hi Matt,

Thanks for the comment. It’s good to know that the article made its way to known Google individuals like yourself.


venkat

This is a scary story for all Gmail users. Having said that, no email is safe enough not to get hacked. I agree with Aibek: I really get worried if I don't find any keyloggers, viruses or spyware capable of hacking; then we have to doubt the service we are using, in this case Gmail. I am also really worried, after scanning with an internet security suite, that someone is spying on me.


aloishis

I don't have time, but if someone else wants to fire up Backtrack 3 and do a bunch of scans on the domain, that could be helpful. And gmail logs the IPs of the last logins, any chance you got those from when he logged in? Remember: there is always a way around a security measure.

Aibek

In my case the IP was pointing to the compromised server on Alpha Red Inc. They have already taken the server down. They couldn’t help us as the server logs were deleted.


Jaf

Since the beginning of this episode I carefully watched every development and even wrote a short note on my blog that makeuseof.com got hijacked. I instantly changed the Gmail account associated with my domain; previously my domain was on GoDaddy, and even if it was still there I would definitely have moved it somewhere else, and I also added domain privacy to my domain…. I also took the time to set up my domain email and abandoned using a gmail address in blog comments….. In short, Google needs to pay quick attention to this ongoing issue; the more people learn about it, the more they are going to be scared of Gmail. I know Aibek didn't mean to scare us off Gmail, nor do I, but I am just pointing out there seems to be an issue or a loophole in Gmail security, no? I'm glad that Matt Cutts followed this blog post and eventually this matter would be addressed by the Gmail team (hope so).


Manuel Fickovic

Here is more info about the guy from webs@domainsgame.org:

His MSN is betterdomains@hotmail.com
Gmail he contacted me from: domain.bs@gmail.com
Email he changed in my PayPal account: domain.bs@googlemail.com
Email he changed in my parked account: webs@domainsgame.org
IP address he logged in to my parked account from: 64.72.122.156

Source : http://www.namepros.com/528516-i-have-been-hacked-please-help-2.html


Peter W

The gmail folks could go a long way towards fixing this with some defensive configuration changes.

There are two simple things I’d like to see in particular:
1) Require a password refresh in order to add or change filters with forwarding
2) Require a password refresh in order to add forwarding in general.

It doesn't have to be too intrusive. Just require re-verifying your gmail password before allowing forwarding to go elsewhere. Set the timeout to something small like 15 minutes. That greatly narrows the window where an undetected XSS attack can affect you. In order to have the XSS/link attack work silently, you'd have had to have verified your password within the last 15 minutes.

You’d notice if clicking on a link caused gmail to ask for a password to allow editing the forwarding…

Ashish Mohta

This would be really good. Funny thing is they ask for a password when you add a feed in Orkut but they don’t when you add a filter!

Aibek

I agree, this can definitely help.

Reply

Technogadge

This is really a scary thing for beginners like me. I would like to thank you for putting all the information together in this post. What do you think about Yahoo!? Do they have such a security flaw?

Aibek

I don’t know about Yahoo, but I doubt that their security measures are better than those of Gmail. The reason we hear about Gmail more often is due to its huge popularity in the tech community.

Reply

Aibek [impostor]

“I also keep my system up to date and have all essentials including 2 malware monitors, an antivirus and 2 firewalls.”

The fact that you need, or think you need that, says a lot.

You can have all the security in the world, but it is undermined by your stupidity and ignorance.

Aibek

“The fact that you need, or think you need that, says a lot. You can have all the security in the world,…

So based on your argument, smart people should ignore security software. And what’s wrong with “think you need that” ? So what should we who think that we need security software to protect our PCs do then?

There is a flaw in your logic.
You’re an idiot !

Reply

Chris/James

So wait.. You actually used your e-mail address associated with the account with GoDaddy for your website? I used to work for GoDaddy, and christ (if it wasn’t obvious from the post), you’re quite inept and should not be allowed to have a website. Such as it is.

Reply

david smeaton

Firstly, @ goodluck – please don’t say racist things. By saying “99% of Turks are retards” you’re just as bad as the people you criticise.

Secondly, this is a serious issue … so treat it seriously!

Thirdly, a simple way to protect yourself is by installing another browser for Gmail. I use Firefox for most stuff … but I use Chrome for email. I don’t surf at all using Chrome, just check email. If there are links, I copy/paste them back to Firefox.

I do this because I don’t like email clients. I like web based email.

Finally, thanks for chasing this guy on everyone’s behalf … good luck getting him and helping people retrieve their domains.

kudos!

cheers

david

davidsmeaton.com

Reply

Anon

domainsgame.com’s IP block is owned by the following... could place a call there

OrgName: Oversee.net
OrgID: OVERS-1
Address: 515 S. Flower St
Address: Suite 4400
City: Los Angeles
StateProv: CA
PostalCode: 90071
Country: US

NetRange: 208.73.208.0 – 208.73.215.255
CIDR: 208.73.208.0/21
NetName: OVERSEE-NET-2
NetHandle: NET-208-73-208-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.OVERSEE.NET
NameServer: NS2.OVERSEE.NET
Comment:
RegDate: 2006-12-28
Updated: 2006-12-28

OrgAbuseHandle: OVERS-ARIN
OrgAbuseName: Oversee NOC
OrgAbusePhone: +1-213-408-0080
OrgAbuseEmail:

OrgTechHandle: OVERS-ARIN
OrgTechName: Oversee NOC
OrgTechPhone: +1-213-408-0080
OrgTechEmail:

also interesting

domainsgame.org. 21600 IN MX 10 aspmx.l.google.com.
domainsgame.org. 21600 IN MX 30 aspmx5.googlemail.com.
domainsgame.org. 21600 IN MX 30 aspmx4.googlemail.com.
domainsgame.org. 21600 IN MX 30 aspmx3.googlemail.com.
domainsgame.org. 21600 IN MX 30 aspmx2.googlemail.com.
domainsgame.org. 21600 IN MX 20 alt2.aspmx.l.google.com.
domainsgame.org. 21600 IN MX 20 alt1.aspmx.l.google.com.

;; ADDITIONAL SECTION:
ns1.domainservice.com. 68916 IN A 208.73.210.41
ns2.domainservice.com. 3398 IN A 208.73.211.42
ns3.domainservice.com. 167141 IN A 208.73.210.43
ns4.domainservice.com. 46168 IN A 208.73.211.44
aspmx5.googlemail.com. 1765 IN A 74.125.45.27
aspmx4.googlemail.com. 3441 IN A 66.249.93.27
aspmx3.googlemail.com. 1997 IN A 209.85.199.27

Possibly using Google’s mail service (non-Gmail) stuff as a back door in?

Reply

mehtuus

Correct me if I am wrong, but I think that you can be protected from this flaw by using Firefox and the NoScript plugin.

aleron

Sure, but with this plugin you disable all JavaScript. You are even better protected if you unplug your modem.

Aibek

:-)

Reply

Ozimus

Hello MUO.

First, let me say I’m not a legal/criminal expert. However, having reviewed the evidence you and your faithful readers have compiled, it seems to me you have a legitimate international crime. The only place I can think of that this could be reported is the FBI. Specifically, FBI tips, or you could go to your local field office. When major corporations are hacked, the FBI gets involved. I can only hope they’d put the same efforts into protecting a growing list of small businesses. I would urge you to organize all of the documentation and information gathered into a report presented to the FBI. In the end, the worst they can do is say no to your request for help.

A Daily Reader

Aibek

Thanks for the tip, I am adding this to my to-do list

Reply

Brandon Blaylock

Here are some very easy ways to ensure the security of your domain.

1. Set your whois email contacts to an administrative email account. Set a very long and complex password on the account and have all email forwarded to your daily use account. Since you do not log into the account and it has a very long and obfuscated password, it makes it much more difficult to break into. Also set very random security questions, as sometimes your security questions can be very simple to break. Since the email address listed in the whois database is publicly available, it is the prime target for anyone attempting to steal a domain; this practice adds a layer of security, much like root privileges in a Linux environment.

2. Get privacy on your domain. Privacy masks your whois contact information. The less information someone has on your domain, the more difficult it becomes for them to gain control of it. Also be aware that there are services that keep a history of whois information, so this is not a foolproof method of privacy since the information is probably still out there.

3. Keep your registrar (GoDaddy, Moniker, etc.) email address different from your whois email address. This makes it more difficult for someone to gain direct access to your domains since your account email will not be publicly available.

4. If you are really concerned, pay for a service like Protected Registration at GoDaddy. This service locks down a domain irrevocably. In fact, it makes it almost impossible to transfer even if it’s you that wants to do the transferring.

5. Keep alerting on. Most registrars have account options that will send you an email if any registrant information is changed or a domain is unlocked. Make sure it’s turned ON!

6. Call the experts! I have all my domains at GoDaddy and I use Google Apps on over 40 domains. If I need to know something about my account I call the free support and ask them.

Aibek

Brandon,

EXCELLENT TIPS!

Thanks for sharing, I second every one of them.

Reply

ABc DEf

You got phished.

Reply

Goodluck

[THE COMMENT WAS REMOVED BY MODERATOR FOR BEING RACIST & IRRELEVANT]

Brandon Blaylock

Any security policy based off of a racial slur, a made up statistic, or an underestimation of another person’s intelligence is not really a security policy at all. But I get it, you were being funny.

Reply

tompa

I hope the malicious people behind these hacks are found and brought to justice!

As a regular user I have no idea if there’s a basic security flaw in gmail that allows adversaries access in the first place.

But I still think that gmail easily could add features that would limit the damage in such cases:

1. add multilevel security: require the use of some master password to create filters, edit forwarding rules and so on.

2. increased transparency: when a filter, forwarding rule is changed (or a failed attempt to change it occurs) then gmail should display a note about it visible to the user each time he/she logs onto gmail for the next few days.

Let me also just agree that this is excellent advice:

“(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing web.”

I even go so far as to only access that special email account after booting an Ubuntu live-CD. I never access it from within Windows or any other installed OS.

Reply
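Peter W’s suggestion above (re-verify the password before forwarding or filters can be changed, with a short timeout) and tompa’s two points (a master-password gate on sensitive settings, plus a visible notice of every change or failed attempt for the next few days) describe the same defensive pattern: step-up authentication with an audit trail. The following Python is an added example, not code from MakeUseOf or from Google; the settings store, the 15-minute window and the 3-day notice period are assumptions for the walkthrough, and the addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

REAUTH_WINDOW = timedelta(minutes=15)   # the re-verification window Peter W proposes
NOTICE_DAYS = 3                          # how long tompa's login notice stays visible (assumed)


class ReauthRequired(Exception):
    """Raised when a sensitive setting is touched outside the re-auth window."""


@dataclass
class ChangeRecord:
    when: datetime
    setting: str
    detail: str
    succeeded: bool


@dataclass
class MailSettings:
    """Hypothetical webmail settings store, constructed for this example."""
    now: Callable[[], datetime]                  # injected clock so the demo is deterministic
    forwarding: Optional[str] = None
    filters: List[Tuple[str, str]] = field(default_factory=list)
    last_password_verified: Optional[datetime] = None
    changes: List[ChangeRecord] = field(default_factory=list)

    def verify_password(self, supplied: str, expected: str) -> bool:
        # A real service compares against a password hash; a constant-time
        # comparison of the plain strings keeps the example short.
        ok = secrets.compare_digest(supplied, expected)
        if ok:
            self.last_password_verified = self.now()
        return ok

    def _recently_verified(self) -> bool:
        if self.last_password_verified is None:
            return False
        return self.now() - self.last_password_verified <= REAUTH_WINDOW

    def _guard(self, setting: str, detail: str) -> None:
        # Every attempt is recorded, successful or not, so a forged request that
        # bounced off the re-auth check still shows up at the next login.
        if not self._recently_verified():
            self.changes.append(ChangeRecord(self.now(), setting, detail, False))
            raise ReauthRequired(f"re-enter your password to change {setting}")

    def set_forwarding(self, address: Optional[str]) -> None:
        detail = f"forward all mail to {address}"
        self._guard("forwarding", detail)
        self.forwarding = address
        self.changes.append(ChangeRecord(self.now(), "forwarding", detail, True))

    def add_filter(self, match: str, action: str) -> None:
        detail = f"if {match!r} then {action}"
        self._guard("filter", detail)
        self.filters.append((match, action))
        self.changes.append(ChangeRecord(self.now(), "filter", detail, True))

    def login_notices(self) -> List[str]:
        """Messages to show on every login for the next NOTICE_DAYS days."""
        cutoff = self.now() - timedelta(days=NOTICE_DAYS)
        return [
            f"{'CHANGED' if c.succeeded else 'BLOCKED ATTEMPT'} {c.setting}: {c.detail} "
            f"at {c.when:%Y-%m-%d %H:%M}"
            for c in self.changes if c.when >= cutoff
        ]


class FakeClock:
    """Deterministic clock for the walkthrough."""
    def __init__(self, start: datetime) -> None:
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, delta: timedelta) -> None:
        self.t += delta


def demo() -> Tuple[bool, bool, Optional[str], int, List[str]]:
    clock = FakeClock(datetime(2008, 11, 23, 12, 0, tzinfo=timezone.utc))
    s = MailSettings(now=clock)
    # 1. A forged request lands with no recent password entry: blocked and recorded.
    try:
        s.set_forwarding("attacker@example.invalid")   # constructed address
        blocked_cold = False
    except ReauthRequired:
        blocked_cold = True
    # 2. The user re-enters the password and edits a filter inside the window.
    s.verify_password("correct horse battery staple", "correct horse battery staple")
    s.add_filter("from:registrar", "label registrar")
    # 3. Sixteen minutes later the window has lapsed; the same forgery is blocked again.
    clock.advance(timedelta(minutes=16))
    try:
        s.set_forwarding("attacker@example.invalid")
        blocked_later = False
    except ReauthRequired:
        blocked_later = True
    return blocked_cold, blocked_later, s.forwarding, len(s.filters), s.login_notices()
```

The point of recording the blocked attempts is the one tompa makes: a user who sees “BLOCKED ATTEMPT forwarding” at login knows something tried to redirect their mail, even though the attempt failed, and can check their filters and the accounts that mail their password-reset links.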

Johan

What is the answer to your password recovery question and is it easily discoverable via google?

Aibek

Definitely not in my case!

Reply

India Travel

It is a serious issue

Reply

alex

that’s a pretty interesting story. you’ve done some nice research. but it won’t help you at all because the police in Turkey won’t do anything, even if you have clear evidence. I think it’s a little bit like the Russian Business Network problem.

and c’mon … it’s your own fault. who uses a free-mail account for registering domains (except if it’s your first domain ;) ) … so i think you have to blame yourself, too. if you have a site with xxxxx visitors each day, you make enough money through ads that you can buy yourself a secure email account, and some think you even have the duty to do so (even more when you are dealing with user credentials, user-generated content, etc.)

but nevertheless i hope you and the other guys get their domains back.
So, take more care about your emails in the future ;)

Reply

gregv

One thing you don’t mention in the article is how you access gmail. Always, always start by going to https://mail.google.com. It will force the entire mail session to be encrypted. You should also go to your security settings and check “Always use https.” Then if you forget to access via the encrypted URL, google will still use it. There are some flaws that are endemic to AJAX and really the only way to take care of it is via encrypted sessions. See http://en.wikipedia.org/wiki/Cross-site_request_forgery

Reply

ACTIVER

WE WILL RETALIATE EVERY TIME … We build our domains and websites with pure love and dedication; we have the right to protect them and sue the culprits.

This is a good site, I really love it in every way.

Reply

Louie

Same thing happened to David Airey about a year ago. davidairey.com/david-airey-hacked/

Reply

Karl L. Gechlik

Aibek is correct this is a SERIOUS issue that can happen to anybody using Gmail – and not just having your domain stolen… He can create filters for anything and hijack anything that sends password links via email.

I want to hear Gmail’s, Moniker’s and PayPal’s comebacks for this one!

Any hackers out there want to fill us in on the way he is gaining access? I got cash and an AskTheAdmin.com t-shirt for the REAL answer.

email tips at AskTheAdmin dot Com .

Your help is needed in fixing this issue!

Reply

T.J. Mininday

Great read…Now that this has some serious coverage all over the web, let’s hope some eyes at all parties reach out and actually do something.

Reply

ech01337

His server’s main IP address and domain info: ge-2-2.r00.lansca17.us.ce.gin.ntt.net, domain IP 208.73.208.14; the actual server for ns3 is 208.73.210.43.

Currently running a smokeping study through DSL Reports. It should show all activity occurring on the line for the next 24 hours. Here is the link: http://www.dslreports.com/r3/smokeping.cgi?target=network.322ec634e73b4f05dd8ea711d0eea08a&r=922

copy and paste.

Reply

D14BL0

Thanks for the heads-up, guys. I’m going to start keeping an eye on my filters to make sure that nothing changes.

Good luck catching the guy!

Reply

GB

Just FYI, but most key logger processes do not show up in the process list. The fact that you’re running two different firewalls makes me think that you don’t really know as much as you think you know about security. Just because YOU didn’t find anything on your machine doesn’t mean it wasn’t compromised, or that you didn’t go to a spoofed site/whatever.

D14BL0

Did you read the article? They already know how they got into the Gmail account. It’s a Gmail flaw, not an infection.

Reply

DK

Dudes, I ALWAYS get email meant for other people in my Gmail account – stock broker information, bank statements with real addresses and conversations for other people – and guess whose ID is in the TO line? Mine. I think there is a serious flaw in Gmail, so I stopped using it months back!

person

That’s not a Gmail flaw, it’s a human flaw. One or more idiots have confused your email with their own and signed up for stuff. If your username is something common, it happens all the time. One girl even accidentally gave my address to her mother! It’s just the same as wrong number phone calls.

Nancy Kramer

I also got sensitive email for someone else on my Gmail account. I got confirmation for airline tickets and stuff like that. I was terrified my Gmail account was hacked. Contacted Gmail support and found out that to Gmail a space ” ” and a period “.” are the same. My Gmail account was firstname.lastname; the other person having the same name probably had firstname lastname. Gmail made it the same account. I stopped using Gmail and eventually deleted my account. All those PhDs and they can’t tell the difference between a space and a period. Humans are way smarter than that.

kristarella

Email addresses don’t allow spaces at all, but if someone makes a mistake in your address by adding a space or missing a point, Gmail generally manages to send it to the correct person. It doesn’t let one person sign up for an email with a point and an identical email without one for just that reason; it doesn’t care if there’s one in it.

Sounds like someone was just silly and wrote the wrong email down.

Reply
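To make kristarella’s point concrete: Gmail treats the local part as dot-insensitive (and ignores a “+tag” suffix for delivery), so “first.last” and “firstlast” name one mailbox and a second sign-up with the variant is refused, while on an ordinary domain the two spellings are different accounts. The Python below is an added example, not MakeUseOf’s or Google’s code; it assumes gmail.com and googlemail.com address the same mailbox, and the sample accounts are constructed. It also rejects a space in the address outright, since one is never legal.

```python
import re
from typing import Dict, Optional

ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # no whitespace anywhere, exactly one '@'
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}      # assumed: both reach the same mailbox


def canonical_address(addr: str) -> str:
    """Identity key for addr: case-folded; on Gmail-style domains the dots in the
    local part and any '+tag' suffix are dropped, because delivery ignores them."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a valid address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class Directory:
    """Account registry keyed by canonical address, refusing look-alike sign-ups."""

    def __init__(self) -> None:
        self._owners: Dict[str, str] = {}

    def register(self, addr: str) -> str:
        key = canonical_address(addr)
        if key in self._owners:
            raise ValueError(f"{addr} collides with existing account {self._owners[key]}")
        self._owners[key] = addr
        return key

    def route(self, addr: str) -> Optional[str]:
        """Which registered account a message to addr would reach, if any."""
        return self._owners.get(canonical_address(addr))


def demo() -> Dict[str, object]:
    d = Directory()
    d.register("first.last@gmail.com")          # constructed sample accounts
    d.register("first.last@example.com")
    d.register("firstlast@example.com")         # distinct on a dot-sensitive domain
    try:
        d.register("firstlast@gmail.com")        # same Gmail mailbox: refused
        collision = False
    except ValueError:
        collision = True
    return {
        "collision": collision,
        "variant_routes_to": d.route("First.Last+tickets@googlemail.com"),
        "example_com_distinct": d.route("firstlast@example.com"),
    }
```

Canonicalising before comparing is also what an abuse or account-recovery system should do: a reset link mailed to a “+tag” or dotted variant lands in the same inbox, so two records that differ only in those characters belong to one person.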

Rich

If this is a problem with Gmail it isn’t an XSS attack but rather a CSRF vulnerability. While similar, CSRF sends a legitimate request to the server/site you are authenticated with. It is harder to detect in that you may never know you visited a site that “rode your session” on Gmail and sent some POSTs to it.

While this is definitely possible, I would hope that Google would now be using some of the widely known methods to combat these attacks. Using tokens for all POST data is easy to implement and will eliminate all but the most persistent attacker.

Educate yourselves:
http://shiflett.org/articles/cross-site-request-forgeries
http://www.codinghorror.com/blog/archives/001171.html

Reply

Court

If google would just allow people to lock sensitive settings like filters and only allow them to unlock them for editing by typing in their login credentials again, exploits like this wouldn’t be an issue for those that actually take their email security seriously.

Reply

YuriGoul

Hope it never happens to me – and I will definitely take some of the advice to heart (at my last provider my website got infected with shitty JavaScript code that sends people to other websites; not sure if it was me or the provider who was to blame)

About PayPal: AFAIK the spoof address is for people who get the PayPal scam/spam/phish mails. Not sure what they can or will do if you send it to support?

Aibek

That was the only email I could find on their site.

Reply

BloggerSavvy

Check your “Contact Us” email.
I have sent some valuable follow up. The server currently hosting yump3.org does not appear to be in Turkey at all.
You have contacted the police already right? If not you should contact the cyber crimes unit in your area.

Reply

anon

That belongs to a person named Michael James, based in Australia. He offers stolen domains for auction on eBay.

Reply

Andy

I’m only about 15 minutes from that address, 3250 W. Commercial Blvd. I’ll go see what’s there within the next day or 2 and get back to you.

Aibek

Thank you

Reply

Fin

How come no one has mentioned anything about Gmail’s “last account activity”, where it shows you the IP address that last accessed that Gmail account and from what service (POP3, browser, mobile)?

Reply
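Fin’s point is a detection one: the “last account activity” panel lists the access type and source IP of recent sessions, and a mailbox owner (or a script fed an export of that data) can baseline the usual networks and flag departures. The Python below is an added example, not code from MakeUseOf or Google, and it assumes the activity has been exported as simple text records; the records and IP addresses are constructed. It flags a first sighting of a new /24, a first use of an access type such as POP3, and two sessions from different networks within ten minutes.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List

Access = namedtuple("Access", "when kind ip")

# Constructed export of an activity panel: "<UTC timestamp> <access type> <IP>".
SAMPLE_ACTIVITY = """
2008-11-20T09:12:00Z browser 203.0.113.10
2008-11-20T18:40:00Z browser 203.0.113.10
2008-11-21T08:05:00Z browser 203.0.113.12
2008-11-22T03:40:00Z pop3 198.51.100.77
2008-11-22T03:44:00Z browser 203.0.113.10
"""


def parse_activity(text: str) -> List[Access]:
    """Parse the exported records, oldest first; malformed lines raise rather than hide."""
    records = []
    for line in text.strip().splitlines():
        ts, kind, ip = line.split()
        records.append(Access(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, ip_address(ip)))
    return sorted(records, key=lambda a: a.when)


def network24(ip):
    return ip_network(f"{ip}/24", strict=False)


def flag_accesses(accesses: List[Access], concurrent_window=timedelta(minutes=10)) -> List[str]:
    """Return alert lines. The first record seeds the baseline and is never flagged."""
    alerts: List[str] = []
    seen_nets, seen_kinds = set(), set()
    recent: List[Access] = []          # accesses still inside the concurrency window
    for a in accesses:
        net = network24(a.ip)
        stamp = f"{a.when:%Y-%m-%d %H:%M}"
        if seen_nets and net not in seen_nets:
            alerts.append(f"{stamp} {a.kind} access from new network {net} ({a.ip})")
        if seen_kinds and a.kind not in seen_kinds:
            alerts.append(f"{stamp} first {a.kind} access ever seen")
        recent = [r for r in recent if a.when - r.when <= concurrent_window]
        for r in recent:
            if network24(r.ip) != net:
                alerts.append(f"{stamp} concurrent sessions from {network24(r.ip)} and {net}")
                break
        recent.append(a)
        seen_nets.add(net)
        seen_kinds.add(a.kind)
    return alerts


def demo() -> List[str]:
    return flag_accesses(parse_activity(SAMPLE_ACTIVITY))
```

A mailbox that has only ever been opened in a browser from one home network and suddenly shows a POP3 login from elsewhere, minutes before the owner’s own session, is exactly the pattern a forwarding or filter change would ride on, and it is visible in the panel Fin describes without any extra tooling.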

Pothi

There could be many more hackers who have been doing similar thefts. Don’t you think so?

Reply

Michel B.

Something interesting is mentioned by Florin:

I used gmail notifier extension on firefox. maybe there is the big bug

Or could it be any other extension? I think I will never update any of mine without a code check now. It’s so easy to add a “keylogger” into the extensions.

Ollie

exactly… I recently downloaded gnotify, and was amazed to see it ask for my username & password, even though I was already logged into gmail at the time. I did not use it as I was suspicious of this. Could this little program be malign?

Reply

Ryan

If this happened to me I think I would break down. What a lot of drama to deal with.

Reply

Nematode

CSRF vulnerabilities are one of the very good reasons never to use webmail for anything important. POP/IMAP clients aren’t vulnerable to CSRF attacks.

I’d be really surprised if any of the contact information provided by this attacker turned out to be real. If he’s half-way competent, he’ll be using fake information in his fake whois data and all of his connections will be reflected through zombied PCs. The Western Union data is very likely fake as well; the only thing WU needs to complete a transaction is the MTCN. The address is irrelevant to WU.

The only thing you can be sure about is that the paypal accounts he uses as drop boxes for extortion payments will eventually get money to him somehow. Good luck tracing the money trail, however…

Reply

Homefinding Book

Maybe the email/passwords were pulled when connecting to a wifi hotspot? I’ve seen that happen multiple times, and this is how the hacker got access.

Reply

ntopics

A security break is always a bummer. I have had some myself. Lately I have been making my passwords longer and more complex, which doesn’t matter to me because today’s browsers remember them. On the other hand, they are tougher for others to crack.

thanks from tony

Reply

Chris Cardinal

You know, these XSS/POST/REST attacks could be pretty easily covered by requiring a user to always enter their password in order to set a new filter.

I realize that’d be a bit annoying, but if all it takes is a simple, silent XSS and NO actual phishing in order for ALL my fucking email to be forwarded to some random stranger, maybe we require a password entry for each filter request. I don’t know…

Reply

testguy

This guy deserves whatever he gets.

Reply

Daniel

Anyone feel like going to Turkey and arranging an old school hanging? God I hate those little pussies stealing domains. Maye if we string one of them up against a wall and rape him with a machete the rest will think twice?

Reply

Steve

Gmail flaw or keylogger/rootkit on the guy’s machine that sends the hacker his e-mail password?

Reply

bob

Moniker Whois info. on Domainsgame.org

Registrant Street1:20 SW 27th Ave.
Registrant Street2:Suite 201
Registrant Street3:
Registrant City:Pompano Beach
Registrant State/Province:FL
Registrant Postal Code:33069
Registrant Country:US
Registrant Phone:+1.9549848445
Registrant FAX:+1.9549699155

source: http://www.moniker.com/pub/Whois

Reply

carlos

thanks a lot for sharing your experience

Reply

Alex Cassell

I had the same thing happen to me about a month ago with two of my domain names; at the time I thought I had a trojan that sent him the info. I have since stopped using free email services.

Reply

brian

Thank you for this article.

I only wish I could give back. I also had a horrible experience with paypal. I was locked out of my account for 3 weeks because of an error in their system. The Philippines people kept telling me the account was fine, and that they were having website issues and to try again later. Finally I was transferred to a web technician in Alabama (I think), and he apologized a thousand times for the idiots overseas. He fixed my problem in 10 seconds, and told me if I ever had a problem to call their help center in the USA directly. I’ve searched my whole PC and house for that number for you, and I’m sorry I can’t find it. If I do, I’ll post it right away.

Their email and phone support is a joke.

Reply

Miles

Heh, well now I get to start doing a weekly check on every gmail account I have for extra filters and forwarding. Doubtful that I would ever be targeted, however, due to the fact that I own no popular site, server, or etc.
However paranoia ensues.
thanks for the post. Will be sure to send this along to some of my friends that could put more use into this.

Reply

Adam

our hearts go out to you that have fallen victim to these attacks. best of luck brothers and sisters of the internet.

Reply

me

OK, I will say that there is a 99% chance that it was your firewall that screwed you here.

There is a feature in HTTP called Referer; this allows any website you visit to know the last URL where you came from.

A lot of stupid firewalls (Norton definitely) block this function, as they say it protects your privacy. This is true to a certain extent, but it is also the only line of defense against XSS attacks, which is what the Gmail attack you described is.

Gmail’s fix for this issue is to check the referring page of the form POST; if the post comes from a domain other than gmail.com, then Gmail knows it’s suspicious and blocks the request.

If your firewall disables the Referer feature, then Gmail is unable to determine the difference between a legitimate and a fake request.

Reply
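Rich’s comment above names the attack class correctly (CSRF: the browser carries the victim’s Gmail session cookie on a request a foreign page caused) and the standard fix, a per-session token on every state-changing POST. The comment just above it describes the other check, comparing the Referer header against the site’s own origin, and the failure mode that matters: a privacy tool that strips Referer leaves a Referer-only check with nothing to decide on. The Python below is an added example, not MakeUseOf’s or Google’s code; the session, request and settings objects are constructed stand-ins for a web framework, and the addresses and origins are made up. It shows why the token is the primary defence and why a header check, if used at all, must fail closed when the header is absent.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SITE = "https://mail.example.invalid"      # the webmail's own origin (constructed)


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in a cookie the attacker can guess."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    forwarding: Optional[str] = None


@dataclass
class Request:
    """Stand-in for an HTTP POST: the browser attaches the session automatically
    (that is the whole CSRF problem); the form body and headers come from the page."""
    session: Session
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def referer_allowed(headers: Dict[str, str], policy: str = "fail-closed") -> bool:
    """Origin/Referer check. When the header is missing, 'fail-closed' rejects and
    'fail-open' accepts; only the former is safe against a stripped header."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return policy != "fail-closed"
    return origin == SITE or origin.startswith(SITE + "/")


def token_valid(req: Request) -> bool:
    # A foreign page cannot read the victim's settings page, so it cannot learn the token.
    submitted = req.form.get("csrf_token", "")
    return secrets.compare_digest(submitted, req.session.csrf_token)


def set_forwarding(req: Request, require_referer: bool = False) -> Tuple[bool, str]:
    """Apply a forwarding change only if the request proves it came from our own page."""
    if not token_valid(req):
        return False, "missing or wrong csrf token"
    if require_referer and not referer_allowed(req.headers, "fail-closed"):
        return False, "referer missing or foreign"
    req.session.forwarding = req.form["forward_to"]
    return True, "ok"


def demo() -> Dict[str, object]:
    sess = Session("victim")
    # Forged POST from a lure page: session rides along, but no token is known.
    forged = Request(sess, {"forward_to": "attacker@example.invalid"},
                     {"Referer": "https://lure.example.invalid/page"})
    # Same forgery, but a privacy tool stripped Referer: the token check still decides.
    forged_stripped = Request(sess, {"forward_to": "attacker@example.invalid"}, {})
    # Legitimate submission from the real settings page, Referer stripped by the same tool.
    legit_stripped = Request(sess, {"forward_to": "me@example.invalid",
                                    "csrf_token": sess.csrf_token}, {})
    return {
        "forged": set_forwarding(forged),
        "forged_stripped": set_forwarding(forged_stripped),
        "legit_token_only": set_forwarding(legit_stripped),
        "legit_with_header_check": set_forwarding(legit_stripped, require_referer=True),
        "forwarding_now": sess.forwarding,
        # A Referer-only design, no token: stripped header is fatal under fail-open.
        "referer_only_fail_open": referer_allowed({}, "fail-open"),
        "referer_only_fail_closed": referer_allowed({}, "fail-closed"),
    }
```

The last two entries are the crux of the Referer comment: with the header stripped, a fail-open Referer-only check accepts the forgery, and a fail-closed one blocks the forgery but also the legitimate user, which is why the token is the check that actually decides and the header check is at most a second opinion.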

M@zilla

Hello I just wanted to be a response that you have write myself because I have been subjected to group hacker. and I think is really blackmail heinous lack of courage and lacht.
I have managed to go back to their areas jsqu I give you the link and I ask you kindly to convey to all the victims of pirates
etfaire a petition to make their mark thieves or close the top as possible.
all my sincere greetings
M @ zilla
best regards
the picture capture
http://img376.imageshack.us/img376/1452/universforumshacketrga3.jpg

the Site Of the Hackers is Mafiaroot
http://www.per1ova.com/

Reply

Brandon

I’ve looked into this issue this evening and discovered that a Gmail Filter Flaw still exists. That’s not to say that the “hacker” exploited this flaw in your situation … however, I think it is likely. I have posted a proof of concept here:

http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/

Aibek

Thanks Brandon,

Looking at your explanation I really feel that’s exactly how everything happened. I will pass this to the Gmail team for their comments as well.

Reply

Ollie

well, this is enough to stop me using gmail in my browser, and now I access it through my email client. Yeah, it’s not as friendly, but it’s going to be a lot safer I hope.
good luck to everyone who has been hacked & had their domains stolen, hope you get them back pronto

Reply

Leion

This is scary. Good that you shared this. Time to beware of gmail’s use

Reply

Alex D

Damn, this is indeed a nightmare! Thank you for sharing your story and investigations with us, I really hope someone will catch the stealer.

Reply

Andy Xie

Just to let you know that my domain animeost.net was also stolen by this guy around August 18. It was transferred away from GoDaddy to Register.com. You can tell that I had huge traffic since August and it dropped after my domain was hijacked. I contacted both registrars and GoDaddy got a reply from Register.com saying that they claimed it was a valid transfer. I’m so pissed that I have to hear that response after waiting two freaking months. The hijacker did indeed access my Gmail account, retrieved my username and password from GoDaddy and initiated an unauthorized transfer to Register.com. I just sent another ticket to Register.com to see if I can prove to them that this domain is mine and whether they can transfer ownership to me.

Reply

Graham Wilson

Just read this article with extreme interest as my Gmail account has been compromised and I did not know what to do about it. My emails were getting posted with a message from http://www.ele-motors.com. This seemed to happen every few days. Your article got me to check out my email account (I normally just use IMAP) in my browser. Right away it had a banner: The ZWEB Address http://www.ele-motors.com. On checking further, details had been set up in the out-of-office auto reply with the messages that were getting sent. I deleted this and switched auto reply off. BUT as it has been compromised there is a hole in their security and I am not happy that this can happen. I would advise everyone to check their Gmail settings. When are they going to sort this out? This is not the first problem I have had with my account being compromised.

David

I would suggest contacting the FBI and filing a criminal complaint against both domain registrars and the domain hijacker. The domain registrars for assisting with the commission of a crime. Whoever was operating your domain is guilty of receiving stolen property. The impact of the crime is valued at the total revenue loss you have experienced for the duration of the hijacking.

This should help the domain registrars see the light once the FBI starts serving up search warrants. Good Luck!

P.S. This constitutes identity theft and many states now require companies to notify all customers when their identity has potentially been compromised.

Reply

meany

Pay someone 2 grand to break his knee caps

Reply

Simon Slangen

heh… stollen ^^

Reply

Brandon Blaylock

@David

To what degree would the registrar be responsible for the security of a customer’s email account? Also, what legislation leads you to believe that the FBI would be responsible for criminal investigation? Please don’t post misleading information, as it has the effect of frustrating not only the people who invest time in it, but adds to the strain on the FBI, the registrars, and any legal advisors brought into play.

In situations like this, your best bet for resolution beyond the registrar is WIPO (World Intellectual Property Organization: http://www.wipo.int/about-ip/en/). I don’t mean to start an argument, I only bring this up because it is better for people in this situation to have pertinent information that is true. For those that get lost on websites, the direct link to arbitration is here: http://www.wipo.int/amc/en/ .

Anyway, I hope this helps some of you.

Reply

BO

People like this guy are giving us hackers a bad reputation.

Reply

Rosario

He must be trapped soon.

Reply

Mel

Well, looks like I am two minutes too late to the discussion but as a born Turkish citizen, and a Unix guy, too much into security, I wanted to say something.

First and foremost, I have not seen anything about this phone number this guy gave you being investigated or not. Since there is no real address given where he wanted the money to be wired via Western Union, the only way to reach him, should you be suckered into his scheme, is by phone. The 312 area code being Ankara, where I was born and raised, adding a 01190 at the beginning of this phone number from the US, you can call and see if this is a real number or not. If it is, I am sure some decent people of your blog readership will have no problem putting a trace on this person visually. As ascertained by some racist bigots here, not 99% of all Turks are morons. As a matter of fact there is that 1% population of assholes who give a nation a bad name. And I am sure this person, Aydin Bolourizadeh, if he really exists, is one of those.

You said you lived in Turkey for 2 years. Looking at your handle Aibek (or Aybek in Central Asian Turkic dialects) you are from Azerbaijan, Turkmenistan, Kyrgyzstan or someplace in that region. And if you have a little bit of grasp of the regional languages, you can easily say the suffix “zadeh” as in “son of” (equivalent to the “oglu” suffix in Turkish or the “-ian” suffix in Armenian) is very common to names of people of Persian heritage of some sort. Yes it is seldom encountered in Turkish names but not too often.

Having said all of this, I sensed a Russian mafia style threat in the email that they sent you to remove their domain and email address from your website or else (DDOS etc). Knowing the culture of the country, most copies of Windows running there, especially at the homes of many students, being pirated copies, assuming more than 50% of personal computers are unpatched and compromised is not too outlandish I presume. Under the circumstances, the domain stealing effort might have originated from Russia. But the chink in the armor in this train of thought is wiring the money to Ankara, Turkey. In order to access this two grand of wired money, they have to have a physical presence in the location of the Cukurca neighborhood. This is not some place that I am familiar with other than by its name and knowing it is kind of a section of the city with a lower educated population on average, i.e., where you can hire muscle to collect debt really cheap. I have a hard time believing someone from this neighborhood being so crafty as to organize such a multi-pronged attack.

My 2 cents and keep up the good work.

Aibek

Hi Mel

“And if you have a little bit of grasp of the regional languages, you can easily say the suffix “zadeh” as in “son of” (equivalent to the “oglu” suffix in Turkish or the “-ian” suffix in Armenian) is very common to names of people of Persian heritage of some sort. Yes it is seldom encountered in Turkish names but not too often.”

I know it’s not common, but as you said they are encountered. The main reason why I thought the person was from Turkey is Western Union. I don’t think it’s possible to pick up the funds from WU without going to the address with a valid ID card.

As for Russians, I don’t know. Based on some recent updates and an email from an Iranian blogger who covered the story on his blog (in Persian) I believe that these people might actually be from Iran. The Iranian blogger was asked to remove the story from the blog, and if he didn’t comply the hacker threatened to take his site down. There are some other strong indications pointing to Iran but I won’t disclose them now before we are 100% sure and know his exact location.

Reply

andres

Google silences Gmail security blogorumors

http://www.theregister.co.uk/2008/11/26/gmail_debunks_vuln_claims/

Reply

two0nine

I wouldn’t have assumed it was a Gmail exploit without a working POC. Ouch.

Reply

Richard M

Hey Aibek, I was wondering if Google contacted you in relation to their follow up story? I didn’t see any mention of your situation nor any of the others in their blog post.

Aibek

Richard,

Nope they haven’t contacted me. I also talked to both Florin and Edin and only one of them was contacted by Google.

Reply

Richo

2 Firewalls, hey?

You clearly understand how a firewall works, ie at the kernel level inspecting packets. How on earth are two meant to coexist?

Reply

Florin

“With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information.”

They haven’t contacted me yet, although I emailed them 4 days ago…

alisa

Florin, again as of 16/12/08, all traces of cucirca.com have been deleted! A few days ago, I received a Gmail in which someone who calls himself Florin Cucirca asked me what kind of problems I witnessed on the website at cucirca.com when it was still in operation. There was no real indication that the email was really written by you. I did not reply for fear it was the hacker, so I immediately deleted the email. Isn’t it crazy we can’t even feel safe anywhere?

Reply

David

I say we all work together with our gmail accounts and autosend emails to him, perhaps with a macro, thus a DOS attack…

Reply

Tamar Weinberg

As about 5 commenters said, ONLY use HTTPS on your Gmail account. I’ve heard of accounts being hacked and the only reason for this was because users were checking their email on a non-secure protocol. I have to admit that I’m surprised that nobody mentioned that in the post either.


John Sullivan@POTPOLITICS™

Hi Aibek
First timer here, and what an interesting and important post to read. I for some reason keep getting lucky but hear from friends a lot lately of hackers coming back strong. (I don’t use PayPal anymore; their customer service, 20 min call wait time and high fees have no value to me at all.)
What I really wanted to say as an aspiring blogger that has seen many well-known blogs:
I like your attitude and style and I’m going to look around.
Thanks for the heads up and sorry about your experience. I’d hate to lose a blog like this :)
and aspire to have one half as good one day ;)
Stumbled. My blog is do-follow, that’s how I’ll beat you in the end ;) j/k


fotoflo

OK.
ONLY USE HTTPS.

Choose a strong password.

Disable POP and IMAP.

Keep strong passwords on your domain name accounts.

Keep your domain names locked.

Etc.


web

I’m starting to think that Kimberrliehotgrl22 isn’t going to show me her pics, even after I gave her my gmail pw…


notparaniod

I stumbled on this and found it quite interesting. FYI, the address in Ft. Lauderdale happens to be the address for Affinity Internet (Hostway Corp) a major hosting operation. The owner of Hostway happens to be a player in the domain name business. Not sure if there is a connection but thought it was worth mentioning.


notparaniod

BTW, the address that was shown for domainsgames.org is the address for moniker.com, which, coincidentally, is owned by Oversee, which was also mentioned somewhere.


alisa

Cucirca, as of 05/12/08, I was shocked and dismayed to discover that overnight the criminal hackers deleted every trace of cucirca.com. Just by chance I googled and found this article. We hope & pray you will find these thugs. You worked so hard to maintain the best site and they were just thieves in the night. Good luck!

alisa

Like clockwork, once a month cucirca.com is either hacked and disappears, then mysteriously reappears… I sure hope this site is just temporarily not available, and not being hacked & tampered with by cyber-criminals!


Kamic

Change your password, right now, bam, better security.


Cheryl Franz

Since you are talking about GoDaddy, I’ll also list a couple of recent findings for GoDaddy coupon codes. I am a Creative Suite Producer, and these discounts come in very handy when purchasing or renewing a domain. Use GoDaddy promo code ZINE3 for $7.49 .com domains and renewals. I save about $35 every time I purchase domains from GoDaddy. When I buy at least five domains, I also get free private registration when I use ZINE3. For other GoDaddy coupons, use ZINE1 for 10% off, ZINE2 for $5 off any $30+ purchase, and ZINE25 for $25 off any purchase of $100 or more, like hosting plans. These promo codes are current, working, and do not expire. Hope these GoDaddy coupon codes save as much loot for the other blog subscribers as they have for my co-workers and me. Take care!
-Cheryl from Port Orange, FL.


Jamie

I was hit by this quite recently. He got into my Gmail Filters, and then my PayPal account. Because of the “mark as read” and then “delete” filters, I was none the wiser until I checked my bank account for routine banking. I have been able to retrieve some of my money from PayPal and am waiting on the rest.

I had https turned on, POP and IMAP turned off, and there is no evidence to show that he was actually in my Google account. My best guess, he got in via the CSRF method. The only thing that was messed with was the addition of filters, and messages deleted due to the filters.

My domains were not involved in the attack, although I personally spoke to my hosts / registrars and had them lock all my assets down tight.

While a keylogger sounds like a nice theory, these attacks would be way more widespread (As in Not just Gmail) if someone was logging keystrokes.

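
Jamie’s case, where the only trace of the intruder was a set of filters that marked mail as read and deleted it, is the kind of thing you can check for yourself. The script below is an added example, not code from the post or from Google: it reads a Gmail filter export (the Atom feed with apps:property elements that Gmail’s filter export produces, and that the import/export script linked further down in the thread manipulates) and flags filters that hide or divert mail, especially when their match criteria mention passwords, payments or registrars. The sample feed and every address in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Gmail filter export (an Atom feed with apps:property elements).
ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail "Export filters" file. The three filters
# are made up: the first two are the hiding/diverting kind Jamie describes, the third
# is an ordinary newsletter filter that should not be flagged.
SAMPLE_FEED = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='service@paypal.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='godaddy OR transfer OR password'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='forwardTo' value='attacker@example.invalid'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

# Criteria fields whose values we inspect, and terms that suggest a filter is aimed
# at password-reset, payment or registrar mail.
CRITERIA_FIELDS = ("from", "to", "subject", "hasTheWord")
SENSITIVE_TERMS = ("password", "paypal", "godaddy", "registrar", "transfer", "verify", "security")


def parse_filters(feed_xml):
    """Return one {property_name: value} dict per <entry> in the exported feed."""
    data = feed_xml.encode("utf-8") if isinstance(feed_xml, str) else feed_xml
    root = ET.fromstring(data)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filter(props):
    """Return the reasons a single filter looks like it hides or diverts mail (empty if none)."""
    reasons = []
    actions = set(props)
    if "shouldMarkAsRead" in actions and actions & {"shouldTrash", "shouldArchive"}:
        reasons.append("marks as read and removes from inbox")
    elif "shouldTrash" in actions:
        reasons.append("deletes matching mail")
    if "forwardTo" in actions:
        reasons.append("forwards to " + props["forwardTo"])
    criteria = " ".join(props.get(f, "") for f in CRITERIA_FIELDS).lower()
    hits = [t for t in SENSITIVE_TERMS if t in criteria]
    if reasons and hits:
        reasons.append("matches sensitive terms: " + ", ".join(hits))
    return reasons


def audit_feed(feed_xml):
    """Return [(filter_properties, reasons)] for every filter that deserves a look."""
    findings = []
    for props in parse_filters(feed_xml):
        reasons = audit_filter(props)
        if reasons:
            findings.append((props, reasons))
    return findings


if __name__ == "__main__":
    for props, reasons in audit_feed(SAMPLE_FEED):
        print(props, "->", "; ".join(reasons))
```

Run it against your own export (Settings, Filters, Export) rather than the constructed sample; a filter that both marks as read and trashes or archives, or forwards anywhere you did not set up, is worth removing and treating as a sign the account was accessed.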

Izo

My Gmail also got hacked.
Here is my website link: CommentEstate.com

I have changed all my passwords and tried to contact GoDaddy. After reading this post, I’m very sure that I have faced the same problem.

Domain Name: COMMENTESTATE.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@Privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 06-Nov-2007
Expiration Date: 06-Nov-2010

Domain servers in listed order:
ns2.everydns.net
ns1.everydns.net

Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@Privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@Privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@Privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE

PRIVACYPROTECT.ORG is providing privacy protection services to this domain name to protect the owner from spam and phishing attacks. PrivacyProtect.org is not responsible for any of the activities associated with this domain name. If you wish to report any abuse concerning the usage of this domain name, you may do so at http://privacyprotect.org/contact. We have a stringent abuse policy and any complaint will be actioned within a short period of time.
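
Izo’s WHOIS record above shows what fotoflo’s “keep your domain names locked” is meant to prevent: a status of ACTIVE with no transfer lock, nameservers that are not the owner’s, and a privacy proxy in place of the registrant. The script below is an added example (not from the post, GoDaddy or any registrar) that parses WHOIS text in that layout and reports those three signs. Both records and every name in them are constructed; the assumption that a locked domain shows EPP codes such as clientTransferProhibited on Status lines matches how many registrars print their records but is not something the post states.

```python
# Constructed WHOIS text modelled on the record Izo pasted above (values are made up
# apart from the field layout). Note "Status:ACTIVE" with no transfer lock, and a
# privacy proxy as registrant.
SAMPLE_STOLEN = """Domain Name: EXAMPLE-VICTIM.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@Privacyprotect.org)
P.O. Box 97

Domain servers in listed order:
ns2.everydns.net
ns1.everydns.net

Status:ACTIVE
"""

# Constructed record for the same domain as its owner would want it: a named
# registrant, the expected nameservers and EPP lock codes, which many registrars
# print as repeated "Status:" lines (assumed layout).
SAMPLE_LOCKED = """Domain Name: EXAMPLE-VICTIM.COM

Registrant:
Jane Owner (jane@example-victim.com)

Name Server: NS1.EXAMPLE-HOST.COM
Name Server: NS2.EXAMPLE-HOST.COM

Status: clientTransferProhibited
Status: clientUpdateProhibited
"""

TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
PRIVACY_PROXIES = ("privacyprotect.org", "domains by proxy", "whoisguard")


def parse_whois(text):
    """Pull status codes, nameservers and the first registrant line out of WHOIS text."""
    rec = {"status": [], "nameservers": [], "registrant": ""}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the current section
            continue
        low = line.lower()
        if low.startswith("status:"):
            codes = line.split(":", 1)[1].split(",")
            rec["status"].extend(c.strip().lower() for c in codes if c.strip())
        elif low.startswith("name server:"):
            rec["nameservers"].append(line.split(":", 1)[1].strip().lower())
        elif low.startswith("domain servers in listed order:"):
            section = "ns"
        elif low.startswith("registrant:"):
            section = "registrant"
        elif section == "ns":
            rec["nameservers"].append(low)
        elif section == "registrant" and not rec["registrant"]:
            rec["registrant"] = line
    return rec


def check_domain(text, expected_nameservers):
    """Return the list of problems found; an empty list means the record looks as expected."""
    rec = parse_whois(text)
    expected = {ns.lower() for ns in expected_nameservers}
    findings = []
    if not TRANSFER_LOCKS & set(rec["status"]):
        findings.append("no registrar transfer lock (status: %s)" % (", ".join(rec["status"]) or "none"))
    unexpected = [ns for ns in rec["nameservers"] if ns not in expected]
    if unexpected:
        findings.append("unexpected nameservers: " + ", ".join(unexpected))
    if any(p in rec["registrant"].lower() for p in PRIVACY_PROXIES):
        findings.append("registrant hidden behind a privacy proxy: " + rec["registrant"])
    return findings


if __name__ == "__main__":
    mine = ["ns1.example-host.com", "ns2.example-host.com"]
    for name, record in (("stolen", SAMPLE_STOLEN), ("locked", SAMPLE_LOCKED)):
        print(name, check_domain(record, mine) or "OK")
```

Feed it the output of a `whois` lookup for your own domain once a week with the nameservers you actually use; the useful signal is a change from an empty list to anything else, since an unlock or nameserver change you did not make is the first visible step of a transfer like the ones in this thread.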

Aibek

Sorry to hear about that. Any updates?


brayden

Phew, my Gmail isn’t hacked. I didn’t think it would be. Well, sorry to hear about the hacked domains. I will see into this a bit. Maybe that web@domaingames.org will get a nice little addition of about 500 e-mails at the same time ;) Well, in any case I hope this guy gets arrested.


Tomi

I don’t understand why you and anyone else who has been hijacked has not gone to the FBI about this. Blackmail is a Federal Offense, especially given the money involved and the amount of money demanded. I would urge anyone who has fallen victim to this con artist NOT TO PAY a DIME, NOT a PENNY. Instead, contact the FBI ASAP. They will pursue this. I believe some of this has happened to my sister. She says she had her email hijacked; first, they were sending out emails with her email account, then, more recently, she said she was not getting some of her emails, and some of her emails weren’t being received. The only way to really stop this guy and any copycats is to file complaints with the FBI. The more who file, and the more money it involves, the more intensely the FBI will pursue it. Caving in and paying the blackmail money will only encourage such crimes. Moreover, if you file with the FBI, you will get more and better cooperation from the domain host’s administrators, because they don’t want the FBI breathing down their necks.


Jed Morely

I lost an AdSense account and can’t get any reply from Google on the matter. But it’s not Gmail, exactly; it’s a man-in-the-middle attack that works on a browser vulnerability and spoofs Google once, phishing. Google could prevent it, and is doing more, re AdSense, now.


Sham

http://lifehacker.com/5164463/import-and-export-your-gmail-filters
Pretty sure he used this script… or a modified version of it.

I have spoken with the FBI about working with the RCMP to arrest Nigerian scammers in Canada. I was told they wouldn’t open a case unless there was a $100,000 loss; when I mailed them evidence of a $370,000 loss… they said they wouldn’t open a case unless there was a $100,000 loss (I had the scammers’ names and address and the victims’ phone numbers).
That, coupled with the fact that the FBI does not have jurisdiction over the world, means that they would be ineffectual to say the least.

To those whose posts were to the effect of “ha ha you got hacked”: I hate you for making me read your words.


political info

Buried because of the use of the word BREAKING!


syaz – jumpsacbaby

Hey there,
Thanks for posting this!
It would certainly make me more careful!

Anyway… PayPal support still sucks!! 3 replies… with an almost identical template???
Do they even read my email?


Encryption Software

Encrypting all emails through Gmail is like always remembering to brush your teeth. It may seem inconsequential, but once you get gingivitis, you will rue the day when you were too lazy to take the two minutes to do what was necessary. There are plenty of hackers out there, and as this example demonstrates, they are just as smart as the smartest IT guys at these companies. They pounce on every opportunity they get, and they are not afraid of law enforcement agencies or extorting hard working Americans. Moral: encrypt, encrypt, encrypt!


Seo

Hi,
Good work, thanks for sharing. :-)