BREAKING: New Gmail Security Flaw. More Domains Get Stolen!

Aibek Esengulov 21-11-2008

[Image: Domain Stealer]

As many of you already know, on November 2nd,’s domain was stolen from us. It took us about 36 hours to get the domain back. As we pointed out earlier, the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.


You can see the whole story on our temporary blog

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

So why write about this now then?

Several things have happened in the last two days that have made me believe that Gmail has a serious security flaw and everyone should be aware of it. Especially at a time when individuals like Steve Rubel tell you How To Make Gmail Your GateWay To The Web. Now, don’t get me wrong here, Gmail is an AWESOME email program. Probably the best. The problem is that it might not be a reliable one when it comes to security. That being said, it doesn’t necessarily mean that you will be better off with Yahoo or Live Mail.

Incident 1: – November 2nd

When our domain was stolen, we suspected that the hacker used some hole in Gmail but we were not sure about it. Why did I suspect that it was something to do with Gmail? Well for one thing I am rather cautious about security and rarely run anything I am not sure about. I also keep my system up to date and have all essentials including 2 malware monitors, an antivirus and 2 firewalls. I also tend to use strong and unique passwords for every one of my accounts.

The hacker did access my Gmail account and set up some filters there that eventually helped him get access to our GoDaddy account. What I didn’t know is how he managed to do that. Was it a security hole in Gmail? Or was it a keylogger on my PC? I wasn’t sure. After the incident I scanned my system with a number of malware removal tools and didn’t find anything. I also went through every running process. All seemed to be clean.


So, I am inclined to believe the problem was with Gmail.

Incident 2: – November 19th

On November 18th, I got an email from someone named Edin Osmanbegovic who runs the site [Broken URL Removed]. (He probably found my email through Google, as the incident with MakeUseOf was covered on several popular blogs, many of which included my email ID.) In his email, Edin told me that his domain was stolen and moved to another registrar. I quickly googled yoump3 and saw that a rather established website was now serving a link farm page (exactly like in our case).

Google (on last index):

[Screenshot: Google’s last cached index of the site]

Homepage (present):

[Screenshot: the yoump3 homepage as it appears now]

Here is a copy of the very first email I got from Edin:



I have the same problem with my domain.
The domain has been transferred from Enom to GoDaddy.
I have immediately sent a support ticket regarding that problem.

The whois of new domain owner is :

Name: Amir Emami
Address 1: P.O. Box 1664
City: League City
State: Texas
Zip: 77574
Country: US
Phone: +1.7138937713
Administrative Contact Information:
Name: Amir Emami
Address 1: P.O. Box 1664
City: League City
State: Texas
Zip: 77574
Country: US
Phone: +1.7138937713

Technical Contact Information:
Name: Amir Emami
Address 1: P.O. Box 1664
City: League City
State: Texas
Zip: 77574
Country: US
Phone: +1.7138937713

Email is :
Yesterday the guy from that email address contacted me via Gtalk.
He said that he wants 2000$ for the domain.
I need advice please, I have contacted Enom.

Thank you.


And guess what, it’s the same guy who earlier this month stole We too were contacted from the same email address: Edin also emailed me today and confirmed that the guy got access to his domain account through his Gmail account as well. So it’s Gmail again.

In his last email (received today) Edin included a quick recap of the events:

I have the history of how he did everything.

On 10th of November I was the owner.
On 13th of November Mark Morphew.
On 18th of November Amir Emami.

He used on both persons.

I have also sent everything to Moniker yesterday.
They will investigate.

Incident 3: – November 20th

This last email was the main reason for this post. It came from Florin Cucirka, the owner of The site has an Alexa rank of 7681 and, according to Florin, receives over 100,000 visits daily.


First email from Florin:


Hi Aibek

I’m in the same situation got out.

I am Cucirca Florin and my domain was
transferred from my godaddy account without my permission.

It seems that the thief knew my gmail password which is odd.
He managed to create some filters in my account.

I’ve attached 2 screenshots.

Can you help me? Give me some details on how I could get
out of this bad dream? I just found out about this today and I
don’t think I’m able to sleep tonight.

Thanks in advance.

Florin Cucirca.


I emailed Florin and asked him for some details about his domain, whether he had contacted GoDaddy, and whatever information he had on the domain cracker (the term used for a domain stealer) so far.

Second email from Florin:


The hacker had access to my email account (gmail). The domain was hosted on godaddy.
I used gmail notifier extension on firefox. maybe there is the big bug.
He transferred the domain to

I haven’t talked to the hacker. I want to get it back legally and if there is no other solution maybe I’ll pay him has an Alexa Rank of 7681 and over 100 000 visits daily.

I will attach you 2 screenshots of my gmail account. and in the second screen

If you do a google search of you will find this:

I think someone should stop them.

I emailed and waiting for a reply.

What do you think? Will I get my domain back?


Looks like it’s Gmail again! Here are the partial screenshots from what he sent me:

[Screenshot 1 of 2: Florin’s Gmail account, showing the forwarding rule]

[Screenshot 2 of 2: Florin’s Gmail account]

In Florin’s case the hacker changed ownership of the domain several months ago. The was transferred from GoDaddy to Since the hacker was intercepting his emails and never changed the nameservers, I assume Florin had no idea that something was wrong. When I asked him how come it took him that long to find out, he sent me the following:


He transferred the domain to his name on 2008-09-05 leaving the nameservers unchanged. That’s why I haven’t noticed that my domain was stolen until yesterday when a friend of mine did a whois on my domain….

I had no reason to check whois records because the domain was registered over 7 years (until 2013-11-08)

I haven’t received any emails from this person.


And again it seems to be the same guy! Why do I think so? If you check the link that Florin included in one of his emails (I added it below as well) you’ll see that in some other similar incidents (who knows how many more domains he has stolen like this) the email address was mentioned together with the name ‘Aydin Bolourizadeh’. That same email also appeared in the forward rule in Florin’s Gmail account (see the first screenshot).

When was taken from us, the cracker was asking me for 2000$. And when I asked him where and how he wants to get paid, he told me to send money via Western Union to the following address:

Aydin Bolourizadeh
Cukurca kirkkonaklar mah 3120006954

screenshot from

[Screenshot of the linked page]

I am pretty sure that it was the same guy in all 3 incidents and probably the 788 others mentioned in the above link, including domains such as, and

When I searched for that address on Google, I also discovered that he owns the following domains (probably stole them as well):

    • –

    • –

I assume the guy is indeed from Turkey, and is likely to reside somewhere in the following area:

    • Cukurca kirkkonaklar mah 3120006954, Ankara, Turkey

We also know that he uses as his email. So if we know who stands behind we might just get one step closer. In fact, he emailed me several days ago and asked me to remove all instances of his email from the website; if we don’t comply he would DDOS us.

Here are his exact words:

I ask you to remove my email address ( from your website !
Do it if you want to don't have any problem in the future, Otherwise firstly I’ll start to have the big DDOS on your website and will make it down…
I'm very serious so remove my email and name

So, it seems that if we can get to the ID behind we might get our guy and probably uncover many more domains he has stolen. Read more on it below. Now let’s talk about Gmail.

Gmail Vulnerability

Does anyone remember what happened to David Airey last year? His domain was stolen too. The story was all over the web.

WARNING: Google’s GMail security failure leaves my business sabotaged
– Collective effort restores David

Both we and David managed to get our domains back. But I am not sure everyone is as lucky as we were. Unfortunately, registrars won’t really cooperate with you on this unless the story gets some attention. So, I have no doubt there are hundreds of people out there left with no choice but to either give up their domain name or pay the guy.

Anyways, back to Gmail.

In his first article David Airey was referring to a Gmail vulnerability that was (if I am not mistaken) mentioned here several months earlier. To sum up:

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

original page:

Now, the interesting part is that the update on the above GNU Citizen link states that the vulnerability was fixed before 28 September 2007. But in David’s case, the incident took place in December, 2-3 months later.

So, was the exploit really fixed back then? Or was it a new exploit in David’s case? And most importantly is there a similar security flaw in Gmail NOW?
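To make the quoted mechanism concrete, here is an added illustration (not code from this article, from GNUCitizen or from Google): a toy webmail "create filter" endpoint that accepts a cookie-authenticated cross-site POST, beside a hardened version that requires a per-session token and checks the Origin header. The origin, session store and all names are hypothetical and constructed.

```python
"""Toy model of the filter-injection CSRF described above: a webmail
'create filter' endpoint that trusts the session cookie alone, next to a
hardened version. Added illustration, not Gmail's code; all names are
hypothetical and the session store is constructed."""
from dataclasses import dataclass, field
import hmac
import secrets

SITE_ORIGIN = "https://mail.example.test"   # hypothetical webmail origin

# Constructed session store: cookie value -> logged-in user + per-session CSRF token
SESSIONS = {"sid-victim-0001": {"user": "victim@example.test",
                                "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Cookie": "SID=...", "Origin": "https://evil.test"}
    form: dict      # multipart/form-data fields as the server parsed them


@dataclass
class Mailbox:
    filters: list = field(default_factory=list)


def session_from_cookie(req):
    """Browsers attach the SID cookie to ANY form POST aimed at the site,
    including one auto-submitted by a page on another origin."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SID" and value in SESSIONS:
            return SESSIONS[value]
    return None


def add_filter(box, form):
    box.filters.append({"has_attachment": form.get("has_attachment") == "1",
                        "forward_to": form.get("forward_to")})


def create_filter_vulnerable(req, box):
    """Pre-fix behaviour: cookie == proof of intent, so a cross-site form
    POST silently installs a forwarding filter in the victim's account."""
    if req.method != "POST":
        return 405
    if session_from_cookie(req) is None:
        return 401
    add_filter(box, req.form)
    return 200


def create_filter_hardened(req, box):
    """Same endpoint with two checks: the Origin header must be our own
    site, and the form must carry the session's synchronizer token, which
    a page on evil.test cannot read. The token is the primary defence;
    the Origin check is belt-and-braces for browsers that send it."""
    if req.method != "POST":
        return 405
    sess = session_from_cookie(req)
    if sess is None:
        return 401
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    add_filter(box, req.form)
    return 200


def simulate_cross_site_post(handler):
    """Victim is logged in and visits evil.test, whose page auto-submits a
    multipart form to the filter endpoint. Returns (status, filter count)."""
    box = Mailbox()
    req = Request("POST",
                  {"Cookie": "SID=sid-victim-0001", "Origin": "https://evil.test"},
                  {"has_attachment": "1", "forward_to": "dropbox@evil.test"})
    return handler(req, box), len(box.filters)


def simulate_legitimate_post(handler):
    """The site's own settings page: same origin, token embedded in the form."""
    box = Mailbox()
    token = SESSIONS["sid-victim-0001"]["csrf"]
    req = Request("POST",
                  {"Cookie": "SID=sid-victim-0001", "Origin": SITE_ORIGIN},
                  {"has_attachment": "1", "forward_to": "me@example.test",
                   "csrf_token": token})
    return handler(req, box), len(box.filters)


if __name__ == "__main__":
    print("vulnerable, cross-site:", simulate_cross_site_post(create_filter_vulnerable))
    print("hardened,   cross-site:", simulate_cross_site_post(create_filter_hardened))
    print("hardened,   legitimate:", simulate_legitimate_post(create_filter_hardened))
```

Note that the cross-site POST carries the victim's cookie in both runs; only the hardened handler rejects it, and only because the attacker's page cannot supply the session token.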

What should you do now?

(1) Well, my very first piece of advice would be to check your email settings and make sure your email is not compromised. Check forwarding options and filters. Also make sure to disable IMAP if you don’t use it. This also applies to Google Apps accounts.

(2) Change the contact email in your sensitive web accounts (PayPal, domain registrar etc.) from your primary Gmail account to something else. If you own a website, then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing the web.

(3) Make sure to upgrade your domain to private registration so that your contact details don’t show up in WHOIS searches. If you’re on GoDaddy I’d recommend going with Protected Registration.

(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.
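For step (1), here is an added example (not from the article) that audits an exported Gmail filter list for the kinds of rules seen in the incidents above: forwarding to an outside address, forwarding everything with an attachment, and mark-as-read/archive/trash rules that hide mail. It assumes Gmail's filter export is an Atom feed whose entries carry apps:property elements (an assumption; adjust the property names if your export differs), and the sample feed is constructed.

```python
"""Audit an exported Gmail filter list for rules that forward mail or hide
it (mark read / archive / trash), the pattern used in the incidents above.
Added example, not code from the article. Assumes Gmail's filter export
format: an Atom feed whose <entry> elements carry <apps:property name=..
value=..> children (assumption; adjust names if your export differs)."""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample export, not a real account's data.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.test'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='dropbox@attacker.test'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='godaddy.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord",
            "hasAttachment"}


def parse_filters(xml_text):
    """Return one {property_name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted_domains):
    """Flag filters that exfiltrate or hide mail. trusted_domains are the
    domains you knowingly forward to; anything else is reported."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for i, props in enumerate(parse_filters(xml_text), start=1):
        reasons = []
        fwd = props.get("forwardTo")
        if fwd and fwd.rpartition("@")[2].lower() not in trusted:
            reasons.append(f"forwards to external address {fwd}")
        hides = {k for k in HIDING_ACTIONS if props.get(k) == "true"}
        # Trash, or archive+mark-read, keeps the matching mail out of sight,
        # which is how the registrar notifications went unnoticed.
        if "shouldTrash" in hides or hides >= {"shouldArchive", "shouldMarkAsRead"}:
            reasons.append("hides matching mail (" + ", ".join(sorted(hides)) + ")")
        if props.get("hasAttachment") == "true" and fwd:
            reasons.append("forwards every message with an attachment")
        if reasons:
            findings.append({"filter": i,
                             "criteria": {k: v for k, v in props.items()
                                          if k in CRITERIA},
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_EXPORT, ["example.test"]):
        print(f"filter #{f['filter']}: criteria={f['criteria']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against your own export with your real domains in trusted_domains; a filter with no criteria at all (matching every message) is worth a look even if it is not flagged.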


I discovered some good articles discussing the potential security flaw in response to MakeUseOf’s article:

– Gmail Security Flaw Proof Of Concept
– Comments About This on YCombinator
– (Nov. 26th) Gmail Security and Recent Phishing Activity [Official Response from Google]

Help Us Catch The Guy!

Apart from the above mailing address, we also know that he uses as his email. So if we find out who now owns the we might get one step closer, or at the very least return the domains he stole to their respective owners.

Now the thing is the domain name is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Registrant ID:MONIKER1571241

I already emailed (so did Edin) them about it and will update you here as soon as I hear something from them.

I also have some requests to the following companies that are currently providing their services to that individual.

1- To Gmail Team:

When going through the headers of several emails it was clear that the hacker was using Google Apps. Please look into it. The domain is And also, please FIX Gmail!

2- To GoDaddy.COM & ENOM & Register.COM

First of all, please help Edin and Florin get their domains back. One smart thing to do would be to check the account login IP addresses for all similar reported cases. For instance, both in Edin’s case and ours (not sure about Florin) the hacker was using IP address. (Which, by the way, turned out to be a compromised server at Alpha Red Inc.) Or even easier, just lock the domain name and ask the current account holder to prove his identity. Since the hacker was using different identities everywhere, it would be impossible for him to do that. It’s in your best interest to ensure that this person is no longer using your services.

3- To Moniker.COM:

Close his account! (that is the one for Any additional info or assistance that you can provide will be appreciated.

4- To Domainsponsor.COM

I am not really sure, but I think DomainSponsor is the company that monetizes the domains this guy steals. It happened with and is now happening with


I am sure they won’t even read this so I’ll just tell you instead. I sent an email to and warned them that the person who stole our domain and blackmailed us earlier was using the account (he uses some other accounts as well). I just asked them to look into it. Instead I got an email which has nothing to do with what I said. Basically it’s an email template that was meant to look genuine and is sent to people who got spoofed. C’mon! We are paying a 3% commission fee on every transaction, can’t you people provide better customer support?

That’s all I got!

Once again I am deeply sorry for what has happened to Florin and Edin. I truly hope they will get their domains back soon. It’s all in the hands of the respective registrars now. But most importantly, I want to see something get done by the big corps (not the customers) to catch that person. I am sure every blogger out there would appreciate that and probably even write about it on his/her blog.

It’s time for CHANGE ;-)

best regards

image credit: thanks to machine for top ‘Mr Cracker’ image


  1. Seo
    January 8, 2010 at 6:23 pm

    Good Work , Thanks For Sharing . :-)

  2. Encryption Software
    October 27, 2009 at 11:28 am

    Encrypting all emails through Gmail is like always remembering to brush your teeth. It may seem inconsequential, but once you get gingivitis, you will rue the day when you were too lazy to take the two minutes to do what was necessary. There are plenty of hackers out there, and as this example demonstrates, they are just as smart as the smartest IT guys at these companies. They pounce on every opportunity they get, and they are not afraid of law enforcement agencies or extorting hard working Americans. Moral: encrypt, encrypt, encrypt!

  3. syaz - jumpsacbaby
    July 27, 2009 at 3:29 am

    hey there,
    Thanks for posting this!
    would certainly make me more careful!

    Anyway.. paypal support still sucks!! 3 replies .. with an almost similar template???
    Do they even read my email?

  4. political info
    June 8, 2009 at 9:48 pm

    Buried because of the use of the word BREAKING! .

  5. Sham
    April 28, 2009 at 5:37 pm
    Pretty sure he used this script...or modified version of it.

    I have spoken with the FBI about working with RCMP to arrest Nigerian scammers in Canada. I was told they wouldn't open a case unless there was a $100,000 loss, when I mailed them evidence of $370,000 loss....they said they wouldn't open a case unless there was a $100,000 loss (I had the scammers' names, address and victims' phone numbers).
    That coupled with the fact that the FBI does not have jurisdiction over the world means that they would be ineffectual to say the least.

    To those that posts were to the effect of "ha ha you got hacked" I hate you for making me read your words

  6. Jed Morely
    March 20, 2009 at 1:18 pm

    I lost an adsense account and can't get any reply from google on the matter. But it's not gmail, exactly - it's a man in the middle attack that works on a browser vulnerability and spoofs google once, phishing. Google could prevent it, and is doing more, re adsense, now.

  7. Tomi
    February 28, 2009 at 9:40 am

    I don't understand why you and anyone else who has been hijacked has not gone to the FBI about this. Blackmail is a Federal Offense, especially given the money involved and the amount of money demanded. I would urge anyone who has fallen victim to this con artist NOT TO PAY a DIME, NOT a PENNY. Instead, contact the FBI ASAP. They will pursue this. I believe some of this has happened to my sister. She says she had her email hijacked, first, they were sending out emails with her email account, then, more recently, she said she was not getting some of her emails, and some of her emails weren't being received. THe only way to really stop this guy and any copycats, is to file complaints with the FBI. The more who file, and the more money it involves, the more intensely the FBI will pursue it. Caving in and paying the blackmail money will only encourage such crimes. Moreover, if you file with the FBI, you will get more and better cooperation from the domain host's administrators, because they don't want the FBI breathing down their necks.

  8. brayden
    February 4, 2009 at 4:29 am

    phew my Gmail isn't hacked. i didn't think it would be. well sorry to hear about the hacked domains. i will see into this a bit. maybe that will get a nice little addition of about 500 e-mails at the same time ;) well in any case i hope this guy gets arrested.

  9. Izo
    December 27, 2008 at 9:13 am

    My Gmail also got hacked:
    Here is my website link:

    I have changed all my passwords and tried to contact GoDaddy. After reading this post, I'm very sure that I have faced the same problem.


    Domain Admin (
    P.O. Box 97
    Note - All Postal Mails Rejected, visit
    null,5066 ZH
    Tel. +45.36946676

    Creation Date: 06-Nov-2007
    Expiration Date: 06-Nov-2010

    Domain servers in listed order:

    Administrative Contact:
    Domain Admin (
    P.O. Box 97
    Note - All Postal Mails Rejected, visit
    null,5066 ZH
    Tel. +45.36946676

    Technical Contact:
    Domain Admin (
    P.O. Box 97
    Note - All Postal Mails Rejected, visit
    null,5066 ZH
    Tel. +45.36946676

    Billing Contact:
    Domain Admin (
    P.O. Box 97
    Note - All Postal Mails Rejected, visit
    null,5066 ZH
    Tel. +45.36946676


    PRIVACYPROTECT.ORG is providing privacy protection services to this domain name to protect the owner from spam and phishing attacks. is not responsible for any of the activities associated with this domain name. If you wish to report any abuse concerning the usage of this domain name, you may do so at We have a stringent abuse policy and any
    complaint will be actioned within a short period of time.

    • Aibek
      December 28, 2008 at 9:46 am

      Sorry to hear about that. Any updates?

  10. Jamie
    December 10, 2008 at 10:47 pm

    I was hit by this quite recently. He got into my Gmail Filters, and then my PayPal account. Because of the "mark as read" and then "delete" filters, I was none the wiser until I checked my bank account for routine banking. I have been able to retrieve some of my money from PayPal and am waiting on the rest.

    I had https turned on, POP and IMAP turned off, and there is no evidence to show that he was actually in my Google account. My best guess, he got in via the CSRF method. The only thing that was messed with was the addition of filters, and messages deleted due to the filters.

    My domains were not involved in the attack, although I personally spoke to my hosts / registrars and had them lock all my assets down tight.

    While a keylogger sounds like a nice theory, these attacks would be way more widespread (As in Not just Gmail) if someone was logging keystrokes.

  11. Cheryl Franz
    December 9, 2008 at 9:41 am

    Since you are talking about godaddy, I'll also list a couple of recent findings for Godaddy coupon codes. I am a Creative Suite Producer, and these discounts come in very handy when purchasing or renewing a domain. Use Godaddy promo code ZINE3 for $7.49 .com domains and renewals. I save about $35 every time I purchase domains from go daddy. When I buy at least five domains, I also get free private registration when I use ZINE3. For other Godaddy coupons, use ZINE1 for 10% off, ZINE2 for $5 off any $30+ purchase, and ZINE25 for $25 off any purchase of $100 or more, like hosting plans. These promo codes are current, working, and do not expire. Hope these Godaddy coupon codes save as much loot for the other blog subscribers as they have for my co-workers and I. Take care!
    -Cheryl from Port Orange, FL.

  12. Kamic
    December 5, 2008 at 12:37 pm

    change your password, right now, bam, better security.

  13. alisa
    December 5, 2008 at 3:22 am

    Cucirca, as of 05/12/08, I was shocked and dismayed to discover that overnight the criminal hackers deleted every trace of Just by chance I googled and found this article. We hope & pray you will find these thugs. You worked so hard to maintain the best site and they just were thieves in the night. Good luck!

    • alisa
      January 29, 2009 at 8:09 am

      Like clockwork, once a month is either hacked and disappears and mysteriously reappears... I sure hope this site is just temporarily not available...and not being hacked & tampered by cyber-criminals!

  14. notparaniod
    December 3, 2008 at 4:52 pm

    btw... the address that was shown for the is the address for, which, coincidentally, is owned by oversee, which was also mentioned somewhere.

  15. notparaniod
    December 3, 2008 at 4:29 pm

    I stumbled on this and found it quite interesting. FYI, the address in Ft. Lauderdale happens to be the address for Affinity Internet (Hostway Corp) a major hosting operation. The owner of Hostway happens to be a player in the domain name business. Not sure if there is a connection but thought it was worth mentioning.

  16. web
    December 2, 2008 at 1:40 am

    I'm starting to think that Kimberrliehotgrl22 isn't going to show me her pics, even after I gave her my gmail pw...

  17. fotoflo
    December 1, 2008 at 8:33 pm


    Choose a strong password.

    Disable pop and Imap.

    keep strong passwords on your domain name accounts.

    keep your domain names locked.


  18. John Sullivan@POTPOLITICS™
    November 29, 2008 at 3:21 am

    Hi Aibek
    First timer here and what an interesting and important post to read. I for some reason keep getting lucky but hear from friends a lot lately of hackers coming back strong. (I don't use paypal anymore and their customer service 20 mins call wait time high fees has no value to me at all )
    What I really wanted to say as an aspiring blogger that has seen many well known blogs.
    I like your attitude and style and I'm going to look around.
    Thanks for the heads up and sorry about your experience I'd hate to lose a blog like this :)
    and aspire to have one half as good one day ;)
    Stumbled-my blog is do follow that's how I'll bet you in the end ;) j/k

  19. Tamar Weinberg
    November 27, 2008 at 10:41 am

    As about 5 commenters said, ONLY use HTTPS on your Gmail account. I've heard of accounts being hacked and the only reason for this was because users were checking their email on a non-secure protocol. I have to admit that I'm surprised that nobody mentioned that in the post either.

  20. David
    November 27, 2008 at 10:37 am

    I say we all work together with our gmail accounts and autosend emails to him, perhaps with a macro, thus a DOS attack...

  21. Florin
    November 27, 2008 at 3:53 am

    "With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information."

    They haven't contacted me yet, although I've emailed them 4 days a go...

    • alisa
      December 17, 2008 at 4:12 am

      Florin, again as of 16/12/08, all traces of have been deleted! A few days ago, I received a gmail in which someone who calls himself Florin Cucirca asked me what kind of problems I witnessed on the website at when it was still in operation. There was no real indication that the email was really written by you. I did not reply for fear it was the hacker so I immediately deleted the email. Isn't it crazy we can't even feel safe anywhere?

  22. Richo
    November 26, 2008 at 10:04 pm

    2 Firewalls, hey?

    You clearly understand how a firewall works, ie at the kernel level inspecting packets. How on earth are two meant to coexist?

  23. Richard M
    November 26, 2008 at 5:21 pm

    Hey Aibek, I was wondering if Google contacted you in relation to their follow up story? I didn't see any mention of your situation nor any of the others in their blog post.

    • Aibek
      November 26, 2008 at 5:29 pm


      Nope they haven't contacted me. I also talked to both Florin and Edin and only one of them was contacted by Google.

  24. two0nine
    November 26, 2008 at 4:12 pm

    I wouldn't have assumed it was a gmail exploit without a working POC. ouch.

  25. andres
    November 26, 2008 at 2:10 pm

    Google silences Gmail security blogorumors

  26. Mel
    November 26, 2008 at 1:26 am

    Well, looks like I am two minutes too late to the discussion but as a born Turkish citizen, and a unix guy, too much into security, wanted to say something.

    First and foremost, I have not seen anything about this phone number this guy gave you being investigated or not. Since there is no real address given where he wanted the money to be wired via Western union, the only way to reach him, should you be suckered into his scheme, is by phone. 312 area code being Ankara, where I was born and raised, adding a 01190 at the beginning of this phone number from US, you can call and see if this is a real number or not. If it is, I am sure some decent people of your blog readership, will have no problem to put a trace on this person visually. As ascertained by some racist bigots here, not 99% of all Turks are morons. As a matter of fact there is that 1% population of assholes, who give a nation a bad name. And I am sure this person, Aydin Bolourizadeh, if he really exists, is one of those.

    You said you lived in Turkey for 2 years. Looking at your handle Aibek (or Aybek in central asian Turkic dialects) you are from Azerbaijan, Turkmenistan, Kyrgyzstan or someplace in that region. And if you have a little bit grasp of the regional languages, you can easily say, the suffix "zadeh" as in "son of" (equivalent to "oglu" suffix in Turkish or "-ian" suffix in Armenian) is very common to names of people from Persian heritage of some sort. Yes it is seldom encountered in Turkish names but not too often.

    Having said all of this, I sensed a Russian mafia style threat in the email that they sent you to remove their domain and email address from your website or else (DDOS etc). Knowing the culture of the country, most copies of the windows running there, especially at the homes of many students, are being pirated copies, assuming more than 50% of personal computers being unpatched and compromised, is not too outlandish I presume. Under the circumstances, the domain stealing effort might have originated from Russia. But the chink in the armor in this train of thought, is wiring the money to Ankara Turkey. In order to access this two grand wired money, they have to have a physical presence in the location of cukurca neighborhood. This is not some place that I am familiar with other than by its name and knowing it is kind of a section of city with lower educated population in the average, i.e., where you can hire muscle to collect debt, really cheap. I have hard time believing someone from this neighborhood being so crafty to organize such a multi-pronged attack.

    My 2 cents and keep up the good work.

    • Aibek
      November 26, 2008 at 2:54 pm

      Hi Mel

      "And if you have a little bit grasp of the regional languages, you can easily say, the suffix “zadeh” as in “son of” (equivalent to “oglu” suffix in Turkish or “-ian” suffix in Armenian) is very common to names of people from Persian heritage of some sort. Yes it is seldom encountered in Turkish names but not too often."

      I know it's not common, but as you said they are encountered. The main reason why I thought the person was from Turkey is Western Union. I don't think it's possible to pick up the funds from WU without going to the address and a valid ID card.

      As about Russians, I don't know. Based on some recent updates and an email from an Iranian blogger who covered the story on his blog (in Iranian) I believe that these people might actually be from Iran. The Iranian blogger was asked to remove the story from the blog and if he doesn't comply the hacker threatened to take his site down. There are some other strong indications pointing to Iran but I won't disclose them now before we are 100% sure and know his exact location.

  27. Rosario
    November 25, 2008 at 11:26 pm

    He must be trapped soon.

  28. BO
    November 25, 2008 at 6:24 am

    People like this guy is giving us hackers a bad reputation.

  29. Brandon Blaylock
    November 25, 2008 at 6:12 am


    To what degree would the registrar be responsible for the security of a customer's email account? Also, what legislation leads you to believe that the FBI would be responsible for criminal investigation? Please don't post misleading information, as it has the effect of frustrating not only the people who invest time in it, but adds to the strain on the FBI, the registrars, and any legal advisors brought into play.

    In situations like this, your best bet for resolution beyond the registrar is WIPO (World Intellectual Property Organization : I don't mean to start an argument, I only bring this up because it is better for people in this situation to have pertinent information that is true. For those that get lost on websites, the direct link to arbitration is here .

    Anyway, I hope this helps some of you.

  30. Simon Slangen
    November 24, 2008 at 12:59 pm

    heh... stollen ^^

  31. David
    November 24, 2008 at 11:29 am

    I would suggest contacting the FBI and filing a criminal complaint against both domain registrars and the domain hijacker. The domain registrars for assisting with the commission of a crime. Whoever was operating your domain is guilty of receiving stolen property. The impact of the crime is valued at the total revenue loss you have experienced for the duration of the hijacking.

    This should help the domain registrars see the light once the FBI starts serving up search warrants. Good Luck!

    P.S. This constitutes identity theft and many states now require companies to notify all customers when their identity has potentially been compromised.

  32. meany
    November 24, 2008 at 10:31 am

    Pay someone 2 grand to break his knee caps

  33. Andy Xie
    November 24, 2008 at 1:37 am

    Just to let you know that my domain was also stolen by this guy around August 18. It was transferred away from GoDaddy to You can tell that I have huge traffic since August and dropped after my domain was hijacked. I contacted both registrars and GoDaddy got a reply from saying that they claimed that it was a valid transfer. I'm so pissed that I have to hear that response after waiting two freaking months. The hijacker did indeed access my gmail account and retrieved my username and password from GoDaddy and initiated an unauthorized transfer to I just sent another ticket to and see if I can prove to them that this domain is mine and that if they can transfer ownership to me.

  34. Alex D
    November 23, 2008 at 2:52 pm

    Damn, this is indeed a nightmare! Thank you for sharing your story and investigations with us, I really hope someone will catch the stealer.

  35. Leion
    November 23, 2008 at 9:04 am

    This is scary. Good that you shared this. Time to beware of gmail's use

  36. Ollie
    November 23, 2008 at 5:41 am

    well, this is enough to stop me using gmail in my browser, and now I access it through my email client. Yeah, it's not as friendly, but it's going to be a lot safer I hope.
    good luck to everyone who has been hacked & had their domains stolen, hope you get them back pronto

  37. Brandon
    November 23, 2008 at 3:16 am

    I've looked into this issue this evening and discovered that a Gmail Filter Flaw still exists. That's not to say that the "hacker" exploited this flaw in your situation ... however, I think it is likely. I have posted a proof of concept here:

    • Aibek
      November 23, 2008 at 10:48 am

      Thanks Brandon,

      Looking at your explanation I really feel that's exactly how everything happened. I will pass this to the Gmail team for their comments as well.

  38. me
    November 22, 2008 at 9:19 pm

    Ok, I will say that there is a 99% chance that it was your firewall that screwed you here.

    There is a feature in HTTP called Referer; this allows any website you visit to know the last URL where you came from.

    A lot of stupid firewalls (Norton definitely) block this function, as they say it protects your privacy. This is true to a certain extent, but it is also the only line of defense against XSS attacks, which is what the gmail attack you described is.

    Gmail's fix for this issue is to check the referring page of the form POST; if the post comes from a domain other than, then gmail knows it's suspicious and blocks the request.

    If your firewall disables the referrer feature, then gmail is unable to determine the difference between a legitimate and fake request.

  39. Adam
    November 22, 2008 at 9:16 pm

    our hearts go out to you that have fallen victim to these attacks. best of luck brothers and sisters of the internet.

  40. Miles
    November 22, 2008 at 6:14 pm

    Heh, well now I get to start doing a weekly check on every gmail account I have for extra filters and forwarding. Doubtful that I would ever be targeted, however, due to the fact that I own no popular site, server, or etc.
    However paranoia ensues.
    thanks for the post. Will be sure to send this along to some of my friends that could put more use into this.

  41. brian
    November 22, 2008 at 5:34 pm

    Thank you for this article.

    I only wish I could give back. I also had a horrible experience with paypal. I was locked out of my account for 3 weeks because of an error in their system. The Philippines people kept telling me the account was fine, and that they were having website issues and to try again later. Finally I was transferred to a web technician in Alabama (I think), and he apologized a thousand times for the idiots overseas. He fixed my problem in 10 seconds, and told me if I ever had a problem to call their help center in the USA directly. I've searched my whole PC and house for that number for you, and I'm sorry I can't find it. If I do, I'll post it right away.

    Their email and phone support is a joke.

  42. Alex Cassell
    November 22, 2008 at 5:27 pm

    I had the same thing happen to me about a month ago with two of my domain names, at the time I thought I had a trojan that sent him the info.. I have since stopped using free email services..

  43. carlos
    November 22, 2008 at 5:17 pm

    thanks a lot for sharing your experience

  44. bob
    November 22, 2008 at 4:31 pm

    Moniker Whois info. on

    Registrant Street1:20 SW 27th Ave.
    Registrant Street2:Suite 201
    Registrant Street3:
    Registrant City:Pompano Beach
    Registrant State/Province:FL
    Registrant Postal Code:33069
    Registrant Country:US
    Registrant Phone:+1.9549848445
    Registrant FAX:+1.9549699155


  45. Steve
    November 22, 2008 at 4:03 pm

    Gmail flaw or keylogger/rootkit on the guy's machine that sends the hacker his e-mail password?

  46. Daniel
    November 22, 2008 at 3:28 pm

    Anyone feel like going to Turkey and arranging an old school hanging? God I hate those little pussies stealing domains. Maybe if we string one of them up against a wall and rape him with a machete the rest will think twice?

  47. testguy
    November 22, 2008 at 2:49 pm

    This guy deserves whatever he gets.

  48. Chris Cardinal
    November 22, 2008 at 2:28 pm

    You know, these XSS/POST/REST attacks could be pretty easily covered by requiring a user to always enter their password in order to set a new filter.

    I realize that'd be a bit annoying, but if all it takes is a simple, silent XSS and NO actual phishing in order for ALL my fucking email to be forwarded to some random stranger, maybe we require a password entry for each filter request. I don't know...

  49. ntopics
    November 22, 2008 at 2:06 pm

    A security break is always a bummer. I have had some myself. Lately I have been making my passwords longer and more complex, which doesn't matter to me because today's browsers remember them. On the other hand, they are tougher for others to crack.

    thanks from tony

  50. Homefinding Book
    November 22, 2008 at 1:27 pm

    Maybe the email/passwords were pulled when connecting to a wifi hotspot? I've seen that happen multiple times, and this is how the hacker got access.

  51. Nematode
    November 22, 2008 at 1:27 pm

    CSRF vulnerabilities are one of the very good reasons never to use webmail for anything important. POP/IMAP clients aren't vulnerable to CSRF attacks.

    I'd be really surprised if any of the contact information provided by this attacker turned out to be real. If he's half-way competent, he'll be using fake information in his fake whois data and all of his connections will be reflected through zombied PCs. The Western Union data is very likely fake as well; the only thing WU needs to complete a transaction is the MTCN. The address is irrelevant to WU.

    The only thing you can be sure about is that the paypal accounts he uses as drop boxes for extortion payments will eventually get money to him somehow. Good luck tracing the money trail, however...

  52. Ryan
    November 22, 2008 at 1:20 pm

    If this happened to me I think I would break down. What a lot of drama to deal with.

  53. Michel B.
    November 22, 2008 at 1:12 pm

    Something interesting is mentioned by Florin:

    I used gmail notifier extension on firefox. maybe there is the big bug

    Or could it be any other extension? I think I will never update any of mine without a code check now. It's so easy to add a "keylogger" into the extensions.

    • Ollie
      November 23, 2008 at 5:34 am

      exactly... I recently downloaded gnotify, and was amazed to see it ask for my username & password, even though I was already logged into gmail at the time. I did not use it as I was suspicious of this. Could this little program be malign?

  54. Pothi
    November 22, 2008 at 1:03 pm

    There could be many more hackers who have been doing similar thefts. Don't you think so?

  55. Fin
    November 22, 2008 at 12:57 pm

    How come no one has mentioned anything about GMail's "last account activity" where it shows you the IP address that last accessed that gmail account and from what service (pop3, browser, mobile)?

  56. Andy
    November 22, 2008 at 12:52 pm

    I'm only about 15 minutes from that address, 3250 W. Commercial Blvd. I'll go see what's there within the next day or 2 and get back to you.

    • Aibek
      November 22, 2008 at 2:08 pm

      Thank you

  57. anon
    November 22, 2008 at 12:33 pm

    that belongs to a person named Michael James, based in Australia. He offers stolen domains for auction on eBay

  58. BloggerSavvy
    November 22, 2008 at 11:35 am

    Check your "Contact Us" email.
    I have sent some valuable follow up. The server currently hosting does not appear to be in Turkey at all.
    You have contacted the police already right? If not you should contact the cyber crimes unit in your area.

  59. YuriGoul
    November 22, 2008 at 11:29 am

    Hope it never happens to me - and I will definitely take some of the advice to heart (at my last provider my website got infected with shitty javascript code that sends people to other websites; not sure if it was me or the provider who was to blame)

    About paypal: AFAIK the spoof address is for people who get the paypal scam/spam/phish mails. Not sure what they can or will do if you send it to support?

    • Aibek
      November 22, 2008 at 2:06 pm

      That was the only email I could find on their site.

  60. Court
    November 22, 2008 at 11:19 am

    If google would just allow people to lock sensitive settings like filters and only allow them to unlock them for editing by typing in their login credentials again, exploits like this wouldn't be an issue for those that actually take their email security seriously.

  61. Rich
    November 22, 2008 at 11:16 am

    If this is a problem with Gmail it isn't an XSS attack but rather a CSRF vulnerability. While similar, CSRF sends a legitimate request to the server/site you are authenticated with. It is harder to detect in that you may never know you visited a site that "rode your session" on Gmail and sent some POSTs to it.

    While this is definitely possible, I would hope that Google would now be using some of the widely known methods to combat these attacks. Using tokens for all POST data is easy to implement and will eliminate all but the most persistent attacker.

    Educate yourselves:

  62. DK
    November 22, 2008 at 10:59 am

    Dudes, I ALWAYS get email meant for other people in my GMail account - stock broker information, bank statements with real address and conversation for other people - and guess whose ID is in the TO line? Mine. I think there is a serious flaw in Gmail, so I stopped using it months back!

    • person
      November 22, 2008 at 6:41 pm

      That's not a gmail flaw it's a human flaw. One or more idiots have confused your email with their own and signed up for stuff. If your username is something common, it happens all the time. One girl even accidentally gave my address to her mother! It's just the same as wrong number phonecalls.

    • Nancy Kramer
      November 22, 2008 at 11:09 pm

      I also got sensitive email for someone else on my Gmail account. I got confirmation for airline tickets and stuff like that. I was terrified my Gmail account was hacked. Contacted Gmail support and found out that to Gmail a space " " and a period "." are the same. My Gmail account was firstname.lastname the other person having the same name probably had firstname lastname. Gmail made it the same account. I stopped using Gmail and eventually deleted my account. All those PHDs and they can't tell the difference between a space and a period. Humans are way smarter than that.

      • kristarella
        November 22, 2008 at 11:45 pm

        Email addresses don't allow spaces at all, but if someone makes a mistake in your address by adding a space or missing a point Gmail generally manages to send it to the correct person. It doesn't let one person sign up for an email with a point and an identical email without one for just that reason; it doesn't care if there's one in it.

        Sounds like someone was just silly and wrote the wrong email down.

  63. GB
    November 22, 2008 at 10:50 am

    Just FYI, but most key logger processes do not show up in the process list. The fact that you're running two different firewalls makes me think that you don't really know as much as you think you know about security. Just because YOU didn't find anything on your machine, doesn't mean it wasn't compromised, or you didn't go to a spoofed site/whatever.

    • D14BL0
      November 22, 2008 at 10:57 am

      Did you read the article? They already know how they got into the Gmail account. It's a Gmail flaw, not an infection.

  64. D14BL0
    November 22, 2008 at 10:45 am

    Thanks for the heads-up, guys. I'm going to start keeping an eye on my filters to make sure that nothing changes.

    Good luck catching the guy!

  65. ech01337
    November 22, 2008 at 10:02 am

    his server's main ip address and domain info domain ip actual server for ns3 is

    currently running a smokeping study through dsl reports. should show all activity occurring on the line for the next 24 hours. here is the link

    copy and paste.

  66. T.J. Mininday
    November 22, 2008 at 9:19 am

    Great read...Now that this has some serious coverage all over the web, let's hope some eyes at all parties reach out and actually do something.

  67. Karl L. Gechlik
    November 22, 2008 at 9:08 am

    Aibek is correct this is a SERIOUS issue that can happen to anybody using Gmail - and not just having your domain stolen... He can create filters for anything and hijack anything that sends password links via email.

    I want to hear Gmail's, Moniker and PayPals come backs for this one!

    Any hackers out there want to fill us in on the way he is gaining access? I got cash and a t-shirt for the REAL answer.

    email tips at AskTheAdmin dot Com .

    Your help is needed in fixing this issue!

  68. Louie
    November 22, 2008 at 1:37 pm

    Same thing happened to David Airey about a year ago.

    November 22, 2008 at 7:58 am

    WE WILL RETALIATE EVERY TIME ... We build our domain and websites with pure love and dedication, we have the right to protect them and sue the culprits..

    This is a good site, i really love it in every way.

  70. gregv
    November 22, 2008 at 12:57 pm

    One thing you don't mention in the article is how you access gmail. Always, always start by going to It will force the entire mail session to be encrypted. You should also go to your security settings and check "Always use https." Then if you forget to access via the encrypted URL, google will still use it. There are some flaws that are endemic to AJAX and really the only way to take care of it is via encrypted sessions. See

  71. alex
    November 22, 2008 at 7:36 am

    that's a pretty interesting story. you've done some nice research. but it won't help you anything because police in Turkey won't do anything, even if you have clear evidence. I think it's a little bit like the Russian Business Network - Problem.

    and c'mon ... it's your own fault. who uses a free-mail account for registering domains (except if it's your first domain ;) ) ... so i think you have to blame yourself, too. if you have a site with xxxxx visitors each day, you make enough money through ads that you can buy yourself a secure email-account and some think you even have the duty to do so (even more when you are dealing with user-credentials, user-generated-content, etc.)

    but nevertheless i hope you and the other guys get your domains back.
    So, take more care about your emails in the future ;)

  72. India Travel
    November 22, 2008 at 7:21 am

    It is a serious issue

  73. Johan
    November 22, 2008 at 7:06 am

    What is the answer to your password recovery question and is it easily discoverable via google?

    • Aibek
      November 22, 2008 at 1:30 pm

      Definitely not in my case!

  74. tompa
    November 22, 2008 at 7:00 am

    I hope the malicious people behind these hacks are found and brought to justice!

    As a regular user I have no idea if there's a basic security flaw in gmail that allows adversaries access in the first place.

    But I still think that gmail easily could add features that would limit the damage in such cases:

    1. add multilevel security: require the use of some master password to create filters, edit forwarding rules and so on.

    2. increased transparency: when a filter, forwarding rule is changed (or a failed attempt to change it occurs) then gmail should display a note about it visible to the user each time he/she logs onto gmail for the next few days.

    Let me also just agree that this is excellent advice:

    "(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing web."

    I even go so far as to only access that special email account after booting an Ubuntu live-CD. I never access it from within Windows or any other installed OS.

  75. Goodluck
    November 22, 2008 at 6:56 am


    • Brandon Blaylock
      November 22, 2008 at 7:04 am

      Any security policy based off of a racial slur, a made up statistic, or an underestimation of another person's intelligence is not really a security policy at all. But I get it, you were being funny.

  76. ABc DEf
    November 22, 2008 at 6:53 am

    You got phished.

  77. Brandon Blaylock
    November 22, 2008 at 5:42 am

    Here are some very easy ways to ensure the security of your domain.

    1. Set your whois email contacts to an administrative email account. Set a very long and complex password on the account and have all email forwarded to your daily use account. Since you do not log into the account and it has a very long and obfuscated password it makes it much more difficult to break into. Also set very random security questions, as sometimes your security questions can be very simple to break. Since the email address listed in the whois database is publicly available it is the prime target for anyone attempting to steal a domain; this practice adds a layer of security, much like root privileges in a linux environment.

    2. Get privacy on your domain. Privacy masks your whois contact information. The less information someone has on your domain, the more difficult it becomes for them to gain control of it. Also be aware that there are services that keep a history of whois information, so this is not a foolproof method of privacy since the information is probably still out there.

    3. Keep your registrar(GoDaddy, Moniker, Etc.) email address different than your whois email address. This makes it more difficult for someone to gain direct access to your domains since your account email will not be publicly available.

    4. If you are really concerned, pay for a service like Protected Registration at GoDaddy. This service locks down a domain irrevocably. In fact, it makes it almost impossible to transfer even if it's you that wants to do the transferring.

    5. Keep alerting on. Most registrars have account options that will send you an email if any registrant information is changed or a domain is unlocked. Make sure it's turned ON!

    6. Call the experts! I have all my domains at GoDaddy and I use Google Apps on over 40 domains. If I need to know something about my account I call the free support and ask them.

    • Aibek
      November 22, 2008 at 1:10 pm
      Thanks for sharing, I second every one of them.

  78. Ozimus
    November 22, 2008 at 10:38 am

    Hello MUO.

    First, let me say I'm not a legal/criminal expert. However, having reviewed the evidence you and your faithful readers have compiled, it seems to me you have a legitimate international crime. The only place I can think of that this could be reported is at the FBI. Specifically, FBI tips, or you could go to your local field office. When major corporations are hacked, the FBI gets involved. I can only hope they'd put the same efforts into protecting a growing list of small businesses. I would urge you to organize all of the documentation and information gathered in a report presented to the FBI. In the end, the worst they can do is say no to your request for help.

    A Daily Reader

    • Aibek
      November 22, 2008 at 2:00 pm

      Thanks for the tip, i am adding this to my to do

  79. mehtuus
    November 22, 2008 at 5:36 am

    Correct me if I am wrong, but I think that you can be protected from this flaw by using firefox and the plugin NoScript.

  80. Anon
    November 22, 2008 at 5:36 am ip block is owned by.. could place a call there

    OrgID: OVERS-1
    Address: 515 S. Flower St
    Address: Suite 4400
    City: Los Angeles
    StateProv: CA
    PostalCode: 90071
    Country: US

    NetRange: -
    NetName: OVERSEE-NET-2
    NetHandle: NET-208-73-208-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.OVERSEE.NET
    NameServer: NS2.OVERSEE.NET
    RegDate: 2006-12-28
    Updated: 2006-12-28

    OrgAbuseHandle: OVERS-ARIN
    OrgAbuseName: Oversee NOC
    OrgAbusePhone: +1-213-408-0080

    OrgTechHandle: OVERS-ARIN
    OrgTechName: Oversee NOC
    OrgTechPhone: +1-213-408-0080

    also interesting 21600 IN MX 10 21600 IN MX 30 21600 IN MX 30 21600 IN MX 30 21600 IN MX 30 21600 IN MX 20 21600 IN MX 20

    ;; ADDITIONAL SECTION: 68916 IN A 3398 IN A 167141 IN A 46168 IN A 1765 IN A 3441 IN A 1997 IN A

    Possible using googles mail service (non-gmail) stuff as a back door in?

  81. david smeaton
    November 22, 2008 at 9:51 am

    firstly, @ goodluck - please don't say racist things. by saying "99% of Turks are retards" then you're just as bad as the people you criticise.

    secondly, this is a serious issue ... so treat it seriously!

    thirdly, a simple way to protect yourself is by installing another browser for gmail. i use firefox for most stuff ... but i use chrome for email. i don't surf at all using chrome, just check email. if there are links, i copy/paste them back to firefox.

    i do this because i don't like email clients. i like web based email.

    finally, thanks for chasing this guy on everyone's behalf ... good luck getting him and helping people retrieve their domains.
  82. Chris/James
    November 22, 2008 at 4:46 am

    So wait.. You actually used your e-mail address associated with the account with GoDaddy for your website? I used to work for GoDaddy, and christ (if it wasn't obvious from the post), you're quite inept and should not be allowed to have a website. Such as it is.

  83. Aibek [impostor]
    November 22, 2008 at 4:42 am

    "I also keep my system up to date and have all essentials including 2 malware monitors, an antivirus and 2 firewalls."

    The fact that you need, or think you need that, says a lot.

    You can have all the security in the world, but it is undermined by your stupidity and ignorance.

    • Aibek
      November 22, 2008 at 5:55 am

      "The fact that you need, or think you need that, says a lot. You can have all the security in the world,...

      So based on your argument, smart people should ignore security software. And what's wrong with "think you need that" ? So what should we who think that we need security software to protect our PCs do then?

      There is a flaw in your logic.
      You're an idiot !

  84. Technogadge
    November 22, 2008 at 4:42 am

    This is really a scary thing for beginners like me. I would like to thank you for putting all the information together on this post. What do you think about Yahoo!? Do they have such a security flaw?

    • Aibek
      November 22, 2008 at 1:00 pm

      I don't know about Yahoo, but I doubt that their security measures are better than those of Gmail. The reason we hear about Gmail more often is due to its huge popularity in the tech community.

  85. Peter W
    November 22, 2008 at 3:28 am

    The gmail folks could go a long way towards fixing this with some defensive configuration changes.

    There are two simple things I'd like to see in particular:
    1) Require a password refresh in order to add or change filters with forwarding
    2) Require a password refresh in order to add forwarding in general.

    It doesn't have to be too intrusive.. Just require re-verifying your gmail password before allowing forwarding to go elsewhere. Set the timeout to something small like 15 minutes. That greatly narrows the window where an undetected XSS attack can affect you. In order to have the XSS/link attack work silently, you'd have had to have verified your password within the last 15 minutes.

    You'd notice if clicking on a link caused gmail to ask for a password to allow editing the forwarding...

    • Ashish Mohta
      November 22, 2008 at 11:44 am

      This would be really good. Funny thing is they ask for a password when you add a feed in orkut but they don't when you add a filter. !!!!

    • Aibek
      November 22, 2008 at 12:56 pm

      I agree, this can definitely help.
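      The three defences discussed in this thread (the Referer check that "me" describes and its blind spot when a firewall strips the header, the per-session anti-CSRF token Rich recommends, and the password re-entry window Peter W proposes) can be modelled together in a single server-side policy for a "create filter" request. This is an added illustration, not Gmail's code; the origin, the 15-minute window, the request shape and all addresses are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed values for the illustration (not Gmail's real configuration).
MAIL_ORIGIN = "https://mail.google.com"
REAUTH_WINDOW_SECONDS = 15 * 60  # the 15-minute window proposed in the thread


@dataclass
class Session:
    """Server-side state for one logged-in user (constructed model)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    last_password_check: Optional[float] = None  # epoch seconds; None = never


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST to a 'create filter' endpoint."""
    form: Dict[str, str]
    referer: Optional[str]  # None models a firewall or proxy stripping the header


def referer_only_policy(req: Request) -> bool:
    """The Referer-based defence as the thread describes it.

    A missing Referer has to be accepted, because privacy tools strip it for
    legitimate users too; that is exactly the gap pointed out above."""
    return req.referer is None or req.referer.startswith(MAIL_ORIGIN + "/")


def token_ok(session: Session, req: Request) -> bool:
    """Per-session anti-CSRF token: a foreign page cannot read it, so it cannot
    include it in a forged POST. Constant-time compare avoids a timing leak."""
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, session.csrf_token)


def reauth_ok(session: Session, now: float) -> bool:
    """Password must have been re-entered within REAUTH_WINDOW_SECONDS."""
    return (session.last_password_check is not None
            and 0 <= now - session.last_password_check <= REAUTH_WINDOW_SECONDS)


def allow_filter_change(session: Session, req: Request,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Layered policy for filter/forwarding changes. Returns (allowed, reason).

    Token first (defeats CSRF outright), Referer only as a secondary signal
    when the header is present, then freshness of the password re-entry."""
    now = time.time() if now is None else now
    if not token_ok(session, req):
        return False, "missing or invalid csrf token"
    if req.referer is not None and not req.referer.startswith(MAIL_ORIGIN + "/"):
        return False, "request referred from a foreign origin"
    if not reauth_ok(session, now):
        return False, "password re-entry required"
    return True, "ok"


def run_scenarios(now: float = 1_227_400_000.0) -> Dict[str, Tuple[bool, bool]]:
    """Compare the Referer-only defence with the layered policy on four
    constructed requests. Returns {scenario: (referer_only, layered)}."""
    sess = Session(user="victim@example.com", last_password_check=now - 60)
    good_form = {"filter": "from:registrar", "csrf_token": sess.csrf_token}
    forged_form = {"filter": "from:registrar", "forward_to": "drop@example.invalid"}
    cases = {
        "legit_user": Request(good_form, MAIL_ORIGIN + "/settings/filters"),
        "forged_referer_visible": Request(forged_form, "https://other-site.example/"),
        "forged_referer_stripped": Request(forged_form, None),
        "legit_but_stale_reauth": Request(good_form, MAIL_ORIGIN + "/settings/filters"),
    }
    results = {}
    for name, req in cases.items():
        # Stale case: pretend the request arrives two windows after the last re-auth.
        t = now + 2 * REAUTH_WINDOW_SECONDS if name == "legit_but_stale_reauth" else now
        results[name] = (referer_only_policy(req), allow_filter_change(sess, req, t)[0])
    return results


if __name__ == "__main__":
    for name, (ref_only, layered) in run_scenarios().items():
        print(f"{name:26s} referer-only={str(ref_only):5s} layered={layered}")
```

The "forged_referer_stripped" row is the one the thread argues about: the Referer-only check lets it through, the token check does not.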

  86. Manuel Fickovic
    November 22, 2008 at 3:28 am

    Here is more info about the guy from

    His MSN is
    Gmail he contacted me
    Email he changed in my paypal account
    Email he changed in my parked account
    IP address he logged in my parked account

    Source :

  87. Jaf
    November 22, 2008 at 2:30 am

    Since the beginning of this episode I carefully watched every development and even wrote a short note on my blog that got hijacked --- I instantly changed my Gmail account associated with my domain; previously my domain was on Godaddy, even if it was still there I would definitely have moved it somewhere else, and also added domain privacy to my domain.... I also took the time to set up my domain email and abandoned using gmail email in blog comments..... in short Google must pay quick attention to this ongoing issue; the more people learn about it, the more they are gonna be scared of Gmail. I know Aibek didn't mean to scare us of Gmail nor do I,,,, but I am just pointing out there seems to be an issue or a loophole in Gmail security, no? I'm glad that Matt Cutts followed this blog post and eventually this matter would be addressed by the gmail team (hope so)

  88. aloishis
    November 22, 2008 at 1:24 am

    I don't have time, but if someone else wants to fire up Backtrack 3 and do a bunch of scans on the domain, that could be helpful. And gmail logs the IP's of last logins, any chance you got those from when he logged in? Remember: there is always a way around a security measure.

    • Aibek
      November 22, 2008 at 12:53 pm

      In my case the IP was pointing to the compromised server on Alpha Red Inc. They have already taken the server down. They couldn't help us as the server logs were deleted.

  89. venkat
    November 22, 2008 at 1:04 am

    This is a scary story to all Gmail users, having said that no email is safe enough not to get hacked. I agree with Aibek, I really get worried if I don't find any keyloggers, viruses and spyware enough to hack, then we have to doubt the service we are using, in this case here Gmail. I also really worried after scanning with an internet security suite that someone is spying on me.

  90. Matt Cutts
    November 22, 2008 at 12:42 am

    I started asking some people here at Google about this. Other than David Airey a while ago, I can't remember hearing about other cases of this "add malicious forwarding rules to Gmail to sniff registrar passwords and hijack a domain" type of situation, but I'll keep my ears open.

    • Matt Cutts
      November 22, 2008 at 12:38 pm

      By the way, a security person found me to chat about this specifically. They mentioned that the original bug from 2007 is still fixed properly. They also said that the David Airey incident was not an exploitation of the XSRF flaw or other Gmail flaw.

      If I had to guess (and bear in mind that I have no special/inside knowledge or computer security background), I would guess that it was a keylogger. Once an attacker knows (say) a Gmail password, they could exploit that to try to grab any domain names that you own. Notice for example that the Gmail snapshot above includes multiple registrars ( and, so it could easily be a scripted attack that tried to see if that Gmail account can be used to hijack domains from multiple registrars. In a keylogger situation, there's nothing special about Gmail--the attacker could attack other webmail providers too.

      • Aibek
        November 22, 2008 at 3:53 pm

        The reason there are filters for multiple registrars is because the domain transfer process includes several emails from both the losing and gaining registrar. So if the hacker doesn't want the victim to know anything about it he has to set up multiple filters.

        In my opinion the hack was carried out in the following way:

        - 1. hacker has an automatic script that searches public WhoIS databases and finds people that have a gmail email listed as a contact.
        - 2. the script further filters the results leaving only somewhat established sites.
        - 3. next he sends an email to the owner (or even leaves a comment on his blog) with a link to a site that targets the Gmail bug.

        • geekamongus
          November 23, 2008 at 10:25 am

          That seems the most logical explanation to me. A little XSS mixed with some social engineering.

          Whoever mentioned above that the fact no GMail accounts have been locked out is correct in that this must be some sort of cross-site scripting vulnerability, as it relies upon filters for the cracker to obtain copies of emails. If he had direct access to the GMail account, why not simply log into it and use it?

          I want to stress the importance of selecting the "Always use https" option in the GMail settings, especially if you use GMail from your local coffee shop or other public wi-fi hotspot.

    • Aibek
      November 22, 2008 at 12:50 pm

      Hi Matt,

      Thanks for the comment. It's good to know that the article made its way to known Google individuals like yourself.

  91. Daniel
    November 22, 2008 at 5:16 am

    I highly doubt anyone writing for MUO would fall prey to phishing, nevertheless, it is a possibility. I can recommend Bluehost to anyone out there as a hosting company, I tried to ask them for complicated stuff, but they always help me out and complete everything in not 24, but more like 2-3 hours. They're really friendly and I should think they'd address this issue.

    I love paypal, but I think they've become a bit 'elitist'. Unless you have tens of millions of dollars going through I doubt they will take the time to help until it's happening "only" with 5-6 people.

    One thing more that I don't get is, and it shows how these people aren't that bright, is why didn't the guy just replace the adsense block with his own? I doubt anyone would notice for months, in total earning him more. I've always thought about this as a threat, so perhaps you would like to check your ads as well!

  92. Richard M
    November 22, 2008 at 12:07 am

    The fact that no one seems to have been permanently locked out of their accounts almost leads me to believe this is related to the old "known" cross site scripting issue. That issue was supposedly fixed right after it was found. But it's possible there is a new issue there.

  93. kailoon
    November 21, 2008 at 10:38 pm

    Wow... scary, man... I am using Gmail too. So, what should I do? I don't know anything about security issues...

    • kristarella
      November 21, 2008 at 11:10 pm

      In your Gmail settings select the option to always use https, check your filters and forwarding, make sure there's nothing there you didn't set up, have a good password and don't give it to anyone. Should go a long way to keeping things secure.

      • kailoon
        November 21, 2008 at 11:42 pm

        There is nothing in the filters, what should I add?

        • kristarella
          November 22, 2008 at 12:04 am

          Nothing. If you don't want/need to use filters that's fine. The thing about this technique is that once someone gets into your Gmail account they can set up filters to prevent you from seeing emails or to forward emails to themselves. So if there's a filter that you didn't set up with a weird email address, delete it.

  94. Gspider
    November 21, 2008 at 10:23 pm

    I don't think that's related to Gmail itself but probably the environment and the way you connect to your Gmail. For example, having lots of untrusted or even trusted Firefox add-ons decreases your security level dramatically.

    You mentioned that he was able to get your info using forward filters, but he didn't actually have physical access to your account or he would have got it all without filters and even changed and blocked access to your email too. I think it's more like using and sending a code to generate such filters. I guess.

    Google apps and services are all connected together, so a security bug in iGoogle will affect all your other apps.

    • Aibek
      November 22, 2008 at 12:45 pm

      I can't tell for sure whether the guy had physical access to my account. The filters were there; they might have been inserted using a similar technique as described in the post or he could have added them there manually. I am inclined to believe it's the first one. Mainly because this guy knows very well what he needs to do before moving some domain. In our case he knew beforehand that he would be moving the domain from GoDaddy to NameCheap (reseller for Enom). Thus he knew every step of the process and what emails to intercept and where they will be coming from.

  95. sylv3rblade
    November 21, 2008 at 10:12 pm

    toinks, I already suspected Gmail as the problem when David Airey's domain got stolen, now this. BTW, PayPal support really sucks.

    • Dee
      November 26, 2008 at 2:29 pm

      Four unconfirmed cases in a year are definitely signs of a weakness in Gmail, alright.

  96. Angel
    November 21, 2008 at 10:07 pm

    I was led here through a link someone posted on Twitter, but I am glad I stopped to read. Thank you for bringing this possibility to everyone's attention. I fall under all the 'no-no's' that are listed here and it could have been my story (and I own quite a few domains!).

  97. D L Owens
    November 21, 2008 at 10:05 pm

    He seems very clever and it is likely that there are a lot of victims that still aren't aware that they've been compromised. The best prevention is to educate yourself about the numerous ways that your email can be infiltrated.

    • Aibek
      November 22, 2008 at 12:00 am

      Indeed, I am sure many of his victims have no idea about it. I also believe it's a lot harder to get the domain back once it has been in someone's hands for a while.

  98. Richard M
    November 21, 2008 at 9:49 pm

    I'd venture to guess that you guys were probably victims of phishing or something of the like. If it was just an issue with Gmail then I'd think you'd see more widespread issues. I also find it interesting that everyone affected is using GoDaddy.

    • Aibek
      November 21, 2008 at 9:52 pm

      Well, I am 100% sure there are dozens more cases out there, we just don't get to hear about them.

      • Richard M
        November 21, 2008 at 10:00 pm

        I'm curious: in your case, was anything related to Gmail changed? It just strikes me as odd that between all the cases, Gmail and GoDaddy are the two biggest common factors. I'm sure there might be more, but that would take some detailed evaluations.

        • Aibek
          November 21, 2008 at 10:12 pm

          Yes, when it happened to me it was also via Gmail. The account had a filter set up forwarding certain emails to the hijacker.

    • David Airey
      November 22, 2008 at 5:42 am

      When my domain was stolen, I had no business dealings with GoDaddy. The cracker transferred my domain name from another registrar into his / her GoDaddy account, so not everyone affected is using their service.

      I'm glad it wasn't any longer than 36 hours before you had your domain returned.

      • Aibek
        November 22, 2008 at 5:49 am

        I was referring to Gmail in particular, not GoDaddy. GoDaddy is definitely not to blame here; it's normal for it to appear in most of the incidents simply due to their huge popularity.

  99. Yashar
    November 21, 2008 at 9:43 pm

    "Amir Emami" and "Aydin Bolourizadeh" are not Turkish names. Both are Persian names.

    • Aibek
      November 21, 2008 at 9:49 pm

      Amir Emani is not, Aydin Blourizadeh can be Turkish on the other hand. I lived two years in Turkey.

      • Alphan Gunaydin
        November 22, 2008 at 10:57 am

        "Blourizadeh" doesn't sound Turkish.

    • Zaur
      November 24, 2008 at 9:19 am

      Aydin Bolourizadeh is Azerbaijani for sure. But he can be originally from South Iran too.

  100. Miguel Wickert
    November 21, 2008 at 9:29 pm

    Unreal! Well... glad you got everything worked out! What if you own a site but transfer it to someone else, as far as hosting, and you wanted it back but they won't transfer it... now what?

  101. Mackenzie Morgan
    November 21, 2008 at 9:27 pm

    Oh, so *this* is why I only access GMail via IMAP and never login to it in my browser.

    • kristarella
      November 21, 2008 at 11:08 pm

      In what way is it more secure that you never view the online Gmail environment and therefore rarely see your filters or know what is usual for your Gmail account?

      • TerminalDigit
        November 22, 2008 at 2:41 am

        It's "more secure" in the sense that the exploit described is browser-based and requires the user to be logged into GMail in their *browser* while visiting a malicious site. If you access your e-mail via IMAP, then your login credentials are sent via your e-mail client, and your browser has no active session cookie for your Google account, rendering the call to inject a redirect filter useless.

        • kristarella
          November 22, 2008 at 5:30 pm

          Yep, my bad for commenting in a hurry. I've read the post thoroughly now. Using IMAP sounds like a good idea. The four tips at the end of the post are good ones, although I'm shocked that no one has mentioned the setting to always use GMail with https!

          Turn on HTTPS!

        • Garcya
          November 23, 2008 at 5:57 pm

          If you are not logged in to Gmail, maybe you are logged in for or any other Google apps? It's the same thing.
          Anyway, the big companies won't do something about this until their domains get stolen :)
          They don't care about you and me, or anybody else. Do you really think they want their websites to get flooded with DDoS attacks?

        • TerminalDigit
          November 26, 2008 at 9:26 pm

          HTTPS is a good idea for other reasons, but it won't protect you against this attack.

      • Pete
        November 22, 2008 at 5:13 am

        Well, if you're accessing Gmail through a desktop email client, you're not making any HTTP POST requests, which means you're not vulnerable to the attack described above. The IMAP in this case is sorta irrelevant, POP should work fine too. It's the separate client in this case that's the key.

        As for the blog post, I haven't yet seen a clear case for anything other than someone discovered their Gmail account password and used it to obtain access to the other accounts.

        What proof have you got that there's a Gmail vulnerability in play here? All you've shown is that someone managed to get into some accounts.

      • Marius Gundersen
        November 22, 2008 at 5:22 am

        Because of how the security flaw works. The hacker can only hack your account if you are logged into Gmail in the same browser as you browse the web with.

        • Ashish Mohta
          November 22, 2008 at 11:36 am

          Best would be to use Chrome to access your mail accounts, especially Gmail and stuff. You can also use Chrome for accessing your private accounts. Use any other browser for surfing. And please improve surfing habits.

        • drfindley
          November 22, 2008 at 1:05 pm

          Ashish: Using Chrome is no more a help than using IE or Firefox with a multipart/form-data POST.... any browser that supports AJAX could easily do that. Chrome has yet to stand up to the security scrutiny that Firefox and Safari have. While it's a fun browser, its security is not tested and therefore not to be trusted (yet).

        • Peter
          November 22, 2008 at 1:25 pm

          Who says Chrome is not vulnerable to this? All Chrome windows and tabs share the same session ID. So if you're logged in in one window, you're logged into all of them.

        • Eric
          November 22, 2008 at 2:15 pm

          drfindley, Peter: You are missing the point. He isn't saying that Chrome is not vulnerable. He is saying that you should use two separate browsers, one for email, and another for general web surfing. He just specifically suggests using Chrome for the email browser.
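The thread above (TerminalDigit, Pete, drfindley, Peter) describes the mechanism: a page on another site makes the victim's logged-in browser POST a forwarding filter, riding on the Gmail session cookie, which is why an IMAP client or a separate browser is unaffected and HTTPS alone does not help. As an added example that is not code from the post, its commenters or Google, the toy webmail endpoint below shows the cookie-only check that has this weakness next to a hardened version that also requires a same-origin request and a per-session anti-CSRF token; the `Request`, `Session` and `SITE_ORIGIN` names are constructed stand-ins, not Gmail's real API.

```python
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail.example.com"  # assumed origin of the webmail app


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST to the filter-creation endpoint."""
    origin: str                               # Origin header set by the browser
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    filters: list = field(default_factory=list)


SESSIONS = {}  # session cookie value -> Session (in-memory stand-in)


def login(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user)
    return sid


def add_filter_cookie_only(req):
    """Weak pattern: any POST carrying the session cookie is honoured, so a page
    on another site can make a logged-in browser submit a forwarding filter."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "unauthenticated"   # no browser session cookie to ride on
    sess.filters.append(req.form["forward_to"])
    return "added"


def add_filter_hardened(req):
    """Hardened: same cookie check, plus the request must come from our own
    origin and carry the per-session anti-CSRF token that only our pages know."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "unauthenticated"
    if req.origin != SITE_ORIGIN:
        return "rejected: cross-site origin"
    token = req.form.get("csrf", "")
    if not secrets.compare_digest(token.encode(), sess.csrf_token.encode()):
        return "rejected: bad csrf token"
    sess.filters.append(req.form["forward_to"])
    return "added"
```

A request with no session cookie at all, which is the situation of a mail client speaking IMAP or POP rather than a logged-in browser, is rejected by both versions, and the cookie-only version is the only one that accepts the cross-site POST.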

  102. ShuShine
    November 21, 2008 at 9:08 pm

    This is pretty scary. Who would think that the hacker used Gmail?

    • MobileAnswers Mashup
      November 22, 2008 at 7:47 pm

      Call me crazy, but I don't think they should shut down his account. Instead, investigate the matter and restore all accounts he's breached. Then fine him heavily, and push both civil and corporate suits against him.

      I hope you catch him, but what I don't want to see is a lot of racism coming out of this. So let's keep it civil and leave it to the companies and parties involved to do the work, otherwise you end up with people messing the entire thing up by swearing and throwing insults which complicates everything.

      Honestly, three things on the web that suck: domain squatters, spammers and thieves.

    • samer
      November 23, 2008 at 3:07 am

      There were several incidents when accessing our Gmail accounts would bring us other people's inboxes. It was attributed to local ISPs' caching tricks, but later the same happened with YouTube accounts. See more here
      and here.
      Now some government departments, economy, went for Google to get their own email accounts; that is scary for economya.