alert Stolen Four Letter Names

jberryhill

John Berryhill, Ph.D., Esq.
The following names were stolen from a GoDaddy customer:

wumz.com
fexz.com
cclw.com
yded.com
clcy.com
kdtx.com
wohp.com
ubve.com

The names interactivebrain.com and cloneclothing.com appear also to have followed similar unauthorized transfer patterns.

The same person attempted a theft of qauf.com, but the intended victim caught the transfer email in time to stop it.
 
33
•••
@lotk Have you been able to track down and get in touch with @j2tuff911 regarding wohp.com?
Not sure he was the purchaser from you, mentioned above, but I did notice he has one of the stolen names listed for sale on his website. Hoping the domain will find its way back to the rightful owner at GoDaddy!

The person I sold wohp.com to was James Cluster but he appears to be banned or not have an account here any more. Anyways, I have issued his refunds (he made 3 paypal payments for the domain) and copied Mr. Berryhill on the email.
 
4
•••
@jberryhill - I am copying you on all emails to James Cluster I refunded the wohp.com payment to. Please reply to him as he keeps asking me for next steps but I am deferring to you. As far as I'm concerned, everything on my part is complete. Both domains I bought and resold have been refunded.
 
0
•••
What's actually happening is that the 3rd-world scammers are totally bypassing any old email lists, and going straight to the WHOIS data for emails from any major Internet provider with a customer service phone number (i.e., Verizon, AT&T, Comcast, etc.) and then forwarding these lists to massive call centers.

Then cheap labor mass-calls these providers and plays the old "I am sorry, I lost my password" social engineering trick (using your WHOIS address and phone info to authenticate) to gain access to your account, and by virtue all your emails. And then a quick password change later they are playing the "forget password" game at your registrar account and quickly transferring out all your valuable domains.

If you have 2-factor authentication, they then just call your cell phone company and port the number out (again using WHOIS address/phone data) and defeat it that way.

The most vulnerable part of any security plan is the people sitting in CS at your local Internet provider, happily giving full account access to Nigerian, Kenyan and Moroccan scammers who only need to provide them your address and phone number. The lack of security protocols and accountability is appalling and I highly recommend these steps to negate these CS nimrods:

1) Do not use an email for WHOIS from any source that has phone support.
2) Do not use an email for Registrar accounts from any source that has phone support.
3) Use a different email for WHOIS than you do for Registrar account access.
4) If possible, use multiple email accounts from domains that you control - zzzzz @ mysite.com for WHOIS and xxxxx @ myothersite.com for Registrar account.

Remember, these thieves are looking for quick scores from calling well known ISPs, and like any security system, you are simply trying to dissuade jokers like this from making an easy theft. They see "admin @ sdjeuyydkkes.com" and they quickly move along to the next victim.
 
7
•••
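The four recommendations in the post above can be checked mechanically. This is an added example, not part of the original post; the provider domain list and the function names are assumptions made for illustration.

```python
# Added example: check a WHOIS / registrar e-mail pair against the four rules.
# Consumer mailbox domains of ISPs with phone support (illustrative, not exhaustive).
PHONE_SUPPORT_DOMAINS = {"verizon.net", "att.net", "comcast.net"}


def email_domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.strip().rsplit("@", 1)[-1].lower()


def under(domain, zones):
    """True if domain equals, or is a subdomain of, any zone in zones."""
    return any(domain == z or domain.endswith("." + z) for z in zones)


def audit(whois_email, registrar_email, owned_domains=()):
    """Return the list of rule violations; an empty list means all rules pass."""
    findings = []
    w, r = email_domain(whois_email), email_domain(registrar_email)
    owned = {d.lower() for d in owned_domains}
    if under(w, PHONE_SUPPORT_DOMAINS):
        findings.append("rule 1: WHOIS e-mail is at a provider with phone support")
    if under(r, PHONE_SUPPORT_DOMAINS):
        findings.append("rule 2: registrar e-mail is at a provider with phone support")
    if whois_email.strip().lower() == registrar_email.strip().lower():
        findings.append("rule 3: WHOIS and registrar account share one e-mail")
    # Rule 4 is the "if possible" rule: two different domains, both under your control.
    if not (under(w, owned) and under(r, owned) and w != r):
        findings.append("rule 4: not two separate domains that you control")
    return findings


if __name__ == "__main__":
    # Constructed inputs.
    print(audit("jon@comcast.net", "jon@comcast.net"))
    print(audit("zzzzz@mysite.com", "xxxxx@myothersite.com",
                {"mysite.com", "myothersite.com"}))
```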
Just wanted to update that Alejandro just refunded the money for one of the stolen domains that he sold to me. He hasn't been in touch lately but the refund landed in my paypal account. I truly don't understand what happened with this whole situation. The fact that Alejandro has already refunded some people for some of the stolen domains is a good sign and I hope that it will turn out that he wasn't involved in this and was just sold stolen domains. Why would a thief refund people? The email sent to eZen.com's owner is certainly confusing but perhaps Alejandro sent a random email to verify ownership and that's why it appears there? At the moment, the main thing I know for sure is that I don't know anything. But hopefully this situation will continue to improve for everybody involved.
 
3
•••
@SuperBrander please note that the "email of Alejandro" was sent on Dec 31st, 2017, at least 10 days after the domains in question were sold on Namepros. So this story does not add up. I would very much like to have this whole story explained based on solid facts.
Can someone please provide full history of whois before the theft? From what I see in whois the owner in 2016 and 2017 was Jon Bentz:
Name: j bentz
Address: 109 BESLER AVE, Cranford, New Jersey, 07016, United States
Email: [email protected]
Phone: 11234567890

Can we as a domainers' community work together to establish sound community practices to deal with these cases? It is so dangerous to the trade and frustrating that even if we buy from respected and honest sellers and we do our due diligence before purchase we can not be sure if we become the rightful owners of the names we pay for. That should change.
 
3
•••
@Andish eZen was stolen from a different owner. One of the domains that was sold to me was indeed stolen from Jon whom you mentioned and I pushed it back to him. It seems like there were multiple thefts from multiple people done at different times.
 
1
•••
@SuperBrander please note that the "email of Alejandro" was sent on Dec 31st, 2017, at least 10 days after the domains in question were sold on Namepros. So this story does not add up. I would very much like to have this whole story explained based on solid facts.
Can someone please provide full history of whois before the theft? From what I see in whois the owner in 2016 and 2017 was Jon Bentz:
Name: j bentz
Address: 109 BESLER AVE, Cranford, New Jersey, 07016, United States
Email: [email protected]
Phone: 11234567890

Can we as a domainers' community work together to establish sound community practices to deal with these cases? It is so dangerous to the trade and frustrating that even if we buy from respected and honest sellers and we do our due diligence before purchase we can not be sure if we become the rightful owners of the names we pay for. That should change.

It seems at least these two cases have in common that both the owners used Comcast as their email provider. I am not in the U.S. Is this considered a particularly insecure provider?
 
0
•••
I got an email from Alejandro after sending him an email to thank him for the refund. My impression is that he's a victim in all of this, that he's trying to make this situation right and that he'll refund the money for any stolen domain that he sold. Tracking all of the transactions is apparently difficult due to an email address that isn't operational anymore and some deals that were done using cryptocurrency. At least in some cases he seemed to have sent emails to owners to validate ownership (which might explain the email sent to the email address of eZen's owner). As I said earlier, the fact that he's refunding people is a good sign. I think he should have been public from the get go about everything, explain every detail etc. But either way, hopefully everything will get sorted out.
 
3
•••
Comcast .net emails have transitioned under Xfinity. Criminals attempt to reset the passwords by using existing leaked info and social engineering. Once they reactivate the Comcast .net email accounts, they are able to take over domains linked to them.
 
4
•••
I communicated further with Alejandro. He plans to return the rest of the funds to all buyers within two weeks. If you think about it- if he were the thief responsible for all of these thefts, it wouldn't make much sense for him to use his real name, his real email address, his real paypal account etc. He also used his escrow account for one transaction with me. He's had a great reputation here. Why would he go rogue using his own name? He says that he's dealing with each transaction individually and plans to return all of the funds. I believe him. I think that he found himself in an extremely stressful situation where he was accused from every direction and he's trying to make that situation right now. So hopefully this mess will be cleared and everybody involved can move on to better things.
 
3
•••
I can also confirm I have received a partial refund from Alejandro for one of the domains I bought from him.

I don't want to draw any conclusions, but I do think it is possible he is a victim himself. It would be great if he could point to the real culprit, though.
 
2
•••
I happen to have one of those emails from a third party (Verizon, ATT, Comcast). I'm not mentioning the exact one in case the "bad guys" are watching me...

Anyway, whenever you call my email provider for customer service, they send me a follow-up email thanking me for contacting customer support, and they hope I received all the support I needed (and sometimes they want me to fill out a brief survey about my call to their Customer Service).

A few months ago, the strange thing is I got 3 of these emails thanking me for contacting their Customer Service. The problem is that I NEVER contacted them. So I was convinced someone was trying to hack my account. I changed my password each time. I also turned on 2FA.

Other emails I received the last few months (so at least one hacker was trying hard to hack me)
-email that package cannot be delivered (have to click the attachment for package/tracking info)
-email saying my email account was suspended, click the link to sign into my account to re-activate
-email saying my hosting was suspended, click link to re-activate
-email about my bank account suspended (from a bank I don't even have an account with)

As a safety measure, I download a complete list of all my domain names each day. Load them to MS Access and compare to the prior day.

These hackers need to be stopped -- they drive me nuts...

Regards,
DN
 
3
•••
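The daily export-and-compare routine described in the post above can be scripted. This is an added example, not the poster's own tooling; it goes beyond the plain list of names to also watch the registrant e-mail and transfer lock, and the CSV column names and sample rows are constructed assumptions about what a registrar export contains.

```python
import csv
import io

# Fields watched in addition to plain presence (column names are assumptions).
WATCHED = ("registrant_email", "transfer_lock")

# Constructed exports for two consecutive days.
YESTERDAY = """domain,registrant_email,transfer_lock
alpha.example,owner@mysite.example,on
bravo.example,owner@mysite.example,on
delta.example,owner@mysite.example,on
"""
TODAY = """domain,registrant_email,transfer_lock
alpha.example,owner@mysite.example,on
bravo.example,other@elsewhere.example,off
"""


def load(text):
    """Map each lower-cased domain name to its CSV row."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["domain"].strip().lower(): r for r in rows}


def compare(prev_text, curr_text):
    """Return (domain, finding) tuples for everything that differs."""
    prev, curr = load(prev_text), load(curr_text)
    alerts = [(d, "missing from today's export")
              for d in sorted(prev.keys() - curr.keys())]
    alerts += [(d, "new since yesterday")
               for d in sorted(curr.keys() - prev.keys())]
    for d in sorted(prev.keys() & curr.keys()):
        for field in WATCHED:
            old = (prev[d].get(field) or "").strip().lower()
            new = (curr[d].get(field) or "").strip().lower()
            if old != new:
                alerts.append((d, f"{field} changed: {old} -> {new}"))
    return alerts


if __name__ == "__main__":
    for domain, finding in compare(YESTERDAY, TODAY):
        print(f"ALERT {domain}: {finding}")
```

A changed registrant e-mail or a lock switched off shows up a day before the name itself disappears from the export, which is the window in which a transfer can still be stopped.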
It would be great if he could point to the real culprit, though.

HeDidIt.jpg
 
1
•••
@DNWon I don't think that pic is fair. Innocent until proven guilty should mean something. I'm still down $1200 at this point in time and since realizing I was sold stolen domains- I had my fair share of doubts too. But refunds have been made to a few different people- me included, Alejandro has communicated with me several times- and what he says rings true. So let's let things play out and see what happens. Imagine being in the shoes of a seller who unknowingly bought domains from a thief, sold them to a few different people and now has to face a shit storm of confused and angry owners who want their domains back, registrars that are investigating the transactions and buyers who want their money back- and they all end up getting to you because the thief is long gone. That sounds like a nightmare to me and like something that takes time to sort out. So I for one, will give the matter a little time and have faith in Alejandro because as far as I'm concerned he isn't behaving like a thief would. Just like a guy dealing with a very big mess and trying to sort it out.
 
6
•••
First off, it was a joke, but by the amount of likes it's gotten, it hasn't been a very popular one!
Not looking to offend anyone, but let's just say, he certainly hasn't run to this thread to defend himself now, has he? I think it's terrific that he is trying to pay people back for selling them stolen domains, whether he stole them or bought them stolen, trying to make things right will go a long way. But let's just say I'm always skeptical of someone whose name shows up in a wiped email chain from a victim the same day her domain gets stolen. Also when a top domain attorney says that person's account is under a fraud investigation, and then when said person suddenly completely disappears from this forum when all comes to light. Let me know when everyone gets all their domains back and every cent of their money back and I'll then give Alejandro the benefit of a doubt. Until then, I still see one of Jon Bentz's stolen domains for sale by a member of this forum, I've pointed it out but have been ignored thus far. You can continue to believe in his innocence and I won't tell you that it's unfair! But Jon Bentz or @Lola Lola whose domains were stolen probably have a different outlook than you! I hope you get all your money back!
 
2
•••
@DNWon Yeah, probably not a super funny joke in the context of this thread and when a person's reputation is on the line. Thanks for the good wishes. I agree that Alejandro should have come here and defended himself from the get go. Tell things exactly the way they happened so people could judge for themselves and if they find his account true- understand that he's making an effort to make things right. I wrote that to him today. I can't know for sure what the truth is about the situation. But when I see someone make refunds, communicate and really seem like he's going through a terrible ordeal- it seems less and less likely that he's the thief. When I read what he writes, I believe him. He sounds sincere and committed to make the situation right and refund all the buyers. As for that suspicious email- it might be a verification email he sent to the owner before a purchase while the thief had control of her email. Why would he use his real email address to send an email there if he's the thief? Seems weird to do that and also use all of his real accounts to conduct transactions. If he's a thief, he's a very bad one that didn't try to cover his tracks because everything leads back to him. Seems highly unlikely to me. The fact that stolen domains are still out there is terrible. He mentioned that he's still piecing things together to get a complete picture of the situation. I hope that this matter will be taken care of ASAP so all of the owners will get their property back.
 
3
•••
My piece of advice is to use a business email address for whois, as in

[email protected]

This way the person doing the hacking does not know who your email carrier is.
It's harder to hack a gmail account when you're using outlook :xf.laugh:

Most business email will use a carrier like google apps etc but like I said.... make it as hard as possible.

I use 2-factor with godaddy and 2-factor with my email and I monitor both every day for activity.

Not necessarily. Email headers will more than likely give away the origin server. The DKIM value will also indicate the originating server. This makes it more than likely that the malicious actor can determine the e-mail provider.
 
1
•••
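One way to check this on your own mail, as an added example that is not part of any post in the thread: send a reply from the WHOIS address to a mailbox you control, save the raw message, and list every header host that is not under your own domain. The sample message, all host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reply; every host and address is a placeholder.
SAMPLE_REPLY = """\
Received: from mail-out.mailhost.example (mail-out.mailhost.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123;
\tMon, 01 Jan 2018 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailhost.example;
\ts=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Message-ID: <12345@mail-out.mailhost.example>
From: whois@mysite.example
To: buyer@recipient.example
Subject: Re: price inquiry

Thanks for asking.
"""


def dkim_domains(msg):
    """Signing domains (d= tag) from every DKIM-Signature header."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            key, _, val = tag.strip().partition("=")
            if key.strip() == "d" and val.strip():
                found.append(val.strip().lower())
    return found


def provider_hints(raw):
    """Sorted header hosts that are not under the From address's domain."""
    msg = message_from_string(raw)
    own = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    hosts = set(dkim_domains(msg))
    for value in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", value)
        if m:
            hosts.add(m.group(1).lower())
    msgid = msg.get("Message-ID", "")
    if "@" in msgid:
        hosts.add(msgid.rsplit("@", 1)[-1].strip(" >\r\n").lower())
    return sorted(h for h in hosts if h != own and not h.endswith("." + own))


if __name__ == "__main__":
    print(provider_hints(SAMPLE_REPLY))
```

An empty result means the headers name nothing outside your own domain; any other entry is a host the recipient of that reply can read.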
Not necessarily. Email headers will more than likely give away the origin server. The DKIM value will also indicate the originating server. This makes it more than likely that the malicious actor can determine the e-mail provider.

So why would I email a hacker using that address? How does he get my headers?

For him to figure that out there would have to be some sort of inquiry and I have the option of using that address exclusively for whois.

As in.... [email protected]

Now leave it exclusively for whois, make it a different carrier and it is safe forever, cannot be hacked, nobody knows who the email carrier is.
 
0
•••
So why would I email a hacker using that address? How does he get my headers?
You wouldn't yourself. But that's where social engineering comes in. Say they create a dummy account and send a price inquiry. Would you not reply to it? And assuming you reply from that same e-mail OR even if you use a different e-mail, it is highly likely that you use the same backend provider which gives hints or confirmation to the "hacker".
 
0
•••
it is highly likely that you use the same backend provider which gives hints or confirmation to the "hacker"

Or not.... depending on how careful you are and on how valuable the domains are.

Even then Two factor would keep the culprit out.
 
1
•••
Saw one of these for sale on FB yesterday. What’s the update?
 
1
•••
Alejandro has gone missing at this point. I still have a sliver of hope that he'll do the right thing since he refunded some of the money to others and to me (I got a $120 refund for one purchase, as I mentioned earlier. Others apparently got more). His emails, when he was still communicating, seemed extremely sincere and he described a very bad situation for him and his family. That may still be the case. But he promised to return the money- and should have done it by now. If he couldn't due to financial matters- he should have communicated and explained why. Not refunding despite his promises and not communicating well, even if he's a victim too, has made things worse for the people involved. The last I heard from him was when he wrote that he expects to resume refunding around Thursday the 5th of April. No word since then. I'll update if anything changes, but at this point I'd be extremely surprised if I end up retrieving my $1200. I'll probably never know what exactly happened in this whole crazy ordeal but I hope to learn from it and avoid similar situations in the future.
 
2
•••
No updates on this? What a crappy situation
 
0
•••