Best practices for recovering the stolen domain ghh.com?

Gerard Hughes

As some may have seen on domaingang, my 19 year old personal website and email domain, ghh.com, was stolen on 4/7/17. (My registration was paid through 2021.) I'm looking for some best practices for getting it returned. I've read the interview with David Weslow on domainsherpa and have been working to get a bit of a crash course on security and domain crime.

The hacker got access to my ICANN account of record, transferred the domain to eNom, and proceeded to attempt to negotiate sales in my name using the hacked account while the domain is on a 60-day ICANN lock.

I've since recovered the email account, but getting the registrars to reverse this rather obvious case of transfer fraud is something I'm still working on. It's frustrating that ICANN, in effect, pretends to consider temporary access to, say, my car keys as proof of permanent legal title to my car. That's simply false as a matter of law. So it is surprising to me that the transfer has not been reversed already, especially given that the hacker clearly has violated their terms of service, has no legal title to the domain, cannot indemnify the registrar, and cannot show up in court to defend this fraud. So, from even just an ordinary risk management perspective, I'd have thought the receiving registrar would be eager to avoid the costs and liabilities of not returning the domain.

Does anyone have suggestions on the best way to communicate to the registrars that it will be most cost effective for them to return it without protracting the issue? Or, for that matter, the best way to communicate with the registrars? So far, the responses have been less, well, responsive, than I'd hoped.
 
•••
It's frustrating that ICANN, in effect, pretends to consider temporary access to, say, my car keys as proof of permanent legal title to my car. That's simply false as a matter of law.

But unlike circumstances which can be proven or disproven in court with reliable evidence, neither ICANN nor the registrar has any way of confirming whether or not your email was hacked.

You didn't mention the registrar from which the name was transferred. Sometimes, in high confidence situations, the original registrar will agree to indemnify the registrar to whom the domain name was transferred in the event the second registrar agrees to transfer it back.

Why?

Because sometimes people who bought a stolen name will sue their registrar if that registrar turns the name back over to the original registrar.

But from Enom's perspective here, they are getting emails from someone who is not their customer, and with whom they have no relationship, claiming the name was stolen. These kinds of things are usually more credible when Enom is hearing from someone they know at the original registrar saying that they have looked into it. So, depending on the relative status of "friendly relations" between the two registrars, this is normally best dealt with by convincing someone up the chain at your original registrar to look into it and communicate with Enom about it.

If you can drop $20k or whatever the going rate is now for these kinds of cookie-cutter claims filed in Virginia (where the .com registry is located, and where the current registrant is unlikely to show up), then it works relatively reliably. If you can show that "GHH" served the function of a trade or service mark, then the UDRP is a less expensive alternative.

This is an example of a successful UDRP "stolen name" case:

http://www.adrforum.com/domaindecisions/1623023.htm

This is an example of a misguided UDRP "stolen name" case:

http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0289

The difference between those two cases is that in the first one, the complainant was able to present some evidence that the domain name functioned as a trade or service mark. In the second one, the complainant obviously misunderstood what is needed to make out a UDRP case.

In a court action, by contrast, if the defendant doesn't show up, then the court doesn't look very deeply into the allegation that the name corresponded to a trade or service mark - and some lawyers have no problems making that allegation even where it is clearly not true.
 
•••
But unlike circumstances which can be proven or disproven in court with reliable evidence, neither ICANN nor the registrar has any way of confirming whether or not your email was hacked.

You didn't mention the registrar from which the name was transferred. Sometimes, in high confidence situations, the original registrar will agree to indemnify the registrar to whom the domain name was transferred in the event the second registrar agrees to transfer it back.

Why?

Because sometimes people who bought a stolen name will sue their registrar if that registrar turns the name back over to the original registrar.

Thank you for the informative reply. I've left some details out of my description for brevity, because it is an open forum, and because I do not wish to alienate the registrars with whom I look forward to reaching an amicable agreement.

In this case the hacker would have a rather difficult time suing the registrar because the transferred WHOIS record continued to use my name and address, and the hacker continued to attempt to negotiate sales in my name. He can't sue the registrar as Gerard Hughes. I would hope the registrar would recognize that the difference in liability weighs in my favor. I can sue, the hacker cannot, because he claims to be me.

Due to the value of the domain, a lawsuit would be a net gain for me. I hope the registrars recognize that as well.
 
•••
Suing the registrars is usually a pointless proposition anyway. They are entitled to rely on email confirmation from the authoritative contact, and their contracts generally don't provide much recourse. That's not to say that people don't try.

If the domain name is still in your name, then you may have other alternatives.
 
•••
Suing the registrars is usually a pointless proposition anyway. They are entitled to rely on email confirmation from the authoritative contact, and their contracts generally don't provide much recourse. That's not to say that people don't try.

Thanks. Why is it pointless? It sounds expensive but your earlier post suggested that unopposed cases are generally successful. And the hacker cannot show up in court, certainly not as "Gerard Hughes".

Are you talking about suing them for damages, as opposed to the return of the domain? While I could see that they might be entitled to rely on the email account as evidence of ownership such that they might not be found negligent for doing so, I would think that as a matter of law mere control of the email account is not, in fact, legal title, no more than access to my car keys is legal title to my car. Thus just because they could argue that they were reasonable to rely on the email account, that isn't sufficient reason to allow them to keep the domain, no more than a car dealer gets to keep a stolen car just because they didn't know it was stolen when they bought it.

Also, I am not a party to a contract with eNom. So I'm not understanding how their terms would be binding on me in any way.

If the domain name is still in your name, then you may have other alternatives.

Any suggestions on what those might be and how to best implement them?
 
•••
Gerard - good to see you here.

The theft of GHH.com which I shared via DomainGang, is not the first and sadly won't be the last time a domain is stolen. There are many reasons to blame ICANN and its lack of mandating a modern, secure and flawless method of locking down domains - the same way you can't buy a house without a deed.

At this point, the domain is recoverable, IMO, due to the short time frame that has lapsed since its theft. The losing registrar was Domain.com, and they are to be contacted to initiate a transfer reversal from eNom.

That being said, eNom has not been the friendliest of registrars reversing such thefts, without extensive wrangling with their legal team and the signing of waivers. Read the case of See.com.

The good news is that eNom is now part of Tucows.com, so their policies might have changed.

From my understanding, GHH.com was moved to eNom still having Gerard's contact information; the thief changed the email address only to a matching username under a different email provider.

I'm confident no lawsuit will be needed but I'd recommend consulting with an IP attorney with knowledge in domain theft matters, to draft the process and ensure timely responses are made by the registrars involved. John Berryhill who is responding in this thread is one such competent attorney.
 
•••
Any suggestions on what those might be and how to best implement them?

Some registrars have an "out of band" process for correcting domain name registrations. If you are the "registrant" of the domain name, and you can identify yourself as the named "registrant" of the domain name, then at some registrars you can submit your identification and have the registrar correct the associated email account and/or registration account to you - since you are the registrant of the domain name.

I do not maintain a continuously-updated mental database of all registrar-specific policies and procedures. So whether this type of procedure would or would not apply to your circumstances I wouldn't know off the top of my head without doing some digging.
 
•••
Gerard - good to see you here.

The theft of GHH.com which I shared via DomainGang, is not the first and sadly won't be the last time a domain is stolen. There are many reasons to blame ICANN and its lack of mandating a modern, secure and flawless method of locking down domains - the same way you can't buy a house without a deed.

Indeed. ICANN transfer rules seem to be left over from before domains were valuable. It takes more paperwork to sell a six hundred dollar car than a million dollar domain. UDRP seems like only a partial fix to a much broader problem.

At this point, the domain is recoverable, IMO, due to the short time frame that has lapsed since its theft. The losing registrar was Domain.com, and they are to be contacted to initiate a transfer reversal from eNom.

I'm confident no lawsuit will be needed but I'd recommend consulting with an IP attorney with knowledge in domain theft matters, to draft the process and ensure timely responses are made by the registrars involved. John Berryhill who is responding in this thread is one such competent attorney.

I think at this point the registrars have both finally kicked this past the reflexive, rubber stamp level and are actually working out a proper resolution. If so, I'll be delighted and I think everyone is going to be a lot better off. The clock is ticking though, so if they can't resolve this during this window of opportunity I will, reluctantly, have to bring in outside counsel. I'm willing and able to do that, but my preference is for this to never get to that stage.

Thanks for the help from the domain community on this theft. I think it has been very important to resolving this issue.

I don't have it back just yet, but at least my domain wasn't sex.com :-0 On the other hand, one of my other websites got an SQL injection hack that showed up in a scan the same day I recovered my ghh.com domain account. Coincidence? Could be. But it is the first hack that has ever shown up in scans on any of my sites.
 
•••
Some registrars have an "out of band" process for correcting domain name registrations. If you are the "registrant" of the domain name, and you can identify yourself as the named "registrant" of the domain name, then at some registrars you can submit your identification and have the registrar correct the associated email account and/or registration account to you - since you are the registrant of the domain name.

I do not maintain a continuously-updated mental database of all registrar-specific policies and procedures. So whether this type of procedure would or would not apply to your circumstances I wouldn't know off the top of my head without doing some digging.

Thanks, I'm just looking to be pointed towards some possibilities. This is useful to know. Every little bit of information helps.
 
•••
Gerard,

PM me your personal contact via PM. I have some connections with Enom and see what I can do for you.
Maybe they can freeze the name for the time being pending the investigation.

John
 
•••
Gerard,

PM me your personal contact via PM. I have some connections with Enom and see what I can do for you.
Maybe they can freeze the name for the time being pending the investigation.

John

Thanks, that is a great offer. Let me see how things are going and play it by ear from there.
 
•••
Oh, by the way, you might want to contact law enforcement:

Great article. Thanks for posting it - lots of aspects of it seem really familiar to me now.

Notably, calling the FBI did not result in him getting his domain back. Instead, after getting nowhere with the registrars, the author got his domain back by using a friend's account to buy the domain back from the hacker on the auction site the hacker posted it to, and then stopping payment.

If we did release the money to him, there was a possibility that he would take the money and run, and also a possibility that he would deliver the site as promised. It wasn't a gamble I wanted to take…but I didn't see any option. And so I authorized the wire transfer.

I spent twenty minutes sitting in front of the dummy GoDaddy account I had created to receive the domain name from the seller, waiting to see whether I was out thousands of dollars and a domain name, or just thousands of dollars.

And then it came through.

I immediately transferred the domain into a different account and placed it (and all of my other domain names) on what amounted to lockdown. And then I called the wire transfer company and placed a stop on the payment.
 
•••
I don't know how many registrars use 2-factor logins but I use Tucows and I have the authenticator app running on an old cell phone.
 
•••
I don't know how many registrars use 2-factor logins but I use Tucows and I have the authenticator app running on an old cell phone.

2F seems like a really good idea. I think ICANN rules should require all ICANN registrars to offer 2F. These days 2F really should be considered baseline security practice, as well as behavioral heuristics that flag behaviors that are outside of the norm.
 
•••
If you can drop $20k or whatever the going rate is now for these kinds of cookie-cutter claims filed in Virginia (where the .com registry is located, and where the current registrant is unlikely to show up), then it works relatively reliably. If you can show that "GHH" served the function of a trade or service mark, then the UDRP is a less expensive alternative.

This is an example of a successful UDRP "stolen name" case:

http://www.adrforum.com/domaindecisions/1623023.htm

If you go this route and end up with transfer being denied have you in any way attested to the fact that the registrant of record is in fact the owner? Could it not be argued that any future efforts to reclaim the domain are actually just attempts to steal the name from the rightful owner because you couldn't get it through a now failed UDRP?
 
•••
Then most of us here would be flagged all the time.

Heh :)

I don't think so. The behavioral analysis, as I understand it, is trained on your behavior. (I'm not a security specialist, so I'm probably using the wrong terms for this...) At its most basic it would be when you suddenly try to get into your account from Slovenia rather than your usual location in Monterey, the protections kick in. Like when your credit card company calls you to ask if you are really buying television sets in a Best Buy across the country from you. It's also like when a service notifies you about a new device logging into your account. But it can also use more sophisticated metrics as well. Clearly false positives (security alerts when it is actually you) can be an issue with heightened security monitoring, but with expensive assets that trade off becomes more and more acceptable.
 
•••
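The per-account behavioural heuristics discussed in the last few posts (a baseline of the account's usual locations and devices, with actions that move control of a domain weighted higher), worked through as an added example. This is not code from the thread, from NamePros or from any registrar; the event log, weights, thresholds and the list of "sensitive" actions are constructed for illustration. It goes slightly beyond the posts in two ways: it adds an impossible-travel check (two countries within an hour), and it includes a second account whose history already spans several countries, which is the "most of us here would be flagged all the time" case and shows why a per-account baseline does not flag a frequent traveller for travelling.

```python
"""Baseline-driven login scoring for a registrar-style account.

Added example, not from the thread or from any registrar. All events,
weights, thresholds and action names below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Actions that move or expose control of a domain (assumed list for the example).
SENSITIVE_ACTIONS = {"transfer_out", "contact_change", "auth_code_view"}
IMPOSSIBLE_TRAVEL_WINDOW = 3600  # seconds: two countries closer than this is suspect
DAY = 86400


@dataclass
class Event:
    account: str
    ts: int          # unix seconds
    country: str     # country of the source IP
    device_id: str   # cookie / fingerprint identifier
    action: str


@dataclass
class Baseline:
    """What 'normal' looks like for one account, learned from its own history."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    last_ts: int = 0
    last_country: str = ""

    def observe(self, e: Event) -> None:
        self.countries[e.country] += 1
        self.devices[e.device_id] += 1
        self.last_ts, self.last_country = e.ts, e.country


def build_baselines(history):
    baselines = defaultdict(Baseline)
    for e in sorted(history, key=lambda ev: ev.ts):
        baselines[e.account].observe(e)
    return baselines


def score_event(b: Baseline, e: Event):
    """Return (score, reasons); 0 means the event matches the account's usual pattern."""
    score, reasons = 0, []
    if e.country not in b.countries:
        score += 3
        reasons.append(f"country {e.country} never seen for this account")
    if e.device_id not in b.devices:
        score += 2
        reasons.append(f"device {e.device_id} never seen for this account")
    if (b.last_country and e.country != b.last_country
            and 0 <= e.ts - b.last_ts < IMPOSSIBLE_TRAVEL_WINDOW):
        score += 3
        reasons.append(f"{b.last_country} -> {e.country} within {IMPOSSIBLE_TRAVEL_WINDOW}s")
    if e.action in SENSITIVE_ACTIONS:
        score += 2
        reasons.append(f"sensitive action {e.action}")
    return score, reasons


def decide(score: int) -> str:
    if score >= 6:
        return "block"      # hold the action, notify the owner out of band
    if score >= 3:
        return "step_up"    # demand a second factor / re-authentication
    return "allow"


def evaluate(baselines, e: Event):
    score, reasons = score_event(baselines[e.account], e)
    return decide(score), score, reasons


# Constructed history. "owner": one country, one device, daily logins for a month.
# "traveller": logs in from several countries, so those countries are normal for it.
HISTORY = (
    [Event("owner", 1_491_000_000 + i * DAY, "US", "dev-A", "login") for i in range(30)]
    + [Event("traveller", 1_491_000_000 + i * DAY, c, "dev-T", "login")
       for i, c in enumerate(["US", "GB", "SI", "US", "DE", "SI", "GB", "US"])]
)

if __name__ == "__main__":
    base = build_baselines(HISTORY)
    last = 1_491_000_000 + 29 * DAY            # owner's most recent historical login
    probes = [
        Event("owner", last + DAY, "US", "dev-A", "login"),               # usual self
        Event("owner", last + DAY, "SI", "dev-X", "login"),               # new country + device
        Event("owner", last + DAY + 600, "SI", "dev-X", "transfer_out"),  # ... then moves the domain
        Event("owner", last + 1800, "GB", "dev-A", "login"),              # known device, impossible travel
        Event("traveller", last + DAY, "SI", "dev-T", "login"),           # normal for this account
    ]
    for p in probes:
        decision, score, reasons = evaluate(base, p)
        print(f"{p.account:9} {p.action:13} {p.country} -> {decision:8} score={score} {reasons}")
```

The baseline is deliberately per account rather than global: the same Slovenian login that is a strong signal for "owner" scores zero for "traveller". The weights put a sensitive action from an unfamiliar location and device over the block threshold, which is the transfer-out path that matters most here, while a plain login from a new place only triggers a second-factor prompt, keeping the false-positive cost down for ordinary travel.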
In this case the hacker would have a rather difficult time suing the registrar because the transferred WHOIS record continued to use my name and address, and the hacker continued to attempt to negotiate sales in my name. He can't sue the registrar as Gerard Hughes.

It seems the current controlling party of the domain is now masking the contact information with the [ Whois Guard Protection Service] ... Maybe he's reading this thread?
Good luck recovering your valuable domain
 
•••
If you go this route and end up with transfer being denied have you in any way attested to the fact that the registrant of record is in fact the owner? Could it not be argued that any future efforts to reclaim the domain are actually just attempts to steal the name from the rightful owner because you couldn't get it through a now failed UDRP?

No and no. Given that the entirety of your filing on points 2 and 3 of the UDRP is that the name was stolen, then you are not admitting the domain name rightfully belongs to the other party by filing a UDRP.
 
•••
Thanks. Why is it pointless? It sounds expensive but your earlier post suggested that unopposed cases are generally successful.

Let's try this again...

Suing the registrars is usually a pointless proposition anyway. They are entitled to rely on email confirmation from the authoritative contact, and their contracts generally don't provide much recourse. That's not to say that people don't try.

My earlier post did not suggest suing the registrars. Filing an in rem suit against the domain name in EDVA is not suing the registrars.
 
•••
Also, I am not a party to a contract with eNom. So I'm not understanding how their terms would be binding on me in any way.

What did Enom do?

Did they steal your domain name?

No. They followed the rules they are required to follow for an inbound domain transfer. So, let me see if I can make this clearer:

Suing the registrars is usually a pointless proposition anyway. They are entitled to rely on email confirmation from the authoritative contact (i.e. the gaining registrar), and their contracts generally don't provide much recourse (i.e. the losing registrar). That's not to say that people don't try.

But if you sue Enom for stealing your domain name, then it's not going to be a default, and I can pretty much guess the one thing that Enom is going to resist doing if they are sued.
 
•••
Let's try this again...

Suing the registrars is usually a pointless proposition anyway. They are entitled to rely on email confirmation from the authoritative contact, and their contracts generally don't provide much recourse. That's not to say that people don't try.

My earlier post did not suggest suing the registrars. Filing an in rem suit against the domain name in EDVA is not suing the registrars.

Thanks for the clarification. As a non-lawyer, in rem suits are a bit alien to me.
 
•••
No and no. Given that the entirety of your filing on points 2 and 3 of the UDRP is that the name was stolen, then you are not admitting the domain name rightfully belongs to the other party by filing a UDRP.

The transfer seems primarily based on the lack of response from the respondent more than anything. If the respondent had merely replied with "I'm the registrant of record and I own a three letter .com because I think it's valuable and was within my rights," I don't see how he would have lost the domain. It's not for the panelists to ascertain rights of ownership outside of points 1, 2, 3.

I find it shocking that part 1 can be almost removed from the criteria:

"the domain name registered by Respondent is identical or confusingly similar ..."

The argument that it was "registered" (i.e. not registered) seems to be to make this an instance denial of award. The registrant's email is the owner regardless of how it got there from a UDRP perspective.

That said, I'm answering my own question above - the UDRP is not determining the ownership rights outside of the three criteria they have to consider... but now I also think if you deny the complainant has ownership of the name I don't see how the UDRP can be applied in the first place.

Also
"This means Respondent cannot have acquired any rights to the domain name (or a similar trademark) merely by registering the domain name."

Wow. If you are under privacy you cannot acquire any rights to a domain name? That's nuts.
 
•••
"This means Respondent cannot have acquired any [Trademark] rights to the domain name (or a similar trademark) merely by registering the domain name."

I fixed the quote for the missing word that is implied. It has nothing to do with whois privacy because you acquire trademark rights by using the domain so you don't actually have to be the listed owner in whois. There is a FAQ at the US patent and trademark office about domain names and trademarks.

As a side note, there are some complex discussions about whether the Anti-Cybersquatting Protection Act fits under the Lanham Act because it discusses domain registration rather than trademarks and use in commerce. From what I understand you can be sued under the ACPA because of domain registrations, but a domain registrant generally needs a trademark to be able to sue someone else.
 