security Domain crime: Abdullah.com and ASAD.com are stolen domains

The views expressed on this page by users and staff are their own, not those of NamePros.
I asked for payment on delivery with a transfer to be done away from the Russian registrar. The seller said no problem and I thought it was a bit odd, but since he answered the whois email I didn't suspect anything... Then yesterday @wwwweb alerted me that he called the previous owner and that the domain was stolen.

If the transfer would be completed I would have returned the domain name to the previous owner but it wasn't completed yet and was cancelled yesterday. I guess that Netsol must have got the domain back. So everything turned out well here, I didn't lose any money, the thief didn't get any money and the rightful owner will get his domains back.
 
25
•••
We restricted the seller's account yesterday and removed their marketplace access before the auction ended and alerted everyone about it.

The post is here: https://www.namepros.com/posts/5329609/
 
19
•••
Most major marketplaces have WHOIS verification, but that doesn't help with stolen domains, because the WHOIS information is the thief's details by that point.

Making all new members suffer and not be able to list domains because of a few bad apples is more of a problem than a solution, and it will not prevent the sale of stolen domains.

Domain theft and resale is increasing, and it is affecting the major domain marketplaces. There's a good chance that a lot more of it goes unnoticed at other marketplaces because they handle it quietly (delete the sales listings) unlike here where everything is public information and can be referenced.

The best solution is for everyone to do their due diligence and please report anything suspicious. As you can see, we act as quickly as possible when it's brought to our attention and we shut it down.
 
9
•••
The best solution is for everyone to do their due diligence and please report anything suspicious. As you can see, we act as quickly as possible when it's brought to our attention and we shut it down.
Also, trust your gut and say something if there's any alarm bells. When I first saw the thread for Abdullah.com I immediately heard those bells in my head. I hear them all the time anyway, along with the chipmunk voices, my therapist says ignore them, but never mind that for the moment, I'm just sayin'.

I saw the sales line for Abdullah in the 'auctions' area; first bell. I thought 'why would an owner of a premium domain be trying to auction it in the auctions instead of the top domains?' My first suspicion was he was maybe afraid of the vetting process of the top domains area, that it might reveal something he didn't want revealed.

Then there was the price: BIN of $5K. Second bell. I broker premiums for a good friend of mine, one of the original domain pioneers, and I have a good knowledge of values. 5k bin for this was a big red flag. Like if you're selling a luxury mansion in Malibu but you're only asking $500k for it. Something's wrong. Not that it's a million dollar name, but 5K even reseller price is far too low. He could have left himself a much higher BIN ceiling for this name. BIN it at $25K, and even if the bids stop at 5K, whatever. With that BIN, my thought was he wanted a really quick sale and was willing to sell unrealistically low in exchange for a speedy sale. Suspicious, even theoretically considering it might be a seller desperately needing cash.

There were a handful more alarm bells about other things, interspersed with the chipmunks singing, but it was more than that: each individual thing could have been explained and rationalized... but my gut just said 'nope, no way' to the entire way he did it. I listened to my gut, and without doing any research vis-a-vis seeing if the domain was stolen, I figured I'd interrupt that thread and mention my concern. I'm glad I did.

I think the other members bidding there probably had their suspicions, too, and I expect even if I hadn't said something that someone else would soon put the kibosh on it. But sometimes... you get caught up in wanting that too-good-to-be-true price for a premium, and you just bid and do only surface due diligence and hope it's legit, and things progress a little further than they should. I'll tell you how much my gut was telling me it was bogus: if I'd thought it was legit, I or my buddy would have pulled the trigger and bought it at BIN in a second, bypassing all the bidders. I'd have thought 5K for this one was a steal. - Turns out, it was ;)

My point is: I'll bet everyone in that thread, and looking at it, had some part of their instinct saying 'no way, this is too good to be true'. It's a good lesson to listen very clearly to that little nagging feeling breathing over your shoulder. I know you don't have the added benefit of chipmunks helping you, so you'll just have to struggle through it on your lonesome.

Best wishes to the legit owner of both these stolen domains, hope he somehow gets them returned in a not-too-painful process. Would be nice to be kept updated here.
 
9
•••
We restricted the seller's account yesterday and removed their marketplace access before the auction ended and alerted everyone about it.

The post is here: https://www.namepros.com/posts/5329609/

What about his first one, that one ended - https://www.namepros.com/threads/sold.917594/

"It’s the second time in as many days that premium, stolen domain names have been peddled for sale by Russian cybercriminals on NamePros."

It's been suggested by many people, and if you polled the members here, I think they would be fine with some sort of selling restrictions on newbies. Or some sort of steps/verification before they were allowed to sell here. A new member selling that type of name in a forum should have raised some flags.
 
8
•••
Not cool to involve @DAN.COM
it’s a six year thread man.
Maybe it got resolved, maybe it didn't.
But now Dan is obligated to reply,
for a thread made in 2016.

What's not cool is your attempt to obstruct/hinder/damper/troll investigations, or make light of those wanting to hold others accountable. Maybe too much radical far right Trumpanigans are starting to wear off on you? I mean, you don't think @DAN.COM needs to be made aware of these risks/concerns?


Well, now let’s solve this then.

Summary/Update based on public info

According to DomainIQ

ASAD.com

Since at least 2003 to 2015 the domain belonged to Abdullah Jafari of Texas, last using a @yahoo.com email address regged @ NetSol.

A January 2016 historical WHOIS entry shows ASAD.com moved to reg.ru <IANA 1606> possibly <2015-12-17T01:16:34Z> to email address [email protected] to a Sergey Kokarev.

It was listed on a NamePros auction that ended February 2016 with the winning bidder @venturefile.com. To wit, @venturefile.com responded on page one of this thread. <<anybody just jumping in, please read full thread>>

In the February nP Abdullah.com auction @wwwweb commented

upload_2021-5-20_17-49-56.png


@Eric Lyon closed the Abdullah.com auction shortly after.

upload_2021-5-20_17-52-43.png



Later in 2016, ASAD.com moved to <IANA 1418> EvoPlus LTD
At some point registrar <IANA 1418> EvoPlus becomes registrar Danesco Trading Ltd.
In 2018 privacy is removed, nameservers are changed from <DOMAINPARKING.RU to SEDOPARKING.COM> and reveal <Ilia Krukover and [email protected] as the registrant>. A 2018 Archive.org entry shows the Sedo parked page used <as-drid-2193629928210616>.

Similar history for Abdullah.com

Since at least 2008 to 2015 the domain belonged to Abdullah Jafari of Texas, last using a @yahoo.com email address regged @ NetSol.

A January 2016 historical WHOIS entry shows Abdullah.com moved to reg.ru <IANA 1606> possibly <2015-12-17T01:16:34Z which matches exactly with asad.com> to email address [email protected] to a Sergey Kokarev.

It was listed on a NamePros auction that ended February 2016 when mods closed the thread and restricted the account after confirming the name stolen via telephone with the owner.

Later in 2016, Abdullah.com moved to <IANA 1418> EvoPlus LTD
At some point registrar <IANA 1418> EvoPlus becomes registrar Danesco Trading Ltd.
In 2018 privacy is removed, nameservers are changed from <DOMAINPARKING.RU to SEDOPARKING.COM> and reveal <Ilia Krukover and [email protected] as the registrant>. A 2018 Archive.org entry shows the Sedo parked page used <as-drid-2193629928210616>.

////////////

I have no idea how [email protected] came about to own these domains. Nor am I implying that Ilia was/is the thief/hacker, as this registrant could have purchased after the theft, and it's unknown how many times the domain may have changed hands after theft. Nonetheless, I think it's worth noting that Ilia Krukover is currently listed as the registrant of some other domains that were reported as possibly stolen when a cache of stolen domains was uncovered by @TheLegendaryJP in this 2016 nP thread and by @Acroplex in a 2017 DomainGang report.

VXL.com STOLEN?
upload_2021-5-20_18-28-54.png


ETTI.com STOLEN?
upload_2021-5-20_18-30-14.png


,,,,

Additionally, Ilia Krukover is listed as the current registrant for GR.org, a domain which @Acroplex reported as stolen in an August 2017 stolen domain report.

GR.org – The domain has been under the control of Russian domain thief, Stanislav Khramov for several years. It has been offered for sale on various venues where it has been blocked.

upload_2021-5-20_20-0-29.png


GR.org, like VXL.com and Etti.com, passed through the control of Stanislav Khramov, and all domains mentioned look to have used a yahoo email address prior to theft.
 
6
•••
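An added example, not part of any member's post: the WHOIS-history pattern the summary above walks through (a registrar move and a registrant change landing together, with a matching update timestamp on more than one domain) expressed as a check. The domains, IANA IDs and e-mail addresses are constructed placeholders, and the tuple layout is an assumption rather than any WHOIS-history provider's format.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse a WHOIS-style UTC timestamp such as 2015-12-01T04:05:06Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed snapshots: (seen, registrar IANA ID, registrant email, updated date).
# Every value here is a placeholder, not a record from the thread.
HISTORY = {
    "alpha.example": [
        ("2015-06-01T00:00:00Z", 9000, "owner@mail.example", "2014-03-02T10:00:00Z"),
        ("2016-01-05T00:00:00Z", 9001, "seller@other.example", "2015-12-01T04:05:06Z"),
    ],
    "bravo.example": [
        ("2015-07-11T00:00:00Z", 9000, "owner@mail.example", "2013-09-20T08:30:00Z"),
        ("2016-01-06T00:00:00Z", 9001, "seller@other.example", "2015-12-01T04:05:06Z"),
    ],
    "charlie.example": [  # registrar move only, same registrant: not flagged
        ("2015-05-01T00:00:00Z", 9000, "corp@firm.example", "2015-01-01T00:00:00Z"),
        ("2016-02-01T00:00:00Z", 9002, "corp@firm.example", "2016-01-20T12:00:00Z"),
    ],
    "delta.example": [  # flagged, but unrelated in time and registrar
        ("2015-04-01T00:00:00Z", 9003, "a@one.example", "2015-02-01T00:00:00Z"),
        ("2016-03-01T00:00:00Z", 9002, "b@two.example", "2016-02-14T09:00:00Z"),
    ],
}

def takeover_events(history):
    """Flag snapshot pairs where registrar AND registrant changed together."""
    events = []
    for domain, snaps in history.items():
        snaps = sorted(snaps, key=lambda s: ts(s[0]))
        for (_, old_reg, old_mail, _), (_, new_reg, new_mail, updated) in zip(snaps, snaps[1:]):
            if old_reg != new_reg and old_mail.lower() != new_mail.lower():
                events.append({"domain": domain, "to": new_reg, "updated": ts(updated)})
    return events

def shared_transfer_clusters(events, window_seconds=300):
    """Group flagged domains that reached the same registrar within the window."""
    groups, current = [], []
    for e in sorted(events, key=lambda e: (e["to"], e["updated"])):
        if current and (e["to"] != current[-1]["to"] or
                (e["updated"] - current[-1]["updated"]).total_seconds() > window_seconds):
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [sorted(x["domain"] for x in g) for g in groups if len(g) > 1]

if __name__ == "__main__":
    flagged = takeover_events(HISTORY)
    print(sorted(e["domain"] for e in flagged))
    print(shared_transfer_clusters(flagged))
```

A flag here is a reason to contact the previous registrant before bidding, not proof of theft: a legitimate sale also changes registrar and registrant together.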
P.S. Thank you Eric for once again being Johnny-on-the-spot, making some phone calls, and revealing the theft.

Once again, Namepros wins against the evildoers! The feds should be hiring us to flush out any hiding terrorists. However, knowing how they operate, instead I expect my use of the word 'terrorist' here (twice now!) has been flagged by their computers. As we speak a find-and-grab team has been dispatched and soon I'll have a bunch of black-suited sunglass-wearing guys smashing through my door yelling and taking me down.

Hang on, there's the doorbell. If I don't post anymore, tell Eric to start making some calls. I hope he's as good at finding a stolen domainer as he is at stolen domains.
 
5
•••
Not cool to involve @DAN.COM
it’s a six year thread man.
Maybe it got resolved, maybe it didn't.
But now Dan is obligated to reply,
for a thread made in 2016.

I guess this is a way of asking for a 6 year update?!!
want to know too, suspicious if sale, wouldn't buy
It's not resolved. I've spoken to the owner; he said both domains are still stolen and he is working with a lawyer to get them back.

I offered help several times but he wasn't interested
 
5
•••
It's not resolved. I've spoken to the owner; he said both domains are still stolen and he is working with a lawyer to get them back.

I offered help several times but he wasn't interested

The domains were deleted from our marketplace as soon as we received and validated that the domains might still not have been recovered by the original owner.
 
5
•••
The domains were deleted from our marketplace as soon as we received and validated that the domains might still not have been recovered by the original owner.
Thanks to Laszlo of DAN for responding to my report and taking a prompt action 👍🏼

Professional as always @DAN.COM
 
5
•••
That's up to @venturefile.com to share details about.

I think they would be fine with some sort of selling restrictions on newbies.
Another solution could be to choose not to bid on auctions by new members, if they'd like. From what we've seen with auctions, though, many members still want to bid on auctions by new members, because most new members are legitimate.

The scammers are a minority.
 
4
•••
I've confirmed with the owner of Jada.com that his domain was stolen. He's working with Network Solutions to get it back.
 
4
•••
6 years later and the domains are still offered for sale at Dan.com
 
4
•••
A minority are scammers is like saying a minority are killers.
You will get the short end of the stick in any event running across such people.

I agree with JBL that new members wanting to sell domains need some restrictions to avoid being scammed by that minority.
 
3
•••
Let's focus on security vs. what makes a registrar great, or this will turn into a biased analysis of one's preferred registrar.

Personally, I have not lost a single domain other than with Network Solutions, and that was in 2000.

I use GoDaddy, Uniregistry, eNom, Fabulous and Name.com. Because I follow simple instructions for securing my domain accounts, such as two-factor authentication, I can support my analysis of the domain theft issue. No interface that makes domain management easy can ensure security, which boils down to how one uses the registrar's additional layers of security and user practices that utilize them.

Domain monitoring is the byproduct of security. With all that in mind, does Namespro.ca offer two-factor authentication? That's what matters when it comes down to security these days.
 
3
•••
Wow. People. Lock up your domains with 2FA and don't click links in email.

Asad.com was just auctioned off here at NP I think
I'm pretty sure I ran across abdullah.com up for auction here too
 
2
•••
6 years later and the domains are still offered for sale at Dan.com

Not cool to involve @DAN.COM
it’s a six year thread man.
Maybe it got resolved, maybe it didn't.
But now Dan is obligated to reply,
for a thread made in 2016.

I guess this is a way of asking for a 6 year update?!!
want to know too, suspicious if sale, wouldn't buy
 
2
•••
Wow. People. Lock up your domains with 2FA and don't click links in email.

Asad.com was just auctioned off here at NP I think
 
1
•••
@wwwweb great service you did there. Kudos. :)
 
1
•••
That's up to @venturefile.com to share details about.


Another solution could be to choose not to bid on auctions by new members, if they'd like. From what we've seen with auctions, though, many members still want to bid on auctions by new members, because most new members are legitimate.

The scammers are a minority.

I don't know if that's actually true, hence the suggestion of a poll if you really want to know for sure. In the suggestion thread somebody posted:

"Lock new members out of having their own auctions until they pass a multiple choice test about the auction rules."

That got 5 likes, actually I guess that's just talking rules.

And it doesn't stop the many members who want to bid on auctions by new members, they'll just know they've been vetted. Based on other threads, I think NP wanted more self moderation, hands off approach. Of course, a newbie, selling great domains, in a forum auction format, is a 3 (red) flagger, so bidders should have figured that one out. When I read the blog post mentioned above, I was thinking, does NP want to become known as the place where you can peddle stolen domains? Eh, never mind.
 
1
•••
Most major marketplaces have WHOIS verification, but that doesn't help with stolen domains, because the WHOIS information is the thief's details by that point.

Making all new members suffer and not be able to list domains because of a few bad apples is more of a problem than a solution, and it will not prevent the sale of stolen domains.

Domain theft and resale is increasing, and it is affecting the major domain marketplaces. There's a good chance that a lot more of it goes unnoticed at other marketplaces because they handle it quietly (delete the sales listings) unlike here where everything is public information and can be referenced.

The best solution is for everyone to do their due diligence and please report anything suspicious. As you can see, we act as quickly as possible when it's brought to our attention and we shut it down.

Well, it may sound weird, but maybe better to be auctioned a stolen domain on the NP than anywhere else, because it's the best chance that the scammer will be caught here than elsewhere, without anyone losing money.
 
1
•••
Good to know. Some new members seem to be creating problems but a scammer will always be a scammer even if you have rules to prevent them from selling or buying the minute they sign up.
 
1
•••
I would like to see in all the titles of stolen domains WHERE they were stolen from. Is there a Pattern of lack of Security?

Lack of security as it applies to the Registrar? That was true with Moniker a year ago when they were targeted and dozens of domains were moved out.

It might be also true with eNom, when a particular issue led to a few domains being stolen without a password needed.

It is not true about GoDaddy, despite a large number of domain thefts occurring there. As the biggest domain registrar, GoDaddy is being targeted by phishing emails. In other words, the registrant is being social-engineered into surrendering their username/password, but that's not a security issue per se.

Enable two-factor authentication at GoDaddy and anywhere else that it's available.
 
1
•••