
ESE.com hijacked at Moniker


alldig

On August 20th a person named "j p" ( [email protected] ) contacted me via email and I agreed to sell him ese.com for 33k via Sedo.

On September 2nd we entered into an agreement on Sedo at US $33,000.

On September 4th I received the following email from [email protected] :

Dear Mr. Ambrose,

Now that the buyer has made payment into Our escrow account you can push the ese.com domain
into our Moniker account and finish your part of this transfer.

Please log into your Moniker account, Go to your Domain management ,Click on Push Button

And Do The Push with following information:

Account number: 77514
Authorization Code: FFC97F476A
Email: [email protected]
domain name: ese.com

As soon as the domain is in our Moniker account, we will be able to process
your payment.

Now would be a good time to ensure that your payment information with Sedo is
accurate. Please click on the following link:

http://www.sedo.com/member/bankdata.php4

and login to your Sedo account, in order to verify your information.

Should you have any questions or difficulties with this step please let us
know.

Best regards,

Colin Finnan
Domain-Transfers
--
Sedo GmbH :: Im Mediapark 6 ::50670 Cologne (Germany)
tel +49 221.34030.188 :: fax +49 221.34030.109
http://www.sedo.com :: mailto: [email protected]

District Court of Cologne HRB 35019
Board of Management: Tim Schumacher, Ulrich Priesner, Marius W?

Confidentiality Statement:
This e-mail, including attachments, may include confidential and/or proprietary
information, and may be used only by the person or entity to which it is
addressed. If the reader of this e-mail is not the intended recipient or his or
her authorized agent, the reader is hereby notified that any dissemination,
distribution or copying of this e-mail is prohibited. If you have received this
e-mail in error, please notify the sender by replying to this message and
delete this e-mail immediately.

I pushed ese.com to the Moniker account listed in the email shortly after.

On September 5th I received the following email from [email protected] :

hi
it this your domain ese.com?
i wan't to buy this domain from some one ....
i think he is hacked this domain ......
im waiting your response

thanks

Just a few hours ago I received a phone call from Martin Osusky of Sedo notifying me that the email that was sent on September 4th from [email protected] was a spoof email and that I had pushed ese.com to the hijacker's Moniker account. Luckily Martin caught this early on and he has already contacted Moniker. The domain was on ACTIVE status but about 30 minutes ago it was changed to REGISTRAR LOCK.
 
•••
Spoofing emails, that is something new. I would have thought that companies as big as Sedo and Moniker would have implemented SPF records to authenticate incoming and outgoing servers.
 
0
•••
Thanks for the warning...

A close call for you though

Cheers
Corey
 
0
•••
Here is the email header from the spoof email on Sept 4th:

Return-Path: <[email protected]>
Received: from smtp6.hushmail.com (smtp6.hushmail.com [65.39.178.137])
by imap9.hushmail.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4) with LMTPA;
Thu, 04 Sep 2008 16:06:54 +0000
X-Sieve: CMU Sieve 2.2
Received: from tmz.tmzhosting.com (2a.88.5546.static.theplanet.com [70.85.136.42])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by smtp6.hushmail.com (Postfix) with ESMTP
for <[email protected]>; Thu, 4 Sep 2008 16:06:52 +0000 (UTC)
Received: from pejudgem by tmz.tmzhosting.com with local (Exim 4.69)
(envelope-from <[email protected]>)
id 1KbFih-00039Q-1s; Thu, 04 Sep 2008 09:21:59 -0500
To: [email protected]
Subject: Transfer of ese.com
X-PHP-Script: www.foolex.com/fake/ese/email.php for 91.98.154.140
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To:<[email protected]>
Mime-Version: 1.0
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
Date: Thu, 04 Sep 2008 09:21:59 -0500
X-TmzHosting-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: 1KbFih-00039Q-1s
X-TmzHosting-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-TmzHosting-MailScanner-SpamCheck:
X-TmzHosting-MailScanner-From: [email protected]
X-Spam-Status: No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tmz.tmzhosting.com
X-AntiAbuse: Original Domain - domainhighway.com
X-AntiAbuse: Originator/Caller UID/GID - [32209 32212] / [47 12]
X-AntiAbuse: Sender Address Domain - tmz.tmzhosting.com

It looks like the guy used www.foolex.com/fake/ese/email.php to generate/send the email. If you click on that link the same exact email that I received on Sept 4th will be sent to [email protected]
 
0
•••
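The header traits pointed out in the post above (an envelope sender on an unrelated host, an `X-PHP-Script` header, and a first hop submitted "with local" on a web host) can be checked mechanically. This is an added example, not part of the original thread; the sample message, all addresses and hostnames in it, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header layout in the post above.
# Every address, hostname and IP is a placeholder, not a value from the thread.
SAMPLE = """\
Return-Path: <webuser@shared-host.example>
Received: from shared-host.example (shared-host.example [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP; Thu, 4 Sep 2008 16:06:52 +0000
Received: from webuser by shared-host.example with local (Exim 4.69)
\t(envelope-from <webuser@shared-host.example>); Thu, 04 Sep 2008 09:21:59 -0500
To: seller@recipient.example
Subject: Transfer of example-domain.test
X-PHP-Script: www.script-host.example/fake/email.php for 198.51.100.7
From: "transfers@marketplace.example" <transfers@marketplace.example>
Reply-To: "transfers@marketplace.example" <transfers@marketplace.example>

Please push the domain to the account below.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def spoof_indicators(raw):
    """Return (code, detail) pairs for header traits that merit manual review."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    found = []
    for header, code in (("Return-Path", "envelope-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        dom = domain_of(msg[header])
        if dom and not related(dom, claimed):
            found.append((code, f"{header} domain {dom} vs From domain {claimed}"))
    script = (msg["X-PHP-Script"] or "").split()
    if script:
        # Header seen in the post: it names the script that sent the mail
        found.append(("web-script", script[0]))
    hops = msg.get_all("Received") or []
    if hops:
        # The last Received header in the message is the earliest hop
        m = re.search(r"\bby (\S+) with local\b", " ".join(hops[-1].split()))
        if m and not related(m.group(1).lower(), claimed):
            found.append(("local-submission", m.group(1)))
    return found

if __name__ == "__main__":
    for code, detail in spoof_indicators(SAMPLE):
        print(f"{code}: {detail}")
```

These are triage heuristics: bulk-mail services and mailing lists also produce envelope mismatches, so a hit means "verify through the marketplace account before acting", not proof of forgery.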
0
•••
Wow, that is appalling, it is amazing what lengths people go to to scam domains. I can only guess that he was going to flip it quick for $10,000 or so and run off with the loot, leaving a trail of destruction in his wake.
Somebody should contact the other list of targets and warn them, if they have not already.
 
0
•••
maxeaus said:
Wow, that is appalling, it is amazing what lengths people go to to scam domains. I can only guess that he was going to flip it quick for $10,000 or so and run off with the loot, leaving a trail of destruction in his wake.
Somebody should contact the other list of targets and warn them, if they have not already.

My friend, Kevin Ohashi, has contacted everyone on the list and Martin from Sedo is canceling any transactions for those target domains that may be pending. Moniker is running an investigation and the domain is expected to be returned to my account by Tuesday at the latest.
 
0
•••
alldig said:
My friend, Kevin Ohashi, has contacted everyone on the list and Martin from Sedo is canceling any transactions for those target domains that may be pending. Moniker is running an investigation and the domain is expected to be returned to my account by Tuesday at the latest.

At least this appears to have a happy ending on the horizon.
It's good to hear that Moniker was not reluctant to get involved.

Thank you for posting this.
Hopefully this serves as a warning for others.
Be vigilant. Double check, triple check.
Check directly via the site to confirm all correspondence and do not rely
on e-mails only when there is much at stake.
.
 
0
•••
To our valued Sedo customers,

With immediate effect we have updated our communication protocols used for domain purchases and sales. All correspondence related to a transaction will be made directly through the respective Sedo accounts. Emails will only be sent to indicate that there is an update and that the customer should refer to their account for the relevant information.

As well as automated processes, our customers have a dedicated transfer agent to ensure a safe and expeditious transaction for all parties. You will of course still be able to contact your agent directly by phone and email.

Sedo is committed to ensuring the highest possible security and we encourage you to contact us with any issues, by emailing [email protected]

-Stephanie
 
0
•••
Holy cow, that means Sedo is at risk from people using their domain emails, that is a big threat to Sedo imo. Good luck getting your awesome domain back, all the best!
 
0
•••
ese.com has been pushed back to my Moniker account. Thanks again to Martin Osusky of Sedo and Monte Cahn of Moniker for resolving this issue in a prompt manner. Hopefully due to Sedo's new security measures this will never happen again.
 
0
•••
Be glad you were dealing with Moniker, which has always been thoroughly professional when I've had dealings with them. (Won't use anyone else, personally, if I can avoid it.) Glad you got it taken care of, what a nightmare.

ripley.
 
0
•••
Good to see a happy ending to this and the quick actions taken by all parties involved.
 
0
•••