Possibly Stolen Domains/Compromised Account: Night.com + more...

Status
Not open for further replies.

Chris Hydrick

Hey everyone,

I'm creating this thread in response to today's suspicious auction of Night.com (registered at Network Solutions)

https://www.namepros.com/threads/night-com-with-its-email-25-years-old.1241403/

The seller <@domainfor yo> listed Night.com in a 48 hour auction. Member @Freshnam bid $3,000, and shortly after (well before the 48 hour mark) the seller said SOLD, despite mods/members asking for further verification.

Night.com, and the other below domains were listed with [email protected] as the WHOIS registrant for many years. Then, according to a December 28th, 2020 Historical WHOIS entry, the registrant email had changed to:

upload_2021-6-5_20-56-32.png


Please note, the new email in WHOIS shows the ii's capitalized, almost to mimic the LL's.

That domain <MattToiie.com> was created on June 12th, 2020 at NameCheap. Tagging NameCheap rep @tamar for fraud investigation.

The domain <MattToLLe.com> was created on November 27th, 2019, and is registered at GoDaddy until 2024. Tagging GoDaddy reps @Joe Styler and @Paul Nicks to keep GoDaddy in the loop.

upload_2021-6-5_21-4-42.png


You will notice a pattern with other domains once belonging to [email protected], go to [email protected] and DNS@MattToiie.com

Xenu.com
upload_2021-6-5_21-6-23.png



<<<>>>

UnHoly.com went from [email protected] to [email protected] possibly on or around: 2019-02-21T20:59:02Z

upload_2021-6-5_21-11-2.png


From Whoxy
upload_2021-6-5_21-28-56.png


<<<>>>

UnDead.com at NetSol

upload_2021-6-5_21-12-6.png


From Whoxy regarding UnDead.com
upload_2021-6-5_21-25-55.png


<<<>>>

Skaven.com seems to have retained the [email protected] email address. Registered at NetSol

upload_2021-6-5_21-14-31.png


<<<>>

ToiletTools.com and LossGain.com are still at GoDaddy. Might be compromised if the Night.com seller is not the actual Matt ToLLe. @Joe Styler @Paul Nicks

upload_2021-6-5_21-19-30.png


<<>>

Fly-By-The-Night.com at NetSol

upload_2021-6-5_21-21-20.png
 
•••
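A defensive check for the pattern described in the post above, as an added example that is not part of the original thread: it compares consecutive WHOIS snapshots and flags a registrant email domain that changes to a look-alike of the previous one. The snapshots, their dates, the EXAMPLE.COM name and the address local parts are constructed; only the two look-alike domain names come from the thread.

```python
import re

# Characters that are easily confused in rendered WHOIS output, folded to one
# canonical form. Upper-case "I" versus lower-case "l" is the pair seen here.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})
FIELD = re.compile(r"^\s*([A-Za-z /]+):\s*(.*)$")


def _snap(date, email):  # constructed record in the registrar WHOIS layout
    return f"Domain Name: EXAMPLE.COM\nUpdated Date: {date}\nRegistrant Email: {email}"


SNAPSHOTS = [  # constructed history, oldest first
    _snap("2019-01-01T00:00:00Z", "owner@MattToLLe.com"),
    _snap("2020-01-01T00:00:00Z", "owner@MattToIIe.com"),
    _snap("2021-01-01T00:00:00Z", "owner@example.net"),
]


def parse_whois(text):
    """Return the fields of a registrar WHOIS record as a dict (first value wins)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields


def skeleton(domain):
    """Fold case and confusable characters so look-alike domains compare equal."""
    return domain.lower().translate(CONFUSABLE)


def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def review_history(snapshots):
    """Classify every registrant email domain change between consecutive snapshots."""
    findings = []
    records = [parse_whois(s) for s in snapshots]
    for old, new in zip(records, records[1:]):
        a = email_domain(old["Registrant Email"])
        b = email_domain(new["Registrant Email"])
        if a == b:
            continue
        kind = "lookalike" if skeleton(a) == skeleton(b) else "changed"
        findings.append((new["Domain Name"], new["Updated Date"], a, b, kind))
    return findings
```

A "lookalike" finding deserves an out-of-band check with the previous registrant before any sale or transfer proceeds; a plain "changed" finding is only a prompt to look at the record.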
Also, unknowing all the details here, or unknowing how long Night.com and by proxy the [email protected] email address may have been compromised, I will note two other domains previously connected to the [email protected] email address:

Myip.com looks to have been dealt through escrow.com (tagging @Escrow.com Support) in September, 2017.

upload_2021-6-5_21-36-17.png

upload_2021-6-5_21-42-44.png


And Risc.com went into privacy on or around: 2016-02-08T15:28:07Z

upload_2021-6-5_21-38-40.png

upload_2021-6-5_21-40-29.png
 
•••
In April 2014, Night.com is parked via domainRegistrant' : 'as-drid-2543182202899771',

view-source:http://web.archive.org/web/20140412200435/http://www.night.com:80/

... Again, unknowing what's going on, and purely speculating on the side of caution, as myip.com looks to have sold via Escrow.com in 2017, and unknowing of the status of the long time registrant of these great domains <aka Up at Night Productions> until we receive notice from the registrant, or other official word, it's unknowing if and/or how long these domains may have been compromised.
 
•••
Thanks @Grilled.

i’m following this thread.

Samer
 
•••
Skaven.com seems to have retained the [email protected] email address. registered at NetSol

upload_2021-6-5_21-14-31-png.192199

Correction... WHOIS at DomainIQ wasn't updated for Skaven.com.

Skaven.com didn't retain [email protected] as initially posted. Skaven.com is showing [email protected]

According to NetworkSolutions WHOIS:

Code:
Domain Name: SKAVEN.COM
Registry Domain ID: 3529503_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2020-06-06T06:51:40Z
Creation Date: 1995-08-06T04:00:00Z
Registrar Registration Expiration Date: 2023-08-05T04:00:00Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Up at Night Productions, LLC
Registrant Organization: Up at Night Productions, LLC
Registrant Street: PO BOX 1166
Registrant City: HIGLEY
Registrant State/Province: AZ
Registrant Postal Code: 85236-1166
Registrant Country: US
Registrant Phone: +1.8573232552
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Tolle, Matthew
Admin Organization: Up At Night Productions, LLC
Admin Street: PO BOX 1166
Admin City: HIGLEY
Admin State/Province: AZ
Admin Postal Code: 85236-1166
Admin Country: US
Admin Phone: +1.8573232552
 
•••
Thanks for the post Grilled. I had multiple posts in the initial thread that were deleted.

It is obviously a scam. No one who has owned Night.com for 25 years is offering it for sale for $3K on NamePros. It would take no effort to get six figures for a domain like this.

There are so many red flags it is hard to list them all.

Brad
 
•••
Thanks for the post Grilled. I had multiple posts in the initial thread that were deleted.

No problem, happy to help.

I saw your posts, and was in the process of researching thanks to yours and others' comments. Unfortunately, in the hundreds of tabs I have open, I don't have any from that thread available that I could copy and paste here.

We all know we can't post in sales threads, and that even with all the right intentions, and balancing the cost of sounding the alarm vs. breaking an nP rule, having posts deleted from sales threads is a risk we take when posting there, and an extra task for the mods to moderate with fairness. Maybe in the future the mods can moderate with a little more focus on security, and I mean no disrespect by that. I just mean @bmugford's comments, and others deleted, were necessary for sounding the alarm, albeit they began to clutter the thread, as trolling commenced. A tough deletion line had/has to be drawn somewhere.

Nonetheless, and I can't stress this enough: if you value your posts, and foresee yourself feeling slighted or offended if your comments (or citable resources such as namejet auction logs) possibly get deleted, either (a) take preventive measures by archiving the link/comment/source to archive.li <https://archive.li/4qewt> OR save the page locally to your device, OR (b) just message a mod team requesting a copy of the deleted post, as it may have info you wanted to circle back to, and quote in the proper place.

Speaking of posting in the proper places, did I post this thread in the proper section, or is there a better section for threads like this to be posted in?

There are so many red flags it is hard to list them all.

It's like Where's Waldo. But without listing/naming them all, we could be missing some data points needed to connect the dots to a more detailed image. And then it could become like unravelling a ball of yarn, seeing how far it unravels, and uncovering what footprints were left behind. e.g. time to reverse engineer.

upload_2021-6-6_3-30-3.png


Payment Methods: Bitcoin, Payeer, or PerfectMoney,


upload_2021-6-6_3-25-30.png


<<>>

upload_2021-6-6_3-26-21.png
 
•••
redplaid.com > matttoIIe / matttoiie .com @ NetSol

ttt.jpg
 
•••
redplaid.com > matttoIIe / matttoiie .com @ NetSol


WOW, it looks like rwaidmann@matttoiie.com is now in possession of many domains from Connectria Corp, including Connectria.com

upload_2021-6-6_5-47-2.png


<>>

upload_2021-6-6_5-48-32.png


<<>>

[email protected] looks to have taken control of Elacity.com from Connectria as well.

Code:
Domain Name: ELACITY.COM
Registry Domain ID: 94722425_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2020-12-08T09:11:31Z
Creation Date: 2003-02-06T15:28:07Z
Registrar Registration Expiration Date: 2026-02-06T15:28:07Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Connectria Corp.
Registrant Organization: Connectria Corp.
Registrant Street: 10845 Olive-Suite 300
Registrant City: St. Louis
Registrant State/Province: MO
Registrant Postal Code: 63141
Registrant Country: US
Registrant Phone: +1.3145877000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
 
•••
[email protected] looks to have taken control of Elacity.com as well.


<joke>

Dear Network Solution,

Great news, networksolution.com has sold via Fast Transfer through our DLS Network for $199.00

No action is needed from you at this time. You will receive an email update within 8-10 days regarding your payment.

If you have any questions, please feel to message the TA Agent through the link at the bottom of the sea.

Bye

</joke>

Too many NetSol users are still using compromised passwords and the NetSol don't give a ...
 
•••
i'm famous now ? hahahah
 
•••
@domainfor yo -- what is it that you're looking for?

upload_2021-6-6_6-21-25.png


I see you lookin at me :xf.love:
 
•••
Any chance you want to tell us how you did it, and be a white hat hero? puh-leazee :wideyed:

You can download (or buy) the breached credential databases @ several places, incl. raw NetSol.
 
•••
You can download (or buy) the breached credential databases @ several places, incl. raw NetSol.

There are several ways it could have been done.

I was more so hoping to give @domainfor yo an honorable way out of the mess he/she/them appears to be entangling him(her)themselve(s) in.
 
•••
i like you and i like aliens.com too

I too like aliens 👽🛸:alien:

https://sell.sawbrokers.com/domain/aliens.com/


Domain Name: ALIENS.COM
Registry Domain ID: 2707253_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: 2020-09-24T09:15:15Z
Creation Date: 1994-10-20T23:00:00Z
Registrar Registration Expiration Date: 2021-10-19T23:00:00Z
Registrar: DNC Holdings, Inc
Registrar IANA ID: 291
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8778569598
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Not Applicable
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: KN
 
•••
ain't no problem puppy

What's all this puppy talk kitten?

Is that code for you wanting to work towards getting these domains fully in the hands of the rightful owners, with no quid pro quo expectations? Are we ready to turn white hat ethical hacker in hopes, but no guarantee, of a bug bounty type reward?

Or are you saying puppy to be cute, and deflect away from the ugliness of what appears to be criminal activity?
 
•••
check your pm grilled

@domainfor yo might be having a change of heart here folks...

He revealed Aliens.com and Same.com may also be compromised. I haven't verified it yet. But thanks @domainfor yo for wanting to help.

The community will be here for you if you continue to want to help clog some security holes, and help some possibly unknowing victims from forever losing their domains. 👍

Also, please remember, no more trying to sell stolen domains... And more returning to the rightful owner, less selling, should be your new motto!
 
•••
@domainfor yo might be having a change of heart here folks...

He revealed Aliens.com and Same.com may also be compromised. I haven't verified it yet. But thanks @domainfor yo for wanting to help.

The community will be here for you if you continue to want to help clog some security holes, and help some possibly unknowing victims from forever losing their domains. 👍

Also, please remember, no more trying to sell stolen domains... And more returning to the rightful owner, less selling, should be your new motto!
this shitty website is not letting me post or contact or anything
 