alert Stolen Four Letter Names

jberryhill

John Berryhill, Ph.D., Esq.
The following names were stolen from a GoDaddy customer:

wumz.com
fexz.com
cclw.com
yded.com
clcy.com
kdtx.com
wohp.com
ubve.com

The names interactivebrain.com and cloneclothing.com appear also to have followed similar unauthorized transfer patterns.

The same person attempted a theft of qauf.com, but the intended victim caught the transfer email in time to stop it.
 
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
A quick update on my side, @AlejandroGarcia has refunded my purchase of ubve.com and wohp.com. I have refunded the buyer of ubve.com but will need to track down the buyer of wohp.com to give them a refund as well. That way I am not in the middle of this mess...
 
•••
Enable 2-factor authentication now!
 
•••
I bought ubve.com and wohp.com back in December 2017 from @AlejandroGarcia and then flipped them.
@AlejandroGarcia - where did you purchase ubve and wohp from?
 
•••
But don't they need access to the registered email id to get the password reset emails so the account can be accessed?

Yes. And things like infrequently-monitored email accounts or legacy accounts from providers like earthlink.net are prime pickings.

Another attack vector is to hope to lose the transfer and account recovery emails in a wave of spam.
 
•••
Surely the original user can just get the domains back?

That's often easier said than done. If someone compromises your email and gets access to your domain registrar account, then the next step is to move the domain names to another registrar, change the registrant, and then launder the domain names through such mechanisms as selling them cheaply to an unsuspecting purchaser.

To unwind these things where there have been intervening registrar transfers requires a considerable amount of cooperation among the registrars through which stolen names have been transferred.
 
•••
Just saw a news report the other day that there has been an up-tick of email hacks. This time, the hackers are more sophisticated, they waited for the right moment to strike.

The example on the news was a home buyer was sent a fake change of bank wiring instruction during the closing. The deposit was wired to the hacker's account, the buyer lost $50,000.

Here are some of my suggestions:

Do not re-use passwords. Ideally use different passwords for each website.
Do not click on that suspicious link in email! Check it first.
Use Multi-Factor Authentication, such as Google Authenticator.
Use a different email address for your whois record from your account email.
 
•••
I think you need to dig deeper, on where he got them from.

Just to be clear. I am legal counsel to Uniregistry, and this got onto my radar during a fraud investigation at Uniregistry, including review of his account activity log.
 
•••
I confirm that as a buyer of ubve.com (I bought it in December 2017) I have been today fully refunded by @lotk right after I kindly requested it, so that means I can confirm he is a Seller of high standards. I have also asked Brandbucket to delist the domain, right after I learned that it is suspected to be stolen.
I now await instructions as to what to do with the domain in question.
So we have at least one domain sorted out.
 
•••
@Lola Lola has asked me to upload the attached file since she is a new member and cannot upload yet. It concerns her domain, but it is better that she explains herself I think.
Thank you embrand for posting this for me. You will notice in the image is a list of email transactions. These were all involved in the theft of my domain name. Sadly I believe Alejandro Garcia hacked my email account and used it to change all my passwords and perform transactions posing as me. He did so via comcast webmail. I did not see any of these as my email was spotty during this time. Now I know why. He had deleted the messages but Comcast helped me to restore them and you will notice in the middle of the list there is a test email from himself to my comcast account. This is 5 minutes before he received the transaction record for the domain transfer. Sadly I did not find any of this out until it was too late. He changed my passwords for himself then changed them all back. I had been registered at Network Solutions since 1998 and the domain was paid until 2021. They were no help nor was ICANN. I could not prove that it was not me. But thanks to Embrand things are getting taken care of. I would never have had proof that Alejandro was truly involved had it not been for Embrand and his honesty and integrity.
 
•••
This is bad news for the people who get stuck holding these hot potatoes. Another CQD scenario.

Those 4L's, look like they already had like 3-4 different owners. That is the life of low level 4L's, they just get whored from one domainer to another, hoping a little lipstick will attract the right buyer.
 
•••
Could you let us know if Alejandro gave you an explanation as to what has happened?

He just let me know that he is still doing his own research on the batch of domains he purchased last year and that he issued my refund.
On a side note, I have bought several domains off of Alejandro in the past without any issues.
 
•••
@Lola Lola has asked me to upload the attached file since she is a new member and cannot upload yet. It concerns her domain, but it is better that she explains herself I think.
 

Attachment: Alejandro stuff.JPG
•••
What's actually happening is that the 3rd-world scammers are totally bypassing any old email lists, and going straight to the WHOIS data for emails from any major Internet provider with a customer service phone number (i.e., Verizon, AT&T, Comcast, etc.) and then forwarding these lists to massive call centers.

Then cheap labor mass-calls these providers and plays the old "I am sorry, I lost my password" social engineering trick (using your WHOIS address and phone info to authenticate) to gain access to your account, and by virtue all your emails. And then a quick password change later they are playing the "forget password" game at your registrar account and quickly transferring out all your valuable domains.

If you have 2-factor authentication, they then just call your cell phone company and port the number out (again using WHOIS address/phone data) and defeat it that way.

The most vulnerable part of any security plan are the people sitting in CS at your local Internet provider, happily giving full account access to Nigerian, Kenyan and Moroccan scammers who only need to provide them your address and phone number. The lack of security protocols and accountability is appalling and I highly recommend these steps to negate these CS nimrods:

1) Do not use an email for WHOIS from any source that has phone support.
2) Do not use an email for Registrar accounts from any source that has phone support.
3) Use a different email for WHOIS than you do for Registrar account access.
4) If possible, use multiple email accounts from domains that you control - zzzzz @ mysite.com for WHOIS and xxxxx @ myothersite.com for Registrar account.

Remember, these thieves are looking for quick scores from calling well known ISPs, and like any security system, you are simply trying to dissuade jokers like this from making an easy theft. They see "admin @ sdjeuyydkkes.com" and they quickly move along to the next victim.
 
•••
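The four rules in the post above can be checked mechanically across a portfolio. The following is an added example, not part of the original post; the provider list, record fields and sample addresses are constructed assumptions.

```python
# Added example: audit contact emails against the four rules listed above.
# PHONE_SUPPORT is an assumed, illustrative provider list, not a complete one.
PHONE_SUPPORT = {"comcast.net", "verizon.net", "att.net", "earthlink.net"}

# Constructed sample portfolio (reserved example domains, made-up mailboxes).
PORTFOLIO = [
    {"domain": "example.com", "whois_email": "Owner@comcast.net",
     "registrar_email": "owner@comcast.net"},
    {"domain": "example.net", "whois_email": "whois@example.org",
     "registrar_email": "acct@example.net"},
]
OWNED = {"example.com", "example.net", "example.org"}

def email_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_domain(record, owned):
    """Return the list of rule violations for one portfolio record."""
    whois = record["whois_email"].strip().lower()
    acct = record["registrar_email"].strip().lower()
    whois_dom, acct_dom = email_domain(whois), email_domain(acct)
    findings = []
    if whois_dom in PHONE_SUPPORT:
        findings.append("rule 1: WHOIS email at a provider with phone support")
    if acct_dom in PHONE_SUPPORT:
        findings.append("rule 2: registrar email at a provider with phone support")
    if whois == acct:
        findings.append("rule 3: same email for WHOIS and registrar account")
    for label, dom in (("WHOIS", whois_dom), ("registrar", acct_dom)):
        if dom not in owned:
            findings.append(f"rule 4: {label} email not on a domain you control")
    # Added caveat, not from the post: a mailbox hosted on the domain it
    # protects is lost together with that domain.
    if record["domain"].lower() in (whois_dom, acct_dom):
        findings.append("caveat: contact email depends on the protected domain")
    return findings

def audit_portfolio(portfolio, owned):
    """Map each domain to its findings, omitting clean records."""
    report = {r["domain"]: audit_domain(r, owned) for r in portfolio}
    return {d: f for d, f in report.items() if f}

if __name__ == "__main__":
    for domain, findings in audit_portfolio(PORTFOLIO, OWNED).items():
        print(domain, *findings, sep="\n  ")
```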
Yes. And things like infrequently-monitored email accounts or legacy accounts from providers like earthlink.net are prime pickings.

Another attack vector is to hope to lose the transfer and account recovery emails in a wave of spam.
I am pretty amazed that owners of 4l.coms don't bother to have a regularly monitored and more secure email id and 2FA activated.
 
•••
why wouldn't registrars implement such a thing? of course it wouldn't be bulletproof, but in the very least when the ip address is different.. or in very least it does not correspond to account owners country/city/province, then this would trigger some alerts.. verifications.. again, this wouldn't be bulletproof.. but at this point, any extra triggers and info can be potentially life saving for the true owner of account

I typically don't self-promote but this is a topic close to me, but at easyDNS not only can you enable 2FA, you can implement a variety of ACLs and even limit by country code, so you could say any logins from outside your home country would trigger additional 2FA. I'm not aware of any other registrar that offers this.
 
•••
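The trigger asked for in the post above can be combined with the pattern described earlier in the thread, where a password reset is quickly followed by a move to transfer the names out. The following is an added example, not code from the thread or from any registrar; the log format, event names, country codes and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed activity log; the line format and event names are assumptions
# made for this example, not any registrar's real log format.
SAMPLE_LOG = """\
2018-01-05T09:58:40Z acct=1001 event=password_reset country=XX
2018-01-05T10:02:11Z acct=1001 event=login country=XX
2018-01-05T10:06:30Z acct=1001 event=authcode_request country=XX
2018-01-06T14:00:00Z acct=2002 event=password_reset country=US
2018-01-06T14:05:00Z acct=2002 event=authcode_request country=US
2018-01-09T08:00:00Z acct=3003 event=authcode_request country=XX
"""
HOME_COUNTRY = {"1001": "US", "2002": "US", "3003": "US"}  # constructed
SENSITIVE = {"authcode_request", "transfer_out", "registrant_change", "email_change"}
WINDOW = timedelta(hours=24)

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    stamp, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text, home_country, window=WINDOW):
    """Return (acct, action, reason) for each sensitive event; log must be time-ordered."""
    last_reset = {}  # acct -> time of the most recent password reset
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        acct = ev["acct"]
        if ev["event"] == "password_reset":
            last_reset[acct] = ev["time"]
            continue
        if ev["event"] not in SENSITIVE:
            continue
        foreign = ev["country"] != home_country.get(acct)
        recent = acct in last_reset and ev["time"] - last_reset[acct] <= window
        if foreign and recent:
            # Both signals together: block the action pending manual review.
            alerts.append((acct, "hold", f"{ev['event']} after reset from {ev['country']}"))
        elif foreign or recent:
            # One signal alone: ask for additional verification.
            alerts.append((acct, "step_up", f"{ev['event']} needs extra verification"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, HOME_COUNTRY):
        print(*alert)
```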
He probably received stolen merchandise. But until we know, he is the guy in possession. His last NP activity was liking Mr Berryhill's lock post

https://www.namepros.com/threads/i-...-com-help-please.1059035/page-13#post-6626095
Now isn't that one ironic LIKE.

A few posts up LOTK mentioned he has already been sold the domains, and even he flipped them down the line to someone else, I mean I know how these things just trade in bundles for a few hundred profit, until it has peaked at max valuation, so not sure how many more flips it could get until they find an actual end user.

I saw the CloneClothing thread, nobody even wanted the domain for $20, sitting there for 3 weeks.
 
•••
@DNWon I don't think that pic is fair. Innocent until proven guilty should mean something. I'm still down $1200 at this point in time and since realizing I was sold stolen domains- I had my fair share of doubts too. But refunds have been made to a few different people- me included, Alejandro has communicated with me several times- and what he says rings true. So let's let things play out and see what happens. Imagine being in the shoes of a seller who unknowingly bought domains from a thief, sold them to a few different people and now has to face a shit storm of confused and angry owners who want their domains back, registrars that are investigating the transactions and buyers who want their money back- and they all end up getting to you because the thief is long gone. That sounds like a nightmare to me and like something that takes time to sort out. So I for one, will give the matter a little time and have faith in Alejandro because as far as I'm concerned he isn't behaving like a thief would. Just like a guy dealing with a very big mess and trying to sort it out.
 
•••
My piece of advice is to use a business email address for whois, as in

[email protected]

This way the person doing the hacking does not know who your email carrier is.
It's harder to hack a gmail account when you're using outlook :xf.laugh:

Most business email will use a carrier like google apps etc but like I said.... make it as hard as possible.

I use 2-factor with godaddy and 2-factor with my email and I monitor both every day for activity.
 
•••
i am far from an expert on internet networking and such, but each time I login to certain sites.. I think google email is particularly sensitive to this... and my internet modem has different ip address.. due to network reset or my own poweroff.. google asks me for extra authorizations..

why wouldn't registrars implement such a thing? of course it wouldn't be bulletproof, but in the very least when the ip address is different.. or in very least it does not correspond to account owners country/city/province, then this would trigger some alerts.. verifications.. again, this wouldn't be bulletproof.. but at this point, any extra triggers and info can be potentially life saving for the true owner of account
 
•••
In the case of this thread, the domain names appear to have been stolen by a person in Mexico.
Are you saying @AlejandroGarcia stole these domains, and then tried to sell them off as low as $20 on namepros, I have done business with him way back on that other forum, and namepros, always found him to be an honest person. He has been a member of namepros for over a decade, really seems out of line for him, those names aren't even that good for someone to burn their reputation over them. Maybe others can weigh in also. I think you need to dig deeper, on where he got them from.
 
•••
I notice @AlejandroGarcia has closed his account and does not respond to emails anymore. Not a good sign.

For full disclosure I would like to state that I have bought three domains from him in recent months. I am now satisfied that one of them was indeed stolen and I will be returning it to its rightful owner.

The two others I am still looking into. None of these three names came from GoDaddy, by the way. So there may be many affected names from several different registrars.
 
•••
How can a stranger get access to GoDaddy accounts and steal domains? I wonder what's missing here :unsure:
 