ATTN REGISTRARS! it.com domain sunrise starts on Jan 2nd! GET READY NOW

alert Stolen Names

Catch.Club Catch.Club

jberryhill

Top Member
John Berryhill, Ph.d., Esq.
Impact
7,306
The following names have been stolen from Name.com and moved to Namecheap:

AAO .com PL .com W3 .com LAS. com TKM .com HKE .com HHT .com WBN .com KVL .com IJA .com LVL .com
 
25
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Impact
11,816
Namecheap should freeze the account activity as a start.

Unreal!
 
1
•••

Future Sensors

78% of human domainers will be replaced by robotsTop Member
Impact
16,629
Thanks for the warning @jberryhill

Feel free to provide some context if possible.
 
2
•••
Thanks for mentioning, @jberryhill . If you have any additional information, I'd be happy to investigate and get those domains back to their owners.

I would be personally doing this, as DNProtect has been shut down and I no longer provide stolen domain name recovery services through DNProtect.
 
11
•••

Future Sensors

78% of human domainers will be replaced by robotsTop Member
Impact
16,629
DNProtect has been shut down and I no longer provide stolen domain name recovery services through DNProtect.
Feel free to provide some context if possible.
 
3
•••

jberryhill

Top Member
John Berryhill, Ph.d., Esq.
Impact
7,306
Feel free to provide some context if possible.

Sure.

The names belong to well-known domainer Gregg Ostrick:

https://domaininvesting.com/its-you-no-its-not-yahoo-its-my-friend-gregg-ostrick/

https://targetedtraffic.com/speakers/view-speaker.php?speaker=Gregg Ostrick&rurl=2013-speakers


Several are protected by US registered trademarks:

Screen Shot 2023-01-04 at 2.14.56 PM.png



Screen Shot 2023-01-04 at 1.46.25 PM.png



Thank you for the offer @bhartzer . We are in touch with the legal teams at both registrars and will try to informally resolve this first.
 
7
•••
Feel free to provide some context if possible.
Not much more to say, as it appears that Epik has shut down DNProtect. I am no longer associated with DNProtect or Epik.

I don't really want to hijack this thread, as it's about the stolen domain names that @jberryhill posted about.
 
9
•••

jberryhill

Top Member
John Berryhill, Ph.d., Esq.
Impact
7,306
Not being associated with Epik is a good career move. Congratulations.
 
24
•••
Impact
4,049
Watching 🍿
 
3
•••
Impact
83
That's a big sized theft. Wonder how they compromised Gregg's account at Name.com
 
1
•••
I consider Name.com to be one of the safer registrars. For example, you get an email the instant someone logs into your account.

I hope these very valuable names are returned to Gregg.
 
1
•••

xcloud123

Established Member
Impact
793
months ago,i even asked W3. com ‘ price
 
1
•••

Cal2

Top Member
Impact
3,363
The following names have been stolen from Name.com and moved to Namecheap:

AAO .com PL .com W3 .com LAS. com TKM .com HKE .com HHT .com WBN .com KVL .com IJA .com LVL .com

Anyone with any ideas as to why they thought to move them to Namecheap and not somewhere else.
 
1
•••

pooky

Established Member
Impact
516
I consider Name.com to be one of the safer registrars. For example, you get an email the instant someone logs into your account.

I hope these very valuable names are returned to Gregg.

Safer? Maybe.. Maybe not.

https://www.namepros.com/threads/attempted-domain-hijacking-at-name-com.995505/#post-5942236

This happened a few years back to one of my domains there.

TL;DR:
I purchased an expiring domain at another registrar and transferred it to my Name.com account after the lock been duly lifted.
Six months after that, the earlier owner of the domain who let it expire, maliciously complains to them that the domain was stolen.
Name.com sends me an email warning me to provide proof of purchase - else they will transfer my domain to the complainant "within the next 2 days".
If I hadn't replied with the proof, they would have given my domain away.

Cost to the complainant - nothing.

I haven't kept in touch with their policies after that, but I think they instituted a $50 fee for such complaints - still practically nothing for a thief attempting to steal domains from their paying customers.
 
3
•••
For example, you get an email the instant someone logs into your account.
That "kind of" helps, but hackers getting into the account can get around it. Or, if they're fast enough, they usually will get into the account while you're sleeping and not checking email.

I can't tell you how many stolen domain names I've recovered that had this "feature" turned on.

If you're thinking that your registrar having this email notification feature gives you peace of mind and that it will stop someone from stealing your domain, you're sadly mistaken, unfortunately.

Many domains are stolen because someone hacked into the email account. And if they don't change the password on your email account, then they're going to just delete those notification emails. You'll never see them.
 
8
•••
Anyone with any ideas as to why they thought to move them to Namecheap and not somewhere else.
Yeah, kind of an amateur-ish move to move them to Namecheap. If they knew what they were doing, they would have moved them to a Chinese registrar, outside of the USA. If it's moved to a Chinese registrar, given the current environment, you're pretty much NOT going to get those domain names moved back to a US-based registrar unless you file a UDRP.

I've personally recovered stolen domains that were transferred out to a Chinese registrar and the only way we could "get them back" was by filing a UDRP.
 
7
•••

sharfab

Top Member
Impact
1,945
That "kind of" helps, but hackers getting into the account can get around it. Or, if they're fast enough, they usually will get into the account while you're sleeping and not checking email.

I can't tell you how many stolen domain names I've recovered that had this "feature" turned on.

If you're thinking that your registrar having this email notification feature gives you peace of mind and that it will stop someone from stealing your domain, you're sadly mistaken, unfortunately.

Many domains are stolen because someone hacked into the email account. And if they don't change the password on your email account, then they're going to just delete those notification emails. You'll never see them.
Very interesting! So basically there are times when the hackers DONT want to change your email password, they just monitor the hacked email messages and delete pertinent notification emails to cover their tracks...
 
1
•••
Very interesting! So basically there are times when the hackers DONT want to change your email password, they just monitor the hacked email messages and delete pertinent notification emails to cover their tracks...
Yes, that is correct.
 
4
•••

jberryhill

Top Member
John Berryhill, Ph.d., Esq.
Impact
7,306
Yeah, kind of an amateur-ish move to move them to Namecheap.

Isn't that odd? It's really bizarre for them to have used a destination registrar which is easily reachable and responsive. Both Namecheap and Name.com are investigating, and will reach some idea of what the situation looks like from their ends. There was a period of time quite a number of years ago during which a lot of stolen names seemed to end up there, but that was something like 2005ish. Then, for a long time a good deal of them went to Ename and other Chinese registrars. I don't think it was for any other reason than the language and cultural differences can make communication and establishing credibility difficult. Many registrars do have a procedure for investigating these situations and requiring indemnification by the victim for claims that might arise from unwinding the theft.

@bhartzer is absolutely correct on all counts above. Compromising the email account but not letting the owner know what's going on is key in these situations. I have to believe that some of them set up monitors so they receive text notifications when emails are received, so they can wake up from whatever hole they are living in order to deal with ongoing correspondence.

In addition to using two-factor authentication, it is a good idea to check the procedure for turning OFF two-factor authentication. Obviously, if there is any process by which someone can compromise the account email and manage to turn off two-factor authentication without having to use it, then that is an attack vector.

In this instance, the most likely route of attack appears to have been the hosting company for the account contact email address.
 
7
•••
In this instance, the most likely route of attack appears to have been the hosting company for the account contact email address.
So, there is another security tip btw. In todays environment, domainers should maintain unique e-mail boxes for each registrar, and these emails should not be used anywhere else. Neither in whois (private or public), nor for correspondence (except with the registrar in question). If the hacker does not know account contact email, he will have difficulties determining the email hosting company to attack...
 
6
•••

jberryhill

Top Member
John Berryhill, Ph.d., Esq.
Impact
7,306
If the hacker does not know account contact email, he will have difficulties determining the email hosting company to attack...

While that's true to an extent, I believe a more likely scenario in this instance is a general compromise of the hosting company, and that access to the email address was a bonus that was sold off along with other bounty obtained in the compromise. In other words, I do not believe that this particular domain portfolio was targeted and attacked. I believe the hosting company was generally attacked and that data and access were parceled out to purchasers by the attackers.

To put it another way, you might keep a piece of heirloom jewelry in a safe deposit box. If a gang of thieves breaks into the bank vault and steals the contents of all of the safe deposit boxes, that jewelry is going to someone who might specialize in trading stolen jewelry, but it's not as if that jewelry was specifically the target of the attack. It's just one of many prizes obtained in the broader general compromise of the bank vault and then sold to someone looking for that sort of thing.
 
Last edited:
2
•••

biggie

GreenFriendly.comTop Member
Impact
15,043
It's just one of many prizes obtained in the broader general compromise of the hosting comapny and then sold to someone looking for that sort of thing.
Hi

or... it was made to "look like" that, so that it would appear as a random prize.

in the movie "The Shooter" the suspect shot several random people outside a building, just to kill a particular person.

even though what you said may be the case, that movie came to mind when i read your post

still, really hope you recover the names and... possibly find out who the culprit is.

imo...
 
0
•••

bondage

army.com.uaEstablished Member
Impact
677
name.com - Safe, yeah! At the end of February, Russia attacked Ukraine. And so it happened that my boyfriend and I had domains in the name.com, the most expensive of what we had. And so it happened that the house was destroyed by the Russians and recouped the city. So far, we have managed to block both of our accounts in which there were 200 keywords of almost top-end ones in .xyz and twelve four-letter .com & right now we don't own anything - cool?

I even created a topic and asked for help here on the forum.

Their support, they told me that these are sanctions?
Only I did not understand for what, for the fact that we were born in Mariupol and fled from there, because our house was destroyed and we were bombed...

The most interesting thing is that I checked all the domains after a while and they also ended up in namecheap too.


Best Regards
Tatiana
 
Last edited:
1
•••
I believe a more likely scenario in this instance is a general compromise of the hosting company, and that access to the email address was a bonus that was sold off along with other bounty obtained in the compromise.
John, can you share the name of this hosting company? NP members may also have accounts with that company, so the information is important... to change passwords etc. at least...
 
0
•••
name.com - Safe, yeah
Tatiana, did I read this correctly - your name.com domains somehow ended up on NameCheap, which is in fact operated from Ukraine (and probably UA-owned) by the way, as the result of sanctions? I don't get it...

What an interesting coincidence with this stolen domains thread.
 
0
•••