alert Stolen Names


jberryhill

John Berryhill, Ph.d., Esq.
The following names have been stolen from Name.com and moved to Namecheap:

AAO .com PL .com W3 .com LAS .com TKM .com HKE .com HHT .com WBN .com KVL .com IJA .com LVL .com
 
•••
Namecheap should freeze the account activity as a start.

Unreal!
 
•••
Thanks for the warning @jberryhill

Feel free to provide some context if possible.
 
•••
Thanks for mentioning, @jberryhill. If you have any additional information, I'd be happy to investigate and get those domains back to their owners.

I would be personally doing this, as DNProtect has been shut down and I no longer provide stolen domain name recovery services through DNProtect.
 
•••
> DNProtect has been shut down and I no longer provide stolen domain name recovery services through DNProtect.

Feel free to provide some context if possible.
 
•••
> Feel free to provide some context if possible.

Sure.

The names belong to well-known domainer Gregg Ostrick:

https://domaininvesting.com/its-you-no-its-not-yahoo-its-my-friend-gregg-ostrick/

https://targetedtraffic.com/speakers/view-speaker.php?speaker=Gregg Ostrick&rurl=2013-speakers


Several are protected by US registered trademarks:

[Two screenshots, not preserved]



Thank you for the offer, @bhartzer. We are in touch with the legal teams at both registrars and will try to informally resolve this first.
 
•••
> Feel free to provide some context if possible.

Not much more to say, as it appears that Epik has shut down DNProtect. I am no longer associated with DNProtect or Epik.

I don't really want to hijack this thread, as it's about the stolen domain names that @jberryhill posted about.
 
•••
Not being associated with Epik is a good career move. Congratulations.
 
•••
Watching 🍿
 
•••
That's a big sized theft. Wonder how they compromised Gregg's account at Name.com
 
•••
I consider Name.com to be one of the safer registrars. For example, you get an email the instant someone logs into your account.

I hope these very valuable names are returned to Gregg.
 
•••
Months ago, I even asked W3 .com's price.
 
•••
> The following names have been stolen from Name.com and moved to Namecheap:
>
> AAO .com PL .com W3 .com LAS .com TKM .com HKE .com HHT .com WBN .com KVL .com IJA .com LVL .com

Anyone with any ideas as to why they thought to move them to Namecheap and not somewhere else?
 
•••
> I consider Name.com to be one of the safer registrars. For example, you get an email the instant someone logs into your account.
>
> I hope these very valuable names are returned to Gregg.

Safer? Maybe.. Maybe not.

https://www.namepros.com/threads/attempted-domain-hijacking-at-name-com.995505/#post-5942236

This happened a few years back to one of my domains there.

TL;DR:
I purchased an expiring domain at another registrar and transferred it to my Name.com account after the lock had been duly lifted.
Six months after that, the earlier owner of the domain who let it expire, maliciously complains to them that the domain was stolen.
Name.com sends me an email warning me to provide proof of purchase - else they will transfer my domain to the complainant "within the next 2 days".
If I hadn't replied with the proof, they would have given my domain away.

Cost to the complainant - nothing.

I haven't kept in touch with their policies after that, but I think they instituted a $50 fee for such complaints - still practically nothing for a thief attempting to steal domains from their paying customers.
 
•••
> For example, you get an email the instant someone logs into your account.

That "kind of" helps, but hackers getting into the account can get around it. Or, if they're fast enough, they usually will get into the account while you're sleeping and not checking email.

I can't tell you how many stolen domain names I've recovered that had this "feature" turned on.

If you're thinking that your registrar having this email notification feature gives you peace of mind and that it will stop someone from stealing your domain, you're sadly mistaken, unfortunately.

Many domains are stolen because someone hacked into the email account. And if they don't change the password on your email account, then they're going to just delete those notification emails. You'll never see them.
 
•••
> Anyone with any ideas as to why they thought to move them to Namecheap and not somewhere else?

Yeah, kind of an amateur-ish move to move them to Namecheap. If they knew what they were doing, they would have moved them to a Chinese registrar, outside of the USA. If it's moved to a Chinese registrar, given the current environment, you're pretty much NOT going to get those domain names moved back to a US-based registrar unless you file a UDRP.

I've personally recovered stolen domains that were transferred out to a Chinese registrar and the only way we could "get them back" was by filing a UDRP.
 
•••
> That "kind of" helps, but hackers getting into the account can get around it. Or, if they're fast enough, they usually will get into the account while you're sleeping and not checking email.
>
> I can't tell you how many stolen domain names I've recovered that had this "feature" turned on.
>
> If you're thinking that your registrar having this email notification feature gives you peace of mind and that it will stop someone from stealing your domain, you're sadly mistaken, unfortunately.
>
> Many domains are stolen because someone hacked into the email account. And if they don't change the password on your email account, then they're going to just delete those notification emails. You'll never see them.

Very interesting! So basically there are times when the hackers DON'T want to change your email password, they just monitor the hacked email messages and delete pertinent notification emails to cover their tracks...
 
•••
> Very interesting! So basically there are times when the hackers DON'T want to change your email password, they just monitor the hacked email messages and delete pertinent notification emails to cover their tracks...

Yes, that is correct.
 
•••
> Yeah, kind of an amateur-ish move to move them to Namecheap.

Isn't that odd? It's really bizarre for them to have used a destination registrar which is easily reachable and responsive. Both Namecheap and Name.com are investigating, and will reach some idea of what the situation looks like from their ends. There was a period of time quite a number of years ago during which a lot of stolen names seemed to end up there, but that was something like 2005ish. Then, for a long time a good deal of them went to Ename and other Chinese registrars. I don't think it was for any other reason than the language and cultural differences can make communication and establishing credibility difficult. Many registrars do have a procedure for investigating these situations and requiring indemnification by the victim for claims that might arise from unwinding the theft.

@bhartzer is absolutely correct on all counts above. Compromising the email account but not letting the owner know what's going on is key in these situations. I have to believe that some of them set up monitors so they receive text notifications when emails are received, so they can wake up from whatever hole they are living in order to deal with ongoing correspondence.

In addition to using two-factor authentication, it is a good idea to check the procedure for turning OFF two-factor authentication. Obviously, if there is any process by which someone can compromise the account email and manage to turn off two-factor authentication without having to use it, then that is an attack vector.

In this instance, the most likely route of attack appears to have been the hosting company for the account contact email address.
 
•••
> In this instance, the most likely route of attack appears to have been the hosting company for the account contact email address.

So, there is another security tip btw. In today's environment, domainers should maintain unique e-mail boxes for each registrar, and these emails should not be used anywhere else. Neither in whois (private or public), nor for correspondence (except with the registrar in question). If the hacker does not know account contact email, he will have difficulties determining the email hosting company to attack...
 
•••
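The cover-up discussed in this thread, where someone inside the mailbox deletes registrar notifications before the owner sees them, can be looked for in mailbox audit data. The following is an added example, not code from any poster; the JSON-lines schema, sender domain, IP addresses and the 10-minute threshold are constructed assumptions, not any provider's real format.

```python
import json
from datetime import datetime, timedelta

# Constructed mailbox audit events in a hypothetical JSON-lines schema.
SAMPLE_LOG = """
{"ts":"2024-05-02T09:00:00Z","event":"deliver","msg_id":"m3","from":"billing@registrar.example","subject":"Renewal reminder"}
{"ts":"2024-05-02T10:00:00Z","event":"read","msg_id":"m3","ip":"198.51.100.7"}
{"ts":"2024-05-02T10:01:00Z","event":"delete","msg_id":"m3","ip":"198.51.100.7"}
{"ts":"2024-05-03T03:12:05Z","event":"deliver","msg_id":"m1","from":"notify@registrar.example","subject":"New login to your account"}
{"ts":"2024-05-03T03:12:40Z","event":"delete","msg_id":"m1","ip":"203.0.113.50"}
{"ts":"2024-05-03T03:20:00Z","event":"deliver","msg_id":"m2","from":"notify@registrar.example","subject":"Transfer requested"}
{"ts":"2024-05-03T03:20:10Z","event":"read","msg_id":"m2","ip":"203.0.113.50"}
{"ts":"2024-05-03T03:20:30Z","event":"delete","msg_id":"m2","ip":"203.0.113.50"}
{"ts":"2024-05-03T03:25:00Z","event":"deliver","msg_id":"m4","from":"news@shop.example","subject":"Sale"}
{"ts":"2024-05-03T03:25:20Z","event":"delete","msg_id":"m4","ip":"203.0.113.50"}
"""
REGISTRAR_DOMAINS = {"registrar.example"}  # assumed notification sender domain
KNOWN_IPS = {"198.51.100.7"}               # assumed: the owner's usual address
FAST_DELETE = timedelta(minutes=10)        # assumed threshold

def suspicious_deletions(log_text):
    """Return registrar notifications whose deletion looks like track-covering."""
    delivered, owner_read, alerts = {}, set(), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        mid, ip = ev["msg_id"], ev.get("ip")
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["event"] == "deliver":
            if ev["from"].rsplit("@", 1)[-1].lower() in REGISTRAR_DOMAINS:
                delivered[mid] = (ts, ev["subject"])
        elif ev["event"] == "read" and ip in KNOWN_IPS:
            owner_read.add(mid)  # only reads from a known address count as the owner
        elif ev["event"] == "delete" and mid in delivered:
            arrived, subject = delivered[mid]
            reasons = []
            if mid not in owner_read:
                reasons.append("never read from a known IP")
            if ip not in KNOWN_IPS:
                reasons.append("deleted from an unknown IP")
            if ts - arrived <= FAST_DELETE:
                reasons.append("deleted within 10 minutes of delivery")
            if reasons:
                alerts.append({"msg_id": mid, "subject": subject, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in suspicious_deletions(SAMPLE_LOG):
        print(a["msg_id"], a["subject"], "->", "; ".join(a["reasons"]))
```

Such a check is only useful if the audit events are collected somewhere the mailbox login cannot reach, since the thread's point is that anything inside the mailbox can be erased.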
