report The strange case of World.com and Network Solutions hijacked domains

This is a story about one of the top holders of premium domain names, World Media Group, LLC (World.com), and the odd case of several domains hijacked mainly from Network Solutions accounts, typically when the owners are unreachable, using administrative email addresses from domains belonging to World.com's portfolio.


Once upon a time, in 2009, I came across KIP.com, which had expired.


I went through the WHOIS details and reached the owner (Komatsu Corp), which was not willing at the time to make a deal with an individual and was also not interested in keeping the domain name.

The domain expired and apparently got renewed in the last days, around December 2009.

The odd thing started from this point onward. The domain was managed by an employee of this company named Ken Nouji. Ken was not reachable, but the administrative email in the domain's WHOIS got changed to “[email protected]”, a domain belonging to World.com.

A few weeks later the domain landed a sale of $80k to an end-user. A nice flip from a person who supposedly managed the domain but started using an email from a domain available only to World.com.



Then there was the case of BEF.com in 2014. The domain was listed in the name of Mark Vandegrift / BEF Corporation, who were not reachable.

Before the domain expired it got renewed and the administrative email changed to “[email protected]”, which again is a domain belonging to World.com.


Before:


Domain Name: BEF.COM

Registry Domain ID:

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://www.networksolutions.com/en_US/

Updated Date: 2006-06-28T00:00:00Z

Creation Date: 1996-07-11T00:00:00Z

Registrar Registration Expiration Date: 2014-07-10T00:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: 1-800-333-7680

Reseller:

Domain Status: clientTransferProhibited

Registry Registrant ID:

Registrant Name: BEF Corporation

Registrant Organization: BEF Corporation

Registrant Street: 1670 E Race St

Registrant City: Allentown

Registrant State/Province: PA

Registrant Postal Code: 18103

Registrant Country: US

Registrant Phone: 999 999 9999

Registrant Phone Ext:

Registrant Fax: 999 999 9999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Vandegrift, Mark

Admin Organization: null

Admin Street: 1670 E. Race Street

Admin City: Allentown

Admin State/Province: PA

Admin Postal Code: 18109

Admin Country: US

Admin Phone: (610) 266-8080

Admin Phone Ext:

Admin Fax: (610) 266-8094

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Vandegrift, Mark

Tech Organization: null

Tech Street: 1670 E. Race Street

Tech City: Allentown

Tech State/Province: PA

Tech Postal Code: 18109

Tech Country: US

Tech Phone: (610) 266-8080

Tech Phone Ext:

Tech Fax: (610) 266-8094

Tech Fax Ext:

Tech Email: [email protected]

Name Server: DNS.ENTER.NET

Name Server: NS2.ENTER.NET

DNSSEC:

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sat, 11 Jan 2014 18:48:28 UTC <<<


and after:


Domain Name: BEF.COM

Registry Domain ID:

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2014-03-11T16:11:58Z

Creation Date: 1996-07-11T04:00:00Z

Registrar Registration Expiration Date: 2014-07-10T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: clientDeleteProhibited

Domain Status: clientTransferProhibited

Domain Status: clientUpdateProhibited

Registry Registrant ID:

Registrant Name: BEF Corporation

Registrant Organization: BEF Corporation

Registrant Street: 1670 E Race St

Registrant City: Allentown

Registrant State/Province: PA

Registrant Postal Code: 18103

Registrant Country: US

Registrant Phone: +1.9999999999

Registrant Phone Ext:

Registrant Fax: +1.9999999999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Vandegrift, Mark

Admin Organization: null

Admin Street: 1670 E. Race Street

Admin City: Allentown

Admin State/Province: PA

Admin Postal Code: 18109

Admin Country: US

Admin Phone: (610) 266-8088

Admin Phone Ext:

Admin Fax: (610) 266-8094

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Vandegrift, Mark

Tech Organization: null

Tech Street: 1670 E. Race Street

Tech City: Allentown

Tech State/Province: PA

Tech Postal Code: 18109

Tech Country: US

Tech Phone: (610) 266-8088

Tech Phone Ext:

Tech Fax: (610) 266-8094

Tech Fax Ext:

Tech Email: [email protected]

Name Server: DNS.ENTER.NET

Name Server: NS2.ENTER.NET

DNSSEC: not signed

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sat, 17 Jan 2015 01:15:35 GMT <<<


Notice any differences?
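The before/after comparison above can be automated. The following Python script is an added example, not part of the original report: it parses two WHOIS snapshots and flags the kinds of change this story turns on, a contact email moving to a different mail domain and the transfer lock being removed. The sample records are constructed with placeholder names and addresses, and treating an 11-digit number starting with 1 as a North American number is an assumption.

```python
import re
from typing import NamedTuple

CONTACT_EMAIL_FIELDS = ("Registrant Email", "Admin Email", "Tech Email")
# GoDaddy records on this page say "Update Date", Network Solutions "Updated Date".
ALIASES = {"Update Date": "Updated Date"}
# "Key: value" or "Key:"; a bare URL line does not match (no space after its colon).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):(?:\s+(.*))?$")


class Change(NamedTuple):
    field: str
    before: tuple
    after: tuple
    alert: str  # empty string means informational only


def normalise(key, value):
    """Remove formatting noise so only real changes show up in the diff."""
    if key.endswith(("Phone", "Fax")):
        digits = re.sub(r"\D", "", value)
        # Assumption: 11 digits starting with 1 is a NANP number with country code.
        return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits
    if key == "Domain Status":
        # Newer records append the ICANN URL after the status token.
        return value.split()[0].lower() if value else ""
    if key in CONTACT_EMAIL_FIELDS or key == "Name Server":
        return value.lower()
    return value


def parse_whois(text):
    """Return {field: [values]}; repeated fields (status, name server) are kept."""
    record = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if not match:
            continue  # blank lines, ">>> Last update ..." footer, bare URLs
        key = ALIASES.get(match.group(1), match.group(1))
        value = normalise(key, (match.group(2) or "").strip())
        if value:
            record.setdefault(key, []).append(value)
    return record


def email_domains(values):
    return {v.rsplit("@", 1)[-1] for v in values if "@" in v}


def diff_whois(before_text, after_text):
    """List every changed field and mark the ones worth an alert."""
    before, after = parse_whois(before_text), parse_whois(after_text)
    changes = []
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field, []), after.get(field, [])
        if sorted(old) == sorted(new):
            continue
        alert = ""
        if field in CONTACT_EMAIL_FIELDS and email_domains(old) != email_domains(new):
            alert = "contact email moved to a different mail domain"
        elif (field == "Domain Status" and "clienttransferprohibited" in old
              and "clienttransferprohibited" not in new):
            alert = "transfer lock removed"
        elif field in ("Registrar", "Registrar IANA ID"):
            alert = "registrar changed"
        elif field == "Name Server":
            alert = "name servers changed"
        changes.append(Change(field, tuple(old), tuple(new), alert))
    return changes


# Constructed sample snapshots (placeholder domain, names, numbers and addresses).
BEFORE = """\
Domain Name: EXAMPLE.COM
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Updated Date: 2006-06-28T00:00:00Z
Registrar Abuse Contact Phone: 1-800-333-7680
Domain Status: clientTransferProhibited
Registrant Phone: 999 999 9999
Admin Name: Doe, Jane
Admin Phone: (610) 555-0100
Admin Email: jane.doe@example.com
Name Server: NS1.EXAMPLE.COM
>>> Last update of whois database: Sat, 11 Jan 2014 18:48:28 UTC <<<
"""

AFTER = """\
Domain Name: EXAMPLE.COM
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Updated Date: 2014-03-11T16:11:58Z
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: ok https://icann.org/epp#ok
Registrant Phone: +1.9999999999
Admin Name: Doe, Jane
Admin Phone: (610) 555-0108
Admin Email: jane.doe@mail.example.net
Name Server: NS1.EXAMPLE.COM
>>> Last update of whois database: Sat, 17 Jan 2015 01:15:35 GMT <<<
"""

if __name__ == "__main__":
    for change in diff_whois(BEFORE, AFTER):
        marker = "ALERT" if change.alert else "info "
        print(f"{marker} {change.field}: {change.before} -> {change.after} {change.alert}")
```

Run against periodically saved WHOIS output for your own domains, the alert lines are the ones to review immediately; reformatted phone numbers and status URLs do not appear as changes.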



From this time I began to find this odd, since I had also seen other similar strange cases.


In 2015, IEZ.com was listed with Bentley and managed by a previous employee named Geoff Bartlett at “[email protected]”, who was not reachable.

The domain was set to expire in 2015:


Domain Name: IEZ.COM

Registry Domain ID:

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2013-03-19T12:39:59Z

Creation Date: 1995-09-25T04:00:00Z

Registrar Registration Expiration Date: 2015-09-24T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: clientTransferProhibited

Registry Registrant ID:

Registrant Name: Bentley Systems, Incorporated

Registrant Organization: Bentley Systems, Incorporated

Registrant Street: 685 Stockton Drive

Registrant City: Exton

Registrant State/Province: PA

Registrant Postal Code: 19341

Registrant Country: US

Registrant Phone: +1.6104585000

Registrant Phone Ext:

Registrant Fax: +1.6104581060

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Bentley Systems, Incorporated

Admin Organization: Bentley Systems, Incorporated

Admin Street: 685 Stockton Drive

Admin City: Exton

Admin State/Province: PA

Admin Postal Code: 19341

Admin Country: US

Admin Phone: +1.6104585000

Admin Phone Ext:

Admin Fax: +1.6104581060

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Bentley Systems, Incorporated

Tech Organization: Bentley Systems, Incorporated

Tech Street: 685 Stockton Drive

Tech City: Exton

Tech State/Province: PA

Tech Postal Code: 19341

Tech Country: US

Tech Phone: +1.6104585000

Tech Phone Ext:

Tech Fax: +1.6104581060

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS1.BENTLEY.COM

Name Server: NS2.BENTLEY.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Fri, 23 Jan 2015 17:34:04 GMT <<<


but then it got transferred to GoDaddy and the WHOIS changed to this:


Domain Name: iez.com

Registry Domain ID: 778895_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2015-09-27T17:50:47Z

Creation Date: 1995-09-25T04:00:00Z

Registrar Registration Expiration Date: 2017-09-24T04:00:00Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.4806242505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID:

Registrant Name: Geoff Bartlett

Registrant Organization:

Registrant Street: 772 E High St

Registrant City: Pottstown

Registrant State/Province: Pennsylvania

Registrant Postal Code: 19464

Registrant Country: United States

Registrant Phone: 610.829.9315

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Geoff Bartlett

Admin Organization:

Admin Street: 772 E High St

Admin City: Pottstown

Admin State/Province: Pennsylvania

Admin Postal Code: 19464

Admin Country: United States

Admin Phone: 610.829.9315

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Geoff Bartlett

Tech Organization:

Tech Street: 772 E High St

Tech City: Pottstown

Tech State/Province: Pennsylvania

Tech Postal Code: 19464

Tech Country: United States

Tech Phone: 610.829.9315

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS1.BENTLEY.COM

Name Server: NS2.BENTLEY.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2015-10-17T11:00:00Z <<<



Notice any differences?

Again, the domain “alumni.com” belongs to World.com, but somehow Mr. Geoff Bartlett, if the WHOIS is to be believed, got access to this domain's email system and kept the information in the WHOIS very similar.

IEZ.com eventually got washed and went to Oliver Hoger in 2016.



Next we have GBR.com in 2015.

Listed in the name of GBR Systems Corporation, it had the primary account role managed by a former employee named Jeffrey Elzinga at “[email protected]”.

The company had been acquired by Sensible Technologies, LLC in 2013 and the domain got lost in the paperwork. The WHOIS showed the domain using a privacy proxy and renewed until 2017:


Domain Name: GBR.COM

Registry Domain ID:

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://www.networksolutions.com/en_US/

Updated Date: 2011-05-10T00:00:00Z

Creation Date: 1996-02-26T00:00:00Z

Registrar Registration Expiration Date: 2017-02-27T00:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: 1-800-333-7680

Reseller:

Domain Status: clientTransferProhibited

Registry Registrant ID:

Registrant Name: GBR Systems Corporation

Registrant Organization: GBR Systems Corporation

Registrant Street: ATTN insert domain name here care of Network Solutions PO Box 459

Registrant City: Drums

Registrant State/Province: PA

Registrant Postal Code: 18222

Registrant Country: US

Registrant Phone: 570-708-8780

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email:

Registry Admin ID:

Admin Name: Brewer, Jeffrey H

Admin Organization: GBR Systems Corporation

Admin Street: ATTN insert domain name here care of Network Solutions PO Box 459

Admin City: Drums

Admin State/Province: PA

Admin Postal Code: 18222

Admin Country: US

Admin Phone: 570-708-8780

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Inc., Interland,

Tech Organization: null

Tech Street: ATTN insert domain name here care of Network Solutions PO Box 459

Tech City: Drums

Tech State/Province: PA

Tech Postal Code: 18222

Tech Country: US

Tech Phone: 570-708-8780

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS61.WORLDNIC.COM

Name Server: NS62.WORLDNIC.COM

DNSSEC:

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sat, 11 Jan 2014 20:00:37 UTC <<<


but then in 2015 the domain went out of privacy and the WHOIS revealed new information about the owner.


Domain Name: GBR.COM

Registry Domain ID: 1295470_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2015-09-17T17:15:59Z

Creation Date: 1996-02-26T05:00:00Z

Registrar Registration Expiration Date: 2017-02-27T05:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: ok https://www.icann.org/epp#OK

Registry Registrant ID:

Registrant Name: Elzinga, Jeffrey

Registrant Organization:

Registrant Street: 45 Old Ridgefield Rd

Registrant City: Wilton

Registrant State/Province: CT

Registrant Postal Code: 06897

Registrant Country: US

Registrant Phone: 8603081451

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Elzinga, Jeffrey

Admin Organization:

Admin Street: 45 Old Ridgefield Rd

Admin City: Wilton

Admin State/Province: CT

Admin Postal Code: 06897

Admin Country: US

Admin Phone: 8603081451

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Elzinga, Jeffrey

Tech Organization:

Tech Street: 45 Old Ridgefield Rd

Tech City: Wilton

Tech State/Province: CT

Tech Postal Code: 06897

Tech Country: US

Tech Phone: 8603081451

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS61.WORLDNIC.COM

Name Server: NS62.WORLDNIC.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sat, 20 Feb 2016 21:28:52 GMT <<<


Again, by an extreme coincidence, “appraiser.net” is a domain belonging to World.com and the previous manager kept his personal information but managed to get access to an email from this domain name.

The domain was placed with the transfer lock off, but somehow it didn’t get transferred, probably because the true owners (who still own it today) got alerted to this strange situation.

The domain even went to expiration but was recovered by the real owners, who finally managed to put correct WHOIS information in place in 2017.



The year 2015 was very peculiar, as it did not settle down without yet another strange event, this time around HFH.com.

Incorrectly reported as sold in an expired-domain auction at GoDaddy for $163,000 USD, it got renewed in the last days before the auction was completed.

The domain had WHOIS privacy for years, but when it expired at GoDaddy it revealed this:


Domain Name: HFH.COM

Registry Domain ID: 556671_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2012-02-13T15:01:33Z

Creation Date: 1994-11-04T05:00:00Z

Registrar Registration Expiration Date: 2015-11-03T05:00:00Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.4806242505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID:

Registrant Name: HFH IT

Registrant Organization: Highland Financial Holdings

Registrant Street: c/o GoDaddy Redemption Services

Registrant Street: 14455 N. Hayden Road, Suite 219

Registrant City: Scottsdale

Registrant State/Province: AZ

Registrant Postal Code: 85260

Registrant Country: United States

Registrant Phone: +1.4805058877

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email:

Registry Admin ID:

Admin Name:

Admin Organization: Go Daddy Redemption Services

Admin Street: 14455 N. Hayden Road, Suite 219

Admin City: Scottsdale

Admin State/Province: AZ

Admin Postal Code: 85260

Admin Country: United States

Admin Phone: +1.4805058877

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name:

Tech Organization: Go Daddy Redemption Services

Tech Street: 14455 N. Hayden Road, Suite 219

Tech City: Scottsdale

Tech State/Province: AZ

Tech Postal Code: 85260

Tech Country: United States

Tech Phone: +1.4805058877

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS01.DOMAINCONTROL.COM

Name Server: NS02.DOMAINCONTROL.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2015-12-08T16:00:00Z <<<


I managed to get hold of the owner, who at first thought that he was no longer the owner; then he got an offer to buy it during the auction period, since the price it hit had spread through the domaining community.

The domain then got renewed, supposedly by the owner, and showed this:


Domain Name: HFH.COM

Registry Domain ID: 556671_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2015-11-15T14:54:53Z

Creation Date: 1994-11-04T05:00:00Z

Registrar Registration Expiration Date: 2017-11-03T05:00:00Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.4806242505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID:

Registrant Name: HFH IT

Registrant Organization: Highland Financial Holdings

Registrant Street: 381 Park Avenue South

Registrant Street: Suite 1609

Registrant City: New York

Registrant State/Province: New York

Registrant Postal Code: 10016

Registrant Country: United States

Registrant Phone: 2126795220

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: HFH IT

Admin Organization: Highland Financial Holdings

Admin Street: 381 Park Avenue South

Admin Street: Suite 1609

Admin City: New York

Admin State/Province: New York

Admin Postal Code: 10016

Admin Country: United States

Admin Phone: 2126795220

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: HFH IT

Tech Organization: Highland Financial Holdings

Tech Street: 381 Park Avenue South

Tech Street: Suite 1609

Tech City: New York

Tech State/Province: New York

Tech Postal Code: 10016

Tech Country: United States

Tech Phone: 2126795220

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS01.DOMAINCONTROL.COM

Name Server: NS02.DOMAINCONTROL.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2015-12-09T11:00:00Z <<<


Once again the domain “execs.com” belongs to World.com. The WHOIS kept showing this information for a few weeks until it got washed to a NameSilo account.

The real owner did not know the domain had been recovered and transferred out. He then reached GoDaddy, which reportedly told him that the domain had expired…



In 2016 we got PRF.com. Listed in the name of Pacific Rim Forum belonging to Alan Carroll, the domain had been listed for years under privacy and the owner was unreachable.

But then it got renewed and revealed this:


Domain Name: PRF.COM

Registry Domain ID: 2532876_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2016-10-04T15:11:03Z

Creation Date: 1998-09-22T04:00:00Z

Registrar Registration Expiration Date: 2017-09-21T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID:

Registrant Name: Michael Pickering

Registrant Organization: Michael Pickering

Registrant Street: 20 Kimberley Road

Registrant City: London

Registrant State/Province: Surrey

Registrant Postal Code: SW9 9DG

Registrant Country: GB

Registrant Phone: +44.9999999999

Registrant Phone Ext:

Registrant Fax: +44.9999999999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Pickering, Michael

Admin Organization: Michael Pickering

Admin Street: 20 Kimberley Road

Admin City: London

Admin State/Province: Surrey

Admin Postal Code: SW9 9DG

Admin Country: GB

Admin Phone: +44.9999999999

Admin Phone Ext:

Admin Fax: +44.9999999999

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Pickering, Michael

Tech Organization: Michael Pickering

Tech Street: 20 Kimberley Road

Tech City: London

Tech State/Province: Surrey

Tech Postal Code: SW9 9DG

Tech Country: GB

Tech Phone: +44.9999999999

Tech Phone Ext:

Tech Fax: +44.9999999999

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NAMESERVER.HOTSPACE.NET.AU

Name Server: NAMESERVER2.HOTSPACE.NET.AU

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2016-10-17T22:06:48Z <<<

For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.


“dr.com” is once again a domain owned by World.com. I could not, however, establish a connection between Mr. Michael Pickering and Pacific Rim Forum, so I will assume that this has been a legit domain sale/buy.

As for PRF.com it quickly got washed in the next months.



Still in 2016 we had QCO.com. Owned by QC Optics Inc. / Qco Services Inc, it had Guy Johnson as president and in the primary contact role for the domain. It had been renewed since 2012 until 2022 under privacy, but the WHOIS then showed this:


Domain Name: QCO.COM

Registry Domain ID: 820153_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2016-06-03T12:59:09Z

Creation Date: 1995-02-28T05:00:00Z

Registrar Registration Expiration Date: 2022-03-01T05:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: ok https://icann.org/epp#ok

Registry Registrant ID:

Registrant Name: Johnson, Guy

Registrant Organization:

Registrant Street: 337 Commercial St

Registrant City: Manchester

Registrant State/Province: NH

Registrant Postal Code: 03101

Registrant Country: US

Registrant Phone: 603-363-0038

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Johnson, Guy

Admin Organization:

Admin Street: 337 Commercial St

Admin City: Manchester

Admin State/Province: NH

Admin Postal Code: 03101

Admin Country: US

Admin Phone: 603-363-0038

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Johnson, Guy

Tech Organization:

Tech Street: 337 Commercial St

Tech City: Manchester

Tech State/Province: NH

Tech Postal Code: 03101

Tech Country: US

Tech Phone: 603-363-0038

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS51.WORLDNIC.COM

Name Server: NS52.WORLDNIC.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sun, 05 Jun 2016 06:25:00 GMT <<<


“technologist.com” is also a domain owned by World.com. QCO.com was placed with the transfer lock off but has not been transferred.

Interestingly, the WHOIS is still the same to this day and the email at “technologist.com” replies back. It is nice to see World.com supporting email for other persons on their names.



Again in 2016 we have JAT.com. Registered to Jugoslovenski Aerotransport / Air Serbia, it had the following WHOIS:


Domain Name: JAT.COM

Registry Domain ID:

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2015-01-18T07:50:02Z

Creation Date: 1997-03-18T05:00:00Z

Registrar Registration Expiration Date: 2016-03-19T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: clientTransferProhibited

Registry Registrant ID:

Registrant Name: Jugoslovenski Aerotransport

Registrant Organization: Jugoslovenski Aerotransport

Registrant Street: Bulevar Umetnosti 16

Registrant City: Beograd

Registrant State/Province: Serbia

Registrant Postal Code: 11000

Registrant Country: YU

Registrant Phone: +54.9999999999

Registrant Phone Ext:

Registrant Fax: +54.9999999999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Ristic, Veljko

Admin Organization: Air Serbia

Admin Street: Bulevar Umetnosti 16

Admin City: Beograd

Admin State/Province: null

Admin Postal Code: 11170

Admin Country: RS

Admin Phone: +381.112010509

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Jugoslovenski Aerotransport

Tech Organization: Jugoslovenski Aerotransport

Tech Street: Bulevar Umetnosti 16

Tech City: Beograd

Tech State/Province: Serbia

Tech Postal Code: 11000

Tech Country: YU

Tech Phone: +54.9999999999

Tech Phone Ext:

Tech Fax: +54.9999999999

Tech Fax Ext:

Tech Email: [email protected]

Name Server: DNS1.JAT.RS

Name Server: DNS2.JAT.RS

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Sat, 24 Jan 2015 16:39:50 GMT <<<


but before expiring at Network Solutions the domain got transferred to GoDaddy and started showing this:


Domain Name: jat.com

Registry Domain ID: 186883_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2016-03-04T21:54:03Z

Creation Date: 1997-03-18T05:00:00Z

Registrar Registration Expiration Date: 2017-03-19T04:00:00Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.4806242505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID: Not Available From Registry

Registrant Name: Vukasin Smiljanic

Registrant Organization:

Registrant Street: Djordja Stanojevica 14

Registrant City: Beograd

Registrant State/Province: Beograd

Registrant Postal Code: 11070

Registrant Country: RS

Registrant Phone: +381113204718

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID: Not Available From Registry

Admin Name: Vukasin Smiljanic

Admin Organization:

Admin Street: Djordja Stanojevica 14

Admin City: Beograd

Admin State/Province: Beograd

Admin Postal Code: 11070

Admin Country: RS

Admin Phone: +381113204718

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID: Not Available From Registry

Tech Name: Vukasin Smiljanic

Tech Organization:

Tech Street: Djordja Stanojevica 14

Tech City: Beograd

Tech State/Province: Beograd

Tech Postal Code: 11070

Tech Country: RS

Tech Phone: +381113204718

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: [email protected]

Name Server: DNS1.JAT.RS

Name Server: DNS2.JAT.RS

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2016-03-22T19:00:00Z <<<


Vukasin Smiljanic is an employee of Air Serbia, and once again it seems we found another person who managed to get an email from a domain belonging to World.com, in this case “europe.com”…

The owners were oblivious to the fact that the domain had been transferred, for one because the DNS servers remained the same, and have since then tried to recover it.

Not sure if it was because of this, but the domain went to expiration in 2017 and, from what I could find out, the auction didn’t complete but somehow the domain got renewed:


Domain Name: jat.com

Registry Domain ID: 186883_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2017-05-02T06:25:46Z

Creation Date: 1997-03-18T05:00:00Z

Registrar Registration Expiration Date: 2018-03-19T04:00:00Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.4806242505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID: Not Available From Registry

Registrant Name: Domain Admin

Registrant Organization:

Registrant Street: Singapore

Registrant City: Singapore

Registrant State/Province: Singapore

Registrant Postal Code: 700700

Registrant Country: SG

Registrant Phone: +65.888123123

Registrant Phone Ext:

Registrant Fax: +65.888123123

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID: Not Available From Registry

Admin Name: Domain Admin

Admin Organization:

Admin Street: Singapore

Admin City: Singapore

Admin State/Province: Singapore

Admin Postal Code: 700700

Admin Country: SG

Admin Phone: +65.888123123

Admin Phone Ext:

Admin Fax: +65.888123123

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID: Not Available From Registry

Tech Name: Domain Admin

Tech Organization:

Tech Street: Singapore

Tech City: Singapore

Tech State/Province: Singapore

Tech Postal Code: 700700

Tech Country: SG

Tech Phone: +65.888123123

Tech Phone Ext:

Tech Fax: +65.888123123

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS33.DOMAINCONTROL.COM

Name Server: NS34.DOMAINCONTROL.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2017-05-04T10:00:00Z <<<



Finally, in 2017 we have ZAV.com.

Registered for a long time to James Wadkins of ZAV Services Inc / VTAT Inc, the WHOIS got changed from:


Domain Name: ZAV.COM

Registry Domain ID: 1632182_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://networksolutions.com

Updated Date: 2017-03-05T18:05:46Z

Creation Date: 1996-04-18T04:00:00Z

Registrar Registration Expiration Date: 2018-04-19T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID:

Registrant Name: ZAV Services, Inc.

Registrant Organization: ZAV Services, Inc.

Registrant Street: 4640 S VALLEY VIEW BLVD STE D

Registrant City: LAS VEGAS

Registrant State/Province: NV

Registrant Postal Code: 89103-5531

Registrant Country: US

Registrant Phone: +1.9999999999

Registrant Phone Ext:

Registrant Fax: +1.9999999999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Wadkins, James

Admin Organization: VTAT, Inc

Admin Street: 3062 Via Del Corso Ct

Admin City: Henderson

Admin State/Province: NV

Admin Postal Code: 89052

Admin Country: US

Admin Phone: +1.7028766289

Admin Phone Ext:

Admin Fax: +1.7028766573

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Wadkins, James

Tech Organization: VTAT, Inc

Tech Street: 3062 Via Del Corso Ct

Tech City: Henderson

Tech State/Province: NV

Tech Postal Code: 89052

Tech Country: US

Tech Phone: +1.7028766289

Tech Phone Ext:

Tech Fax: +1.7028766573

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS59.WORLDNIC.COM

Name Server: NS60.WORLDNIC.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2017-03-20T08:28:56Z <<<


to:


Domain Name: ZAV.COM

Registry Domain ID: 1632182_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.networksolutions.com

Registrar URL: http://www.networksolutions.com

Updated Date: 2017-03-05T18:05:46Z

Creation Date: 1996-04-18T04:00:00Z

Registrar Registration Expiration Date: 2018-04-19T04:00:00Z

Registrar: NETWORK SOLUTIONS, LLC.

Registrar IANA ID: 2

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.8003337680

Reseller:

Domain Status:

Registry Registrant ID:

Registrant Name: ZAV Services, Inc.

Registrant Organization: ZAV Services, Inc.

Registrant Street: 4640 S VALLEY VIEW BLVD STE D

Registrant City: LAS VEGAS

Registrant State/Province: NV

Registrant Postal Code: 89103-5531

Registrant Country: US

Registrant Phone: +1.7028766200

Registrant Phone Ext:

Registrant Fax: +1.9999999999

Registrant Fax Ext:

Registrant Email: [email protected]

Registry Admin ID:

Admin Name: Wadkins, James

Admin Organization: VTAT, Inc

Admin Street: 3062 VIA DEL CORSO

Admin City: HENDERSON

Admin State/Province: NV

Admin Postal Code: 89052-4137

Admin Country: US

Admin Phone: +1.7028766200

Admin Phone Ext:

Admin Fax: +1.7028766500

Admin Fax Ext:

Admin Email: [email protected]

Registry Tech ID:

Tech Name: Wadkins, James

Tech Organization: VTAT, Inc

Tech Street: 3062 VIA DEL CORSO

Tech City: HENDERSON

Tech State/Province: NV

Tech Postal Code: 89052-4137

Tech Country: US

Tech Phone: +1.7028766200

Tech Phone Ext:

Tech Fax: +1.7028766500

Tech Fax Ext:

Tech Email: [email protected]

Name Server: NS59.WORLDNIC.COM

Name Server: NS60.WORLDNIC.COM

DNSSEC: Unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2017-06-20T23:18:23Z <<<


Notice any differences?

“techie.com” belongs to, you guessed it, World.com. However, a few months later the WHOIS was restored to the previous information. I don’t know if the owner detected something fishy in time...



There were other cases, but for those I do not have sufficient evidence to establish this odd coincidence of administrative emails linked to domains belonging to World.com.


For instance, the case of FPF.com in 2008.

The domain was listed to Heather Bloy at “[email protected]” but she was not reachable directly. The domain “accountant.com” ended up with World.com. In this case the legitimate owner is still the owner today, even with this outdated email.

A similar thing happened to HBB.com in 2009. Listed to Cevin Reers at “[email protected]”, the domain “execs.com” ended up with World.com. The domain HBB.com however got sold in the meantime.



Long story short, TL;DR:
I don't believe in coincidences but I have an open spirit. Maybe this is one of them. Several ones...
 
The views expressed on this page by users and staff are their own, not those of NamePros.
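The side-by-side comparison the opening post asks readers to make by eye ("Notice any differences?"), as an added example that is not part of the original post: a Python diff of two WHOIS snapshots that flags a removed transfer lock and changed contact fields. The field names follow the listings above; the function names, severity labels and sample records are constructed for illustration.

```python
import re

# Fields worth alerting on; street/city case rewrites are deliberately not watched.
WATCHED = re.compile(
    r"^((Registrant|Admin|Tech) (Email|Phone|Fax|Name|Organization)|Name Server)$")

def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}; empty values are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip() and not key.startswith(">>>"):
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def statuses(record):
    # EPP status codes only, without the trailing icann.org URL.
    return {v.split()[0] for v in record.get("Domain Status", [])}

def diff_snapshots(before, after):
    """Return (severity, message) findings for two parsed snapshots."""
    findings = [("HIGH", f"Domain Status removed: {s}")
                for s in sorted(statuses(before) - statuses(after))]
    for key in sorted(set(before) | set(after)):
        old = sorted(v.casefold() for v in before.get(key, []))
        new = sorted(v.casefold() for v in after.get(key, []))
        if not WATCHED.match(key) or old == new:   # case-only edits are ignored
            continue
        if key.endswith("Email"):
            moved = {v.rsplit("@", 1)[-1] for v in old} != {v.rsplit("@", 1)[-1] for v in new}
            severity = "HIGH" if moved else "MEDIUM"
        else:
            severity = "HIGH" if key == "Name Server" else "MEDIUM"
        findings.append((severity, f"{key}: {old} -> {new}"))
    return findings

# Constructed snapshots (not real records): same mailbox name, different email domain.
BEFORE = """Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Phone: +1.9999999999
Admin Name: Doe, Jane
Admin Email: jane@owner.example
>>> Last update of WHOIS database: 2017-03-20T08:28:56Z <<<"""
AFTER = """Domain Status:
Registrant Phone: +1.5555550100
Admin Name: DOE, JANE
Admin Email: jane@other.example
>>> Last update of WHOIS database: 2017-06-20T23:18:23Z <<<"""

if __name__ == "__main__":
    for severity, message in diff_snapshots(parse_whois(BEFORE), parse_whois(AFTER)):
        print(severity, message)
```

Run on a schedule against stored snapshots, a diff like this surfaces the contact and lock changes while the current owner can still object to the registrar.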
That’s a lot of work. Thanks for posting and sharing it.
Just imagine if you tracked other names! LLL’s I know from your past participation in that thread you stay updated. Nothing surprises me anymore after 2017’s numerous scandals and situations.

When you mention “washed”, are you referring to a fake sale, a move between accounts, or domainer-to-domainer trading?

I have been amused when noticing some of these “news” reports of “sales” for 6 figures, of which get reported (with never any documentation provided) and everybody posts likes in the thread. To me they appear somebody pretends to sell or flip a name, which could likely be simply a “broker” publicity stunt ego trip (never was their money anyway as was prefunded $$ by the ultimate investor who wants to remain quiet) and then wind up in the hands of the same person or “group”. Then the next week it’s repeated. Kind of a “coincidental” thing just like you mention here.
 
By "washed" I mean moving an asset quickly, either by selling it or by moving it through different registrars to hide tracks and make it more difficult to recover a domain name.
 
Long story short, TL;DR:
I don't believe in coincidences but I have an open spirit. Maybe this is one of them. Several ones...

Interesting case study...Thanks!
 
How do they manage to do this? What is Network Solutions' role in this?

And why are all these people appearing in WHOIS on various world.com domains?
 
Network Solutions' role is being one of the most wacky and insecure registrars in the market, which, given their quality portfolio of managed domains (by being the first registrar that appeared), places a huge risk on valuable domains.

In all fairness, since Web.com took over they have strengthened the security of NS, but they still have many loose ends.

The issue with domains whose WHOIS info shows administrative/registrant emails from domains belonging to World.com is that those addresses must be usable for a hacker to transfer the domain out (because they need to get the transfer email request from the new registrar). So the question is, why does someone have access to emails on those domains? And why is this pattern showing up in so many cases of clear hijacks?

On the other hand, why would someone not just use a disposable Yahoo or Gmail address? Maybe because these attract more suspicion...
 
And why are all these people appearing in WHOIS on various world.com domains?

The question is: how is the WHOIS subtly changed to the previous manager of the domain but using an email address that seems to be only in control of World.com? And only they can then accept a transfer request to another person.

It is not a million-dollar question yet, but it is already a several-hundred-thousand-dollar question...
 
My guess:
1. Someone/some company tried to reach the contact of LLL .com's.
2. No response.
3. After research, the same person/company discovered a list of LLL .com's that appear not to be in use and whose WHOIS contact is not reachable.
4. Magically acquire those LLL.com domains. (This kind of magic could be performed by hackers and/or insiders of the losing registrar.)
4.5. Optional wait time to see if there is any action from the original owner.
5. Flip to another party.
6. Profit.
 
My guess:
1. Someone/some company tried to reach the contact of LLL .com's.
2. No response.
3. After research, the same person/company discovered a list of LLL .com's that appear not to be in use and whose WHOIS contact is not reachable.
4. Magically acquire those LLL.com domains. (This kind of magic could be performed by hackers and/or insiders of the losing registrar.)
4.5. Optional wait time to see if there is any action from the original owner.
5. Flip to another party.
6. Profit.

Yes, that is the process I envision. But the question is: how do the hackers use email addresses from World.com controlled domains?...
 
@tonecas How many of the domains from your examples have been reported as stolen?
 
@tonecas How many of the domains from your examples have been reported as stolen?

AFAIK only two were/are known to be stolen by their rightful owners.
 
Yes, that is the process I envision. But the question is: how do the hackers use email addresses from World.com controlled domains?...
Right, I have the same question.
Especially since some of the @<world.com domain> emails have the same address as the original one (the part before the @).
 
Really nice work @tonecas. Thanks for making all your efforts public. Really appreciated
 