
Victims of a big fraud - And now what?

It's the first time in my 19 years of experience in the domain business that we have been victims of a big fraud, and I can't yet believe it, to be honest.

Well, in the first week of September I saw a domain auctioned at Flippa and I made a bid but the reserve didn't get met so the auction ended with the name unsold.

The auctioneer approached me privately and proposed to close a deal out**** so we reached an agreement on a fair price and used Sedo.com for the private transaction (we had some credit there so we decided to use it despite the fact we paid a bit higher fee than on Escrow).

The transfer completed successfully in a few days, so he proposed a second domain and we reached a fair agreement as well ... Again we used Sedo to close this deal and everything worked fine till Thursday, when GoDaddy removed both names from our account following a US court order.

Oh, we were shocked! It seems this guy stole both names from the original registrant and sold them fraudulently.

Well, we've lost a high $xx,xxx in favor of this scammer ... What next?

Obviously we know nothing about him, and we're aware of identity theft fraud and similar stuff, so is it really worth investing in a legal action/investigation to try getting our money back?

Obviously no, I'd say ... but I'd like to know your advice.

The only 'real data' is the bank account he has surely used to cash funds from Sedo, so I have some questions here: let's suppose a judge should order Sedo to reveal his bank account details, then we should find a second judge belonging to that jurisdiction ready to order the bank to reveal their client details, but what next?

No bank account is anonymous, but he might have used a nominee to open that account or who knows what other dirty trick.

What are your thoughts? It was really hard to suspect a fraud considering he was auctioning one of his domains at Flippa without being apparently in a rush to sell ...

But now I have other concerns regarding our future purchases too: let's say we find a domain listed with a fixed BIN of $200k on a public marketplace and we close a deal, then a few weeks later a court order forces our registrar to move the domain back to its original registrant. How may we avoid similar frauds happening again? What should we do to prevent them? Things are not as easy as in the past, when all public details were listed in whois, so it was easy querying whois history, calling the person who owned it till a few months before (in case of a recent registrant change) and checking nobody had stolen his name.

In the past we risked being victims of a similar fraud but some lucky circumstances made us suspicious so we avoided it at the last second.

In that case, the hacker didn't change whois info (so there was no recent update to the whois record) because he gained control over the registrant email so it was very hard suspecting something was wrong there ...
 
24
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Everyone seems like assuming there is only one scammer with limited resources.

Agreed, and in some 3rd-world countries there are entire districts filled with buildings full of scammers calling companies all day long, and social engineering trick to try and gain access to user accounts, bank data, personal info, etc.

A lot of these "hacker hives" are in places cops won't even go, or are paid enough not to go there.
 
2
•••
This is so unfortunate @DomainEmpire.com. Many people have offered good suggestions for us all to learn from the experience.

I have a couple of questions. This auctioneer who reached out, was someone from Flippa, or do you mean the person who was selling the domain name?

So when a service like Sedo, DAN, Epik, or Escrow handle a transaction, do they have any liability? That is legally is it that they are processing a transaction, or is it like they are reselling the domain essentially. If the latter, I would have thought they are responsible for the loss as they handled a transaction for a stolen good.

What was the date on the court order, or was it provided to you, or did GoDaddy simply say they had one. Are court orders matters of public record? If so, they must provide at least a summary of the sequence of loss of the domain name, which might help trace the fraudster.

I really hope somehow some amount gets recovered. Thanks for sharing the warning through this thread.

Bob
 
1
•••
Have you asked GoDaddy what the court order details were? From whom the domain was stolen, how and when?
Because even if it's a well planned duping, inquiry must be done as to how so many accounts (email, dynadot, sedo) were hacked.
What surprises me is that none of them had 2FA enabled.
 
3
•••
Have the domains been mentioned? No need to hide this aspect.
 
3
•••
is there any chance the real owner took the money as a seller and claimed it was a stolen property?
 
2
•••
is there any chance the real owner took the money as a seller and claimed it was a stolen property?
This...this is a real scam. But if the selling platforms aren’t held accountable it will continue.
 
2
•••
It is highly possible what @DNGear said. I am suspecting this scenario.
 
1
•••
Agreed, and in some 3rd-world countries there are entire districts filled with buildings full of scammers calling companies all day long, and social engineering trick to try and gain access to user accounts, bank data, personal info, etc.

A lot of these "hacker hives" are in places cops won't even go, or are paid enough not to go there.

If this is the case, it's impossible to get the money back. Which lawyer will go to a place to ask for the money back that cops don't go? If you can't get your money back, knowing ID and other details is worth nothing.
 
0
•••
What surprises me is that none of them had 2FA enabled.

Maybe they did, and the 2nd Factor got social engineered as well.

If you use a phone, don't assume it's bulletproof as all the big cell providers are giving away numbers like candy to scammers. They change the SIM (which is incredibly easy to do) then your precious 2FA is DOA.
 
0
•••
If this is the case, it's impossible to get the money back. Which lawyer will go to a place to ask for the money back that cops don't go? If you can't get your money back, knowing ID and other details is worth nothing.

Exactly, but who knows who is pulling this scam? It could be some kid jacking domains to pay for his Fortnite extras.

The key here is the email address used to access the account - how was it hacked and do they have any IP info that would tell you the Geo location of the scammer.

If it's somewhere like Nigeria, Kenya or Morocco, then just forget about it, as it's most likely organized crime.
 
0
•••
Maybe they did, and the 2nd Factor got social engineered as well.

If you use a phone, don't assume it's bulletproof as all the big cell providers are giving away numbers like candy to scammers. They change the SIM (which is incredibly easy to do) then your precious 2FA is DOA.

Well let's work on that

You need 2fa on email and at the registrar, in that case both have to be hacked.
When you combine 2fa x2 with two different strong passwords then you just lessened the odds dramatically.

Now I take it a step further and have Vault enabled by LastPass (similar to Google Vault) and GoDaddy won't release my domain unless I give them that code. This is also moot if someone has your phone, so you have to make sure you have a strong password on your Vault Authentication program as well.

Then last of all, I have a strong password on my phone and if you use a code make sure it is at least 7 characters long, the standard 4 is a joke.
 
0
•••
So when a service like Sedo, DAN, Epik, or Escrow handle a transaction, do they have any liability? That is legally is it that they are processing a transaction, or is it like they are reselling the domain essentially. If the latter, I would have thought they are responsible for the loss as they handled a transaction for a stolen good.

Big companies feed an army of lawyers. They can defend themselves better than a single victim.
In such a case, in fact they may not even need a lawyer army.
Stolen good is not stolen until they learned it's stolen. They can easily defend themselves if you can't prove they sold you stolen domains knowingly. You need to prove it. Because you will be accusing them of selling stolen goods. Accuser needs to prove and everyone is innocent until proven guilty.
 
1
•••
Well let's work on that

You need 2fa on email and at the registrar, in that case both have to be hacked.
When you combine 2fa x2 with two different strong passwords then you just lessened the odds dramatically.

We've talked about this before, and while there are ways to mitigate the risk (like specifically locking your SIM card), I could hardlock a personal email far better than most people do their ISP email + generic cell phone.

Remember, the code you put in the phone doesn't carry over to a new phone on a stolen SIM, and few people hardlock their SIM, let alone know how.
 
0
•••
Accuser needs to prove and everyone is innocent until proven guilty.

Not under Civil law, which a lot of countries use, including a province in Canada.
 
0
•••

https://domainnamewire.com/2018/04/05/gdpr-will-make-domain-name-transfers-more-difficult/

Someone's comment, not mine, but that says it all.

“I’m still at a huge loss as to why the world is changing whois based on some European law. Couldn’t registries based anywhere else get around the law since…well they aren’t in their jurisdiction? Just put in the TOS that people from countries with this law must use whois privacy or don’t allow these people to be customers at all..Seems absurd that the world is being punished because of this.”

Without a person’s name, phone or address, just an email enables the above OP’s scenario. Sure those things could be old or faked also, but picking up the phone or a Skype ID check in realtime video, as I suggested, is a pretty simple solution that is not 100%, but better than an email only.

https://domainnamewire.com/2018/12/27/year-in-review-gdpr/

I think if you read all the comments there and here and study further, many of us outside the EU have no inclination to care anything about EU laws as they apply only to EU entities. The knee jerk reaction and popups on US news websites too is highly annoying. Same with US banking laws being forced on non-US banks, and transactions requiring compliance with KYC, many non US people disagree with them, rightly so, but unlike GDPR, KYC actually is relevant to protect from financial fraud.

And what true benefit is GDPR to anyone including the EU?

This thread too.

https://www.namepros.com/blog/whois-display.1107830/
 
2
•••
Without a person’s name, phone or address, just an email enables the above OP’s scenario.

But the point is that allowing private information like a person's name, phone or address to be freely visible to every social engineering scammer and criminal organization in the world enables the above "stolen domain" scenario to happen.

If you doubt this, then go buy a few .US domains (which do not allow WHOIS) with your PERSONAL email, phone/cell, and address on it, and watch what happens.

There is absolutely no valid reason why someone's personal home address and phone/cell number needs to be visible worldwide in order to own a domain (name + email would suffice) and the only ones who dispute this a) hide behind a company or b) have a financial motive for saying so.
 
1
•••
But the point is that allowing private information like a person's name, phone or address to be freely visible to every social engineering scammer and criminal organization in the world enables the above "stolen domain" scenario to happen.

If you doubt this, then go buy a few .US domains (which do not allow WHOIS) with your PERSONAL email, phone/cell, and address on it, and watch what happens.

Third time. Call via Skype, look at the local ID or Passport. Talk to the person, and ask tough questions, be a sleuth. I can assume you know what I am saying. My experience with scammers and social engineering people is if you twist it around and ask them questions, they will hang up. I do not trust any unsolicited phone call or inquiry and this is going back to the 90’s. You qualify the other person up front with simple open ended questions, and depending upon their delay in responding, you can tell. Email provides no instant human interaction, and time for the scammer to invent and look up information. Hitting someone with a difficult or hard question to answer like the police do, point blank over the phone or in person is the best way to suss out people. My success in business has been based on verbal questions I ask, and control the situation. Email sucks.
 
1
•••
Third time.

I'm clearly referring to the social engineering of stealing the domain in the first place, not chasing the perp after he's already stolen it:

But the point is that allowing private information like a person's name, phone or address to be freely visible to every social engineering scammer and criminal organization in the world enables the above "stolen domain" scenario to happen.

Think "Back to the Future": where if the original owner had hidden WHOIS, the domains most likely wouldn't have been stolen.

Since I added Private WHOIS for everything, I have not had a single intrusion at all. Before that, not so lucky and it's patently obvious 3rd-world social engineers use WHOIS data to run their scams and domain thefts. If you prevent stolen domain crimes from happening, that is a far more proactive approach than trying to catch the criminal *after* the domain theft has happened.
 
0
•••
“I’m still at a huge loss as to why the world is changing whois based on some European law. Couldn’t registries based anywhere else get around the law since…well they aren’t in their jurisdiction? Just put in the TOS that people from countries with this law must use whois privacy or don’t allow these people to be customers at all..Seems absurd that the world is being punished because of this.”

I think you hit it right on, for those of us in North America this whole whois privacy is lunacy. They should go back to the old system and let the Europeans fight their own privacy wars. So basically when we deal within our own borders we don't have to worry about this lunacy.

Won't help us when dealing with someone from Europe but in all my years of business I have rarely done business in Europe so a North American WHOIS system would benefit me greatly.

Next France or some country will say we are not allowed to look at dns servers and instantly the whole world panics. We should just change it for the countries that are mandating it and when they see the troubles it causes they can change back if they want to.
 
2
•••
Next France or some country will say we are not allowed to look at dns servers and instantly the whole world panics.
Wouldn't surprise me, especially with that little world statesman they have in charge.

The EU knows how people should live their lives don't you know?
 
0
•••
I think you hit it right on, for those of us in North America this whole whois privacy is lunacy. They should go back to the old system and let the Europeans fight their own privacy wars. So basically when we deal within our own borders we don't have to worry about this lunacy.

Won't help us when dealing with someone from Europe but in all my years of business I have rarely done business in Europe so a North American WHOIS system would benefit me greatly.

Next France or some country will say we are not allowed to look at dns servers and instantly the whole world panics. We should just change it for the countries that are mandating it and when they see the troubles it causes they can change back if they want to.

Welcome back, I asked where you went on another thread but see you returned.

Credit goes to the person who commented on DNW, I just put it up in quotes that statement, but reflects my thinking.

This entire world of attempted global control under one umbrella sucks too, that is the bigger picture and lunacy behind this sort of change. So, like for example the OECD based in France is forcing various Countries, albeit smallest or poor ones to comply with onerous new structural govt regulations in order to trade in the world. Cultures are all different, business norms and record keeping is different. They want all these databases online across countries for audit. No more SA’s for example in certain locations in Latin America, but more taxes to pay for these stupid French and their pals regulations too. Also such compliance it increases work for societies “overhead” Lawyers, accountants, banks and bookkeepers wealth. One woman who cuts my hair makes under probably $800 a month, she closed up her shop, shares a chair now has to comply with ridiculous costly new tax reporting to pay meager taxes all due to such laws from these changes imposed from the EU, by the OECD, etc.

In years of non-domain business I rarely had inquiries from any European Countries even though the niche products I sold were not always available in Europe. They usually bought locally, and were loyal to some smiley sales rep who visited them in person. Which is fine, it's the culture. The Amazon thing and Google privacy Lawsuits though are backlash to undercutting locals. I get it, but then EU ISP’s should block Google or IP’s of External websites that are non compliant with GDPR. Their problem.

The US used to be sales rep oriented like that too, but that behavior has changed completely and it was good for my small Company for a decade.

Look at retail and Forever 21 restructuring or closing up yesterday. I read that they blame a Swedish and Spanish company (m&k and zara) on US soil. Too bad really a private US company with $1 billion in debt, didn't compete. Not sure what happened, but going to read more about it.

I wasn't retail, so had plenty of Customers though in Canada and Mexico and South America and parts of Asia/Pacific though who bought direct from us. No problems really until the internet growth and expansion.
 
1
•••
Exactly, but who knows who is pulling this scam? It could be some kid jacking domains to pay for his Fortnite extras.

The key here is the email address used to access the account - how was it hacked and do they have any IP info that would tell you the Geo location of the scammer.

If it's somewhere like Nigeria, Kenya or Morocco, then just forget about it, as it's most likely organized crime.

If someone can log in to random email and registrar accounts without knowing anything about login details, I am sure that person will be intelligent enough to hide his/her IP even if he/she is from those countries. Not only to hide but also using multiple IPs may be a technical necessity as most servers block attacking IPs for x hours/days after several failed login attempts. I would be surprised if a hacker was caught by IP. Current web tracking technology is focused on identifying devices instead of IP. So even if hackers always hide IP, their identified devices can be tracked. This is how ad companies display targeted ads. However if hacker uses the same device for only once after a successful hack device tracking also can not help.

I agree. The hacker may be earning very little portion of stolen things, may be a victim, may be threatened for something. Intelligent persons always avoid harming innocent people unless they are under some heavy pressure, are kids with bad parents or had serious traumas in the past so they have lost ability to know what is right or what is wrong. In any of these most likely scenarios getting the money back is almost impossible. Because the money would be in hands of idiot persons with little empathy, in other words, bad persons who have no exceptional skill except being very bad for lack of a normal level of intelligence. Most illegals have low IQ. Intelligent persons have highly developed empathy sense and obey all the laws and rules more than most people. Under normal conditions they are the last people who will do bad things.
 
0
•••
I'm clearly referring to the social engineering of stealing the domain in the first place,

Bud, I don’t communicate here well in writing with you I guess for some reason, I am sorry for whatever I suggested being misunderstood.

I never suggested chasing down someone after the domain was stolen. Why would I suggest you or anyone call someone after the domain was stolen? Makes no sense. I suggested up front, OP could have done what I suggested to confirm seller's identity. Seems like a solution available to me, maybe not others who don’t speak good English, or uncomfortable talking on the phone.

Even with privacy in place, my inbox and spam box are loaded with spam forwarded via privacy forwarded registrar addresses and also scam emails. I get emails daily for renewal scammers which I sold or dropped. GDPR has done nothing for my inbox.
 
0
•••
This is so unfortunate @DomainEmpire.com. Many people have offered good suggestions for us all to learn from the experience.

I have a couple of questions. This auctioneer who reached out, was someone from Flippa, or do you mean the person who was selling the domain name?

So when a service like Sedo, DAN, Epik, or Escrow handle a transaction, do they have any liability? That is legally is it that they are processing a transaction, or is it like they are reselling the domain essentially. If the latter, I would have thought they are responsible for the loss as they handled a transaction for a stolen good.

What was the date on the court order, or was it provided to you, or did GoDaddy simply say they had one. Are court orders matters of public record? If so, they must provide at least a summary of the sequence of loss of the domain name, which might help trace the fraudster.

I really hope somehow some amount gets recovered. Thanks for sharing the warning through this thread.

Bob

Bob, I have been working on a big post on this for a while. Sedo and GoDaddy's position is that they are not responsible and they will not reimburse you. @Reza did reimburse someone who got scammed at GoDaddy because they were involved somewhere in the chain.
 
3
•••
Not under Civil law, which a lot of countries use, including a province in Canada.

Do you mean cops collect proofs on behalf of victims? It's correct. But in the end, proofs are needed. If you will accuse someone of something (i.e. marketplaces/escrow services for selling stolen goods) you, cops or someone else need to prove they are really selling stolen goods knowingly and planned.
 
0
•••