
Victims of a big fraud - And now what ?

It's the first time in my 19-year experience in the domain business that we have been victims of a big fraud, and I still can't believe it, to be honest.

Well, in the first week of September I saw a domain auctioned at Flippa and I made a bid, but the reserve wasn't met, so the auction ended with the name unsold.

The auctioneer approached me privately and proposed closing a deal out****, so we reached an agreement on a fair price and used Sedo.com for the private transaction (we had some credit there, so we decided to use it despite paying a slightly higher fee than on Escrow).

The transfer was successfully completed in a few days, so he proposed a second domain and we reached a fair agreement as well ... Again we used Sedo to close this deal, and everything worked fine until Thursday, when GoDaddy removed both names from our account following a US court order.

Oh, we were shocked! It seems this guy stole both names from the original registrant and sold them fraudulently.

Well, we've lost a high $xx,xxx to this scammer ... What next?

Obviously we know nothing about him; we're aware of identity theft fraud and similar stuff, so is it really worth investing in a legal action/investigation to try to get our money back?

Obviously not, I'd say ... but I'd like to know your advice.

The only 'real data' is the bank account he has surely used to cash out the funds from Sedo, so I have some questions here: let's suppose a judge orders Sedo to reveal his bank account details; then we would need to find a second judge in that jurisdiction willing to order the bank to reveal their client's details, but what next?

No bank account is anonymous, but he might have used a nominee to open that account, or who knows what other dirty trick.

What are your thoughts? It was really hard to suspect a fraud, considering he was auctioning one of his domains at Flippa without apparently being in a rush to sell ...

But now I have other concerns regarding our future purchases too: let's say we find a domain listed with a fixed BIN of $200k on a public marketplace and we close a deal; then a few weeks later a court order forces our registrar to move the domain back to its original registrant. How can we avoid similar frauds happening again? What should we do to prevent them? Things are not as easy as in the past, when all public details were listed in whois, so it was easy to query whois history, call the person who owned it until a few months before (in case of a recent registrant change) and check that nobody had stolen his name.

In the past we risked being victims of a similar fraud, but some lucky circumstances made us suspicious, so we avoided it at the last second.

In that case, the hacker didn't change the whois info (so there was no recent update to the whois record) because he had gained control over the registrant email, so it was very hard to suspect something was wrong there ...
 
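The pre-purchase check described in the post above (look at the registration history, treat a recent registrant or registrar change on a long-held name as a warning, and confirm with the previous holder before paying) can be scripted against RDAP data. The following Python is an added example, not code from this thread, from Sedo, Flippa or any registrar. The RDAP record is constructed in the shape of the RFC 9083 "events" and "status" members, the WHOIS-history snapshots and their (date, registrant, registrar) format are an assumption (real history services have their own formats), and the 90-day window is a chosen default, not a figure from the thread.

```python
"""Pre-purchase provenance check over RDAP-style data (added example, not from the thread)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed RDAP-shaped record (RFC 9083 "events"/"status" members); names and
# dates are made up for this example.  The registration is old, but the name was
# transferred and modified days ago: the pattern of a freshly hijacked domain.
RDAP_RECENTLY_MOVED = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2008-03-14T10:00:00Z"},
        {"eventAction": "transfer", "eventDate": "2019-09-05T02:11:00Z"},
        {"eventAction": "last changed", "eventDate": "2019-09-05T02:11:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-03-14T10:00:00Z"},
    ],
}
# Constructed WHOIS-history snapshots as (date, registrant, registrar).  The shape
# is an assumption; real history services have their own formats.
HISTORY_RECENTLY_MOVED = [
    ("2017-01-10T00:00:00Z", "Original Holdings LLC", "Registrar A"),
    ("2019-06-01T00:00:00Z", "Original Holdings LLC", "Registrar A"),
    ("2019-09-05T00:00:00Z", "REDACTED FOR PRIVACY", "Registrar B"),
]
# A boring record for contrast: same holder and registrar for years, locks in place.
RDAP_STABLE = {
    "ldhName": "example.net",
    "status": ["client transfer prohibited", "client update prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2010-05-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2018-04-30T00:00:00Z"},
    ],
}
HISTORY_STABLE = [
    ("2016-01-01T00:00:00Z", "Stable Co", "Registrar A"),
    ("2019-01-01T00:00:00Z", "Stable Co", "Registrar A"),
]


def _ts(s: str) -> datetime:
    """Parse the RDAP-style UTC timestamp used throughout the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Assessment:
    flags: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "HOLD: confirm with the prior registrant before paying" if self.flags else "no provenance flags"


def assess(rdap: dict, history: list, now: str, window_days: int = 90) -> Assessment:
    """Flag recent ownership churn, long-held names that just moved, and missing locks."""
    result = Assessment()
    cutoff = _ts(now) - timedelta(days=window_days)
    events = {e["eventAction"]: _ts(e["eventDate"]) for e in rdap.get("events", [])}
    registered = events.get("registration")

    # A transfer or modification inside the window on a name held for years is the
    # strongest signal: a legitimate long-term holder rarely moves and sells at once.
    for action in ("transfer", "last changed"):
        when = events.get(action)
        if when and when >= cutoff:
            note = f"{action} {(_ts(now) - when).days} days ago"
            if registered and (when - registered).days >= 365:
                note += f" on a name registered {(when - registered).days // 365} years earlier"
            result.flags.append(note)

    # Registrant or registrar changing between consecutive history snapshots.
    snaps = sorted((_ts(d), who, where) for d, who, where in history)
    for (_, who0, where0), (d1, who1, where1) in zip(snaps, snaps[1:]):
        if d1 >= cutoff and (who0 != who1 or where0 != where1):
            result.flags.append(f"registrant/registrar changed {d1.date()}: {who0}@{where0} -> {who1}@{where1}")

    # An unlocked name is easier to move again, in either direction.
    if "client transfer prohibited" not in rdap.get("status", []):
        result.flags.append("no transfer lock on the record")
    return result


if __name__ == "__main__":
    for label, rec, hist in (("moved", RDAP_RECENTLY_MOVED, HISTORY_RECENTLY_MOVED),
                             ("stable", RDAP_STABLE, HISTORY_STABLE)):
        a = assess(rec, hist, "2019-09-20T00:00:00Z")
        print(label, "->", a.verdict, a.flags)
```

The flags are only a trigger for the manual step the post describes: reaching the previous registrant through a channel that does not go through the seller (an old contact from the history snapshot, the company's published phone number, a LinkedIn profile), since a seller who controls the registrant mailbox will pass any check routed through that mailbox.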
Wow. This is incredible, and very difficult to defend.

Here are my observations: multiple systems may be compromised, and the scammer seems to be monitoring the transactions and knew exactly when to ask for money and how to conduct the transactions.

It was in the news that a home buyer lost $100k because a scammer sent him an email about a change in wiring instructions. The scammer knew when to send him the email instructions.

I recently received a domain renewal bill via PayPal from GoDaddy (with the GoDaddy logo), but the domain was set to auto-renew the next day via credit card. The scammer knew when the domain name was expiring and that I had a PayPal account (I have since changed the email addresses for each).

Perhaps the Flippa auction was by the real owner; the scammer had already compromised his email but waited for just the right time to scam the interested buyers.

Perhaps we need to rethink security best practices. Systems are being compromised everywhere. Adding authentication steps and rules doesn't seem to help much.
 
Sorry to hear about this, that is terrible.

It's definitely a strong case for crypto transactions. The best thing is to ID the person on LinkedIn, though this of course is far from perfect.
 
Really sucks. I have been scammed a few times before; you learn, but it's bound to happen over 20+ years. The worst ones are when trusted people turn bad, e.g. an accountant steals your money for the casino. I see more scams than business, and personally about 50% of the spam would be underhanded.
 
... in a crypto transaction the funds are untraceable...

That's what coiners want you to believe :), every #c is traceable, even most IDs.
 
Another suspicious thing happened here: we got both names on 09/05/2019 by transferring them from Dynadot to GoDaddy (the hacker supplied the codes and called the registrar to speed up the transfer).
The court order reached GoDaddy, which moved both names to another account on 09/26 ... Multiple things happened too quickly here; it's really worth investigating a bit more, because I'm starting to suspect we might not have bought from the hacker but from another victim ... Just a possibility.
 
If the precautions mentioned above work, why do scams never end?

But now I have other concerns regarding our future purchases too: let's say we find a domain listed with a fixed BIN of $200k on a public marketplace and we close a deal; then a few weeks later a court order forces our registrar to move the domain back to its original registrant. How can we avoid similar frauds happening again? What should we do to prevent them?

If a deal is too good to be true, I would stay away from it. This is the best protection. I am after fair deals, not very good ones.

If you can't stop looking for too-good-to-be-true offers, stick to registrar marketplaces. They provide the best protection for buyers as well as sellers. Imagine if you had bought those domains from a registrar marketplace. How likely would you be to get scammed? Yes, they charge more than third-party escrow services. Maybe their fee is not too good to be true?
 
Well, maybe he is a legitimate buyer from a second party who had stolen it, so his escrow account could be legit.

It is basically hot potato, and the one left holding the bag gets stuck with the bill.
 
I believe that the onus falls on the platform that ensures a secure transaction. If Flippa, Sedo, GoDaddy... decide to take a listing and facilitate the transaction, they are 100% on the hook if it goes south.

That's my opinion. Selling stolen property is a crime...
As many times as that has happened, I have never once heard of the platform owning up to covering the losses.
 
You can thank the EU and their brilliance in forcing this GDPR down the throats of the world. Worse yet, all registrars are complying with it too..

Hardly.

the hacker didn't change the whois info (so there was no recent update to the whois record) because he had gained control over the registrant email, so it was very hard to suspect something was wrong there
 
Agreed, and in some 3rd-world countries there are entire districts filled with buildings full of scammers calling companies all day long and using social engineering tricks to try to gain access to user accounts, bank data, personal info, etc.

A lot of these "hacker hives" are in places cops won't even go, or are paid enough not to go there.

If this is the case, it's impossible to get the money back. Which lawyer will go to a place where cops don't go to ask for the money back? If you can't get your money back, knowing the ID and other details is worth nothing.
 
What surprises me is that none of them had 2FA enabled.

Maybe they did, and the 2nd factor got social engineered as well.

If you use a phone, don't assume it's bulletproof, as all the big cell providers are giving away numbers like candy to scammers. They change the SIM (which is incredibly easy to do), then your precious 2FA is DOA.
 
If this is the case, it's impossible to get the money back. Which lawyer will go to a place where cops don't go to ask for the money back? If you can't get your money back, knowing the ID and other details is worth nothing.

Exactly, but who knows who is pulling this scam? It could be some kid jacking domains to pay for his Fortnite extras.

The key here is the email address used to access the account: how was it hacked, and do they have any IP info that would tell you the geolocation of the scammer?

If it's somewhere like Nigeria, Kenya or Morocco, then just forget about it, as it's most likely organized crime.
 
Maybe they did, and the 2nd factor got social engineered as well.

If you use a phone, don't assume it's bulletproof, as all the big cell providers are giving away numbers like candy to scammers. They change the SIM (which is incredibly easy to do), then your precious 2FA is DOA.

Well, let's work on that.

You need 2FA on email and at the registrar; in that case both have to be hacked.
When you combine 2FA x2 with two different strong passwords, then you have just lessened the odds dramatically.

Now I take it a step further and have Vault enabled by LastPass (similar to Google Vault), and GoDaddy won't release my domain unless I give them that code. This is also moot if someone has your phone, so you have to make sure you have a strong password on your Vault authentication program as well.

Then, last of all, I have a strong password on my phone, and if you use a code make sure it is at least 7 characters long; the standard 4 is a joke.
 
Well, let's work on that.

You need 2FA on email and at the registrar; in that case both have to be hacked.
When you combine 2FA x2 with two different strong passwords, then you have just lessened the odds dramatically.

We've talked about this before, and while there are ways to mitigate the risk (like specifically locking your SIM card), I could hardlock a personal email far better than most people do their ISP email + generic cell phone.

Remember, the code you put on the phone doesn't carry over to a new phone on a stolen SIM, and few people hardlock their SIM, let alone know how.
 
The accuser needs to prove it, and everyone is innocent until proven guilty.

Not under civil law, which a lot of countries use, including a province in Canada.
 
Third time.

I'm clearly referring to the social engineering of stealing the domain in the first place, not chasing the perp after he's already stolen it:

But the point is that allowing private information like a person's name, phone or address to be freely visible to every social-engineering scammer and criminal organization in the world enables the above "stolen domain" scenario to happen.

Think "Back to the Future": if the original owner had had hidden WHOIS, the domains most likely wouldn't have been stolen.

Since I added private WHOIS for everything, I have not had a single intrusion at all. Before that, not so lucky, and it's patently obvious 3rd-world social engineers use WHOIS data to run their scams and domain thefts. If you prevent stolen-domain crimes from happening, that is a far more proactive approach than trying to catch the criminal *after* the domain theft has happened.
 
Next France or some other country will say we are not allowed to look at DNS servers, and instantly the whole world panics.
Wouldn't surprise me, especially with that little world statesman they have in charge.

The EU knows how people should live their lives, don't you know?
 
Exactly, but who knows who is pulling this scam? It could be some kid jacking domains to pay for his Fortnite extras.

The key here is the email address used to access the account: how was it hacked, and do they have any IP info that would tell you the geolocation of the scammer?

If it's somewhere like Nigeria, Kenya or Morocco, then just forget about it, as it's most likely organized crime.

If someone can log in to random email and registrar accounts without knowing anything about the login details, I am sure that person will be intelligent enough to hide his/her IP even if he/she is from those countries. Not only hiding it, but also using multiple IPs may be a technical necessity, as most servers block an attacking IP for x hours/days after several failed login attempts. I would be surprised if a hacker was caught by IP. Current web tracking technology is focused on identifying devices instead of IPs. So even if hackers always hide their IP, their identified devices can be tracked. This is how ad companies display targeted ads. However, if the hacker uses the same device only once after a successful hack, device tracking also cannot help.

I agree. The hacker may be earning a very small portion of the stolen goods, may be a victim, may be being threatened over something. Intelligent persons always avoid harming innocent people unless they are under some heavy pressure, are kids with bad parents or had serious traumas in the past so that they have lost the ability to know what is right or wrong. In any of these most likely scenarios, getting the money back is almost impossible, because the money would be in the hands of idiotic persons with little empathy, in other words bad persons who have no exceptional skill except being very bad for lack of normal-level intelligence. Most criminals have low IQ. Intelligent persons have a highly developed sense of empathy and obey all the laws and rules more than most people. Under normal conditions they are the last people who will do bad things.
 
I'm clearly referring to the social engineering of stealing the domain in the first place,

Bud, I don't communicate well in writing with you here, I guess, for some reason. I am sorry for whatever I suggested being misunderstood.

I never suggested chasing down someone after the domain was stolen. Why would I suggest you or anyone call someone after the domain was stolen? Makes no sense. I suggested up front that the OP could have done what I suggested to confirm the seller's identity. Seems like a solution available to me, maybe not to others who don't speak good English or are uncomfortable talking on the phone.

Even with privacy in place, my inbox and spam box are loaded with spam forwarded via privacy-forwarded registrar addresses and also scam emails. I get emails daily from renewal scammers for domains which I sold or dropped. GDPR has done nothing for my inbox.
 
Not under civil law, which a lot of countries use, including a province in Canada.

Do you mean cops collect proof on behalf of victims? That's correct. But in the end, proof is needed. If you accuse someone of something (i.e. marketplaces/escrow services of selling stolen goods), you, the cops or someone else need to prove they are really selling stolen goods knowingly and in a planned way.
 
It's very important. You may ask why ID is not a big problem for criminals. How do they steal people's IDs? I believe one of their biggest sources is the fake KYC requirements of irrelevant websites. We don't know whether they really protect our ID or sell our IDs to criminals. Why? Because the internet is global. Most people send their ID to another part of the world just to sell or buy something one time.

Assume I will start a company and want to buy a domain. It's a one-time purchase. Normally it's a shopping activity. Also, I am not in the same country as the company requiring my ID. How can I follow their practices in protecting my ID? I can't. Do they know this? Yes, because they require my address documents as well, so they know my location and know I can do nothing to them because of the great geographical distance. If they lose or sell my ID, can I do nothing? Maybe if I learn of it; at least I can report them to the authorities in my country and let them take care of the rest. But how can I learn beyond doubt that they have sold or lost my ID? It's impossible to learn. Why should I take such a great risk just to purchase a domain only once in my life? It would be one of the most stupid things I ever did. Marketplaces are not doing finance-related business and have no authority to ask for ID. Furthermore, it's almost impossible to have financial services remotely over the internet. To open a bank account you have to physically sign the papers in front of the bank/finance company personnel. Basically you can do almost nothing on the internet that would require your ID.
 
Agreed, and in some 3rd-world countries there are entire districts filled with buildings full of scammers calling companies all day long and using social engineering tricks to try to gain access to user accounts, bank data, personal info, etc. A lot of these "hacker hives" are in places cops won't even go, or are paid enough not to go there.

By coincidence, last night I was watching some very interesting YouTube videos by several India scam-buster channels covering the exact things you referred to above. They are geniuses in their scamming ability. It's really hard to believe how easily they can do it. P.S. The ones I watched were calling people in the US and UK (not companies) from call centers and using the same methods to do the fraud.
 
KYC is almost everywhere nowadays... including popular crypto exchanges...
 
You could have asked the seller to do a Skype call and recorded it with his ID right there on screen, like Escrow does too.

Wow! 26 years on the fringe of the industry, now fully in it, & I applaud your suggestions as wise. Our concern is in the opposite direction, as all 8k domains were hand-registered, yet "BOTH parties identifying themselves beyond question" is purely brilliant, and you just turned it into a 60-second secret!

@DomainRecap, you are one smart cookie I anticipate learning even more from. Huge thank you!
 