Old 01-18-2005, 08:45 PM   #1
arg
Confirmed User
 
Join Date: Feb 2003
Posts: 1,164
Weekend domain hijackings

Another high-traffic domain hijack this weekend was panix.com, an ISP.

http://news.netcraft.com/archives/20...jacking.html

On GFY, there were three domains reported, and KRL said he got private mail concerning three other hijacked domains. Panix.com was at Dotster hijacked to melbourneit, Sleazy's was at Dotster hijacked to Directi, KRL's other reported hijackings were at Dotster hijacked to unspecified registrars, Chris72's boobza.com was at Register.com hijacked to Directi, and Blaze's was at DirectNIC hijacked to qnic.

Dotster seems to be overly represented, and I'll be curious if they mention anything publicly about why this might be. Their failure to lock domains after ICANN's policy change seems like it might be a factor...some registrars locked all domains by default, so users have to unlock them to transfer them. Though Panix said their domain was locked.

Of the receiving registrars, Directi is based in India, MelbourneIT in Australia, and QNic varyingly lists US contact info and illegally meaningless info on their domains. MelbourneIT said they had a loophole, now corrected, that allowed them to be used for the hijacking, though they didn't provide details.
Old 01-18-2005, 08:55 PM   #2
SmokeyTheBear
►SouthOfHeaven
 
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
why these retards don't think of these things BEFORE it happens. (icann)
__________________
hatisblack at yahoo.com
Old 01-18-2005, 08:57 PM   #3
blazi
Confirmed User
 
Join Date: Feb 2003
Location: Closer now
Posts: 4,321
how are all these hijackers on the loose? were they given a day pass from prison?
__________________

makingcoin.com - 100% payouts
coinscuties.com
Old 01-18-2005, 08:59 PM   #4
blazi
Confirmed User
 
Join Date: Feb 2003
Location: Closer now
Posts: 4,321
*bump* for hijack haters!!
__________________

makingcoin.com - 100% payouts
coinscuties.com
Old 01-19-2005, 05:24 AM   #5
Firehorse
Desire it and have it!!!
 
 
Join Date: Apr 2002
Location: www.fuckwithfire.com ICQ 512915
Posts: 30,767
That sucks. It's time they really got their shit tight!
__________________
MySweetEbony
Old 01-19-2005, 05:27 AM   #6
polish_aristocrat
Too lazy to set a custom title
 
Join Date: Jul 2002
Posts: 40,377
I still have most of my important domains with Dotster, I thought they were the most reliable company.

I was planning moving them to Name Cheap, so now I think I will finally do it.
Old 01-19-2005, 05:33 AM   #7
Jace
FBOP Class Of 2013
 
Industry Role:
Join Date: Jan 2004
Location: bumfuck, ky
Posts: 35,562
wow, how does anyone ever let this happen? i have so much security on my domains now, it would be pretty hard (no, i am not challenging someone, haha)
Old 01-19-2005, 10:25 AM   #8
Ron Bennett
Confirmed User
 
Join Date: Oct 2003
Posts: 1,653
Registrar-lock is the only real protection against bogus registrar transfers ... account passwords, etc are meaningless in that context - if the domain is unlocked (speaking of .com/.net domains) it will very likely transfer, simple as that.

And then there's the WDPRS ... a security hole still wide open - and registrar-lock doesn't even matter! The only decent protection for WDPRS http://wdprs.internic.net/ exploits at the moment is to:

1. Consolidate all domains to one or two registrars - this allows one to better track changes.

AND

2. Ensure all domains have similar email contact information - WDPRS is done via email ... miss that email and your domain(s) can be gone in mere days!

AND

3. Related to #2, have access to a computer even on holiday; don't take a holiday to begin with LOL! Every registrar I've contacted so far will suspend/delete domains in as little as 5 to 15 days if the registrant doesn't respond to a Whois Data Problem Report - even if it's obviously bogus!

Lastly, exploiting the WDPRS isn't theoretical ... it's been going on for a while, but is still under the radar so to speak ... but don't expect that to be the case much longer - while such posts as mine likely will encourage more folks to try using the WDPRS to get already registered domains they want, hopefully ICANN will get their act together and implement meaningful security that truly protects the registrant ...

Ron
__________________
Domagon - Website Management and Domain Name Sales
Old 01-19-2005, 11:34 AM   #9
xclusive
Too lazy to set a custom title
 
Join Date: Apr 2004
Location: Buffalo, NY
Posts: 35,218
I actually have an email account that i use just for all my domain registrations. I forward that to my main box and it makes it easy to keep track of all my domains.
__________________

I support MediumPimpin.com / Shemp's Outlawtgp.com /


Old 01-19-2005, 11:45 AM   #10
SmokeyTheBear
►SouthOfHeaven
 
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
Quote:
Originally Posted by xclusive
I actually have an email account that i use just for all my domain registrations. I forward that to my main box and it makes it easy to keep track of all my domains.

What if that email box were to be flooded with email, then those emails would bounce..
__________________
hatisblack at yahoo.com
Old 01-19-2005, 12:32 PM   #11
Google Expert
Webmaster
 
 
Industry Role:
Join Date: Jun 2004
Posts: 14,294
so was it a fuckup on Dotster's part?
Old 01-19-2005, 12:41 PM   #12
DomBuyer
Confirmed User
 
Join Date: Sep 2002
Location: Amalfi Coast
Posts: 2,595
You know this is all the legacy of the US courts allowing Network Solutions to avoid liability for years on stolen domains. Still amazes me. If they'd been nailed, as they should have been, you can be damn sure a domain would never get stolen from thereafter.
Old 01-19-2005, 01:56 PM   #13
Ron Bennett
Confirmed User
 
Join Date: Oct 2003
Posts: 1,653
That's why #1, consolidating all domains to one or two registrars, I mentioned above is so important...

If one sees, or even suspects, their email isn't functioning properly, they can easily login to the registrar(s) and check the status of all their domains; inquire about any outstanding Whois Data Problem Reports. One can't easily do this if their domains are spread out all over numerous registrars.

There isn't any sure proof way to prevent one's email box being flooded ... with that said, it's a good idea to set up the email box to forward (and/or via some other method) a copy of the email to a second email box on another server - this won't stop DoS attacks per se, but it still offers additional security in that if the primary email box becomes corrupt/hacked, one will have copies of all emails up to the point the primary email box failed - this allows one to read any suspicious emails that may have come through before the email box failure...

Lastly, one would assume that registrars would rely more on internal message systems, but most all registrars still use email for important correspondence. I'm surprised there aren't more phishing attempts to steal people's domains - such phishing would likely work too since many folks use the same few registrars (many of which outsource some of their functions to India, etc; outsourced support is often lacking, especially in emergencies), such as Enom, BulkRegister, GoDaddy, etc ... and the format of such emails is so predictable, I'm surprised no one seems to be doing this yet - glad no one is, but surprising nevertheless. Ok, I'm digressing here, but sadly until there are some bulk/high-profile domain hijackings/thefts, things likely aren't going to change in regards to registrant security, which as of now is severely lacking.

Ron
__________________
Domagon - Website Management and Domain Name Sales
Old 01-19-2005, 05:02 PM   #14
arg
Confirmed User
 
Join Date: Feb 2003
Posts: 1,164
Quote:
Originally Posted by Cylon
so was it a fuckup on Dotster's part?
According to the Netcraft article, Dotster.com has not automatically locked domains, as some other registrars have. And Chris72 posted a letter from Register.com that said they'd be unable to lock domains for at least a month until they upgrade their software. That's not exactly a fuckup, as ICANN doesn't require it of registrars, but they apparently chose to do nothing about the new security threats. I would guess that this alleged inaction was a factor, but it's going to be hard getting details of what exactly happened, since the registrars involved are unlikely to publicize the details.
Old 01-19-2005, 05:05 PM   #15
polish_aristocrat
Too lazy to set a custom title
 
Join Date: Jul 2002
Posts: 40,377
dotster has a typical lock and a bonus "name safe" option that costs like $10 per year and i've been paying for it for a few domains..don't tell me it was wasted money
Old 01-19-2005, 05:06 PM   #16
polish_aristocrat
Too lazy to set a custom title
 
Join Date: Jul 2002
Posts: 40,377
btw i always thought that keeping your names in more than one registrar would be safer, f.e if they hack your dotster account, you will still have 50% of your names in your name cheap account...so you will never lose all domains
Old 01-19-2005, 05:42 PM   #17
Ron Bennett
Confirmed User
 
Join Date: Oct 2003
Posts: 1,653
Yes, perhaps spreading out one's domains across 2 or 3 registrars may be safer for the reason you brought up, but beyond 2 or 3 registrars, the odds of losing track of domains greatly increase; more chances of domains being stolen - seems contradictory, but more accounts means more possible vectors of attack - and unless one is using different passwords, etc for each registrar, the benefits of using numerous registrars for security reasons may be of limited utility anyways.

"Name safe" ... $10 per domain? Wow, I'm definitely in the wrong business LOL!

Save the $10/domain and just make sure registrar-lock is REALLY ON by checking the VeriSign .COM registry directly (or using one of several decent Whois services) for each domain to be sure the registrar-lock status is really on.

Ron
__________________
Domagon - Website Management and Domain Name Sales
Old 01-19-2005, 05:58 PM   #18
nico-t
emperor of my world
 
Join Date: Aug 2004
Location: nethalands
Posts: 29,903
damn now I'm hearing again something new.... so locking is again another thing than parking?
Old 01-19-2005, 06:24 PM   #19
arg
Confirmed User
 
Join Date: Feb 2003
Posts: 1,164
Quote:
Originally Posted by nico-t
damn now I'm hearing again something new.... so locking is again another thing than parking?
Locking is very different from parking. It always has been, and they're not even similar, so I think you either misunderstood before, or else you read something from someone who was misinformed.

Parking typically means setting a domain name's web site to a simple web site, usually just one page...often registrars have a "free parking page" that will say something like "coming soon! meanwhile click on one of these links!"

Locking means setting a domain's status to "REGISTRAR-LOCK" so that it cannot easily be transferred between registrars. It can be transferred between accounts at the same registrar, but can't leave the registrar until it has been changed from status "REGISTRAR-LOCK" to status "ACTIVE." Some registrars use different terminology than "locking," referring to it instead as securing or protecting a domain. Some registrars also implement their own version of locking, and prohibit use of ICANN's locking mechanism. And some add extra protection on top of ICANN's locking mechanism. Dotster's namesafe is an example of added protection...for $10/year extra, namesafe also blocks hijacking from other Dotster customers, as opposed to just locking inter-registrar transfers.
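Ron Bennett's advice in post #17 (confirm at the registry that registrar-lock is really on) and arg's description of the REGISTRAR-LOCK and ACTIVE statuses in post #19 can be turned into a small audit. This is an added example, not code from any poster in the thread; the sample records are constructed, and it goes beyond the thread by also recognising the EPP status names (`clientTransferProhibited`, `serverTransferProhibited`) that registries report today in place of REGISTRAR-LOCK.

```python
import re
import socket

# Statuses that block an inter-registrar transfer. REGISTRAR-LOCK is the legacy
# name used in this thread; the two EPP names are what registries report today.
TRANSFER_LOCKS = {"registrar-lock", "clienttransferprohibited",
                  "servertransferprohibited"}
NAME_RE = re.compile(r"^[ \t]*Domain Name:[ \t]*(\S+)", re.I | re.M)
STATUS_RE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*(\S+)", re.I | re.M)

# Constructed sample records (not real registry output), old and new formats.
SAMPLE_RECORDS = [
    "   Domain Name: LOCKED-EXAMPLE.COM\n   Status: REGISTRAR-LOCK\n",
    "   Domain Name: OPEN-EXAMPLE.COM\n   Status: ACTIVE\n",
    "Domain Name: MODERN-EXAMPLE.COM\n"
    "Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\n"
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n",
    # Update-locked only: still transferable, so it must be reported.
    "Domain Name: PARTIAL-EXAMPLE.NET\n"
    "Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\n",
]


def fetch_whois(domain, server="whois.verisign-grs.com", timeout=10):
    """Query the .com/.net registry itself over WHOIS (TCP port 43)."""
    with socket.create_connection((server, 43), timeout=timeout) as conn:
        conn.sendall(f"domain {domain}\r\n".encode("ascii"))
        chunks = []
        while data := conn.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def lock_state(record):
    """Return (domain, transfer_locked, statuses) for one WHOIS record."""
    name = NAME_RE.search(record)
    statuses = [s.lower() for s in STATUS_RE.findall(record)]
    locked = any(s in TRANSFER_LOCKS for s in statuses)
    return (name.group(1).lower() if name else None, locked, statuses)


def audit(records):
    """List domains with no transfer lock; a missing status counts as unlocked."""
    results = (lock_state(r) for r in records)
    return sorted(name for name, locked, _ in results if name and not locked)


if __name__ == "__main__":
    for domain in audit(SAMPLE_RECORDS):
        print("NOT transfer-locked:", domain)
```

To audit a real portfolio, pass `fetch_whois(d)` for each domain into `audit()` on a schedule and alert on any name it returns, since a lock that silently disappears is itself worth investigating.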
Old 01-19-2005, 06:26 PM   #20
hova
Traffillionaire
 
Industry Role:
Join Date: Jan 2002
Location: ICQ:209371571
Posts: 22,430
There are some rumours floating around about who did this
__________________
http://traffillions.com/

Sign up and get lifetime revshare on your traffic
Old 01-19-2005, 06:35 PM   #21
webair
Confirmed User
 
 
Industry Role:
Join Date: Feb 2002
Location: NYC, NY
Posts: 8,531
lovely now i have to worry about my 1000 domain names?

what is the world coming to =)
Old 01-19-2005, 06:38 PM   #22
edgeprod
Permanently Gone
 
Industry Role:
Join Date: Mar 2004
Posts: 10,019
Hmmmph. We lost a domain to Netsol's shitty database system. Tried to renew it on the day before it expired, but their system didn't take the payment, and they didn't tell us about the problem until a day after that. The domain? GNULinux.com. Ow, since we had gone through about 1.8 Mil in venture capital to populate it and build a network around it. heh.
Old 01-19-2005, 06:46 PM   #23
Series
Confirmed User
 
Join Date: Jul 2004
Location: Ontario, Canada
Posts: 946
Quote:
Originally Posted by arg
And Chris72 posted a letter from Register.com that said they'd be unable to lock domains for at least a month until they upgrade their software.
Not sure when that was, but I had Register.com lock domains immediately after the policy change without problems.
Old 01-20-2005, 05:31 AM   #24
nico-t
emperor of my world
 
Join Date: Aug 2004
Location: nethalands
Posts: 29,903
Quote:
Originally Posted by arg
Locking is very different from parking. It always has been, and they're not even similar, so I think you either misunderstood before, or else you read something from someone who was misinformed.

Parking typically means setting a domain name's web site to a simple web site, usually just one page...often registrars have a "free parking page" that will say something like "coming soon! meanwhile click on one of these links!"

Locking means setting a domain's status to "REGISTRAR-LOCK" so that it cannot easily be transferred between registrars. It can be transferred between accounts at the same registrar, but can't leave the registrar until it has been changed from status "REGISTRAR-LOCK" to status "ACTIVE." Some registrars use different terminology than "locking," referring to it instead as securing or protecting a domain. Some registrars also implement their own version of locking, and prohibit use of ICANN's locking mechanism. And some add extra protection on top of ICANN's locking mechanism. Dotster's namesafe is an example of added protection...for $10/year extra, namesafe also blocks hijacking from other Dotster customers, as opposed to just locking inter-registrar transfers.
Thanks for the info