SleazyDream Hi Jacker strikes again!

[Muff]

This is mainly a warning to everyone.

I just had one of my domains stolen by the same person who recently stole one of SleazyDreams domains. The perp Xyberotica.com. The domain was also transfered to the same registrer DirectI.com

Fortuantely the DNS servers have not been changed and I may be able to scrap through this and get the domain back into my position before any major damage is done. Would rather not say the domain incase the person is reading and attempts to change the DNS info.

I would suggest doing a whois on your domain names and making sure that all the contact information is correct. I only noticed because I was lucky enough to whois my name today.

I have contacted all major parties involved and hopefully with some luck I can get my name back ASAP.

I also want to publicly thank GeorgeK for taking my call, helping and pointing me in the right direction to get this resolved.

[Spunky]

Intresting and good advice...bump this yo

[BVF]

who was your domain registered with?

[Muff]

Quote:

Originally Posted by BVF

who was your domain registered with?

Was registered with Directnic.

[Rui]

prolly DirectNic also

[shuki]

Thats some crazy shit

[ffmihai]

so whats up with directnic?

[Muff]

I was selling some domains from them recently. So my account may have been on normal security and not register lock for a period of time.

I don't put any blame on Directnic if anyone should get the blame it should be ICANN and people that like to steal.

I probably wont get any news until Monday. I will keep everyone up to speed as I get information. If you haven't already check your domains and lock them down like fort knox.

[SmokeyTheBear]

was it locked or unlocked

[SmokeyTheBear]

Quote:

Originally Posted by Muff

I was selling some domains from them recently. So my account may have been on normal security and not register lock for a period of time.

I don't put any blame on Directnic if anyone should get the blame it should be ICANN and people that like to steal.

Did you recieve a tranfer email to the email on file..

?? Its important to others to know

[brand0n]

god i wonder how much $ this guy is making.

no more mention of domain names here. seems dude is harvesting from here.

[SmokeyTheBear]

Quote:

Originally Posted by brand0n

god i wonder how much $ this guy is making.

no more mention of domain names here. seems dude is harvesting from here.

No i think he is tracking them down using a traffic trade script

Most of the previous adult domains were tgps .

And yes he is making lots , i took a look at his stats last time and he was making over a grand a day

[GeorgeK]

As Muff said, make sure you have your domains locked NOW. I notice Adult.com and some of the other prime names that used to be unlocked are now locked --- everyone else needs to do the same.

Folks might want to take a moment to complain to ICANN regarding the new transfer policies. See:

http://www.icann.org/announcements/a...nt-12jan05.htm

[Muff]

Quote:

Originally Posted by SmokeyTheBear

Did you recieve a tranfer email to the email on file..

?? Its important to others to know

No Smokey. Nothing at all. When I spoke to George this morning he told me that there are even more loopholes aside from not acting on the email. If he comes in here maybe he will elaborate on them.

[Rui]

All my domains @ Godaddy were auto-locked...wonder if it has anything to do with this highjacks...

[MetaMan]

Ambush Inteviews = Fucking Gay

[GeorgeK]

I don't want to educate the thieves by elaborating too much. But, basically relying upon the GAINING registrar, a party you have no existing contract with whatsoever, to authenticate a transfer is a stupid idea. The old system of double-authentication (where the existing registrar also had to autheticate) was safer.

The "meat" of ICANN's new policy was the requirement that registrars provide an easy to use unlock mechanism (some registrars like Totalnic were infamous for making it nearly impossible to unlock your own domains). Then, ICANN went too far, in my opinion, in reducing security by making transfers too easy. Yes, too easy for legit transfers, but also too easy for rogue transfers.

[JulianSosa]

Any one want a nice little programming idea.
Make a app that monitors the whois on a list of domains.
It can email your or page your cell phone if anything changes on your whois info. Would be a nice little program to have with all this stuff going on latetely.

[SmokeyTheBear]

Quote:

Originally Posted by Muff

No Smokey. Nothing at all. When I spoke to George this morning he told me that there are even more loopholes aside from not acting on the email. If he comes in here maybe he will elaborate on them.

hmm well WTF. Why would directnic not email you ?

I hope some answers arrive here soon, I have always trusted directnic

[Holly]

DarkJedi had a domain name jacked from Directnic last night, too.

[Muff]

Quote:

Originally Posted by SmokeyTheBear

hmm well WTF. Why would directnic not email you ?

I hope some answers arrive here soon, I have always trusted directnic

I have no idea. I will keep you informed as I get the information.

[Muff]

This is becoming an epidemic... Hopefully he posts some information in this thread that can help protect people. Also sending an email to the link George posted http://www.icann.org/announcements/...ent-12jan05.htm may eventually get ICANN to re-think their decision to loosen the transfer policies

[SmokeyTheBear]

What i want to know is HOW THE FUCK IS THE HIJACKERS WEBSITE STILL UP ??

Advertising amateurpages also still ?

and btw heres the icq numbers of the company hosting this assholes spyware

113165
10023615
10244455
106254172

[SmokeyTheBear]

heres a small few of the domains these hackers have stolen recently

china.net, distribute.com, energy.com, f3.com, k4.com, phone.com, radioactive.com, ricochet.com, shanghai.net, size.com, software.com, web.net

[GeorgeK]

If you're a domain buyer (like I am), all these thefts means you have to be very careful in buying expensive domains, lest you end up with a stolen one which can be recovered by the rightful owner at a future date, leaving you holding the bag. That means using:

1) telephone verification (most hijackers won't get on the phone with you)
2) written contracts
3) Historical WHOIS verification (get a silver membership at www.whois.sc -- it pays for itself fast).

If you see too many WHOIS changes recently, that should raise alarm bells. Try to call prior owners (before the existing registrant) to see if they had really sold the domain to the current owner.

[SmokeyTheBear]

wtf this shit is too fucking much

one of the registrars involved in the hijackings is qnic.com

Originally when this started i looked at the site and it was like an affiliate program ( or more like a toolbar program ) that you could simply open an account add any domain you wanted and they would try to transfer it over , and pay you for how many toolbars you installed.

Shortly after sleazy got his domain stolen i looked again , and the now it looks like a regular registrar again * actually i tried in between that and they were just hooking up the new interface *

So in looking up some info on these scammers i notice this as the address.

501 Silverside Road suit 105
Wilmington, DE 19809


After doing a google search i find they are quite a few different companies

http://www.kingtutshop.com/Khome/payment.htm
Egypt Cyber Trade, LLC
501 Silverside Road, Suite 105
Wilmington, DE 19809
USA
Fax: +1 800 517 9256

The check should be payable to:

Egypt Cyber Trade, LLC - Account # 0191012202 - ABA Number: 031101114

And another company / registrar

http://www.albanianyellowpages.com/c...org.pl?id=1060
MainNic mission is to provide low cost and secure domain name registration services.


Category: Internet Product & Service Providers
Established in 2003



Address:
501 Silverside Road, Suite 105

City:
Wilmington

State:
De

Zip Code:
19809

Country:
United States

Phone Number:
202-742-2403

Fax Number:
206-984-2797


ID Number:
1060

Created On:
2004-09-17

Last Updated:
2004-09-17



gee and and another

http://www.aspwebserver.com/about.asp

and another
( a muslim company ) ?
http://www.eJilbab.com


Quality & Modest Islamic fashion (Jilbabs, Abayas, & Dishdashs) manufactured by eJilbab for the contemporary Muslim woman with affordable prices.

Address:
501 Silverside Road, suite 105
-----

City:
Wilmington
Phone : 18882597454
State: Deleware Fax : 13023972109
Country:
United States
Mobile : -----
Post Code:
19809
Toll- Free : 18882597454


and another

Contact Us

If you have any queries about courseGenie please get in touch with:

US Contact:

James Cupit
US Sales Manager
CourseGenie, LLC
501 Silverside Road
Suite 105
Wilmington
DE
19809

Tel: 1-888 433 9006
Fax: 1-888 433 9007

Email: [email protected]

why do they all have the same address ?

[SmokeyTheBear]

ok wtf even stranger all those sites are basically owned by the same guy yet they have almost nothing in common..

something is very very strange, same address's multiple companies , they all boil down to the same people.

[SmokeyTheBear]

This shit is way too fucked up . ok cliff notes..

Most of the hijacked domains were stolen using a registrar www.qnic.com ( they seem to be part of the hijacks themselves )

Upon looking up there address leads me to hundreds of other websites with no correlation to qnic , but they all use contact info in WILIMINGTON the same office/drop box..

Ok so maybe its just a drop box , but looking up the whois on each of these domains , all lead in one way or another to lynden washington .. same address again.

I hate to say just because of the muslim ties this seems like a terrorist organization but wtf ??

Maybe someone can point out where i fell into the deep end ?

[Muff]

Definately something fishy going on with those companies smokey. Searching for more information now.

[uncletim]

Damn good work Smokie. Wilmington, De is not far from me. I'm going to save his address for future ref....

[Huggles]

Someone needs to get smacked the fuck up

[GeorgeK]

Given the PATRIOT act is making it harder for terrorists to move/launder money, it would not surprise me at all if terrorists would try to fund themselves through internet crime. Instead of moving money from Iraq to the USA, they could generate it onshore via webmaster programs, debit cards/Paypal, etc.

[Muff]

When I traced xybererotic.com earlier I found the final hops ending in kuwait beleive it or not. Maybe I was seeing things but I am pretty positive. Now I get timeouts for the last hops past Level3.

[SmokeyTheBear]

www.imhosted.com same address

[SmokeyTheBear]

Quote:

Originally Posted by Muff

When I traced xybererotic.com earlier I found the final hops ending in kuwait beleive it or not. Maybe I was seeing things but I am pretty positive. Now I get timeouts for the last hops past Level3.

some of the website's led to an oil company in kuwait also not sure if its connected ..

[SmokeyTheBear]

ok now im running into alot more stories of hijacks from some of the same companies using that contact info..

LMhosted and IMhosted.com both seem to be culprits

[SmokeyTheBear]

ok i tracked them down ,, all the companies listed are registered by a canadian company that registers foreign business with american address so they cant be traced..

www.valisgroupinc.com

[SmokeyTheBear]

hmm they are also frauds fuck , i think this has to be some sort of big moneylaundering scheme or just plain thefts or terrorists or something ?

[Vox]

Quote:

Originally Posted by SmokeyTheBear

ok i tracked them down ,, all the companies listed are registered by a canadian company that registers foreign business with american address so they cant be traced..

www.valisgroupinc.com

Smokey, that address you posted is only a mail drop. Foreign Companies use it to incorporate in Deleware and have a US presence.

[SmokeyTheBear]

If you find and fraud that points to the lynden washington location report to Lynden Washington police www.lyndenwa.org c/o Detective Lee Beld at [email protected]

[Muff]

Well the hosting is definately not from around here...

Tracing route to xybererotica.com [64.69.38.2]
over a maximum of 100 hops:

1 7 ms 16 ms 8 ms 10.113.120.1
2 9 ms 7 ms 7 ms gw03-vlan201.bloor.phub.net.cable.rogers.com [66
.185.90.1]
3 7 ms 46 ms 9 ms gw01.bloor.phub.net.cable.rogers.com [66.185.83.
149]
4 15 ms 7 ms 8 ms gw02.bloor.phub.net.cable.rogers.com [66.185.80.
242]
5 18 ms 16 ms 45 ms igw01.chfdrl.phub.net.cable.rogers.com [66.185.8
1.1]
6 33 ms 55 ms 47 ms if-3-0.core1.CQW-Chicago.teleglobe.net [216.6.16
.1]
7 34 ms 48 ms 32 ms if-1-0.core3.CQW-Chicago.Teleglobe.net [207.45.2
23.181]
8 32 ms 31 ms 35 ms if-7-0.core1.CT8-Chicago.teleglobe.net [66.110.2
7.77]
9 48 ms 34 ms 34 ms so-1-2-0.e1.Chicago1.Level3.net [65.59.88.193]
10 * * 33 ms so-2-1-0.bbr1.Chicago1.Level3.net [209.244.8.9]

11 99 ms 98 ms 126 ms so-0-2-0.bbr2.LosAngeles1.Level3.net [64.159.0.2
46]
12 97 ms 99 ms 98 ms so-11-0.ipcolo2.LosAngeles1.Level3.net [4.68.96.
62]
13 83 ms 82 ms 95 ms unknown.Level3.net [63.209.82.190]
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * 1772 ms 1754 ms gsr12000.calpop.com [64.27.16.17]
18 2541 ms * * gige-wcx1-pos6-0.hostingkuwait.com [64.27.16.26]

19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.

[SmokeyTheBear]

Quote:

Originally Posted by Vox

Smokey, that address you posted is only a mail drop. Foreign Companies use it to incorporate in Deleware and have a US presence.

yes i figured that out now . I assumed as much but alot of the companies are obviously the same foreign company

[Vox]

Better yet, send in an anonymous tip to homeland security telling them that the company is a front for Al queda and other Muslim terrorists.

[JFPdude]

Quote:

Originally Posted by Muff

Well the hosting is definately not from around here...

Tracing route to xybererotica.com [64.69.38.2]
over a maximum of 100 hops:

sure it is:

whois 64.69.38.2

OrgName: CoreExpress
OrgID: COEX
Address: 600 W. 7th Street
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 64.69.32.0 - 64.69.47.255
CIDR: 64.69.32.0/20
NetName: COREEXPRESS-BLK-1
NetHandle: NET-64-69-32-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CALPOP.COM
NameServer: NS2.CALPOP.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-04-11
Updated: 2004-08-06

[SmokeyTheBear]

heres the site that offers the service

http://www.valis.org/usbpp/default.html

[GeorgeK]

It didn't notice the GFY search is working again. Just for reference (and in case the search goes down again), the original thefts were described in the threads at:

http://www.gofuckyourself.com/showth...easy-dater.com
http://www.gofuckyourself.com/showth...easy-dater.com
http://www.gofuckyourself.com/showth...easy-dater.com
http://www.gofuckyourself.com/showth...easy-dater.com

I didn't notice the last thread until today -- Dotster had told me about DirectI wanting the $7 -- I was in shock then, and still in shock today. Registrars screw up, and the victims pay even more, sheesh.

I still recommend OpenSRS (although some other registrars are good too). Microsoft.com and Citicorp.com are both registered at OpenSRS, for example.

[Muff]

Quote:

Originally Posted by JFPdude

sure it is:

whois 64.69.38.2

OrgName: CoreExpress
OrgID: COEX
Address: 600 W. 7th Street
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 64.69.32.0 - 64.69.47.255
CIDR: 64.69.32.0/20
NetName: COREEXPRESS-BLK-1
NetHandle: NET-64-69-32-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CALPOP.COM
NameServer: NS2.CALPOP.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-04-11
Updated: 2004-08-06

Yeah was just checking ARIN. The Kuwait part got me thinking conspiracy theory.

[SmokeyTheBear]

lol what a service

you get your own online checking account
a visa card with a u.s. address
an llc setup
a u.s. ein #
and a u.s. merchant account

all for less than 2 grand .. wow thats not a bad deal , but the feds will eventually come knocking

[pussyluver]

Doing a whois on all your domains is a pain if you own a few. JulianSosa suggested a script to do a whois and email changes once or twice a day. Good idea.

I get email notifications of any changes now from the registrar That is all I am going to say about that in the thread.

Vox, Homeland Security?? Like they care about porn sites. This is gonna have to affect a big mainstream account or several. Maybe an RK site would get some attention, but don't wish this on anyone.

[SmokeyTheBear]

Quote:

Originally Posted by pussyluver

Doing a whois on all your domains is a pain if you own a few. JulianSosa suggested a script to do a whois and email changes once or twice a day. Good idea.

I get email notifications of any changes now from the registrar That is all I am going to say about that in the thread.

Vox, Homeland Security?? Like they care about porn sites. This is gonna have to affect a big mainstream account or several. Maybe an RK site would get some attention, but don't wish this on anyone.

Look up they didnt just hijack adult domains . The majority of the high profile names were not adult names