GoFuckYourself.com - Adult Webmaster Forum
Old 12-25-2007, 06:19 PM   #1
Barefootsies
Choice is an Illusion
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
Designer lost his domain because of flaw in gmail.

What would you do if a criminal stole something very personal, and very valuable from you?

What if they were able to target your business and cripple your income?

You wouldn't be too happy now, would you?

What if you also discovered that this was happening because of a Google security infection that can affect every GMail user on the planet?

That's what has just happened to me, and here I'm going to tell you my story. I will detail everything I know about the web pirates who are threatening my livelihood, and tell you what you need to know in order to avoid the same thing happening to you.

On November 20th 2007 I left the UK to spend a month's holiday in India. I'd been planning this break for over a year, and was looking forward to taking my girlfriend away on our first foreign trip together. Prior to leaving, I published a blog post to let my readers know I'd be away for a while, and that my blog would be a quiet place in my absence.

All my clients were informed, bills paid, loose ends tied up, and off I went on a new adventure.

I arrived in Mumbai on November 21st, and on the journey from the airport to the Colaba district, was punched in the face by an Indian youth, but that's another story.

During the month ahead, I knew I'd be irregularly checking my emails, but only to let my loved ones know everything was fine. This holiday was to be a break from work, and a break from computers.

Indeed everything was fine for a few weeks, until December 15th (five days before I was due to return from holiday). I called into an internet café in Goa, and read some worrying emails from good friends of mine. I was informed that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website - bebu.net.

I was confused, and anxious. How could this happen? I hadn't received any notification of my domain name expiry, and I never divulge any passwords to anyone. The only possible explanation for me was that somehow, the domain name had expired without me receiving any notice, and that some domain poacher had snapped it up before I got a chance to renew.

My website had been pulling in over 2,000 unique daily visits. Not a massive amount by any stretch of the imagination, but for a one-man operation, 700,000+ annual visitors can generate a nice amount of new logo design business.

So I ran a WHOIS check on davidairey.com, hoping to find an email address for the new owner. The search yielded this email address: [email protected] and here's the email I sent:

Hello,

Please can I purchase my old domain name from you. It seems it expired without my knowledge.

www.davidairey.com

Kind regards,

David

I found it hard to believe that I'd let my domain name expire, but thought it a good idea to send an email nonetheless.

On the very same day, I received a reply. It came from one supposed Peyam Irvani, telling me the following:

Hello,
Please send me your high offer !
Regards

By this stage, I'd already had some back and forth email discussions with close friends, wondering what exactly could have happened. I also contacted my web host company, ICDSoft, asking them to help. They were the ones who sold me the domain name after all. Shouldn't they have informed me?

This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft's support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:

Subject: Davidairey.com Transfer

Hello,

I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code.

Kind regards,

David

Within just one minute (ICDSoft's support team are very fast) the following response had been supplied:

Hello,

We unlocked your domain name as requested. Here is its EPP code:

Domain name: davidairey.com
Auth/EPP key: 6835892AE0087D66

Best Regards,
Support

I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here's what I was told by the support team:

Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information.

The original ticket message was sent from this IP address: 207.36.162.100

The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.

What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net café, my girlfriend beside me, and I didn't know what to think.

I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here's what GoDaddy said:

Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum? I apologize for any inconvenience this may cause.

Okay, so GoDaddy can't help until the matter is taken to court.

This whole process ran over a few days of my holiday, as GoDaddy took over 48 hours to respond. At this point, and on December 19th (four days after my first email to the web pirate, 'Peyam'), I thought I'd send a reply, and here's what I said:

Hello Peyam,

Well, congrats on your hack. I'd love to know how you did it.

Before this moves through the courts, in order to settle the dispute, I don't suppose you'd be so kind to give me my domain back? It'd really save me a lot of hassle, but if that's what it takes, so be it.

I saw no point in being aggressive, wishing to keep them 'on-side' as much as possible.

Again, that same day, I received a response:

)
Im sorry to say but its not possible to have it or it take about 1 month if you try hard to have it again ) and you lose your visitor ?.hahaha
You can purchase it for 650 $ And we will use escrow sevices ;) that will done in less than 2 days !

Now my domain name was being held to ransom, and the hacker was taunting me. What I had spent more than a year building into a sound marketing plan had been severed at the knees.

I'm not the type of person who will hand any money over to a criminal, so I didn't reply, instead focusing on stopping this hacker from stealing any more of my property.

How was I being hacked?

cont...

http://forums.digitalpoint.com/showt...54#post5780424
__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"
Old 12-25-2007, 06:23 PM   #2
madfuck
Registered User
 
Join Date: Oct 2004
Posts: 2,032
Damm Thats Some Shit, Thks For The Info Good Lookin Out
Old 12-25-2007, 06:25 PM   #3
Barefootsies
Choice is an Illusion
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
Quote:
Originally Posted by madfuck View Post
Damm Thats Some Shit, Thks For The Info Good Lookin Out


I figured a lot of peeps use the ole gmail. So best to warn people. Even the domainers.
Old 12-25-2007, 06:27 PM   #4
uno
RIP Dodger. BEST.CAT.EVER
Join Date: Dec 2002
Location: NYC Area
Posts: 18,450
tsk tsk, linkin to another forum?
__________________
-uno
icq: 111-914
CrazyBabe.com - porn art
MojoHost - For all your hosting needs, present and future. Tell them I sent ya!
Old 12-25-2007, 06:29 PM   #5
uno
RIP Dodger. BEST.CAT.EVER
Join Date: Dec 2002
Location: NYC Area
Posts: 18,450
Why not link to the digg story?
Old 12-25-2007, 06:30 PM   #6
Barefootsies
Choice is an Illusion
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
Quote:
Originally Posted by uno View Post
tsk tsk, linkin to another forum?
I thought I had copied the digg, or blog where it came from. Must have missed in my haste.

The story was a bit long for me to copy all of it. Not that most will read it anyways. My intention was not to link the forum, but to warn people since many use gmail.

I honestly didn't even notice the forum. My bad for that. But my intention was to warn people to check their filters and be aware of this.

Nothing more.
Last edited by Barefootsies; 12-25-2007 at 06:31 PM..
Old 12-25-2007, 06:38 PM   #7
d-null
. . .
Join Date: Apr 2007
Location: NY
Posts: 13,724
can you explain this flaw in gmail?
__________________

__________________

Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
Check out the #1 WordPress SEO Plugin: CyberSEO Suite
Old 12-25-2007, 06:40 PM   #8
Barefootsies
Choice is an Illusion
Join Date: Feb 2005
Location: Land of Obama
Posts: 42,635
Quote:
Originally Posted by jetjet View Post
can you explain this flaw in gmail?
Actually if you go to the originator's site,
http://www.davidairey.co.uk/StaticPage.html

You can see where you go in to check the 'filters' tab and make sure nothing is forwarding. He goes into a step by step detail, with screen shots, to show you what to look for.
Old 12-25-2007, 06:46 PM   #9
who
So Fucking Banned
 
Join Date: Aug 2003
Location: ICQ #23642053
Posts: 19,593
This story has fuck all to do with Gmail. It's a registrar issue mate. He's somehow avoided the 'confirmation' email.
Old 12-25-2007, 06:50 PM   #10
who
So Fucking Banned
 
Join Date: Aug 2003
Location: ICQ #23642053
Posts: 19,593
Quote:
Originally Posted by who View Post
This story has fuck all to do with Gmail. It's a registrar issue mate. He's somehow avoided the 'confirmation' email.
I stand corrected - possibly
Old 12-25-2007, 07:14 PM   #11
uno
RIP Dodger. BEST.CAT.EVER
Join Date: Dec 2002
Location: NYC Area
Posts: 18,450
Quote:
Originally Posted by Barefootsies View Post
I thought I had copied the digg, or blog where it came from. Must have missed in my haste.

The story was a bit long for me to copy all of it. Not that most will read it anyways. My intention was not to link the forum, but to warn people since many use gmail.

I honestly didn't even notice the forum. My bad for that. But my intention was to warn people to check their filters and be aware of this.

Nothing more.
I don't really care, I just hate to click through 3 sites to get to a story.
Old 12-25-2007, 07:22 PM   #12
Doctor Dre
Too lazy to set a custom title
Join Date: Jan 2001
Posts: 51,692
And what is your proof against gmail?
__________________
Quote:
Originally Posted by rayadp05 View Post
I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?
Old 12-25-2007, 07:22 PM   #13
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by madfuck View Post
Damm Thats Some Shit, Thks For The Info Good Lookin Out
You read that whole story in 4 mins? Very impressive.
Old 12-25-2007, 07:27 PM   #14
NinjaSteve
Too lazy to set a custom title
 
Industry Role:
Join Date: Dec 2003
Posts: 11,089
So this is a filter. I think you can do this in yahoo or hotmail too, setting up some filter or rule. I don't understand how his email account was hacked. Even the screen shots show Person1 is already logged into Person2's email. Person1 puts filter on Person2's email. It doesn't say anything about Person1 hacking into Person2's Gmail. So does that mean Person2 aka David didn't have a good password or left himself logged in at a public computer?
__________________
...
Old 12-25-2007, 07:29 PM   #15
Iron Fist
Too lazy to set a custom title
 
Join Date: Dec 2006
Posts: 23,400
no one hacked gmail here.. what a waste of freakin time reading all that bullshit. Someone socially engineered the support system at his webhost and got the auth code on the domain - once you've got that, you've got the domain.. period.
__________________
i like waffles
Old 12-25-2007, 07:49 PM   #16
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally Posted by Dirty F View Post
You read that whole story in 4 mins? Very impressive.
How long did it take you to read it?
Old 12-25-2007, 07:53 PM   #17
papill0n
Unregistered Abuser
Join Date: Oct 2007
Posts: 15,547
Quote:
Originally Posted by sharphead View Post
no one hacked gmail here.. what a waste of freakin time reading all that bullshit. Someone socially engineered the support system at his webhost and got the auth code on the domain - once you've got that, you've got the domain.. period.
you may want to read this

they had to approve the transfer via email

http://www.davidairey.co.uk/StaticPage.html
Old 12-25-2007, 07:59 PM   #18
Doctor Dre
Too lazy to set a custom title
Join Date: Jan 2001
Posts: 51,692
Quote:
Originally Posted by RageCash-Ben View Post
you may want to read this

they had to approve the transfer via email

http://www.davidairey.co.uk/StaticPage.html
Yeah can be 100s other things. His home computer might have been compromised, one of the computer at the internet cafe he was, matching passwords in databases from another site... tons of stuff.
Old 12-25-2007, 08:05 PM   #19
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by baddog View Post
How long did it take you to read it?
I didnt time it. You?

Actually he mustve read it in something like 3 mins.
Old 12-25-2007, 08:09 PM   #20
TimBlaze
Confirmed User
Join Date: Oct 2006
Posts: 1,625
i read the whole thing and its pretty scary shit b, regardless of how it was done... but chances are it was a matching password
__________________
Roll that shit, light that shit,
Old 12-25-2007, 08:17 PM   #21
Steve Awesome
Confirmed User
Join Date: Jan 2007
Location: Mid-West!
Posts: 1,575
who's to say that this guy didn't get hacked because he's a frequent visitor of internet cafes. All it takes is one douchebag to surreptitiously browse an internet cafe's browser history to see if previous users accidentally stayed logged in and then add the filter. Once you're in someone's email, they frequently keep old emails with records of passwords. It's a major cluster fuck. Download all your shit into your computer. Encrypt it. Mirror it. And that's it. I use Keepass for all my passwords (and it generates them -- nothing from the top of my head is good enough). It's a sad story but then again 40,000 people die in car accidents every year and you don't hear people bitching about car manufacturers in GFY threads as frequently as you hear about people who get hacked. Ah, this damn red wine is making me rant.

Merry Christmakwanzahanamas.
Old 12-25-2007, 09:18 PM   #22
Nasty
Confirmed User
Join Date: Aug 2002
Location: Sunny Fucking California
Posts: 1,575
Using a free email account for your domains is just plain stupid
__________________

“Ours is a world of nuclear giants and ethical infants. We know more about war than we know about peace, more about killing than we know about living. If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.” ― Omar Bradley (1948)
Old 12-25-2007, 10:30 PM   #23
Matt 26z
So Fucking Banned
Join Date: Apr 2002
Location: ¤ª"˜¨๑۩۞۩๑¨˜"ª¤
Posts: 18,481
Anyone sticking up for Google in this thread is doing so blindly. Google fucked up, and they FUCKED UP BIG...

http://blogs.zdnet.com/security/?p=554

Apparently Google has fixed the problem, but hacked accounts prior to the patch will still be compromised. Everyone needs to check for suspicious filters immediately!

I can't believe Google didn't post a warning about this right on their main page. Obviously they swept it under the rug and hoped to save themselves the embarrassment. It's also a shame that the big media didn't cover this story. This is a massive security threat that put every single GMail user at risk of identity theft.
Old 12-25-2007, 10:54 PM   #24
V_RocKs
Damn Right I Kiss Ass!
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,421
Crazy shit
Old 12-25-2007, 11:49 PM   #25
rogue employee
So Fucking Banned
 
Join Date: Dec 2007
Location: Seattle, Washington
Posts: 186
you got owned!

Old 12-25-2007, 11:52 PM   #26
rogue employee
So Fucking Banned
 
Join Date: Dec 2007
Location: Seattle, Washington
Posts: 186
Quote:
Originally Posted by Steve Awesome View Post
who's to say that this guy didn't get hacked because he's a frequent visitor of internet cafes.
Exactly.

Internet cafe computers are always full of spyware, trojans, keyloggers and so on.

Buy a notebook and travel with it. Otherwise be robbed like a noob.
Old 12-26-2007, 12:04 AM   #27
WarChild
Let slip the dogs of war.
Join Date: Jan 2003
Location: Bermuda
Posts: 17,263
Don't worry, I hear Minusonebit is going to take up this guy's cause. She be resolved pronto with that kind of internet weight behind it.
__________________
.
Old 12-26-2007, 12:32 AM   #28
siccmade
Confirmed User
 
Join Date: Nov 2002
Location: Canton, Ohio
Posts: 1,641
Quote:
Originally Posted by NinjaSteve View Post
So this is a filter. I think you can do this in yahoo or hotmail too, setting up some filter or rule. I don't understand how his email account was hacked. Even the screen shots show Person1 is already logged into Person2's email. Person1 puts filter on Person2's email. It doesn't say anything about Person1 hacking into Person2's Gmail. So does that mean Person2 aka David didn't have a good password or left himself logged in at a public computer?

He was logged into his gmail account. Then he visited some malicious webpage that automatically set up the filter. He did not set the filter. He didn't even know about it.

Then, because of the filter the malicious web page inserted into his account, certain emails were being forwarded to the hacker. In this case, his domain emails.
__________________
Adult XXX Hits - Adult Traffic Exchange. Get free traffic!
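The check that posts #23 and #28 call for (look for a filter you did not create that forwards mail elsewhere), as an added example that is not part of any post in this thread. It assumes the Atom XML layout of Gmail's filter export; the sample export, the addresses and `TRUSTED_DOMAINS` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the assumed layout of a Gmail filter export (not real data).
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.net'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='transfer OR registrar OR domain'/>
    <apps:property name='forwardTo' value='collector@example.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='billing@example.net'/>
    <apps:property name='forwardTo' value='accounts@example.org'/>
  </entry>
</feed>
"""

# Assumption: domains the account owner controls and forwards to on purpose.
TRUSTED_DOMAINS = {"example.org"}

# Actions that keep the owner from noticing the forwarded message.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Properties that narrow which messages a filter matches.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text.lstrip())
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filter(props, trusted_domains):
    """Return the reasons a single filter deserves a manual look (empty if none)."""
    findings = []
    target = props.get("forwardTo", "").strip().lower()
    if not target:
        return findings  # filters that do not forward are out of scope here
    domain = target.rpartition("@")[2]
    if domain not in trusted_domains:
        findings.append(f"forwards to external address {target}")
    hidden = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
    if hidden:
        findings.append("forwarded mail is also hidden: " + ", ".join(hidden))
    if not any(props.get(c) for c in CRITERIA):
        findings.append("no match criteria: every message is forwarded")
    return findings


def audit_export(xml_text, trusted_domains=TRUSTED_DOMAINS):
    """Return [(filter position, [findings])] for every filter with findings."""
    report = []
    for index, props in enumerate(parse_filters(xml_text), start=1):
        findings = audit_filter(props, trusted_domains)
        if findings:
            report.append((index, findings))
    return report


if __name__ == "__main__":
    for index, findings in audit_export(SAMPLE_EXPORT):
        for finding in findings:
            print(f"filter #{index}: {finding}")
```

A finding is a prompt to open the filters tab and confirm who created that rule; a forward the owner set up deliberately can be added to the trusted list.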
Old 12-26-2007, 12:34 AM   #29
DaddyHalbucks
A freakin' legend!
Join Date: Feb 2004
Location: Las Vegas, Nevada USA
Posts: 18,975
If you had used Moniker, this never would have happened.

Moniker is the most secure registrar on the planet.

__________________
Boner Money
Old 12-26-2007, 01:17 AM   #30
Murderous
Confirmed User
 
Join Date: Oct 2003
Location: Pennsylvania
Posts: 3,938
yes moniker, get it, moniker, yes,that was moniker

moniker