Forum Moderators: buckworks & webwork


Lost Everything with Illegal Domain Transfer

Woke up and my domain had been transferred . . .

         

creepychris

5:39 pm on May 18, 2006 (gmt 0)

10+ Year Member



I woke up this morning and a porn company had somehow transferred my locked domain from my domain name registrar. I am on the verge of a nervous breakdown. It was locked and my domain registrar can give me no help on how it got transferred.

Is there any chance of getting it back? I make all my money on this one domain.

Help me please.

creepychris

2:33 pm on May 19, 2006 (gmt 0)

10+ Year Member



Update: woke this morning to find a short but nice letter from the receiving registrar. They have put the domain on hold so that it will not resolve to the adult site. I guess that's what prompted the change late last night. It seems like they are willing to entertain the idea of transferring the domain back if my registrar starts the proceedings.

jtara

4:12 pm on May 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm curious as to just how this was pulled off. While expositing the details might make it easier for others to do the same, it also could help others prevent this from happening to them.

The company that did it got access to a very old administration address, which had been changed at least 4 years ago.

Can you clarify this? What it sounds like you are saying is that the new registrant got access to an email account that used to be used to administer the domain, and then proceeded with an email exchange with either the new or old registrar.

If this is the case, it would be a good precaution for webmasters never to give up "no longer used" email addresses, and/or to avoid using Gmail, hotmail, yahoo, and address @your ISP, etc.

If you stop using one of these addresses, (in most cases) somebody else can just sign up and get the same address! So, either don't use these in the first place, or, if you do, make sure you never give up the address, even if you stop using it.

This is a good idea in any case, as there are all sorts of other scenarios where somebody can masquerade as you and cause other kinds of trouble, by obtaining use of an email address that you used to have.

Of course, this SHOULDN'T be a problem, because the registrar shouldn't have accepted email from a non-current admin address as authoritative.

creepychris

4:50 pm on May 19, 2006 (gmt 0)

10+ Year Member



Yes. That is what happened. Secretly, I think it worked like this: They used the old contact admin address to talk their way into the account. Companies are filled with real people who will be talked into anything given a convincing enough story. Proof? Not really. How would I prove that? I just know that on May 11th a very old admin address was used to transfer the domain. And at the same time, the whois record for my domain was updated so that the old admin address became the new admin address again. The thing that gets me is that the whois information they used (including the old admin e-mail address) was not my current (just previous to May 11th) whois but some way outdated version that was still on alexa/amazon. I know this because of the addresses and telephone numbers that were used. Anyways, my registrar is claiming that they probably e-mailed me about the whois change but it got filtered. I doubt this because I check my junk mail constantly.

The good news. Both registrars are talking and they say that on Monday or Tuesday they will let me know and then 1 week later I should get it back if all goes well.

I really appreciate the receiving registrar for putting the domain on hold so the adult site isn't showing.

PS. If this ever happens to you, scrub the internet and print off every shred of evidence that the domain is you. I've been hitting Google's cache, alexa, and many other sources. I'm finding that information is evaporating rapidly. For example, the old whois info that was on amazon.com is gone. Fortunately, I got a printout before it evaporated. I also printed off the Google's cache of my contact info (when the domain was mine).

I think the domain thief also made some very sloppy mistakes which are clearly working in my favour. Both registrars, I think, truly believe that it was a hack job and that it was unauthorized and I am sure getting them on my side can only help since they are the ones who will be transferring back should I win this dispute. I am not going to say what those mistakes were because I don't want to educate criminals. But it was sloppy to say the least.

[edited by: creepychris at 4:58 pm (utc) on May 19, 2006]

creepychris

4:53 pm on May 19, 2006 (gmt 0)

10+ Year Member



If this is the case, it would be a good precaution for webmasters never to give up "no longer used" email addresses, and/or to avoid using Gmail, hotmail, yahoo, and address @your ISP, etc.

Yes, you are correct. It was indeed a hotmail address. But I needed it at the time because it was the first domain I ever bought. And unfortunately, I have since registered many other domains under an admin address that was linked to the stolen domain. There are some definite lessons here.

jtara

9:01 pm on May 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Companies are filled with real people who will be talked into anything given a convincing enough story.

This is referred to as "social engineering". It is probably the easiest hacking technique. A combination of knowledge about procedures and some specific knowledge about the victim is all that is needed.

Keep in mind that this is routine, high-volume everyday business. A couple of anecdotes come to mind:

- I have a password on my bank account. Not an online password. There's a password that bank tellers, phone reps, etc. are required to ask for before they make any changes to my account. I have to occasionally remind a teller or phone rep that there is a password. "Are you going to ask for my password?"

- I used to have an office next door to the Central Narcotics division of the Detroit police department. One day there was a knock on the door. I called down the stairs "who is it?". The guy yelled up the stairs "your Toyota's here!". I yelled back "my WHAT?". "Your Toyota's here! Where do you want it?". "Er, I'm not expecting a Toyota!". "Central Narcotics?" "No, they're next door!"

davezan

12:59 am on May 21, 2006 (gmt 0)

10+ Year Member



Personally I would go straight for resolution and sue your registrar for any costs

If you read the registrar's TOS, you'll notice that's one of the things their disclaimers and limits of liability apply to. But if you insist, then be prepared for any and all potential legal consequences.

Can the new registrar transfer it back with sufficient proof that it was mine and fraudulently transferred.

As you eventually posted, yes.

From what I've read and re-read, it all started because the domain name's admin contact email was defunct but later "revived" by that other party. They most likely used that registrar's password recovery options, logged in, and you can guess the rest.

I know at least one other case where this also happened. And it's still not resolved.

So you learned a hard lesson here: as soon as your contact details are outdated (moved, defunct, etc.), change them ASAP.

In a domain hijacking incident, persistence is really your only ally.

Good luck!

creepychris

2:06 am on May 21, 2006 (gmt 0)

10+ Year Member



Davezan,

Thanks for the well wishes. It's the weekend so not much is happening. It's hard to enjoy the time off with this on the back of my mind. Monday or Tuesday I should know more.

I've talked to both registrars now and so has my attorney. And it seems that everybody is agreeable to getting it solved. They have assured me that it is being expedited. And now people who know the exact circumstances of the case talk to me when I call (as opposed to lower level service reps).

As far as going after my registrar (or theirs), I agree that should not be a concern (at least for me). The opposing registrar has already done me a great favour by shutting it down completely so that it does not resolve to the adult site, the domain parking service or anything. The opposing registrar was also kind enough to point me in the direction of getting it back: they nudged me into getting my registrar to start proceedings when on the first call to my registrar (a lower level service rep just shrugged it off as a done deal). You are right: Persistence is the key.

I think the nature of the content being served might have helped (children's education being hijacked by adult content) because it could potentially make the registrars look bad even if there is no fault on their part. Joe public will just see "children site hijacked by porn". I have never brought this angle up nor will I unless things are clearly not going in my favour. I want their cooperation: I have also never threatened them, nor have I gotten angry and abusive at the people I'm dealing with.

My position is simply this: Get it fixed and move on.

walkman

3:10 am on May 21, 2006 (gmt 0)



>> It is probably the easiest hacking technique

and I think the most used one too.

creepychris

11:21 pm on May 21, 2006 (gmt 0)

10+ Year Member



For those interested in the issue of Domain Hijacking, I found this report at Lobo's suggestion on the ICANN website. I hope posting the link as it is from ICANN will not violate the TOS of webmasterworld. It was an interesting read and not overly technical at all.

[icann.org...]

creepychris

1:05 am on May 22, 2006 (gmt 0)

10+ Year Member



Davezan,

From what I've read and re-read, it all started because the domain name's admin contact email was defunct but later "revived" by that other party. They most likely used that registrar's password recovery options, logged in, and you can guess the rest.

I was worried about that myself, but I was certain I had totally erased that domain from my registration data (i.e. cleaned it up years ago). Thankfully, I just discovered that there are 'whois' archive tools. And for $15.00 I just did a complete archive history of my whois info with 10 different entries. As early as 2001, any trace of the defunct email address had disappeared. I KNEW I had cleaned it up. Whew! (Sort of). I was not the sloppy one in this case. It just magically appeared on my whois info again this year at the end of March. I have no idea how. Where it used to read 'organization' (with my details), a month and a half ago it began to read 'registrant' with details that were 6 years old.

I hope this will be ammunition for me.

davezan

1:24 am on May 22, 2006 (gmt 0)

10+ Year Member



It just magically appeared on my whois info again this year. I have no idea how.

Nowadays many registrars are creating user levels with more or less permissions than what they'll allow. So there'll be one with full access and control, another as tech contact to change only DNS, etc.

There are at least 2 registrars I've found who actually let you put in 2 sets of contact details: one for the WHOIS (probably just for show), and another within the account who aren't necessarily shown. I wonder if this is what happened, especially if the registrar in question made some changes.

Of course, only way to know is to ask them. Speaking of which, what's the status of your hijacking issue?

creepychris

2:08 am on May 22, 2006 (gmt 0)

10+ Year Member



The status is still the same. I am waiting for Monday morning. But, at least I have two new things to discuss with them:

From the ICANN PDF that I referenced, there is an emergency channel for dealing with this and the registrars should be able to deal with it amongst themselves. I suspect that when they told me it was to be expedited that this is what they meant.

Two, I have some hard questions for my registrar about why the whois was changed in March and why I wasn't notified. The entry that was placed in March seems harmless enough, but it was that old entry that allowed a defunct hotmail address to gain access and change the whois again in May so that when the transfer did occur, I was again not notified.
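A monitoring sketch for the gap described in the post above (the WHOIS record changed in March and no notice reached the owner), added here as an example and not code from any poster or registrar: it diffs two saved WHOIS snapshots and reports added contact e-mails, a registrar change, a dropped lock status, and new field labels. The `Key: value` layout, field names, domain and addresses are constructed assumptions; real WHOIS output varies by registrar.

```python
import re

# Free webmail providers named in the thread; an abandoned address there
# can later be signed up for by somebody else.
WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Parse 'Key: value' lines into {lowercased key: set of values}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), set()).add(value.strip())
    return record

def emails(record):
    """Every e-mail address that appears in any field of a parsed record."""
    found = set()
    for values in record.values():
        for value in values:
            found.update(m.lower() for m in EMAIL_RE.findall(value))
    return found

def audit(old_text, new_text, trusted_emails):
    """Compare two snapshots; return findings to raise with the registrar."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    trusted = {e.lower() for e in trusted_emails}
    findings = []
    for addr in sorted(emails(new) - emails(old)):
        notes = []
        if addr not in trusted:
            notes.append("not on trusted list")
        if addr.rsplit("@", 1)[1] in WEBMAIL:
            notes.append("free webmail")
        findings.append(f"contact e-mail added: {addr} ({', '.join(notes) or 'trusted'})")
    if old.get("registrar") != new.get("registrar"):
        findings.append("registrar changed")
    for status in sorted(old.get("status", set()) - new.get("status", set())):
        findings.append(f"status removed: {status}")
    for label in sorted(set(new) - set(old)):
        findings.append(f"new field label: {label}")
    return findings

# Constructed snapshots: the second shows a stale webmail address coming
# back and the 'Organization' label turning into 'Registrant'.
SNAPSHOT_OLD = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Status: REGISTRAR-LOCK
Organization: Example Kids Learning
Admin Email: owner@example.com
"""
SNAPSHOT_NEW = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Status: REGISTRAR-LOCK
Registrant: Example Kids Learning
Admin Email: old-admin@hotmail.com
"""

if __name__ == "__main__":
    for finding in audit(SNAPSHOT_OLD, SNAPSHOT_NEW, ["owner@example.com"]):
        print(finding)
```

Run on a schedule against freshly saved lookups, any non-empty result is a reason to phone the registrar before a transfer can follow.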

creepychris

5:37 pm on May 23, 2006 (gmt 0)

10+ Year Member



Update: under the Urgent Restoration of a Domain as outlined on page 32 of the ICANN document above (a great read), my registrar has requested the domain name back. Hopefully, the other registrar will comply (I believe they will).

Wheeeeeeeeeeeeeeeeeeeeeeeeeeeeeew! (Wipes sweat of brow)

Now on to damage control.

Thanks to all who have contributed advice via this thread and stickies.

davezan

8:05 pm on May 23, 2006 (gmt 0)

10+ Year Member



From what you posted, it's indeed likely to be returned! Good work! :)

1Lit

11:40 pm on May 25, 2006 (gmt 0)

10+ Year Member



Keep us up-to-date on what happens.

I wish you all the best my friend, having suffered something similar just recently (nasty webhost wouldn't release my domain name in their control). We're all rooting for you - good luck :)

creepychris

12:07 am on May 26, 2006 (gmt 0)

10+ Year Member



I am still waiting. My registrar claims they sent the e-mail on Tuesday so I asked the other registrar if they could set the name servers up so it points to my host during the waiting period. The other registrar said no problem as soon as my registrar contacted them. SO I asked: What? My registrar didn't contact you? They said no. We are still waiting. So I contacted my registrar and they said: Oh maybe the e-mail got misplaced. I asked the other registrar if that might be the case. They said unlikely but just in case, the other registrar gave me a couple of e-mail addresses that went to specific people (people who knew about the case) and told me to tell my registrar to resend the e-mail. There should be no mistakes about who received it this time. SO I gave those e-mail addresses to my registrar (why aren't they doing this on the phone?) and asked them to resend the e-mails. The tech guy said they would but they still haven't got back to me and when I last called they told me the guy in charge went home. Bah!

A tale of two registrars: the other registrar has replied to every single e-mail I've sent, put the domain on hold, and given me tons of important information. My registrar hasn't contacted me once about the incident.

Tomorrow is Friday and my patience is officially up. If they haven't contacted me because they are working on it, that's fine. But at this point, there is no excuse for any more delays.

My registrar claims 'the urgent restoration of domain' e-mail has already been sent. I want some proof because then I can start to get on the other registrar's case. Well, until tomorrow morning . . .

Lobo

3:03 am on May 26, 2006 (gmt 0)

10+ Year Member



I suspect that this may be a case of your current registrar checking they are covered before moving, realistically it is them who have made this mistake and want to cover their ass...

creepychris

3:27 am on May 26, 2006 (gmt 0)

10+ Year Member



I suspect that this may be a case of your current registrar checking they are covered before moving, realistically it is them who have made this mistake and want to cover their ass...

That the mistake is theirs, there is no doubt. But by delaying, they are just compounding the problem. If this had been solved on Monday, Tuesday, or even Wednesday, I would have sent thank you letters and gotten on with my business. If it gets solved tomorrow, I will still be relieved enough to forget the whole thing, but I am angry now.

Registrars do have the ability to work it out amongst themselves and the gaining registrar seems to be very cooperative. And the facts are obvious.

For 6 plus years, my account info and whois had all gone back to 1 e-mail: mine. And then suddenly a 7 year old e-mail sneaks its way onto the whois and I lose the domain. Luckily the gaining registrar e-mailed me the whois that was used for the transfer. All of the contact info there was demonstrably false as it was a hack job of my current address with slight modification. This was the kind of info that got the HZ domain restored quickly (the hacked phone numbers were 123-4567 or something like that).

My registrar's biggest problem is the lack of information they are passing down. I have to talk to a different support rep every time. They refuse to let me talk to someone actually working on the case. I get everything second hand through support reps. The gaining registrar, on the other hand, has assigned one support contact for me and knows the situation well. They are looking fantastic at this moment.

The week before last, I had just gotten #1 rankings in Google for 'World Cup keyword1' and 'World Cup Keyword2'. With the World Cup a week away, you can probably feel my pain.

But even that I would gladly forget just to have my domain back.

Liane

3:53 am on May 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow, creepychris ... what a nightmare!

I can't even imagine what I would do but one thing I am certain of is that I wouldn't wait any longer for my registrar to get this sorted out.

Demand that they resend the letter to the gaining registrar and that they CC it to you. As soon as you receive your copy, call the gaining registrar to confirm receipt. If your registrar does not resend it within an hour of speaking to them tomorrow morning ... get your lawyer to call them immediately.

I don't want to freak you out even more than you already must be ... but the damage being done to your site may be impossible to undo! If this site provides your livelihood, you cannot wait even one more day to resolve this problem. Heck, I would be on the next plane to wherever my registrar was located ... armed with every piece of proof I could get my hands on. I wouldn't take "no" for an answer and I sure as hell wouldn't stand for no action on the registrar's part either!

Best of luck my friend. You will be in my thoughts tonight and tomorrow. Please keep us informed and thanks for sharing your trials and tribulations. I'm sure you've given many webmasters a much needed wake up call!

creepychris

6:48 pm on May 26, 2006 (gmt 0)

10+ Year Member



My search engine rankings just crashed today. Across the board.

Liane

4:51 pm on May 30, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jeeze creepychris ... that's just horrible. What has your registrar to say? Have they sent the message to the gaining registrar? What has taken place since your last report?

davezan

8:04 pm on May 30, 2006 (gmt 0)

10+ Year Member



What's the status?

dauction

8:16 pm on May 30, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



creepychris I don't know how much it would help but I would send out an email from your site to Google, MSN and Yahoo explaining the situation and hopefully it is actually read and they act on it ..

by removing any penalties it may have picked up and sending out the bots to run through your site

creepychris

9:16 pm on May 30, 2006 (gmt 0)

10+ Year Member



Unfortunately, my registrar is dragging its feet. I still have yet to have one shred of genuine communication with them outlining the clear steps they have taken. All I get is: "we are investigating."

added: I just talked to my lawyer and it turns out that the other registrar is waiting for an indemnity agreement and then they are willing to hand it back right away. So once my registrar signs it, I should get the domain name back. But, I don't know why my registrar has not signed the agreement yet.

Lobo

1:34 am on May 31, 2006 (gmt 0)

10+ Year Member



Get them on the phone ... for God's sake, get through to the top and tell them you need it now, get your lawyer to send an immediate recorded delivery letter with the request ..

It needs action so action it..

TXGodzilla

3:54 pm on Jun 2, 2006 (gmt 0)

10+ Year Member



I am curious if Chris's attorney has filed a court order to obtain the thief's identity & contact info from the other registrar.

If this site was a primary source of income, I would definitely file criminal and civil charges against the thief.

Presenting pornography to children is a serious felony in the U.S. I think the legal system would be able to rip the thief apart easily with the documented info Chris has.

The other posts are correct, this situation has taken long enough that your website reputation has been devastated in the SE and from your regular visitors.

<snip>

[edited by: Webwork at 4:33 pm (utc) on June 2, 2006]
[edit reason] Let's not even "joke" about violent solutions. Thanks. [/edit]

NotNeYzer

8:35 pm on Jun 2, 2006 (gmt 0)

10+ Year Member



If I were in your shoes....
While still fresh and angry...

Write a few pages of timeline explaining exactly what happened. Name the Names too. 100% factual.
Post to non-indexed web page - even a new site (myregistrarscrewedme.com).
Send link to attorney for preview and approval.
Send link to registrar.

They may buy the site and make you whole again.

Liane

9:33 pm on Jun 2, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But, I don't know why my registrar has not signed the agreement yet.

This situation is unforgivable creepychris ... but I can't understand why you aren't ranting and raving and demanding action? Get your lawyer on them right now! You can't afford to wait any longer. (or maybe you can ... but your site reputation is being trashed while they drag their heels)

I would be a raving lunatic by now!

bobmutch

12:57 am on Jun 5, 2006 (gmt 0)

10+ Year Member



creepychris:

I am going to go and check my important domains now and change my passwords too.

I feel very bad for you!

Hope you get it back soon.

wmuser

2:35 pm on Jun 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Indeed.

<If you check WIPO and NAF decisions you notice the frequent appearance of 2 law firms, which firms offer free initial consultations>:

esqwire.com
johnberryhill.com

[edited by: Webwork at 3:28 pm (utc) on June 7, 2006]
[edit reason] Charter [/edit]

This 63 message thread spans 3 pages: 63