Forum Moderators: buckworks & webwork


perl.com and other domains get stolen

         

phranque

10:02 am on Jan 29, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



a noted perl book author tweeted on wednesday afternoon:
Huh, it looks like there was some snafu with the [perl.com...] domain registration and now it's registered under someone else. If you know how to fix this sort of thing, we'd like your help.

[twitter.com...]

it was apparently stolen in 2020 and then the domain was resold on the black market on wednesday.
this article has the best description i've read so far about the "heist":
[domaingang.com...]

Brett_Tabke

11:28 am on Jan 29, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



wow.

JorgeV

1:46 pm on Jan 29, 2021 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Hello,

I wonder how the thief really proceeded, but it sounds scary.

I didn't know it was still possible to steal a domain, considering all the procedures you have to go through to transfer it, and all the notifications sent to each contact (admin, tech, owner).

If you know how to fix this sort of thing, we'd like your help.

They should bring the case to Verisign and ICANN. They have the power to fix this. And since it's a big domain, with a background, it should not be hard to prove the stealing.

bhartzer

1:38 am on Feb 3, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are a lot more domain names stolen every day than most people realize. In the case of Perl, there were a few others that were stolen at the same time as that particular domain. Stolen from Netsol and then transferred over to Key Systems. In this case, my understanding is that the thief used social engineering to steal the domains. It wasn't just Perl, there were other domains stolen at the same time. The thief apparently used web chat and fake documents like a fake ID, fake business license, and some other documents.

I'm currently working with several other domain owners whose domains have been stolen (I'm Chief Data Scientist at a domain protection company that protects domains and recovers stolen domains). There are several ways that domains get stolen, and oftentimes it does involve a hacked account at a registrar. Some registrars are, in fact, just more susceptible to hacking and aren't as secure as others.


I didn't know it was still possible to steal a domain, considering all the procedures you have to go through to transfer it, and all the notifications sent to each contact (admin, tech, owner).


Turns out that ICANN and Verisign don't really care about stolen domains. It's really up to the registrars themselves to take care of these issues when they occur. There are policies in place that are 'supposed' to discourage it, such as the 60 day lock on domains when transferred, but that won't stop someone from stealing a domain.

What does happen is that when the thief gets into an account at a registrar, they will put the domain on privacy for a period of time and then they will transfer the domain name out to another registrar. Then, they will typically put the old WHOIS data back so it looks like the owner they stole it from still owns the domain (even though they don't). 99 percent of the time you can look at the WHOIS history of changes and spot if the domain has been stolen or not. However, there are some TLDs that actually don't show an expiration date on the WHOIS record. So, it's impossible to tell if the domain was stolen or if the domain simply expired and the owner didn't renew it. In that case, it's obviously not a stolen domain if it expired.

In any case, the quicker it's noticed that the domain is stolen the easier it is to deal with. For example, a domain can get stolen, the owner doesn't notice it, it gets transferred out to another registrar, it's sold a few times to other people, and then the owner notices it's stolen. Well, in that case, it's much more difficult to deal with and prove than if a transfer happens and you notice it within a few days.

In the case of Perl and the other domains, they did notice it quickly, and we were in touch with the domain registrar it was transferred to--and they were on top of it quickly.
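The WHOIS-history check described in the post above, as an added example that is not part of the original post or any tool the poster uses: it flags the sequence privacy enabled, registrar changed, old registrant data restored, and separates out the expired and no-expiration-date cases. The snapshot field names, the verdict labels and the sample records are assumptions constructed for illustration.

```python
from datetime import date

def snap(seen, registrar, registrant, privacy, expires):
    """One WHOIS-history snapshot; field names are assumptions for this example."""
    return {"seen": seen, "registrar": registrar, "registrant": registrant,
            "privacy": privacy, "expires": expires}

# Constructed history (not real records): privacy on, transfer out, old data restored.
HISTORY = [
    snap(date(2020, 8, 1), "Registrar A", "Example Org", False, date(2030, 1, 1)),
    snap(date(2020, 9, 10), "Registrar A", "REDACTED", True, date(2030, 1, 1)),
    snap(date(2020, 12, 20), "Registrar B", "REDACTED", True, date(2031, 1, 1)),
    snap(date(2021, 1, 5), "Registrar B", "Example Org", False, date(2031, 1, 1)),
]

def review_transfers(history):
    """Return (date seen, old registrar, new registrar, verdict) per registrar change."""
    snaps = sorted(history, key=lambda s: s["seen"])
    findings = []
    for i in range(1, len(snaps)):
        prev, cur = snaps[i - 1], snaps[i]
        if cur["registrar"] == prev["registrar"]:
            continue  # only registrar changes are of interest
        before, after = snaps[:i], snaps[i:]
        if prev["expires"] is None:
            # TLD publishes no expiration date: theft and lapse look the same
            verdict = "indeterminate"
        elif prev["expires"] < cur["seen"]:
            # registration ran out before the move: expired, not stolen
            verdict = "lapsed"
        else:
            # registrant values that were publicly visible before the move
            public = [s["registrant"] for s in before if not s["privacy"]]
            hidden_before_move = prev["privacy"] and bool(public)
            restored = bool(public) and any(
                not s["privacy"] and s["registrant"] == public[-1] for s in after)
            # "suspicious" means: confirm with the owner and registrar, not proof
            verdict = "suspicious" if hidden_before_move and restored else "review"
        findings.append((cur["seen"], prev["registrar"], cur["registrar"], verdict))
    return findings

if __name__ == "__main__":
    for finding in review_transfers(HISTORY):
        print(finding)
```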

edwsteel

3:04 pm on Mar 15, 2021 (gmt 0)

5+ Year Member



I believe the thieves need to transfer the stolen domain to a new registrar, into their own account? Such transfers are tracked and notifications are sent to the owner's email?
Or, my second guess would be to steal the access to both registrar account and the domain owner email? So that s/he is completely unaware of what is going on?

lammert

3:11 pm on Mar 15, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can find a post-mortem analysis at [perl.com...]
We think that there was a social engineering attack on Network Solutions, including phony documents and so on.