Internet Domain Name Hijacking

Last Update: 03/26/2006 by tpl@ieee.org

 

What do you mean that mst.com domain was hijacked?

  1. It all started when our Web Hosting ISP (www.hawkcommunications.com) went out of business or was acquired by somebody around May/June 2005.  There was a ‘dark’ period during which our web hosting services were in limbo.  (Note that when I checked on 03/16/2006, this company had come back and is now an Atlanta-based company.)
  2. Somebody got hold of the ‘hosting’ service and of the email services for mst.com, and an automated (email) transfer of the domain from register.com to onlineNIC.com took place on 6/11/2005.  The “Admin Contact” was tplee@mst.com.
  3. By chance, this “tplee” user tried to upload/ftp a few pictures to the mst.com web site on 7/22/2005.  Nothing worked, and with all passwords exhausted, this user tried to access the ISP’s web and admin site; the web site for the ISP had a page equivalent to ‘stand-by and under construction’.  With a Google search, he found a couple of notes saying that hawkcommunications was out of business and/or had been bought out by somebody else.  Out of distress and absolute disgust, he contacted another ISP to do web hosting.  That was www.maum.com for now.
  4. Things did not happen as expected.  This tplee user contacted mst.com domain’s registrar register.com and he was told that the domain had been transferred to onlineNIC.com on 6/11/2005.  The 60-day rule would not allow the domain to move any further.  Even if this tplee user wanted to initiate the transfer back, he had to contact onlineNIC.com to do it, using the “Admin Contact” email tplee@mst.com.  This was fishy enough and would not work to get the domain transferred back, and he was advised to file a complaint with ICANN/InterNIC, which had the oversight authority.
  5. In the meantime, this tplee user found that there was suddenly a for-sale page on www.mst.com, and he was desperate.  He took a screenshot of this page, used the browser’s “view page source” feature to save the content, and identified where the form would be submitted.  In this desensitized version, say it was http://www.ppppppservice.com/form.asp.  Actually, this was the sign of a neophyte thief; he/she could have done better by using everything from the hijacked mst.com site.  This tplee user even sent an email to tplee@mst.com (the for-sale sign contact) asking “Hi, T.P., are you there? How are you?” and got a reply a day later saying “Yes, what’s up?”.  This was the closest contact with the cyber thief.  The WHOIS database by now was mangled with a fake phone number, +1.2403270207.  The city, state and zip code had been changed to Marshall, KY US 21157.  Unfortunately, if you look for what city is actually covered by 21157, you’ll find that Westminster, MD is the place.  The WHOIS database also showed that iiiiHost.com (desensitized) was the owner of the mst.com domain, and this was either a reseller or a customer of the registrar onlineNIC.com.
  6. On 7/27/2005, this tplee user filed a complaint with InterNIC, and he also searched for “Internet Domain Hijacking Fraud” and the like to see how to get help.  He found the IFCCFBI site and filed a complaint there.  At that time, there were 10,000 complaints filed each month.  Today, this authority is called IC3 (Internet Crime Complaint Center) and FBI.
  7. On 7/29/2005, this tplee user finally got an email reply from the onlineNIC.com support folks.  He informed them about the filed complaints and possible fraud, and they agreed to disable the web server for the mst.com domain.  The for-sale sign was gone once this was done.
  8. On 7/29/2005, the register.com domain support folks suggested having the domain locked during the dispute and investigation.  On 8/1/2005, the domain was locked by the new registrar, and onlineNIC.com suggested the arbiter WIPO (http://arbiter.wipo.int/domains/) to look into this.
  9. On 8/2/2005, this tplee user looked into this arbiter service and found that he needed to spend between $1000 and $3000 for this.  He decided not to do this and filed an update to both agencies and sent the copies to onlineNIC.com and indicated that he would wait for the agencies to investigate the criminal case. 
  10. On 8/14/2005, this tplee user was happy to see that the WHOIS database was updated and that the mst.com domain had been transferred back to register.com in a “locked” state, with the content restored to the data from the previous ISP, hawkcommunications.com.  My interpretation was that onlineNIC.com considered this complaint valid enough and decided to transfer the domain back to avoid further involvement in this case.
  11. Although the web hosting services did not work right away, it was a pleasant event that the domain was finally transferred back.  It took some time to do proper identification and to convince the registrar register.com to get things done.  But we had no complaints about register.com, and we were indebted to the support folks there for pulling us through this mess, specifically David, John, Jennifer, Blair, and Sara at register.com.
  12. New web hosting services started on 9/9/2005 for mst.com again.

 

How can you protect your domain from being hijacked?

1. Ask your registrar to "Lock Down" your domain.  Don't allow it to transfer with automated email acknowledgements.

2. Use a robust email address for the Admin Contact of your domain.  Imagine that your registrar, your email address provider, or your web hosting ISP went out of business: could you easily find a replacement and fix/update your information?  Go through every scenario.

3. Save paper documents such as invoices, payments for the domain registrations, web hosting ISP statements and so on.  They help document your standing and ownership when your service providers are temporarily out of service.

4. Keep a journal and log of major events in your domain transactions, for example, the date and person(s) you talked to, URL locations, and a short summary of the conversation or email exchanges.  Snapshot or save the pages of interest and print a copy with the usual date and URL on the footer as documentation.  This is a difficult issue since the content of the URL page can change over time and you’ll have nothing to show if you don’t keep anything.
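One way to turn points 1 and 4 into a routine check is to save a WHOIS snapshot of your own domain regularly and compare it with the previous one.  The sketch below is an added example, not part of the original account; it assumes "Key: value" WHOIS output with the field names shown (real registries differ), and both snapshots are constructed sample data.

```python
import re

# Fields whose change between two snapshots deserves an immediate look.
WATCHED = ("registrar", "admin email", "admin phone")
LOCK = "clienttransferprohibited"  # EPP status set when transfers are locked

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into {lower-cased key: [values]}."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:#%]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record

def is_locked(record):
    # Status values may carry a trailing URL; compare the first token only.
    return any(s.split()[0].lower() == LOCK
               for s in record.get("domain status", []))

def audit(old_text, new_text):
    """Compare an older snapshot with a newer one and list what to query."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    findings = []
    for key in WATCHED:
        if old.get(key) != new.get(key):
            findings.append(f"{key} changed: {old.get(key)} -> {new.get(key)}")
    if not is_locked(new):
        findings.append("transfer lock (clientTransferProhibited) is not set")
    return findings

# Constructed sample snapshots (not real WHOIS output).
BEFORE = """Domain Name: example.com
Registrar: Registrar A, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Admin Email: owner@mail-provider.example
Admin Phone: +1.5555550100
"""
AFTER = """Domain Name: example.com
Registrar: Registrar B Ltd.
Domain Status: ok
Admin Email: owner@mail-provider.example
Admin Phone: +1.5555550199
"""

if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(finding)
```

Note that the Admin Email is identical in both snapshots, as it was in the mst.com case, so the registrar change and the missing lock are the signals that matter.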

 

 

Need to File A Complaint?

1. ICANN/InterNIC  http://reports.internic.net/cgi/registrars/problem-report.cgi

2. Internet Fraud and FBI: compaints@ifccfbi.gov, http://www.ifccfbi.gov/  This cyberspace criminal field is changing fast; search for the latest authorities if you need to file complaints.  As of this update, this authority has changed to the Internet Crime Complaint Center, http://complaints.ic3.gov/.

 

Good Practices before You Buy:

1. There is no domain title insurance as far as I know; be diligent in checking out the domain information and the owner information for the domain. 

2. You need to talk and negotiate with a real person and with a real name.  Avoid getting stolen domain names, which are the same as stolen goods.

3. WHOIS information: call the phone number listed there and talk to them to confirm.  Do the ZIP code, city and state actually match?  The WHOIS database was mangled by this thief at one point: the phone number was changed to +1.2403270207, and there was no ring when I checked.  The city, state and ZIP code were changed to Marshall, KY US 21157.

Unfortunately, if you look for what city is actually covered by 21157, you’ll find that Westminster, MD is the place.  Is this not enough for you to get suspicious?  The whole point is that the thief does not want you to contact them in these venues and leave a trail for law enforcement agencies.

4. If the registration provider is outside the country, with phone numbers like +98.07116267488, you probably should find other means to contact them.  In general, for universal domain names, i.e., not country-specific domain names, you should expect to contact someone in the US or other countries with reasonable law enforcement protections as your fallback position.

5. As an example, take the time when this thief used the www.mst.com page to put up a for-sale sign.  You should “view” the content of the html page and save that away.  I found that the form’s SUBMIT button used http://www.ppppppservice.com/form.asp to process the form submission.  Visit that site and see what you can find and learn and contact.  Note that I use pppppp so as not to point directly to the site I found.
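The check in point 5 can be done on the saved page source rather than by eye.  The following is an added example, not the author's own tooling: it records a content hash and capture time for the saved page and lists every form that submits to a host other than the one serving the page.  The URLs and HTML in it are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormTargets(HTMLParser):
    """Collect the absolute submission URL of every <form> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            action = dict(attrs).get("action") or ""
            self.targets.append(urljoin(self.page_url, action))

def evidence_record(page_url, html, captured_at):
    """Summarise a saved page: hash, capture time, off-site form targets."""
    parser = FormTargets(page_url)
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    offsite = [t for t in parser.targets
               if urlparse(t).hostname != page_host]
    return {
        "url": page_url,
        "captured_at": captured_at,
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "form_targets": parser.targets,
        "offsite_form_targets": offsite,
    }

# Constructed sample page source (not the page described in the text).
SAMPLE_URL = "http://www.example.com/"
SAMPLE_HTML = """<html><body>
<h1>This domain is for sale</h1>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="http://forms.example.net/form.asp">
  <input name="offer"><input type="submit" value="SUBMIT">
</form>
</body></html>"""

if __name__ == "__main__":
    record = evidence_record(SAMPLE_URL, SAMPLE_HTML, "2005-07-22T12:00:00Z")
    for key, value in record.items():
        print(f"{key}: {value}")
```

Keep the printed record with the saved source file in your journal; the hash shows later that the saved copy has not been altered.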

 

[End of text]