Jordan Reid, a blogger and what one news outlet called “A star of the post-expertise how-to landscape”, learned on Saturday that her “Ramshackle Glam” site was gone – poof!
Suddenly, the site that had been hers for five years was whisked away.
After getting a heads-up from a friend that something was fishy, she found her domain up on the auction block at Flippa.com, “The #1 place to buy and sell websites, domains and apps”.
For several days last week, Reid writes on that same, snatched-back site, some guy going by the name of “bahbouh” was promising that the winning bidder – or buyer, given that you could “Buy It Now” for $30,000 (£18,080) – would get her traffic, her files, and her data.
To add insult to injury, bahbouh suggested that Reid would be available “for hire” to keep writing posts.
Unless, that is, the buyer wanted to hire bahbouh himself to provide “high-quality articles” and “SEO advice” to maintain the site’s traffic post-sale.
Reid didn’t panic. The auction site was located in Australia and didn’t appear to have a phone number, so she sent an email with a scanned ID and proof of ownership.
What she got back, a form letter, wasn’t very encouraging.
Next, she called HostMonster, which hosts her lifestyle blog. Unfortunately, the domain was no longer registered in her name, so they couldn’t help her.
The crook who stole her site had approved the transfer through the email confirmation step that registrars use to authorize domain moves, landing her domain name in a private account at GoDaddy, a web registrar where Reid is also a client.
Reid writes that it never really occurred to her that she might be victimized, nor that it would be a big deal to fix things if she were:
Of course I've heard of identity theft, and of cyber hacking, but honestly, my attitude towards these things was very much "it could never happen to me." And even if it did... I didn't exactly understand why it was such a huge deal. Couldn't you just explain to people what had happened, prove who you were, and sort it all out? We live in such a highly documented world, it seemed completely impossible to me that someone could actually get away with pretending to be someone else with any real consequences beyond a few phone calls and some irritation.
Oh, it’s quite possible.
It’s happened to others, of course, such as technology journalist Mat Honan, who was attacked by a member of the UGNazi hacktivist group and had his Gmail account hijacked, and his iPhone, iPad and MacBook Air remotely wiped.
Another recent case was that of Naoki Hiroshima, a software developer whose valuable @N Twitter handle was socially engineered and extorted away from him.
He got his handle back after a month, after going through what Reid went through to get hers back, and more.
It wasn’t just his attractively succinct @N Twitter handle that had been socially engineered away from him; as well, Hiroshima’s GoDaddy, PayPal and email accounts were hijacked.
Reid’s hijacking didn’t go quite that far: it didn’t extend beyond her domain.
But one thing that Reid’s site-kidnapping did have in common with Hiroshima’s @N-napping and other hacked accounts: unhelpful registrars.
Neither Hiroshima nor Reid got any significant help from GoDaddy.
When Hiroshima called GoDaddy to explain his own situation, the agent asked for the last 6 digits of his credit card, as a method of verification, but the hacker who targeted him had already changed the credit card on the account.
Likewise, Reid says that from Sunday to Tuesday, she spent much of her days and nights on the phone with GoDaddy and HostMonster, with the answer from multiple employees amounting to “Sorry, can’t help you.”
In the aftermath of Hiroshima’s identity attack, GoDaddy, for one, owned up to its role, admitted that an employee had been socially engineered into giving up his account information, said it would make changes to employee training, and modified its account policies.
As far as Reid is concerned, the registrar hasn’t improved much since then, however.
In her write-up of the hijacking, Reid takes a hard line on HostMonster and GoDaddy – companies which, she believes, knew that she was the rightful domain owner but were staffed with employees who were uninformed about how to handle such a situation.
Once she got beyond front-line staffers and supervisors and managed to reach people who could have frozen her domain and prevented it from being sold or destroyed, they wouldn’t, she claimed, instead choosing to hide behind their legal departments.
HostMonster and GoDaddy actually pointed fingers at each other, each shifting the onus for fixing the situation to the other, she said during an interview.
She is, in fact, considering legal actions against the companies. (See Tech News Today. Fast forward to 30:50 for comments on legal action.)
Bear in mind that this is only Reid’s side of the story. I’ve reached out to GoDaddy and HostMonster to get their input and will update this article if and when they respond.
So how did she lose control of her domain in the first place?
Reid doesn’t appear to know. Her write-up seems to reflect suspicions that weak passwords were at play, given that she’s now changing her passwords, every few days, to very complicated, unpronounceable strings.
How did she get the domain back?
She says she took a three-pronged approach:
1. Directly calling GoDaddy and HostMonster. Not effective, but what finally made at least a little bit of difference was that she cited ICANN’s policy on domain transfer disputes (the Inter-Registrar Transfer Policy).
The policy calls for registrars to establish a Transfer Emergency Action Contact (“TEAC”) for urgent communications relating to transfers. Its goal: “to quickly establish a real-time conversation between registrars (in a language that both parties can understand) in an emergency. Further actions can then be taken towards a resolution, including initiating existing (or future) transfer dispute or undo processes.”
This didn’t result in action – the people she spoke with at GoDaddy and HostMonster didn’t seem to be familiar with the policy – but it did get her case upgraded, Reid said.
2. She called the FBI. The FBI, to her surprise, responded “immediately.” She had expected to leave a voice message in a general mailbox. Instead, the agency jumped on it, with follow-up phone calls and emails, an in-person interview with two special agents at her house within 24 hours, and a follow-up visit from two agents.
3. She dealt directly with the hijacker. She calls the operation Hollywood-worthy, a “sting operation that probably should have starred Sandra Bullock”.
Well, maybe that’s what it felt like, but in spite of a rather glamorous photo of herself at “3AM, on the phone with HostMonster trying to get the site frozen”, what it amounted to was cooking up her own identity fraud.
In a nutshell, a friend posed as an interested buyer. Hemming and hawing ensued, with the crook demanding cash before he relinquished the site.
So Reid wired money to bahbouh and then waited, with bated breath, until he released the domain.
As soon as he gave it up, Reid jumped on it, quickly switched it to another account, and canceled the wired funds.
An FBI investigation is ongoing, Reid said.
What’s the takeaway?
Of course, strong passwords are important, as is making sure that passwords for everywhere you go online are unique. If a cybercrook gets hold of your password for your email account, you don’t want him to then be able to use it to get into your PayPal, bank or Facebook account, for example.
In fact, maintaining strong, unique passwords for each service and website that you use is so important it has a place on our list of 3 essential security tasks.
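Reid’s domain was moved because the transfer confirmation step was satisfied on her behalf. One check a domain owner can run before that ever happens is whether the registrar transfer lock (the EPP status clientTransferProhibited, which a registrar must clear before it will release a domain) is actually set. The following script is an added example, not code from Reid’s write-up or from either registrar; it parses constructed RDAP-style JSON and WHOIS-style text records for hypothetical .test domains and flags any that are unlocked or already mid-transfer.

```python
"""Audit domain records for the registrar transfer lock.

Added example with constructed sample data; the domain names below are
hypothetical and no network lookup is performed.
"""
import json

# EPP status codes (RFC 5731). RDAP reports the same statuses as lowercase,
# space-separated words (RFC 8056), e.g. "client transfer prohibited".
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
PENDING_TRANSFER = "pendingTransfer"

# Constructed RDAP-style records (not real registry responses).
SAMPLE_RDAP = json.dumps([
    {"ldhName": "locked-blog.test",
     "status": ["client transfer prohibited", "client update prohibited",
                "client delete prohibited"]},
    {"ldhName": "open-blog.test",
     "status": ["active"]},
    {"ldhName": "moving-blog.test",
     "status": ["pending transfer"]},
])

# Constructed WHOIS-style text (not a real WHOIS reply).
SAMPLE_WHOIS = """Domain Name: WHOIS-BLOG.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""


def normalize(status):
    """Map both EPP ("clientTransferProhibited") and RDAP
    ("client transfer prohibited") spellings to one comparable form."""
    return status.replace(" ", "").lower()


def assess(domain, statuses):
    """Classify a domain from its status list.

    Returns a dict with the domain, whether a transfer lock is present,
    whether a transfer is already pending, and a one-word risk label.
    """
    seen = {normalize(s) for s in statuses}
    locked = any(normalize(lock) in seen for lock in TRANSFER_LOCKS)
    pending = normalize(PENDING_TRANSFER) in seen
    if pending:
        risk = "TRANSFER_IN_PROGRESS"   # already leaving; act now
    elif locked:
        risk = "locked"                 # registrar must unlock before a move
    else:
        risk = "UNLOCKED"               # e-mail confirmation alone moves it
    return {"domain": domain.lower(), "transfer_lock": locked,
            "pending_transfer": pending, "risk": risk}


def audit_rdap(rdap_json):
    """Assess every record in an RDAP-style JSON array."""
    return [assess(r["ldhName"], r.get("status", []))
            for r in json.loads(rdap_json)]


def parse_whois(text):
    """Pull the domain name and its 'Domain Status:' codes out of
    WHOIS-style text, ignoring the trailing ICANN URL on each line."""
    domain, statuses = None, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            domain = value
        elif key == "domain status" and value:
            statuses.append(value.split()[0])
    return domain, statuses


def audit_whois(text):
    """Assess a single WHOIS-style record."""
    domain, statuses = parse_whois(text)
    return assess(domain, statuses)


if __name__ == "__main__":
    for result in audit_rdap(SAMPLE_RDAP) + [audit_whois(SAMPLE_WHOIS)]:
        print(f"{result['domain']:<22} {result['risk']}")
```

Any domain reported as UNLOCKED can be transferred by whoever satisfies the registrar’s confirmation step, which in Reid’s case was the attacker; re-run the check after any registrar support interaction, since staff commonly clear the lock while handling a ticket.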
Another takeaway is that yes, absolutely, do call the FBI or your own country’s cyber response people as Reid did, and do it fast.
Make sure to keep notes and take screenshots where appropriate, as Reid suggests. Don’t delete any emails or other information, given that they may help in an investigation.
Naked Security has published a series of articles on how to report computer crimes.
Here’s one on unauthorized email account access that gives instructions on how to report a cybercrime in the US, the UK, Canada and Australia.
Should you follow Reid’s lead and try to conduct a Sandra Bullock-esque sting? Even she admits it’s risky.
The last thing you want to do is get swindled out of both your digital accounts and the money you thought would get them back.
Update: Here’s GoDaddy’s side of the story. There are two requirements to file a TEAC. First, you need to be the registrar that lost the name (in this instance, GoDaddy received the name, so it wouldn’t be eligible). Second, a TEAC is filed only if the losing registrar (in this case, a company called FastDomains Inc., which provides the registration that HostMonster sells) can’t get a response from the gaining registrar in five business days.
GoDaddy says it’s always responsive to requests from losing registrars, so it hasn’t been an issue for them.
Here’s a statement from GoDaddy Domain Services Director Laurie Anderson:
Every day, we receive reports domain names have been stolen. In order to protect our customers and other users of the internet from having domain names maliciously taken, we have developed best practices. Part of those practices include verifying the identity of the complainant. For increased security, we require multiple forms of identification and if we are unable to receive that data, we are unable to provide access to the domain.
While this is no doubt a frustration for some people in some cases, it has saved countless domain names from being transferred incorrectly.
I think an important missing point here to prevent this type of attack is the use of 2-factor authentication. GoDaddy supports it and it might prevent a simple password hijacking.
Nice Article, only missing one small point. If an attacker gains access to your email, chances are they can reset passwords to most of your accounts. 2 Factor Authentication by token is probably the best option.
Thanks to both of you for the input on 2FA. Absolutely spot-on, yes, it might have prevented a password-based breach if that in fact were the issue. The reason I didn’t delve very deeply into password issues is that we don’t even know for sure that a weak password was what enabled the theft. It’s only conjecture based on the fact that Jordan mentioned, in her advice, to avoid weak passwords, among a lot of other tips, and is changing hers quite frequently (not sure that’s such a good idea; if you’ve got a password with super duper entropy, why do you need to change it?)
Most security professionals I’ve heard chime in on this topic advise you to change your passwords every 3 months, regardless of the entropy. Having a high-entropy password doesn’t give you 100% protection, it just means it takes longer for the bad guys to crack. If you have a large enough botnet army though, even a high-entropy password can be cracked in a couple of weeks’ time.
That is sort of a misleading claim. If you’re using a password with the standard mix (0-9, a-z, A-Z) and it’s just 16 digits long the keyspace is mind bogglingly large. Even if an attacker could test a quadrillion passwords per second, single-handedly consuming the bandwidth of more than a thousand Internets with their login requests, it would still take a million and a half years to test the entire address space. Even if the password falls within the first 1% an attacker decides to test, the password is effectively good forever.
You’re more likely to be compromised by a failure on the part of the service provider to either secure the password correctly or a social engineering attack that causes the password to be bypassed entirely such as a CSR mistakenly doing a password reset.
This assumes a brute-force attack, which is rarely used anymore.
So, what’s Naked Security’s best recommendation – besides choosing a strong password – to protect our business from such attacks?
This once again proves how important secure passwords are doesn’t it? I see Sophos keeps on at everybody about them, same as I do every time I rescue some poor person’s computer. Begs the question, “Why aren’t they listening?”
The place I get secure passwords from is usually the generator on GRC.com (Gibson Research), but a good host will provide a secure generator in the site tools, as mine does, and if they don’t, it pays to spend the extra effort and find a host who does.
Also I save all my security login details in a little USB drive I wear on a chain, NOT in my computer! There are over a hundred in there and to date I’ve only had idiots use my email address in a forged header, probably out of frustration that they couldn’t actually hijack my email accounts?
The disappointing take-away here is the only reason she was able to take back control is she was able to steal back control. The authorities were useless in righting this wrong.