
Thread: A warning to all - Beware buying stolen domains

  1. #1
    Senior Member
    Join Date
    Jan 2010
    Posts
    549
    Thanks
    115
    Thanked 192 Times in 105 Posts
    Rep Power
    12

    A warning to all - Beware buying stolen domains

    While I mainly deal with sites now, I'm still also a domainer and occasionally buy/sell names whenever I find good deals.

    I was looking at a few premium 1 word generics and city domains for sale yesterday, the price seemed reasonable and on the lower end. But after some short dd I found that there is a high risk that they are stolen. I'm still confirming this. But this is a fair warning to all EP'ers who occasionally buy domains - if the price seems cheap and the seller seems to be in a hurry be sure to check if they are not stolen. I've seen a few of these before and it's not always easy to figure out. Since this is fairly profitable for the thieves - we are talking about tens of thousands of dollars here in quick transactions - they frequently have an elaborate cover story and a lot of background info set up.

    Usually just a few google searches for the seller and the domains with the quotes and forum names, like "domain.net namepros" or "domain.net dnforum" will reveal some threads with suspicion raised about the domains that may have been stolen. You can also use the paid domaintools services to check whois history and check if there was a recent change in whois contacts and also contact the previous owner to verify that they weren't stolen.

  2. The Following 3 Users Say Thank You to DomainMagnate For This Useful Post:

    Clinton (July 20th, 2012), Kay (July 20th, 2012), KenW3 (July 20th, 2012)

  3. #2
    Administrator
    Join Date
    Sep 2010
    Location
    No fixed abode (from Scotland)
    Posts
    4,017
    Blog Entries
    2
    Thanks
    3,098
    Thanked 2,079 Times in 1,281 Posts
    Rep Power
    69
    Thanks for this warning, Michael. Very helpful.

    Can you please explain how domains can be stolen? I can understand how people could pretend to own something they don't and try to sell it, but not how anyone could actually steal a domain.

    Thanks.
    My Blog - latest posting: Facebook - broadcasting your secrets to the world
    Check out our Flickr account with 5 photos a day (when we get around to it) - latest: some old steam locos http://www.flickr.com/photos/britishexpat/

  4. #3
    Senior Member
    Join Date
    Jan 2010
    Posts
    549
    Thanks
    115
    Thanked 192 Times in 105 Posts
    Rep Power
    12
    In most cases that I'm familiar with thieves got access to the registrar contact email (apparently it's much easier if this is on a free email host like yahoo/hotmail or even gmail, than on your own domain) and from it were able to access the registrar account and moved the domains out. So that's why I wouldn't recommend using a free email account for the admin address, although most people still do it.

    I'm sure there are some members here who have a better security background so they can clarify how free email accounts can be hacked. I'm assuming mostly through keyloggers/trojans, social engineering (e.g. if you find out all the data about the person from his facebook profile you can probably know answers to most of the account restoration questions.), weak passwords etc.

    Also those hackers/domain thieves are frequently in countries like Iran so legal procedures won't get you far.

  5. The Following User Says Thank You to DomainMagnate For This Useful Post:

    Kay (July 20th, 2012)

  6. #4
    Administrator
    Join Date
    Sep 2010
    Location
    No fixed abode (from Scotland)
    Posts
    4,017
    Blog Entries
    2
    Thanks
    3,098
    Thanked 2,079 Times in 1,281 Posts
    Rep Power
    69
    So that's why I wouldn't recommend using a free email account for the admin address, although most people still do it.
    Erk. That's bizarre. If you were writing a list of ways to look unprofessional that could perhaps be at the top of the list. You might as well wear a big hat with "I am stupid!" written on it.

    MySite @ gmail . com

    compared to

    MyName @ MySite .com

    There's no contest. And I wouldn't expect anyone to take me seriously if I used the former.
    My Blog - latest posting: Facebook - broadcasting your secrets to the world
    Check out our Flickr account with 5 photos a day (when we get around to it) - latest: some old steam locos http://www.flickr.com/photos/britishexpat/

  7. #5
    Top Contributor
    Join Date
    Oct 2010
    Location
    Cotswolds
    Posts
    787
    Thanks
    175
    Thanked 739 Times in 373 Posts
    Rep Power
    23
    Kay - that is only for the admin address for the domain registration - nothing to do with the email address you use for business...

    e.g. you want to buy www.mybusiness.com to end up with the email of amazing.ceo@mybusiness.com - looks good... but when you register the domain you might need an email address for the registration, so you toddle off and secure just.another.address@gmail.com and use that to admin the domain...

    etc.

    Alasdair

  8. The Following User Says Thank You to akirk For This Useful Post:

    Kay (July 20th, 2012)

  9. #6
    Established Member
    Join Date
    Apr 2012
    Posts
    118
    Thanks
    8
    Thanked 81 Times in 47 Posts
    Rep Power
    3
    I could see thieves targeting domains using Yahoo! emails as the Admin right now with the breach problems they have been having. They could just run a script to find all public whois using Yahoo! emails.

  10. #7
    Premium Member
    Join Date
    Oct 2010
    Location
    East Yorkshire
    Posts
    1,691
    Blog Entries
    6
    Thanks
    286
    Thanked 1,474 Times in 761 Posts
    Rep Power
    46
    Now, there used to be insecurities in the log-in procedures of some registrars - sometimes you could get more information out than you put in.

    Once in a while, putting a garbage email into a log-in box would produce the real "control" email for a domain, ostensibly protected by privacy.

    Now, for the really lucky domain thief, entering garbage into the password box using the correct domain name and control email would pop up another box to enable a password reset. That box would require an email address, but didn't compare it to the control address, it would send the password to whatever email was entered.

    Not that I've ever tried to use this gambit, but I know it existed, and it might still happen with some registrars. No real need to hack into mailboxes - ask and the info was sometimes given.

  11. The Following 4 Users Say Thank You to crabfoot For This Useful Post:

    Clinton (July 20th, 2012), grynge (July 20th, 2012), Kay (July 20th, 2012), KenW3 (July 21st, 2012)
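
The reset flaw described in post #7, shown beside a corrected handler. This is an added example, not part of the thread and not any registrar's code; the account store, outbox, function names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one registrar account and the domain it controls.
ACCOUNTS = {"example.com": {"control_email": "owner@example.net"}}
OUTBOX = []          # (recipient, message) pairs a real system would e-mail
RESET_TOKENS = {}    # sha256(token) -> domain; only the hash is stored

GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def reset_flawed(domain, entered_email):
    """The behaviour described in the post: mail goes to the typed address."""
    if domain in ACCOUNTS:
        OUTBOX.append((entered_email, "password reset for " + domain))
        return "Reset sent to " + entered_email
    return "Unknown domain"


def reset_hardened(domain, entered_email):
    """Send only to the address on file and answer identically in every case."""
    account = ACCOUNTS.get(domain)
    on_file = account["control_email"] if account else ""
    # Constant-time comparison; the typed address is never used as recipient.
    matches = hmac.compare_digest(on_file.lower().encode(),
                                  entered_email.strip().lower().encode())
    if account and matches:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = domain
        OUTBOX.append((on_file, "reset link token=" + token))
    # Same reply whether or not the domain or address exists, so the form
    # cannot be used to learn the control e-mail.
    return GENERIC_REPLY
```

The hardened handler sends a single-use link rather than the password itself, and its uniform reply also closes the information leak described for the log-in box.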

  12. #8
    Administrator
    Join Date
    Sep 2010
    Location
    No fixed abode (from Scotland)
    Posts
    4,017
    Blog Entries
    2
    Thanks
    3,098
    Thanked 2,079 Times in 1,281 Posts
    Rep Power
    69
    Can someone please spell it out for me, as I'm not really understanding all this.

    What action can people take to prevent their domains being stolen?
    My Blog - latest posting: Facebook - broadcasting your secrets to the world
    Check out our Flickr account with 5 photos a day (when we get around to it) - latest: some old steam locos http://www.flickr.com/photos/britishexpat/

  13. #9
    Senior Member
    Join Date
    Jan 2010
    Posts
    549
    Thanks
    115
    Thanked 192 Times in 105 Posts
    Rep Power
    12
    They sometimes end up on flippa too. Here is one of those and one more (3 letter domains are the most popular among domain thieves as they are easy to sell and have high reseller value), the thief tried to sell it, but got promptly banned. But since there is really no way for flippa verification system to determine the domain as stolen, if the name is not reported by other members it could easily sell there. In most cases the stolen domains are returned to the original owners once they realize what happened and contact the registrars.

  14. The Following 2 Users Say Thank You to DomainMagnate For This Useful Post:

    crabfoot (July 21st, 2012), KenW3 (July 21st, 2012)

  15. #10
    Top Contributor
    Join Date
    Jun 2011
    Location
    Florida
    Posts
    846
    Thanks
    1,932
    Thanked 1,352 Times in 659 Posts
    Rep Power
    36
    Quote Originally Posted by Kay View Post
    Can someone please spell it out for me, as I'm not really understanding all this.

    What action can people take to prevent their domains being stolen?
    Domains are usually stolen because accounts can be hacked, or social engineering is used to trick people into divulging personal information. It is a bad idea to use web-based mail such as Yahoo, Hotmail, Gmail for registrar account contact; I don't use one for the WhoIs either. Someone using the same email address for everything is in much greater danger of being hacked (i.e. Your WhoIs contact email matches your registrar contact email). Privacy adds a level of protection. Each domain name should have registrar lock set to On, unless the name is being pushed or moved.

    Some registrars have additional levels of protection. Moniker and Fabulous have never had a domain stolen (that they didn't get back), from reports on the net. The most secure registrar is Fabulous, as they have a security key available. This is a USB dongle that must be inserted into the computer used for making a request for anything security related. Moniker has extra security products including Domain Name Maxlock and Portfolio Maxlock. There is a new registrar I have not yet investigated, NameSilo.com that advertises itself as the lowest (standard) cost registrar (but only offers 7 TLDs), and provides a free Domain Defender service.

    There are many thousands of domain names that can be stolen today, but I won't post how that is done here. The easiest way to steal domain names is to find which accounts are not secure, then go through the list to find the valuable domains. In most every case of this I've read, the stolen domains are returned (and any buyer loses their money), if the owner is aware they are no longer in possession of the name. In many cases, however, domain name owners don't pay very close attention to their accounts.

    As for public mail servers such as Yahoo and Gmail, those are much more secure than they used to be, but are still not safe enough for banking or any information needing to remain secure. Once upon a time, passwords were stored in a SQL database; you could get a program to decrypt the stored password associated with the email address, and then have access to the webmail account.

  16. The Following 7 Users Say Thank You to KenW3 For This Useful Post:

    bwelford (July 21st, 2012), Clinton (July 22nd, 2012), cothrun (July 22nd, 2012), crabfoot (July 21st, 2012), Dave McM (July 21st, 2012), hipmrc (March 17th, 2013), Kay (July 21st, 2012)
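
The checks recommended in post #10 (registrar lock on, no free webmail contact) and the recent-change check from post #1 can be run over the WHOIS text of your own domains. This is an added example, not part of the thread; the sample record is constructed, the field names assume a common "Key: value" WHOIS layout, and the "Updated Date" field is used here as a stand-in for a full whois-history lookup.

```python
import re
from datetime import datetime, timezone

FREE_WEBMAIL = {"yahoo.com", "hotmail.com", "gmail.com"}  # hosts named in the thread

# Constructed WHOIS-style record for illustration; not real registry output.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Updated Date: 2012-07-15T09:30:00Z
Domain Status: ok
Registrant Email: owner@gmail.com
Admin Email: owner@gmail.com
"""


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys can repeat)."""
    record = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^:]+):\s*(.+)", line)
        if match:
            key = match.group(1).strip().lower()
            record.setdefault(key, []).append(match.group(2).strip())
    return record


def audit(text, now, recent_days=30):
    """Return a list of findings for one domain's WHOIS text."""
    rec = parse_whois(text)
    findings = []
    # Registrar lock appears in WHOIS as the EPP status clientTransferProhibited.
    statuses = " ".join(rec.get("domain status", [])).lower()
    if "clienttransferprohibited" not in statuses:
        findings.append("registrar lock is off")
    for email in rec.get("admin email", []) + rec.get("registrant email", []):
        if email.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
            findings.append("contact on free webmail: " + email)
            break
    for stamp in rec.get("updated date", []):
        updated = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        updated = updated.replace(tzinfo=timezone.utc)
        if (now - updated).days <= recent_days:
            findings.append("record changed in the last %d days" % recent_days)
    return findings
```

For a buyer, a recent change on a name offered cheaply is a prompt to contact the previous owner, as post #1 suggests.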
