On Sunday, April 20, 2008, I arrived at my office to get a little work done and checked my email. Noticing that there was an unusual number of new emails in my GoDaddy folder, I opened it up first to see what happened. I nearly had a heart attack when I saw that the 60 or so domains I had in my GoDaddy account had been transferred away to someone named Moses Francis. Luckily, the web sites, data, and any emails sent to any of my domains were never compromised, as I immediately began working with GoDaddy to recover my domain names. As you remember, I played a little trick on my readers on April first, and the result included a little bit of freaking out by people who were concerned that this affected widgets and other things served by JoeTech.com. The sites and all their data have always been secure. The real risk was in losing my domain names.

Who is Moses Francis?
Moses Francis, it seems, is someone like me, who lost his domains to a hacker. The difference is that I’ve recovered all but two of mine (still pending), while it seems he has been less fortunate (or is unaware that he’s lost his domains). Below is what the registration on many of my domains changed to:
Registrant:
Moses Francis
471 Taman Silibin
Ipoh, 30100
Malaysia

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: JOETECH.COM
Created on: 28-Mar-97
Expires on: 28-Mar-09
Last Updated on: 19-Apr-08

Administrative Contact:
Francis, Moses mosesfrancis7@yahoo.com
471 Taman Silibin
Ipoh, 30100
Malaysia
3566754673

Technical Contact:
Francis, Moses mosesfrancis7@yahoo.com
471 Taman Silibin
Ipoh, 30100
Malaysia
3566754673

Domain servers in listed order:
DNS1.INEXO.COM
NS1.DERU.NET
You may note that the hacker left the DNS intact. This is a blessing, but could have been a curse.
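Because the registrant and contacts changed while the nameservers stayed the same, a monitor that only watches DNS would have stayed quiet. The code below is an added example, not part of the original post: it parses a WHOIS record in the format shown above and diffs it against a saved baseline. The baseline owner details and the names `parse_whois` and `changed_fields` are constructed for illustration.

```python
import re

# Record from the post, one field per line (address, phone, created/expires omitted).
HIJACKED = """\
Registrant:
Moses Francis
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: JOETECH.COM
Last Updated on: 19-Apr-08
Administrative Contact:
Francis, Moses mosesfrancis7@yahoo.com
Technical Contact:
Francis, Moses mosesfrancis7@yahoo.com
Domain servers in listed order:
DNS1.INEXO.COM
NS1.DERU.NET
"""

# Constructed baseline: owner name and email are placeholders, not from the post.
BASELINE = {
    "registrant": "Example Owner",
    "admin_email": "owner@example.com",
    "tech_email": "owner@example.com",
    "nameservers": ["DNS1.INEXO.COM", "NS1.DERU.NET"],
}

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Extract the ownership fields from a legacy GoDaddy-style WHOIS record."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    def after(header):
        return lines[lines.index(header) + 1]  # ValueError if section missing
    def email(header):
        m = EMAIL.search(after(header))
        return m.group(0).lower() if m else None
    ns_start = lines.index("Domain servers in listed order:") + 1
    return {
        "registrant": after("Registrant:"),
        "admin_email": email("Administrative Contact:"),
        "tech_email": email("Technical Contact:"),
        # Keep only hostname-shaped lines so trailing notices are ignored.
        "nameservers": [n.upper() for n in lines[ns_start:] if re.fullmatch(r"[\w.-]+", n)],
    }

def changed_fields(baseline, current):
    """Return the sorted names of fields that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))
```

Run against the hijacked record, `changed_fields(BASELINE, parse_whois(HIJACKED))` flags the registrant and both contact emails while `nameservers` stays off the list.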
How this scam works
The hacker, who is from Indonesia in my case, steals your domains and then tries to sell them. His goal is to keep the site live and gain full control of it where possible. In my case, he was able to transfer the domains to a shell account and managed to move two of them to NameCheap, but the data and the sites themselves have not been compromised. Once the hacker has control of the sites, he tries to sell them. For example, here’s my hacker trying to sell other people’s sites on DNForum.com, and it looks like he’s making out like, well, a bandit. Buyers, unaware that they’re bidding on stolen web sites and domain names, bid, thinking that they’re getting a pretty good deal. I tried several avenues of their site to contact DNForum admins, but every avenue requires me to purchase a membership upgrade with the exception of the support link, which would not let me log in. If you have an account there and have better luck than me, let them know.
How I got hacked
Technically, he just managed to get into my email via a web-based email system and a password I used in more than one place (I should know better). Once in my email, he quickly headed to GoDaddy, requested my password, and transferred the names out of my account. The whole process was pretty quick, and it was clear that he hacked my email just to get to my domains. I noticed the breach pretty quickly and changed my passwords, shut off webmail, and started investigating. Because I had become relaxed about the security of my password and accounts, this guy got in pretty easily and walked away with some great domain names.
The next step
After spending a large amount of time researching and contacting registrars, I finally have all but two of my domains moved into my new account and back in my name. Besides getting the last two domains moved back to my account, I still have some work ahead of me. Because GoDaddy is an international company, they tell me that they will go after the hacker regardless of where he resides. I’d love to find out that he wound up in jail somewhere. To that end, I am gathering up my relevant server logs to send to GoDaddy’s security department, IC3 and whoever else needs to be aware of this guy. I also need to unify all my domain registration under my newly-registered company name. This makes it a little easier for me to prove ownership of my domains.
Sites for sale
What frustrated me quite a bit was the timing. I had been in the middle of preparing statistics and revenue information for a couple of my sites. I have been planning to sell most of my web sites so that I can focus on JoeTech.com and a few others. This definitely put that on hold for a couple weeks. However, I will be listing those sites for sale this week, and I will be taking what I can get for them, so look for good deals. More than the money, I just need to free up resources, so I’ll start the bidding very low for all sites and domains.
UPDATE: I was finally able to log into the support site and notify DNForum of the fraud. I also noticed that it seems they removed the seller.
Joe on the April 28th, 2008
on April 28th, 2008 at 9:23 pm
Scary stuff man. Glad you got them back. I imagine GoDaddy was pretty helpful in doing so?
Jim Kukral’s last blog post..Finance Tips For Small Businesses & Entrepreneurs
on April 29th, 2008 at 10:22 am
I guess the undo department is pretty busy, but the “office of the president” has been very helpful, and the undo department is doing a good job getting them all back for me.
on May 2nd, 2008 at 2:18 am
scary, man should use hard to crack password for email
fit’s last blog post..Convert Your Car To Burn Water + Gasoline = Double Your Mileage!
on May 2nd, 2008 at 10:13 am
If you want to contact dnforum, here’s what I found out at whois:
Administrative Contact:
Dicker, Adam
None
9251-8 Yonge Street
Suite 413
Richmond Hill, Ontario L4C 9T3
Canada
4168840535 Fax — 8003321839
Technical contact is the same.
Jeff Miller’s last blog post..Land Banking with Your IRA
on May 2nd, 2008 at 10:16 am
Interesting, they turn the emails into images.
Here’s the email: amd@highimpactsites.com
Jeff Miller’s last blog post..Land Banking with Your IRA
on May 4th, 2008 at 4:37 am
I have been a follower of yours for a while. That crap sucks big time! I am so glad it seems to have worked out well. I did a post on people like these only more of the hackers who spread viruses. What do they get? In your case I see what they get. Way to go!
ettarose’s last blog post..I Just Love Paying My Taxes!
on May 4th, 2008 at 7:17 am
Moses Francis was the original owner of wpthemesplugin.com and many other profitable sites. His gmail was hacked and all his domains transferred sometime in the beginning of April. The profitable ones have been sold. He is still contemplating what to do as he has not been able to get much help from Go Daddy or Gmail.
He has been very unfortunate.
on May 4th, 2008 at 7:42 am
Hi Joe,
I am the real Moses Francis and yes, I am aware my sites and domain have been hacked. I lost a couple of my sites (wpthemesplugin.com (I’m a WordPress theme designer) & footyblog.net), to name a few, and am working on getting them back soon.
Thanks for posting this as it clears my name.
Regards
Moses Francis
on May 12th, 2008 at 2:05 pm
Holy crap. That was too easy.
I use a pretty long password for most of my sites and e-mail accounts, but have been pretty lax about it. Time to set new passwords!
Mo’s last blog post..Are You Desperately Trying To Sell Online?
on May 12th, 2008 at 2:57 pm
Mo:
This was definitely an eye-opener for me. I now pay more attention to my backups, my passwords, etc.