After a detailed and lengthy investigation, and after consulting with a fellow domain blogger, I discovered a security hole at Network Solutions that allowed a pretty valuable domain name to be hijacked, while also taking profit out of Network Solutions’ and NameJet.com’s pockets!

I will try my best to explain the whole process and how I see it happened. I will be displaying many screen shots to back this up and to help me explain.

The domain name PrFirm.com was owned by DB Communications LLC with the admin email address dan@danbaumcommunications.com. The domain name PrFirm.com was set to expire on 12-29-2009 and did just that. That is how I discovered the domain name: it was listed on NameJet.com in the Pre-Release domain section.

I did not know this at the time, but the likely reason the domain owner did not renew was that he was not getting the renewal emails. The admin contact email on file at NSI was on DanBaumCommunications.com, but that domain had been allowed to expire on 3-26-2005, and the email address was still set the same right up until the whois record changed to Pending Renewal Deletion (the standard "name" NSI uses with expired domains).

PrFirm.com Whois History Record

Since the domain name (DanBaumCommunications.com) was actually available at the time NSI was sending renewal notifications for PrFirm.com, the email address on file at NSI clearly would not work and would result in a bounced email. The domain name expires and is listed on NameJet for a pre-release domain auction. Pre-release bidding closed on 2-2-2010 at 8 PM. This means the auction would start the following day, as long as the domain name was not renewed before the auction start by "the past owner"! (That last sentence is very important in this story!)

PrFirm.com NameJet Cached Listing

PrFirm.com had received 47 bids and a $700 price tag when Google indexed the cached results displayed above, which was likely close to 2/2/2010. The domain name never made it to auction on NameJet, and at the time I thought it had simply been renewed by the past owner. Or so I thought! Remember, DB Communications was the past owner.

A 2-2-2010 DomainTools.com whois history record shows the Pending Renewal data NSI always displays with expired domains. This was also the last day of pre-bidding.

PrFirm.com whois history record 2-2-2010

A 2-3-2010 DomainTools.com whois history record shows a "new" owner the very same day the pre-release expired domain auction was going to start at NameJet!

PrFirm.com 2-3-2010 Whois history record

This tells me that "somebody" renewed the domain name before the auction would have started, but how is this "somebody" anyone other than DB Communications?

The Network Solutions Security Hole

Since the admin domain name used for the account at Network Solutions was actually available, the registrant (according to whois details, "Romer Romero"):

  1. Registered the available domain name DanBaumCommunications.com
  2. Set up the email address dan@danbaumcommunications.com
  3. Used the reset password function at NSI, which sends a "new password" to the email address on file (dan@danbaumcommunications.com)
  4. Gained access to the account
  5. Renewed the domain name PrFirm.com and changed the Whois details

The domain name was just hijacked for about $35. How can I prove this? Because the domain name DanBaumCommunications.com was hand registered on 2-2-2010,

DanBaumCommunications.com Whois Record

the very same day the pre-bidding ended, and the whois history record for DanBaumCommunications.com on 2-4-2010 shows whois information matching that of PrFirm.com. That was the email address used for the account at NSI!

DanBaumCommunications.com New whois history

This person likely noticed that the domain name in PrFirm.com's admin email address was "available", registered it at GoDaddy on 2-2-2010, set up the email address, went to NSI and did a password reset, gained access to the PrFirm.com account and renewed the domain.

PrFirm.com was listed on Sedo.com almost immediately after the domain was renewed. You may also have noticed that in the new whois records for PrFirm.com and DanBaumCommunications.com the Country is Venezuela, but Sedo’s Meet The Seller displays Denmark below. Secondly, you will notice that PrFirm.com’s seller account was created in February 2009, so this may not be the first time this process has been done. With 4 bars, the seller is shown to be pretty active at Sedo.

PrFirm.com Sedo Domain Listing Page

I am pretty sure the "name" Romer Romero used for the whois records is not really the person's name. It appears as if the domain name may have been "sold" recently, on 3-3-2010, as whois records changed to Sedo Transfer and then to privacy at Moniker on 3-9-2010. The domain name could have sold, or this could also be another cover-up, simply making it look like the domain name sold. Keep in mind that you can simply change your whois to anything you wish. The domain name has kept the SedoParking.com DNS from 2-3-2010 to this day.

It appears that DanBaumCommunications.com has been "hand deleted" at GoDaddy and will likely be released from the registry, although it was just created on 2-2-2010 by Romer Romero. The whois history records will not go away.

Because the domain name was hijacked before it could go to auction, it was never auctioned off publicly. Secondly, the hijack prevented Network Solutions (except for the renewal fee), NameJet, and technically the past owner (who gets 20% of an auction domain sale, though he would not have gotten the email to accept it) from profiting from the sale of the expired domain name. Lastly, if the domain name was sold or will be sold in the future, the buyer will likely be buying into something they may not be aware of.
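As an added defender-side example (not code from the original post), here are the two checks this chain implies, in Python: a stale-contact check that flags a registrar account whose contact address lives on a domain that is unregistered or expired, and a correlation rule that raises the "password reset followed by a same-day whois change" red flag suggested in the comments. The registry records, the event list, the password reset date and the new domain's expiry are constructed assumptions modelled on the PrFirm.com dates cited in the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class DomainRecord:
    """Whois view of a domain: created/expires are None when it is not registered."""
    created: Optional[date]
    expires: Optional[date]

def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()

def stale_contact_risk(contact: str, registry: Dict[str, DomainRecord], today: date) -> Optional[str]:
    """Why the account's contact address is hijackable: its own domain is unregistered or expired."""
    dom = email_domain(contact)
    rec = registry.get(dom)
    if rec is None or rec.expires is None:
        return f"{dom} is not registered: anyone who registers it receives the password reset mail"
    if rec.expires < today:
        return f"{dom} expired on {rec.expires} and will become registrable when it drops"
    return None

def takeover_red_flags(contact: str, registry: Dict[str, DomainRecord],
                       events: List[Tuple[str, date]], window_days: int = 3) -> List[str]:
    """Correlate a freshly registered contact domain with a password reset and a whois change."""
    dom = email_domain(contact)
    rec = registry.get(dom)
    flags = []
    resets = [d for kind, d in events if kind == "password_reset"]
    changes = [d for kind, d in events if kind == "whois_change"]
    for r in resets:
        if rec and rec.created and 0 <= (r - rec.created).days <= window_days:
            flags.append(f"{dom} was registered {(r - rec.created).days} day(s) before the reset on {r}")
        for c in changes:
            if 0 <= (c - r).days <= 1:
                flags.append(f"whois changed on {c} within a day of the reset on {r}")
    return flags

# Constructed sample modelled on the post: PrFirm.com expired 12-29-2009, its contact domain had
# dropped in 2005, was hand-registered 2-2-2010, and PrFirm.com's whois changed 2-3-2010.
# The password reset date and the re-registered domain's expiry are assumptions.
CONTACT, TODAY = "dan@danbaumcommunications.com", date(2010, 2, 2)
BEFORE = {"prfirm.com": DomainRecord(None, date(2009, 12, 29))}
AFTER = {**BEFORE, "danbaumcommunications.com": DomainRecord(date(2010, 2, 2), date(2011, 2, 2))}
EVENTS = [("password_reset", date(2010, 2, 2)), ("renewal", date(2010, 2, 3)), ("whois_change", date(2010, 2, 3))]

if __name__ == "__main__":
    print(stale_contact_risk(CONTACT, BEFORE, TODAY))
    for flag in takeover_red_flags(CONTACT, AFTER, EVENTS):
        print("RED FLAG:", flag)
```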

14 Responses to Network Solutions Security Hole Allows Domain Hijack


  1. sing
    Mar 30, 2010

    this was a great find indeed.

    Love ur blog, and u basically win me as ur regular visitor to your blog with ur investigated post.

    cheers


  2. Kevin
    Mar 30, 2010

    Good investigative work there.

    But is it not fair to say this is a security problem common to all registrars (or indeed any web site that allows password resets) and not specific to just NSI?


  3. Ross
    Mar 30, 2010

    Is this considered theft since the person is not the original owner of the domain and someone accessed the other person's account? I believe the person that did this is a member of the domaining community.


  4. TeenDomainer
    Mar 30, 2010

    Great find I’m amazed someone pulled that off.


  5. Domains
    Mar 30, 2010

    Brett Lewis covered this type of theft in CircleID a couple of years ago, but not in as much detail:

    http://www.circleid.com/posts/help_domain_name_hijacked/

    Good investigation and example.


  6. Jamie Zoch
    Mar 30, 2010

    @Ross,
    Theft or “stolen” etc are strong words and ones I didn’t feel comfortable using… so yes, it may be considered theft but I am also not a lawyer and didn’t read the TOS that closely.


  7. Shashi Bellamkonda
    Mar 30, 2010

    Hi Jamie,

    It is not accurate to categorize this as a Network Solutions security hole. I work for Network Solutions and we advise all domain registrants to always keep their account info updated. If your email domain name has expired you may have bigger issues than just your domain name registration. You may want to include this link, where we have posted simple tips to protect domain name registration no matter who your domain name registrar is: http://blog.networksolutions.com/2008/8-tips-to-protect-your-domain-registration/ It could be useful to your readers.

    Thanks,

    Shashi


  8. Jamie Zoch
    Mar 30, 2010

    @Kevin,
    I am not sure how or what “all registrars” process is, but it clearly could be a problem with some. NSI has a loophole that I did not include in my story for a reason, and it is likely what provides somebody the ability to see the email address of the admin (which can be, and often is, different from the one displayed in whois).


  9. Jamie Zoch
    Mar 30, 2010

    @Shashi,
    Since the domain name was registered at NSI, it is IMO. Secondly, there is a loophole that I think is and can be a problem, providing a domain's account admin contact email address, and I am only aware of it at NSI. If you would like me to post it, I gladly will, but I’m sure many will not be safe if I did. I agree it is not NSI’s fault the admin email was outdated, but when a password reset is done and whois details are changed that day as well, some kind of red flag should go up. IP tracking, Payment from etc. potentially all could have raised a red flag.


  10. Ms Domainer
    Mar 30, 2010

    Jamie,

    Great job!

    I have always thought that email addresses ought to be hidden in the Whois record, perhaps a changing link similar to that of some privacy services.

    That way, people could still email you, but the email itself would be hidden from nefarious eyes.

    It just seems to me that registrars ought to take more care in protecting their customers’ property without gouging them for it.

    On the other hand, the owner should have double checked his/her email address, and when he or she did not receive emails from the registrar, it should have been a red flag.

    It’s a shame for the past owner and something that all registrars should look into, not just NSI.


  11. Jamie Zoch
    Mar 30, 2010

    @ Ms Domainer,
    Thank you! Most whois email addresses displayed are not the same email address on file for an account, which is a good thing. If you do use the same email address as you do for your registrar account, you should change it. NSI is one registrar that easily allows anybody (yes, anybody) access to a specific email address that IS used for an account for a domain name. I didn’t go into detail about this in my post, as that is the biggest security loophole. I am not aware of obtaining an email address via Moniker, GoDaddy (the two I use) that I know of.


  12. Attila
    Mar 31, 2010

    Wow, that is quite clever. Although, the only thing anyone can do is the previous owner, and he can only scream fraud as the other person misrepresented himself to be someone who he is not.

    However, once you cross borders (country lines), it's nearly impossible to go after the individual when it concerns fraudulently impersonating an identity.

    Can possibly go to ICANN and NetSol to plead your case, but I doubt they will care unless the domain is a really high level name.


  13. chandan
    Apr 10, 2010

    I have seen several domains which have dropped domains as the email address. It's best to use our ISP email for account access.


  14. skyshipper
    May 05, 2010

    Great post, indeed an eye opener, almost like a sequence from a thriller, although a dark one, but registrants are supposed to keep whois updated and accurate; guess the original registrant has to share blame as well, but great post.
