Web Hosting Talk

Namecheap.com domain name stolen.


cardsites
09-01-2008, 05:22 PM
Hi there.

I maintain several domain names for various clients. One domain name today suddenly went offline. When I checked the namecheap.com account to see what had happened, I discovered that the domain name was gone.

It had not expired; it was just gone and pointing to enom. Upon further inquiry I discovered that the domain name had been pushed to another account without permission.

The customer service person told me that they would get it sorted out shortly. 2 hours.

I contacted them again; the second person closed the ticket without resolving it.

Now namecheap.com is an enom reseller and they have been a good company for the years that I have been with them.

The thing that surprises me is that there was no notification, there was no message. Nothing to let me know that an email had been pushed from my account, except for the obvious fact that I was missing it. If it was a lesser used domain name I would never have known or been notified.

I am wondering if anyone else has ever had a domain name hijacked or stolen this way, and what did you do?

I am still waiting to hear back from namecheap. I am sure they will handle this in a professional way and restore the domain name, but while I wait, I was just wanting to get some feedback.

Thanks.

cardsites
09-01-2008, 05:24 PM
I have found these threads online of other individuals that have had similar experiences with namecheap.

http://www.v7n.com/forums/domain-name-forum/63465-namecheap-what-s-going.html

http://www.webhostingtalk.com/showthread.php?t=605461&highlight=namecheap+domain+hack

cardsites
09-01-2008, 06:23 PM
Ok I finally have a response from Jerry. They are looking into it. I guess cause it's the long weekend it's taking longer. The other guy in the thread above had his problem fixed in an hour. I know that staff there is pretty good, so I hope this gets fixed right away like his did.

Dave Zan
09-01-2008, 10:34 PM
I guess cause it's the long weekend it's taking longer.

And it's Labor Day in the U.S., too. I doubt it'll be resolved in a few hours given the unfortunate timing, but for sure they'll investigate it exhaustively.

cardsites
09-01-2008, 11:15 PM
The first person I spoke to said it was an error and that it would be resolved in 2 hours. Then it's now being looked into. I just don't understand why it takes so long considering that the guy who had this happen in the other thread had this all resolved in 1 hr.

Oh well with the holidays in mind. I hope they will have this fixed early tomorrow, because the site has been offline ever since.

What I really don't understand is how this happens without consent. I mean to transfer a domain name you have to get all these emails, then a code etc. It should be a similar process for pushing a domain name. I bet that would cut down on fraud.

stub
09-02-2008, 12:30 AM
Have you checked your security settings at Namecheap? Are you sure you have all those emails turned ON. I was pleasantly surprised by the level of security settings you could turn on and off.

cardsites
09-02-2008, 01:11 AM
There was no email sent. The domain name was transferred out of my account to what looks like an enom account. There is no owner listed. It just says enom for the domain name info.

It happened this morning, suddenly the site went offline. Check to see what was up with the domain name and voila it was gone.

There was no email. The security settings are always on do not transfer. Therefore instead of stealing it that way, someone tried to steal it by moving it to another account.

Well actually what I was told at first is that it was an error and would be corrected in a couple of hours, now I have to wait till tomorrow.

Had this not been an active site, then it might have been missed. The other guy in the thread above had his domain name missed for over three months. Also if your domain name is transferred or pushed to another account you don't get those your domain name is about to expire warnings and it just expires. So then someone else can register it. That is another way of stealing a domain name.

I just think there should be more security. Look at all the steps you have to go through to do a transfer. There should at least be an email sent out letting you know what is happening. Do you approve this push, yes no? Nothing like that from what I can see.

They could have stolen other domain names for all I know. Cause I really don't keep track of all the unused domains. If they are pushed to another account, you get no warning when they are about to expire and there it goes. Keep that in mind with your own domain names. I think there should be more security to push domain names. Not just for http://www.Namecheap.com, but for all registrars.

enetwork
09-02-2008, 05:41 AM
Hello Cardsites,

Our staff responded to you with the following:

Hello,

"This domain has been suspended for the paypal phishing attack on:

http://www.xxxxxxxxxxxxxx***********/Community/uploads/avatars/secure/ssl/www/www.paypal.com/paypal-update/index.htm

Account owner has been informed about this suspension, however since you are not account owner, we cannot provide you any further information, for obvious reasons. Hope you understand."

Dave Zan
09-02-2008, 06:30 AM
There was no email sent. The domain name was transferred out of my account to what looks like an enom account. There is no owner listed. It just says enom for the domain name info.

Other than a possible hijacking, that's the only other time one isn't necessarily notified when a domain name's been transferred. As Richard from NameCheap eventually answered, it's eNom who "took" that domain name, more so not letting you know since you're not the account holder.

Unfortunately NameCheap and eNom can't help you directly. Your client is going to have to be the one to contact eNom and deal with it as humanly calm as possible.

Hmm, seems like the potential phishing is so severe it warranted being shot now and asked questions later. It's obviously not good, but a difficult and urgent choice had to be made based on the situation.

Hope things somehow work out.

jackpx
09-02-2008, 06:37 AM
The domain was used for Phishing

http://www.puretalkforum.com/f2/paypal-phishing-e-mail-4444.html

http://www.phishtank.com/phish_detail.php?phish_id=497361

I think the problem was a vulnerability which the forum had; the phishing is within the directory /Community/uploads/avatars/
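
An added example, not part of jackpx's post or any code from this thread: a Python audit a site operator could run over a forum's avatar upload directory, flagging the kind of content reported above (nested directories and an .htm page under /Community/uploads/avatars/). The allowed image types, the function names and the sample tree are assumptions; the sample files are constructed.

```python
import os
import tempfile

# Leading bytes of the image formats an avatar upload is assumed to allow.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpeg": b"\xff\xd8\xff",
}
ALLOWED_EXT = {".png", ".gif", ".jpg", ".jpeg"}


def sniff_image(path):
    """Return the image type detected from the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for kind, magic in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_upload_dir(root):
    """Report everything under root that is not a flat set of image files.

    Returns a sorted list of (relative_path, reason) tuples. A file that
    passes is only known to start like an image; it is not proven harmless.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # An avatar directory is assumed to be flat: any subdirectory is a finding.
        for name in dirnames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            findings.append((rel.replace(os.sep, "/"), "unexpected subdirectory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                findings.append((rel, "extension not allowed: %r" % ext))
            elif sniff_image(full) is None:
                # Image extension, but the bytes say otherwise.
                findings.append((rel, "content is not an image"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: two avatars plus the nested path reported in the thread."""
    with open(os.path.join(root, "avatar_1.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC["png"] + b"\x00" * 8)
    with open(os.path.join(root, "avatar_2.gif"), "wb") as fh:
        fh.write(b"<html><body>not an image</body></html>")
    nested = os.path.join(root, "secure", "ssl", "www", "www.paypal.com", "paypal-update")
    os.makedirs(nested)
    with open(os.path.join(nested, "index.htm"), "wb") as fh:
        fh.write(b"<html><body>placeholder</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for rel_path, reason in audit_upload_dir(sample_root):
            print("%-60s %s" % (rel_path, reason))
```
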

cardsites
09-02-2008, 08:09 AM
Oh my gosh, are you kidding me.

This is the response from name cheap and they stole the domain name.

Hello,

This domain has been suspended for the phishing attack on:

http://www.targetedindividuals.com/Community/uploads/avatars/secure/ssl/www/www.paypal.com/paypal-update/index.htm

Account owner has been informed about this suspension, however since you are not account owner, we cannot provide you any further information, for obvious reasons. Hope you understand.

Thank you.

We are closing this ticket.


--
Arunas
NameCheap.com

cardsites
09-02-2008, 08:11 AM
I admin the domain name for this person, and I was not informed by namecheap of this to my knowledge. Then without notice the domain name is transferred to another account. I should still have the domain name in my account.

This is a support site. What can be done, cause this has to be illegal, and you can supply me with more information, cause I registered the domain name on behalf, and administer it, therefore take responsibility for it.

cardsites
09-02-2008, 08:18 AM
Has anyone heard of this before, where the domain host removes a domain name from the owner, because of phishing, even if that is true?

I suspect it has more to do with the fact that that domain name is a support site for Targeted Individuals. You can read more by going here http://www.TargetedIndividuals.org.

Even if the domain name was used due to a vulnerability, there was no email sent to me the admin, and why was the domain name removed from my account?

I am the owner of the domain, and you are doing the dirty work of those that have been trying to get this domain and other sites like it shut down.

I would like to have the domain name back.

Again we also seem to be deviating from the original issue. The issue here is still, why was the domain name removed from my account, when I admin it. Now you are telling me you can't provide me with more information, cause I am not the owner. Yet I registered it and admin it, and am responsible for it. You are helping to hijack the domain name.

So I guess your company is the one that moved the domain name into the other account. So you can move it back, so I can move the domain name to another company, if you no longer wish to host it. I have no problem with this.

Thanks.

cardsites
09-02-2008, 08:45 AM
They have closed the ticket saying that they can not provide me with any information for the domain name. Yet the information for the domain name is what is listed below. Until yesterday, my admin information is what was used for the domain name.

Can anyone provide some quick legal advice?

Address lookup
lookup failed targetedindividuals.com
Could not find an IP address for this domain name.

Domain Whois record
Queried whois.internic.net with "dom targetedindividuals.com"...

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientTransferProhibited
Updated Date: 01-sep-2008
Creation Date: 20-oct-2007
Expiration Date: 20-oct-2008

>>> Last update of whois database: Tue, 02 Sep 2008 08:43:21 EDT <<<

Queried whois.enom.com with "targetedindividuals.com"...

=-=-=-=
Visit AboutUs.org for more information about targetedindividuals.com
<a href="http://www.aboutus.org/targetedindividuals.com">AboutUs: targetedindividuals.com</a>

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: targetedindividuals.com

Registrant Contact:
NameCheap.com
NameCheap.com NameCheap.com

8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Administrative Contact:
NameCheap.com
NameCheap.com NameCheap.com (support@NameCheap.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Technical Contact:
NameCheap.com
NameCheap.com NameCheap.com (support@NameCheap.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 20 Oct 2007 17:43:02
Expiration date: 20 Oct 2008 17:43:02
=-=-=-=
Version 6.3 4/3/2002
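
An added example, not part of cardsites's post: earlier in the thread the complaint is that nothing notified the domain's administrator of the change, so this Python sketch shows a check the domain holder can run, comparing a saved registry WHOIS snapshot with a newer one and flagging changed fields. The current record is the registry output quoted in the post above; the baseline snapshot, its name servers and the function names are constructed assumptions.

```python
from datetime import date, datetime

# Registry WHOIS fields whose change should be noticed by the domain holder.
WATCHED = ("Registrar", "Whois Server", "Name Server", "Status",
           "Updated Date", "Expiration Date")
HIGH_RISK = {"Registrar", "Whois Server", "Name Server", "Status"}

# Constructed baseline: what an earlier saved snapshot might have looked like.
BASELINE = """\
Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
Status: clientTransferProhibited
Updated Date: 20-oct-2007
Expiration Date: 20-oct-2008
"""

# Registry record as quoted in the post above.
CURRENT = """\
Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientTransferProhibited
Updated Date: 01-sep-2008
Creation Date: 20-oct-2007
Expiration Date: 20-oct-2008
"""


def parse_whois(text):
    """Collect the watched 'Key: value' lines into {field: set(values)}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if sep and value and key in WATCHED:
            record.setdefault(key, set()).add(value.lower())
    return record


def diff_records(baseline, current):
    """Return one entry per watched field whose value set changed."""
    changes = []
    for field in WATCHED:
        old, new = baseline.get(field, set()), current.get(field, set())
        if old != new:
            changes.append({"field": field,
                            "removed": sorted(old - new),
                            "added": sorted(new - old)})
    return changes


def classify(changes):
    """'alert' for control-relevant fields, 'review' for dates only, else 'ok'."""
    fields = {c["field"] for c in changes}
    if fields & HIGH_RISK:
        return "alert"
    return "review" if fields else "ok"


def days_until_expiry(record, today):
    """Days left on the registry expiration date, or None if it is absent."""
    dates = [datetime.strptime(v, "%d-%b-%Y").date()
             for v in record.get("Expiration Date", ())]
    return (min(dates) - today).days if dates else None


if __name__ == "__main__":
    old, new = parse_whois(BASELINE), parse_whois(CURRENT)
    changes = diff_records(old, new)
    print(classify(changes))
    for change in changes:
        print(change["field"], "-", change["removed"], "+", change["added"])
    print("days to expiry:", days_until_expiry(new, date(2008, 9, 2)))
```
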

enetwork
09-02-2008, 01:02 PM
G Bailey,

Do you honestly think we have any interest in this domain at all? If you are going to come on here and make your wild accusations then at least post the truthful responses coming from our support staff. They are the following (I won't post any of your emails to us but I think the folks around here can fill in the blanks):

Posted on: 02 Sep 2008 12:23 PM

--------------------------------------------------------------------------------
Hello,

Since you are contacting us from email address that we don't have on file for your account, we are unable to provide you any information at all. Hope you understand.

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com




Posted on: 02 Sep 2008 12:33 PM

--------------------------------------------------------------------------------
Hello,

The account owner HAS been informed about this in due course.

Sorry, we are closing this ticket as we cannot disclose any information to the third parties (and you are third party as your email does not match the one we have on file for the account).

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com



Posted on: 02 Sep 2008 12:41 PM

--------------------------------------------------------------------------------
Hello,

A paypal phishing site is not a game, but a federally prosecuted crime. This domain is *not* hijacked. It is suspended and nullrouted. We are waiting for the account owner to contact us. Hope you now understand.

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com


Posted on: 02 Sep 2008 12:52 PM

--------------------------------------------------------------------------------
Hello,

Sorry, we are not able to understand your last question properly.

We *still* have targetedindividuals.com within our system and are waiting for the account owner to contact us from the email address we have on file for his/her account.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com

enetwork
09-02-2008, 01:26 PM
G. Bailey,

I have instructed our fraud department to re-instate the domain name on our end to the original account so if you do have access to that account or someone you know does, do let them know. I am doing this because I see this could have been a security breach on the site, whomever it may belong to.

I would suggest you fix this immediately as we cannot continue to allow this to happen on the same domain name.

Kovich
09-02-2008, 03:29 PM
Hello everyone.

I wanted to throw my input in here to prevent a phisher from having his site restored.

I received one of the phishing E-Mails sent out by this website, and posted about it on my site. The thread is located here:

Edit: Realized I can't link it. It was posted somewhere else in this thread anyway.

I run multiple forums on a vast number of forum software. I'm pretty well versed on vulnerabilities in such software.

You'll notice that the phishing page was located here:

/Community/uploads/avatars/secure/ssl/www/www paypal com / paypal-update/ index.htm

The fact that the secure and ssl folders even exist is proof that this was done intentionally by the administrator. By placing these, it helps to pull off a fake secure connection, like that of the actual PayPal site.

.htm files are not allowed to be uploaded as an avatar on any forum software.

In my opinion, this was simply a Fail-Safe System instituted by those running this operation so that in the event of detection, they were covered. It's happened before on other sites.

It is my honest recommendation that this site not be restored or transferred back to its original owner. It's a threat to consumers, PayPal, and many others.

Dave Zan
09-02-2008, 05:05 PM
They have closed the ticket saying that they can not provide me with any information for the domain name. Yet the information for the domain name is what is listed below. Until yesterday, my admin information is what was used for the domain name.

And NameCheap has already said they require the account holder to contact them, not the administrative contact. You may feel cheated or what not, but that won't change how NameCheap chooses to approach this.

Have you let the account holder know what happened? If not, you might want to do so as delaying the inevitable is only going to prolong this.

Techno
09-02-2008, 05:17 PM
I received one of the phishing E-Mails sent out by this website, and posted about it on my site. The thread is located here:

Edit: Realized I can't link it. It was posted somewhere else in this thread anyway.
http://www.puretalkforum.com/f2/paypal-phishing-e-mail-4444.html

Kovich
09-02-2008, 05:47 PM
Thanks, Techno!

cardsites
09-02-2008, 09:34 PM
Basically you tried to steal the domain name. I find it reprehensible that this was done. These sites that are there supporting targets of Gang Stalking and Targeted Individuals are being attacked the same way over and over again.

Now conveniently you have someone telling me, that the phishing was done on purpose. To what end?

The site is there to support people that are having their lives ruined by their own government, innocent individuals might I add. Sites like this that have been set up to support them, are constantly being attacked one way or another, this being the latest in a series.

Having followed what's happening to many of these people, I am disgusted, shocked and appalled, but proud to be admining the domain.

I however find it interesting that the thread is being used to justify the gorilla tactics that were just used to steal the domain name. You can mask it under phishing, no one connected with that site, cares about paypal. They are there to be a support site for innocent people being targeted and followed around by Citizen Informants.

I think you did the only thing that could be done in restoring the site. I could go on, but I won't. I also do not think this will be the last attack on these sorts of sites.

I wonder if anyone here does hosting, other than namecheap, who is good at preventing phishing attacks, that can maybe host the domain name?

Thank you for all who gave feedback, and better methods will be used to secure the site, now that the vulnerability has been brought to light, but as long as this site and others like it try to help and do what they can, they will be targeted, just like the innocent people, they are trying to help. Shame. Oh well such is life. :-)

enetwork
09-02-2008, 09:48 PM
Cardsites,

Yes, this is all a ploy by us to "snatch" your domain. We sent out teams of people to follow you around and say your site was used for phishing.

Honestly, you are grasping at straws here. Members from this very board are pointing out evidence of your actions.

I will also point out that your choice of username, "cardsites" as in "carders", does not instill much confidence either.

Either way, feel free to take your business elsewhere.

cardsites
09-02-2008, 10:28 PM
I don't even pretend to know what a carders is, clearly it's not my name. I am telling you that sites such as this get attacked, taken offline, and these sites have been attacked like this before. Never the domain name being taken, at least not that I am aware of. It's not grasping at straws.

I do thank people for pointing out evidence of phishing, for a site that they don't know, because vulnerabilities do not happen. I have spoken to the hosting company and it was some sort of php injection or something along that line. Apparently there is an exploit, that was taken advantage of.

Richard, I really liked your company, but this was wrong. It was so wrong, I can't even begin to express how wrong I felt that this was. Since I do admin the domain name, the email would have been sent to me, it was not. Regardless of such, the domain name was moved, without an email. Then someone there, tried to keep it telling me I was not the owner. I do however admin the domain name, by moving it to another account, there is no way I would have access to it. Via email or other.

I am glad the domain name is restored. I personally did not have a problem with your company before this, and hope not to again after this. However what was done, was not right, and I can't say anything else on the subject.

The domain is restored. No one tried to phish, but I do believe there is an exploit that was not caught, and thanks to the many posters who know a great deal about phishing it will be cleaned up, ASAP.

As a suggestion Richard, because the same thing has happened to others using your company, without phishing involved, might I suggest, or recommend that some additional security measures be put in place for when a domain name is pushed? Again the reason being that it's a good way to steal a domain name.

The person in the other thread had his domain name out of his account for three months, and if it had come up for renewal the domain name would have been lost.

As for the other issues of these sorts of domains being targeted, I have read that several such sites over the last few years have been attacked and taken offline. Thus I do not think it's grasping at straws.

Errors happen with your company's security, based on the links, however I am sure if someone came and shut down your company and accused you of fraud every time, you would be a little frustrated.

I take this as a learning experience for me, and the feedback will be given, and I hope you won't mind my feedback regarding the suggested extra measures for pushing a domain name.

I have used your site for several years, and this was the first time I can think of having a negative experience. Previous to this, I have always found the staff helpful, and the service without reproach, but with this situation it was very surprising.

I will leave it at that, and try to take measures to see that this does not happen again, but when someone is purposely targeting a site, there will be learning curves.

enetwork
09-02-2008, 10:46 PM
Cardsites, an email was in fact sent whether you choose to acknowledge that or not.

This is directly from our fraud department:

"We had disabled this domain the same minute we had a phishing report and confirmed it. We then properly informed the account owner (he was listing xxx@*********** as his email then)."

If you'd like we can send you the email we sent including headers. Also, seeing that in your correspondence with us, you changed your email address at least three times, I suspect you probably had no idea which email was listed. The email address that was listed for the NameCheap account itself has also been updated in the last 24 hrs so I am assuming someone somewhere realized that their email address was not up to date.

Either way, it is up to you to secure your site properly. For you to come on these boards and make accusations that we were somehow trying to steal your domain when it was your own security and email issues that caused these problems to begin with, is what has warranted my replies here. I suggest you take responsibility for your own actions next time.

In my review of our staff actions and replies in this situation, every procedure was followed properly in regards to a confirmed phishing report.

cardsites
09-02-2008, 11:04 PM
I was taking responsibility, everyone here knows that errors happen, you secure your site, but still domain names get stolen. Does that mean you don't take ownership? No it does not. I had to update the email, cause your support site requires a different email for support, than for the main account. You are right the email was updated a few times, due to this.

I contacted you about 10 minutes after getting info that the site was down, why didn't someone there just explain that in the ticket, which was being sent to me still at that time? Or in any of the proceeding emails?

The accusations are being made because I do think there is validity to them, based on what I have seen, and because I know what I have seen, I do know these sorts of sites get attacked more so than average, and better precautions should be taken for them. For that you are correct.

I will kindly agree to disagree on the staff actions. Though I do hold the majority of your staff in high regard, I do not agree with the actions, especially moving the domain name, then refusing to place it back when asked by the admin.

The matter is resolved. Better care will be taken in the future if possible.

I am not personally blaming you Richard, I am just starting to see that this is the way the world works with some things.

I will take better care with admining the domain names, and I would hope that you and your staff will take better care with how domain names are pushed in future for the sake of all your customers.

NewOrleansMacRepair
09-03-2008, 01:48 AM
Show up in person on their doorstep... I had to do that to get back my domain. They were scared senseless

enetwork
09-03-2008, 01:56 AM
Show up in person on their doorstep... I had to do that to get back my domain. They were scared senseless

Care to clarify? I don't think you're talking about us are you?

I don't recall any such incidents. Either way, that'd be a very long flight for you to take from New Orleans.

cardsites
09-03-2008, 06:05 AM
For anyone who uses the mybb forum, which is a free feature packed forum, check this out. http://secunia.com/advisories/21645
It's an exploit that caused the phishing.

If anyone uses the mybb forum, you might want to look into this as well.

Stan Marsh
09-03-2008, 11:39 AM
Interesting: today the subject URL (http://www.targetedindividuals.com/Community/uploads/avatars/secure/ssl/www/www.paypal.com/paypal-update/index.htm) redirects to:

http://www.secretservice.gov/financial_crimes.shtml

It looks like the Men In Black from NSA ('No Such Agency') took over your domain...

netearth
09-03-2008, 02:43 PM
Interesting: today the subject URL (http://www.targetedindividuals.com/Community/uploads/avatars/secure/ssl/www/www.paypal.com/paypal-update/index.htm) redirects to:

http://www.secretservice.gov/financial_crimes.shtml

It looks like the Men In Black from NSA ('No Such Agency') took over your domain...

Class!!! As the nameservers are websitewelcome.com I wonder who did it? :D

Kovich
09-03-2008, 11:29 PM
Fantastic. That's awesome!

All phishing sites should redirect to the Secret Service - it would definitely cut down on crime.

I hope that Cardsites and his buddies are punished to the fullest extent of the law. Why? Because the vulnerabilities he claims couldn't have happened. It doesn't make sense! I run websites and forums, much like many others here - don't try to fool people. And anyway, if in some crazy universe the exploit did occur, you should still be held responsible due to the severity, unless you can provide proof against your involvement or knowledge of such a vulnerability.

He's lying and becoming defensive, in addition to trying to make himself look like the victim. Typical behavior of a criminal.

Namecheap - please don't return his domain. Doing so would be dangerous to consumers everywhere.

If I can help in any way, let me know.

cardsites
09-04-2008, 03:12 AM
Interesting: today the subject URL (http://www.targetedindividuals.com/Community/uploads/avatars/secure/ssl/www/www.paypal.com/paypal-update/index.htm) redirects to:

http://www.secretservice.gov/financial_crimes.shtml

It looks like the Men In Black from NSA ('No Such Agency') took over your domain...


What's really funny is the target website http://www.TargetedIndividuals.com changed location over 24 hrs ago, and the forum was not reloaded. The forum has been offline since the day the domain name was stolen. I find it interesting that the link still works. Maybe someone could shed some light on this. Is it a form of domain name masking, how is it working. Some people in this thread seem to be a bit more knowledgeable about this.

The server was taken offline, yet the old url associated is still working. Fascinating. Can anyone shed some light on this?

That is again just one more reason why I know that the site is being targeted and obviously someone knows what they are doing. Good stuff.

cardsites
09-04-2008, 03:17 AM
Fantastic. That's awesome!

All phishing sites should redirect to the Secret Service - it would definitely cut down on crime.

I hope that Cardsites and his buddies are punished to the fullest extent of the law. Why? Because the vulnerabilities he claims couldn't have happened. It doesn't make sense! I run websites and forums, much like many others here - don't try to fool people. And anyway, if in some crazy universe the exploit did occur, you should still be held responsible due to the severity, unless you can provide proof against your involvement or knowledge of such a vulnerability.

He's lying and becoming defensive, in addition to trying to make himself look like the victim. Typical behavior of a criminal.

Namecheap - please don't return his domain. Doing so would be dangerous to consumers everywhere.

If I can help in any way, let me know.

This post is almost not worth responding to. Maybe you can explain it. The server attached to that link is offline. The forum was never uploaded to the new site, yet the link still works. Seems some people in this thread know more than I do about what is going on. That is interesting. I will leave it at that. If I had doubts, I think this proved it.

cardsites
09-04-2008, 03:45 AM
Kovich just wondering, how did you find this thread?
You clearly registered for this thread, you have never posted at WHT before, but how did you find it so quickly?

I got a phishing email, let me search the net for threads connected to that phishing email, this could not have shown up in a search engine, so how did you find the thread?

Just wondering? You seem to know a lot about how these exploits could and could not work.

Kovich
09-04-2008, 09:52 AM
Somebody in this thread linked to the thread I created about this on my forum.

Therefore, the vBulletin LinkBack Modification told me that had occurred, and I came here to check it out.

It just so happens that I use namecheap for several of my domains, so it was a good idea to register anyway. Plus - the forum looks pretty good and I'll post more when I have the time.

And yes, I know a lot about phishing because I run multiple campaigns to fight it. I'm currently working on developing an organization dedicated to the protection of consumers from threats such as E-Mail based phishing scams. Also, being a webmaster provides me with a suitable amount of knowledge and information.

It's not entirely unexpected that you're now trying to point fingers at me. You really must be guilty. ;)

nightstalkers03
09-04-2008, 11:50 PM
Namecheap also did an illegal transfer of one of my sites also.
Took it right from my account.
I thought they were a good company, but there has been a lot of negative comments recently.

Kovich
09-05-2008, 12:18 AM
First of all - it's not illegal.

And Cardsites - making multiple accounts and encouraging friends to sign-up to bash Namecheap is pretty low. Can we raise the maturity level beyond 12, please?

enetwork
09-05-2008, 01:16 AM
Namecheap also did an illegal transfer of one of my sites also.
Took it right from my account.
I thought they were a good company, but there has been a lot of negative comments recently.

Another one post wonder. I guess you didn't even bother to read the thread here did you?

Funny you don't bother posting the details. We do not now nor have we ever blocked or removed a domain from someone's account other than for a proven and/or flagrant violation of our terms of service or for non payment.

Sorry but if you expect to run phishing sites or other illegal activities via a name registered with us or you would like to use stolen credit cards on our website and get away with it, I would suggest you choose another registrar.

enetwork
09-05-2008, 02:02 AM
Ok nightstalker03, using your username here I managed to find your ticket and did some research. As suspected, there is more to this than meets the eye. According to you, you purchased a domain from one of our clients in the aftermarket somewhere and then we "removed" the domain from your account afterwards.

As our support explained to you clearly, you never had access to the account this domain is in. I checked the entire push history of this domain name and it was never at any time in your personal account with us or any other account associated with you.

All you did was forward us some emails with you and the seller and a paypal receipt to the seller but you never took control of the domain name. Once again, it is your responsibility, not ours, to secure that the domain name was in your account, which it never was.

Our staff replied to you with the following:

"Dear,

The domain is under the account of its original owner. He states he has not received your money for this domain therefore. Unfortunately, we cannot disclose any contact information of our customers to the third parties except in cases when a subpoena is received. We accept your explanation, however we are not responsible for any domain sales except the sales at our own marketplace.
If you were scammed, please contact the corresponding authorities since such issues are beyond our control or responsibilities."

Once again, the seller is disputing your claims of payment but either way, we are not in a position to serve as judge or jury in these cases and since you never controlled this domain in a namecheap account under your name, we would be unable to take any action in case of an illegal transfer.

nightstalkers03
09-05-2008, 02:34 AM
Hmm. yes it was in my account.
I moved the site and changed nameservers from my account. I even sent all the payment info to namecheap and the seller's email confirming push to my account. As you know you can't change the nameservers if you don't have access to it

Stan Marsh
09-05-2008, 03:25 AM
As you know you can't change the nameservers if you don't have access to it

Yes, you *can*, in NameCheap. The original owner most probably granted you limited rights to modify/manage this domain. That's all. I do not know the details, but I think it will be safe to guess that it has never been within your account, 100%.

enetwork
09-05-2008, 04:53 AM
Hmm. yes it was in my account.
I moved the site and changed nameservers from my account. I even sent all the payment info to namecheap and the seller's email confirming push to my account. As you know you can't change the nameservers if you don't have access to it

Your original email to us was stating that you had no idea what the username or password for the account with us or even the email address associated with it. This, even though you had a regular account with us that you used to purchase other domains. You had no problem accessing your own account at all at that time.

We have all the facts and logs here so there's no way to get around the real proof that surrounds your claims and you stating so will not change those facts. I can provide those at any time, just give me the word.

cardsites
09-05-2008, 08:02 AM
Somebody in this thread linked to the thread I created about this on my forum.

Therefore, the vBulletin LinkBack Modification told me that had occurred, and I came here to check it out.

It just so happens that I use namecheap for several of my domains, so it was a good idea to register anyway. Plus - the forum looks pretty good and I'll post more when I have the time.

And yes, I know a lot about phishing because I run multiple campaigns to fight it. I'm currently working on developing an organization dedicated to the protection of consumers from threats such as E-Mail based phishing scams. Also, being a webmaster provides me with a suitable amount of knowledge and information.

It's not entirely unexpected that you're now trying to point fingers at me. You really must be guilty. ;)

Nice. All I know is that someone most likely aware of this thread, or watching this thread is trying to make the site look guilty. I am looking for agendas. Think I found one. Funny about who is really trying to point a finger, and who really must be guilty.

Anyways. The matter I came here for is resolved.

cardsites
09-05-2008, 08:03 AM
First of all - it's not illegal.

And Cardsites - making multiple accounts and encouraging friends to sign-up to bash Namecheap is pretty low. Can we raise the maturity level beyond 12, please?


Working overtime with the unfounded accusations? I would love to waste the time, but I have domain names to admin.

Stan Marsh
09-05-2008, 08:13 AM
I have domain names to admin.

Looks like this is exactly what you are NOT doing properly as they fall victim to phishers, so you can come and whine here.

nightstalkers03
09-05-2008, 08:43 AM
We do not now nor have we ever blocked or removed a domain from someone's account other than for a proven and/or flagrant violation of our terms of service or for non payment.

Sorry but if you expect to run phishing sites or other illegal activities via a name registered with us or you would like to use stolen credit cards on our website and get away with it, I would suggest you choose another registrar.

As you can see in the info I sent to the fraud department, the domain was paid for.
Not a phishing site and payment came from bank account via paypal. He used a broker (as stated in the email copies sent to namecheap) so if he never got paid it was from him not me. So nothing out of the normal here.

We have all the facts and logs here so there's no way to get around the real proof that surrounds your claims and you stating so will not change those facts. I can provide those at any time, just give me the word.

You should have the facts, I sent more to you via the support desk. Which included the invoice, payment received notice, email asking for my namecheap user so they could push to my account,
and verification email from them that the push was done to my account. You have all my contact info, give me a call around 12pm so we can get this matter settled. Thanks

enetwork
09-05-2008, 11:33 AM
Nightstalker03,

No, you did not send us evidence that the domain was pushed to your account. All you did was send us some emails between you and a broker (not even the actual domain owner) and a paypal receipt to the broker. All of which proves nothing to us.

We are not here to ensure that your deals go through or not. If the domain had ever actually been in your possession then that would be something else. For all we know you forged those emails and/or charged the paypal payment back. We cannot and will not turn over a domain in someone else's account based on a paypal email receipt and an email saying you bought the domain from someone. Otherwise, anyone could simply do the same (forge a paypal receipt and send some fake email communication) for any domain we manage and gain possession. Now that wouldn't be very secure of us now would it? Now if you have real evidence directly from us (not an email from the broker) that the domain was ever in your possession with us go ahead and post it. What you sent us was the following which were login details to a webhosting account and not a namecheap account:

| New Account Info |

+===================================+

| Domain: xxxxx.com

| NameServer1: ns15.xxxxxxx***********

| NameServer2: ns16.xxxxxxxxxx***********



Hosting Cpanel Access

***********/cpanel

UserName: xxxxxxx
PassWord: xxxxxxxxxxx


Website Login: Log into the website from the main page.

user; xxxxxxx
pass: xxxxxxxxxx

once logged in you will see a link to go to the admin panel. Click on that link and it will take you to the admin panel so you can setup the site sections, advertisements etc.





Outlook Email Setup Information

support@xxx***********

Mail Server User Name: support+xxxx***********

Incoming Mail Server: mail.xxxxx***********

Outgoing Mail Server: mail.xxxx*********** (server requires authentication)

Supported Incoming Mail Protocols: POP3, POP3S (SSL/TLS), IMAP, IMAPS (SSL/TLS)

Supported Outgoing Mail Protocols: SMTP, SMTPS (SSL/TLS)





Database Name:

xxxxxxxxxxx

UserName: xxxxxxxxxx
PassWord: xxxxxxxx

Kovich
09-05-2008, 12:24 PM
This thread should just be closed.

Cardsites, Nightstalker, and the rest of their buddies are too incompetent to listen to reason. This is going nowhere.

Keep the domain, Namecheap - don't return it to a phisher. This will protect consumers. Then protect consumers from having to read more ridiculous claims of theft from Cardsites and company by closing this.

cardsites
09-06-2008, 06:12 PM
One more thing I am wondering. Maybe someone from namecheap can answer this. How was the phishing site still running, when the domain name servers were moved over to enom?

Also even after the domain was moved to another server, where the files were not active, the link was still working. Since your fraud department looked into this, can someone there tell me how you were sure that the domain name was involved in phishing? Cause the link still worked while the name servers were pointing to enom. I also see that the link was still working even when the files were not active, even after the domain was moved.

I am looking into the possibility of domain name spoofing, or any other options.

Since your fraud department looked into this, I was just wondering?

stub
09-06-2008, 09:00 PM
It can take up to 48 hours for the new nameservers to resolve.

cardsites
09-06-2008, 09:06 PM
It can take up to 48 hours for the new nameservers to resolve.

When the NASA link showed up, it was over 48 hrs. Also the website had been resolving to its new home for at least 24 hrs with the new nameservers.

Dan541
09-07-2008, 12:15 AM
I will also point out that your choice of username, "cardsites" as in "carders", does not instill much confidence either.


I notice the domain was only just registered when this incident occurred and it was only registered for one year, these are typical signs of fraudulent activity.

http://danscomp.net/whois/index.php?domain=targetedindividuals.org&lookup=%3E%3E&clean=1&hilite=1

cardsites
09-07-2008, 12:32 AM
I notice the domain was only just registered when this incident occurred and it was only registered for one year, these are typical signs of fraudulent activity.

http://danscomp.net/whois/index.php?domain=targetedindividuals.org&lookup=%3E%3E&clean=1&hilite=1

Then it's a good thing that the actual domain name in question http://www.TargetedIndividuals.com has been registered for close to a year. That is the domain name in question, if you read over the thread.

I guess a year's worth of registration must be proof of non-fraudulent activity if we go by your logic.

stub
09-07-2008, 03:46 AM
When the NASA link showed up, it was over 48 hrs. Also the website had been resolving to its new home for at least 24 hrs with the new nameservers.

So what is your point with this reply? You asked in another post why it didn't resolve immediately. So I was explaining why that can happen.

cardsites
09-07-2008, 04:43 PM
So what is your point with this reply? You asked in another post why it didn't resolve immediately. So I was explaining why that can happen.

No I was just saying that it was resolving at the new site and the server at the old site for about a day or so was even offline.

It's ok. I think I have what was used.

http://web.nvd.nist.gov/view/vuln/detail;jsessionid=e86a794a01b2e01c54b90a94ada9?execution=e1s1

It's apparently a more recent one.

stub
09-07-2008, 06:04 PM
That's common also. It's not just 100% old site then click 100% new site. It takes time for it to resolve over the internet 100%. It might be 40% on day 1, 40% on day 2, and 20% on day 3, for example.
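
An added illustration of the caching behaviour described in the post above (not part of the original posts): a small model of recursive resolvers that cached the old record at different moments before the change and keep answering with it until their TTL runs out. The resolver names, addresses and cache times are constructed; the TTL of 172800 seconds is chosen to match the 48 hours mentioned in the thread.

```python
"""Model how long recursive resolvers keep answering with pre-change data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OLD_ADDR = "192.0.2.10"     # constructed: address served before the change
NEW_ADDR = "198.51.100.20"  # constructed: address served after the change


@dataclass
class Resolver:
    name: str
    ttl: int                  # TTL in seconds of the record it cached
    cached_at: Optional[int]  # seconds relative to the change; None = no cache

    def expires_at(self) -> int:
        """Seconds after the change at which the stale entry is dropped."""
        if self.cached_at is None or self.cached_at >= 0:
            return 0  # nothing cached before the change: new data at once
        return max(0, self.cached_at + self.ttl)

    def answer(self, t: int) -> str:
        """Address this resolver hands out t seconds after the change."""
        return OLD_ADDR if t < self.expires_at() else NEW_ADDR


def fraction_stale(resolvers: List[Resolver], t: int) -> float:
    """Share of resolvers still answering with the old address at time t."""
    stale = sum(1 for r in resolvers if r.answer(t) == OLD_ADDR)
    return stale / len(resolvers)


def converged_after(resolvers: List[Resolver]) -> int:
    """Seconds after the change when every cache has expired."""
    return max(r.expires_at() for r in resolvers)


def stale_beyond_ttl(resolvers: List[Resolver],
                     observed: Dict[str, str], t: int) -> List[str]:
    """Resolvers seen returning the old address after their cache window
    closed; TTL caching alone does not explain these observations."""
    return [r.name for r in resolvers
            if observed.get(r.name) == OLD_ADDR and t >= r.expires_at()]


# Constructed sample: when each resolver last cached the record.
RESOLVERS = [
    Resolver("isp-a", 172800, -3600),     # cached 1 hour before the change
    Resolver("isp-b", 172800, -86400),    # cached 1 day before
    Resolver("isp-c", 172800, -170000),   # cached almost 2 days before
    Resolver("office", 300, -100),        # short-TTL record
    Resolver("fresh", 172800, None),      # never looked the name up
]

if __name__ == "__main__":
    for hours in (0, 1, 24, 47, 48):
        share = fraction_stale(RESOLVERS, hours * 3600)
        print(f"{hours:>2} h after change: {share:.0%} still on old address")
    print("all caches expired after", converged_after(RESOLVERS), "seconds")
```

The last helper covers the situation raised later in the thread: an old answer seen after the cache window has closed is not accounted for by TTL expiry and needs another explanation.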

cardsites
09-07-2008, 06:19 PM
That's common also. It's not just 100% old site then click 100% new site. It takes time for it to resolve over the internet 100%. It might be 40% on day 1, 40% on day 2, and 20% on day 3, for example.

Thanks for clearing that up.

Here is that link again.
http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1

You might have to scroll down.

cardsites
09-07-2008, 09:53 PM
Hey Kovich,

I just got this forwarded to me.


Subject: Interview Opportunity
From: kovich@intellecttoday.org
Date: Mon, September 1, 2008 1:29 am
To: *****@TargetedIndividuals.com
Priority: Normal

Hello.

My name is Michael Kovich. I am the Founder and Administrator of a popular website known as PureTalkForum.com

After discovering this website, I thought it would be interesting to write an article about your site and what it does.

If you would be interested in setting up an interview, please contact me at your earliest convenience.

I can be reached via E-Mail at kovich@intellecttoday.org or over the phone at: (570) 582-****.

Thank you!

Apparently you contacted them around the day that the phishing started, for an interview? Tell me again how someone just linked you to this forum?

If you thought these people were so guilty of phishing why not just send an email saying as much, but instead you ask for an interview?

I can't give absolute proof of what was done, but the picture looks a little clearer every time, especially the role some persons might have played in this. No legit hacker is going to take the time to re-direct some website to a NASA site. Which brings me back to my point that the site was set up on purpose.

ZKuJoe
09-08-2008, 05:14 AM
For anyone who uses the mybb forum, which is a free feature packed forum, check this out. http://secunia.com/advisories/21645
It's an exploit that caused the phishing.

If anyone uses the mybb forum, you might want to look into this as well.

I find it funny you are warning people about 2 year old software that isn't even available for download now (and this vulnerability you pointed out was patched days after being found meaning it wasn't the one used against your site). LoL.

Stan Marsh
09-09-2008, 03:14 PM
re-direct some website to a NASA site.

<OFFTOPIC>

This is the second time you are referring to NSA as NASA. A BIG mistake, I would say.

</OFFTOPIC>

Acroplex
09-10-2008, 05:03 PM
I will ask a very simple question:

The domain that was locked out by Namecheap - was it used for phishing, actively transmitting files or actively providing prompts, forms etc. for users to fill out with data? Or was it taken over simply because a URL with a phantom link appeared in a mass email?

If not, it's apparent that Namecheap took over a spoofed site. It could have been WebHostingTalk.com for all we care.

Stan Marsh
09-10-2008, 05:12 PM
The domain that was locked out by Namecheap - was it used for phishing, actively transmitting files or actively providing prompts, forms etc. for users to fill out with data?

The answer to above is yes. I have personally seen that URL 'in action' and can confirm it was a Paypal phishing attack. I can neither confirm nor deny it was actively spamvertised though; I personally have not received any unsolicited emails with the URL in question.

cardsites
09-11-2008, 02:09 PM
I will ask a very simple question:

The domain that was locked out by Namecheap - was it used for phishing, actively transmitting files or actively providing prompts, forms etc. for users to fill out with data? Or was it taken over simply because a URL with a phantom link appeared in a mass email?

If not, it's apparent that Namecheap took over a spoofed site. It could have been WebHostingTalk.com for all we care.

I don't know a lot or I know very little about phishing, but this is what I was trying to confirm as well. Since the original server was taken offline, and the phishing or NSA link was still active, I assumed they were just sticking in the website name, and yes in that case they could have just used Webhostingtalk.com/Community/Uploads/etc that is what I have been trying to figure out.

I thought that is what had been done, simply because the link was still active, when the files associated with that link were offline, when the server was taken offline. Also again the DNS information had changed over to enom.

I don't know enough to confirm what I suspect, and this is why I have been asking for feedback on this.

Thanks to the person in the thread who corrected me, the link was changed to NSA and not NASA.

cardsites
09-11-2008, 02:13 PM
The answer to above is yes. I have personally seen that URL 'in action' and can confirm it was a Paypal phishing attack. I can neither confirm nor deny it was actively spamvertised though; I personally have not received any unsolicited emails with the URL in question.

Is there a way that I could confirm if it was spamvertised? (If spamvertised means using a phantom url to make it seem as if it was the url in question.)

I just don't like what was attempted, and the fact that a domain company wittingly or unwittingly then moved the domain name out of the account. If this can happen to this site, it could possibly happen to others. Such as for example.
http://www.Webhostingtalk.com/Community/Uploads/Phishing/Paypal/etc

allportpc
09-11-2008, 02:37 PM
Here's an idea learned from Namecheap.com, when you own a web hosting/domain business, do a search on your name often to find out what people say about you, that way you can post your side of the story. lol :-)

Good thinking NameCheap.com

Waiting on the next reply from cardsites, I want to see how this ends up.