Web Hosting Talk


#1 | cardsites | 09-01-2008, 05:22 PM
Namecheap.com domain name stolen.

Hi there.

I maintain several domain names for various clients. One domain name today suddenly went offline. When I checked the namecheap.com account to see what had happened, I discovered that the domain name was gone.

It had not expired; it was just gone and pointing to enom. Upon further inquiry I discovered that the domain name had been pushed to another account without permission.

The customer service person told me that they would get it sorted out shortly. 2 hours.

I contacted them again; the second person closed the ticket without resolving it.

Now namecheap.com is an enom reseller and they have been a good company for the years that I have been with them.

The thing that surprises me is that there was no notification, there was no message. Nothing to let me know that an email had been pushed from my account, except for the obvious fact that I was missing it. If it was a lesser used domain name I would never have known or been notified.

I am wondering if anyone else has ever had a domain name hijacked or stolen this way, and what did you do?

I am still waiting to hear back from namecheap. I am sure they will handle this in a professional way and restore the domain name, but while I wait, I was just wanting to get some feedback.

Thanks.

#2 | cardsites | 09-01-2008, 05:24 PM
Similar experiences

I have found these threads online of other individuals that have had similar experiences with namecheap.

http://www.v7n.com/forums/domain-nam...t-s-going.html

http://www.webhostingtalk.com/showth...ap+domain+hack

#3 | cardsites | 09-01-2008, 06:23 PM
Ok I finally have a response from Jerry. They are looking into it. I guess cause it's the long weekend it's taking longer. The other guy in the thread above had his problem fixed in an hour. I know that staff there is pretty good, so I hope this gets fixed right away like his did.

#4 | Dave Zan | 09-01-2008, 10:34 PM
Quote, originally posted by cardsites:
    I guess cause it's the long weekend it's taking longer.

And it's Labor Day in the U.S., too. I doubt it'll be resolved in a few hours given the unfortunate timing, but for sure they'll investigate it exhaustively.

#5 | cardsites | 09-01-2008, 11:15 PM
I just need my domain name back.

The first person I spoke to said it was an error and that it would be resolved in 2 hours. Then it's now being looked into. I just don't understand why it takes so long considering that the guy who had this happen in the other thread had this all resolved in 1 hr.

Oh well with the holidays in mind. I hope they will have this fixed early tomorrow, because the site has been offline ever since.

What I really don't understand is how this happens without consent. I mean to transfer a domain name you have to get all these emails, then a code etc. It should be a similar process for pushing a domain name. I bet that would cut down on fraud.

#6 | stub | 09-02-2008, 12:30 AM
Have you checked your security settings at Namecheap? Are you sure you have all those emails turned ON? I was pleasantly surprised by the level of security settings you could turn on and off.


#7 | cardsites | 09-02-2008, 01:11 AM
There was no email sent. The domain name was transferred out of my account to what looks like an enom account. There is no owner listed. It just says enom for the domain name info.

It happened this morning, suddenly the site went offline. Checked to see what was up with the domain name and voila it was gone.

There was no email. The security settings are always on do not transfer. Therefore instead of stealing it that way, someone tried to steal it by moving it to another account.

Well actually what I was told at first is that it was an error and would be corrected in a couple of hours, now I have to wait till tomorrow.

Had this not been an active site, then it might have been missed. The other guy in the thread above had his domain name missed for over three months. Also if your domain name is transferred or pushed to another account you don't get those "your domain name is about to expire" warnings and it just expires. So then someone else can register it. That is another way of stealing a domain name.

I just think there should be more security. Look at all the steps you have to go through to do a transfer. There should at least be an email sent out letting you know what is happening. Do you approve this push, yes no? Nothing like that from what I can see.

They could have stolen other domain names for all I know. Cause I really don't keep track of all the unused domains. If they are pushed to another account, you get no warning when they are about to expire and there it goes. Keep that in mind with your own domain names. I think there should be more security to push domain names. Not just for http://www.Namecheap.com, but for all registrars.

#8 | enetwork | 09-02-2008, 05:41 AM
Hello Cardsites,

Our staff responded to you with the following:

Hello,

"This domain has been suspended for the paypal phishing attack on:

http://www.xxxxxxxxxxxxxx***********...date/index.htm

Account owner has been informed about this suspension, however since you are not account owner, we cannot provide you any further information, for obvious reasons. Hope you understand."

__________________
Richard Kirkendall
NameCheap.com

#9 | Dave Zan | 09-02-2008, 06:30 AM
Quote, originally posted by cardsites:
    There was no email sent. The domain name was transferred out of my account to what looks like an enom account. There is no owner listed. It just says enom for the domain name info.

Other than a possible hijacking, that's the only other time one isn't necessarily notified when a domain name's been transferred. As Richard from NameCheap eventually answered, it's eNom who "took" that domain name, more so not letting you know since you're not the account holder.

Unfortunately NameCheap and eNom can't help you directly. Your client is going to have to be the one to contact eNom and deal with it as humanly calm as possible.

Hmm, seems like the potential phishing is so severe it warranted being shot now and asked questions later. It's obviously not good, but a difficult and urgent choice had to be made based on the situation.

Hope things somehow work out.

#10 | jackpx | 09-02-2008, 06:37 AM
The domain was used for Phishing

http://www.puretalkforum.com/f2/payp...mail-4444.html

http://www.phishtank.com/phish_detai...hish_id=497361

I think the problem was a vulnerability in the forum which had, the phishing is within the directory /Community/uploads/avatars/

Last edited by jackpx; 09-02-2008 at 06:43 AM.

#11 | cardsites | 09-02-2008, 08:09 AM
Oh my gosh, are you kidding me.

This is the response from Namecheap and they stole the domain name.

Hello,

This domain has been suspended for the phishing attack on:

http://www.targetedindividuals.com/C...date/index.htm

Account owner has been informed about this suspension, however since you are not account owner, we cannot provide you any further information, for obvious reasons. Hope you understand.

Thank you.

We are closing this ticket.


--
Arunas
NameCheap.com

#12 | cardsites | 09-02-2008, 08:11 AM
I admin the domain name for this person, and I was not informed by namecheap of this to my knowledge. Then without notice the domain name is transferred to another account. I should still have the domain name in my account.

This is a support site. What can be done, cause this has to be illegal, and you can supply me with more information, cause I registered the domain name on behalf, and administer it, therefore take responsibility for it.

#13 | cardsites | 09-02-2008, 08:18 AM
Has anyone heard of this before, where the domain host removes a domain name from the owner, because of phishing, even if that is true?

I suspect it has more to do with the fact that that domain name is a support site for Targeted Individuals. You can read more by going here http://www.TargetedIndividuals.org.

Even if the domain name was used due to a vulnerability, there was no email sent to me the admin, and why was the domain name removed from my account?

I am the owner of the domain, and you are doing the dirty work of those that have been trying to get this domain and other sites like it shut down.

I would like to have the domain name back.

Again we also seem to be deviating from the original issue. The issue here is still, why was the domain name removed from my account, when I admin it. Now you are telling me you can't provide me with more information, cause I am not the owner. Yet I registered it and admin it, and am responsible for it. You are helping to hijack the domain name.

So I guess your company is the one that moved the domain name into the other account. So you can move it back, so I can move the domain name to another company, if you no longer wish to host it. I have no problem with this.

Thanks.


Last edited by cardsites; 09-02-2008 at 08:27 AM.

#14 | cardsites | 09-02-2008, 08:45 AM
They have closed the ticket saying that they can not provide me with any information for the domain name. Yet the information for the domain name is what is listed below. Until yesterday, my admin information is what was used for the domain name.

Can anyone provide some quick legal advice?

Address lookup
lookup failed targetedindividuals.com
Could not find an IP address for this domain name.

Domain Whois record
Queried whois.internic.net with "dom targetedindividuals.com"...

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientTransferProhibited
Updated Date: 01-sep-2008
Creation Date: 20-oct-2007
Expiration Date: 20-oct-2008

>>> Last update of whois database: Tue, 02 Sep 2008 08:43:21 EDT <<<

Queried whois.enom.com with "targetedindividuals.com"...

=-=-=-=
Visit AboutUs.org for more information about targetedindividuals.com
<a href="http://www.aboutus.org/targetedindividuals.com">AboutUs: targetedindividuals.com</a>

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: targetedindividuals.com

Registrant Contact:
NameCheap.com
NameCheap.com NameCheap.com

8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Administrative Contact:
NameCheap.com
NameCheap.com NameCheap.com (support@NameCheap.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Technical Contact:
NameCheap.com
NameCheap.com NameCheap.com (support@NameCheap.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 20 Oct 2007 17:43:02
Expiration date: 20 Oct 2008 17:43:02
=-=-=-=

#15 | enetwork | 09-02-2008, 01:02 PM
G Bailey,

Do you honestly think we have any interest in this domain at all? If you are going to come on here and make your wild accusations then at least post the truthful responses coming from our support staff. They are the following (I won't post any of your emails to us but I think the folks around here can fill in the blanks):

Posted on: 02 Sep 2008 12:23 PM

--------------------------------------------------------------------------------
Hello,

Since you are contacting us from email address that we don't have on file for your account, we are unable to provide you any information at all. Hope you understand.

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com




Posted on: 02 Sep 2008 12:33 PM

--------------------------------------------------------------------------------
Hello,

The account owner HAS been informed about this in due course.

Sorry, we are closing this ticket as we cannot disclose any information to the third parties (and you are third party as your email does not match the one we have on file for the account).

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com



Posted on: 02 Sep 2008 12:41 PM

--------------------------------------------------------------------------------
Hello,

A paypal phishing site is not a game, but a federally prosecuted crime. This domain is *not* hijacked. It is suspended and nullrouted. We are waiting for the account owner to contact us. Hope you now understand.

Thank you.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com


Posted on: 02 Sep 2008 12:52 PM

--------------------------------------------------------------------------------
Hello,

Sorry, we are not able to understand your last question properly.

We *still* have targetedindividuals.com within our system and are waiting for the account owner to contact us from the email address we have on file for his/her account.


--
Arunas
NameCheap.com


E-mail: arunas.internal@namecheap.com

__________________
Richard Kirkendall
NameCheap.com


Last edited by enetwork; 09-02-2008 at 01:11 PM.
Reply With Quote
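
An added example, not part of any post in this thread: post #7 notes that a change to a little-used domain can go unnoticed and that expiry warnings stop once the name leaves the account. The Python script below parses the registry whois format quoted in post #14, diffs it against a stored baseline and warns on approaching expiry without relying on registrar e-mail; the baseline's name servers and Updated Date, the 60-day threshold and all function names are constructed for illustration.

```python
from datetime import date, datetime

# Registry fields worth alerting on when they differ between two snapshots.
WATCHED = ("registrar", "name server", "status", "updated date", "expiration date")

# Registry record as quoted in post #14 of this thread (legal notice omitted).
CURRENT = """\
Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientTransferProhibited
Updated Date: 01-sep-2008
Creation Date: 20-oct-2007
Expiration Date: 20-oct-2008
"""

# Constructed baseline: name servers and Updated Date are placeholders.
BASELINE = """\
Domain Name: TARGETEDINDIVIDUALS.COM
Registrar: ENOM, INC.
Name Server: NS1.PLACEHOLDER-HOST.EXAMPLE
Name Server: NS2.PLACEHOLDER-HOST.EXAMPLE
Status: clientTransferProhibited
Updated Date: 20-oct-2007
Expiration Date: 20-oct-2008
"""

def parse_registry_whois(text):
    """Collect watched 'Key: value' lines; repeated keys become sorted lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if sep and value and key in WATCHED:
            record.setdefault(key, []).append(value)
    return {k: sorted(v) for k, v in record.items()}

def diff_snapshots(baseline, current):
    """Return (field, old, new) for every watched field that changed."""
    return [(f, baseline.get(f, []), current.get(f, []))
            for f in WATCHED if baseline.get(f, []) != current.get(f, [])]

def audit(baseline_text, current_text, today, warn_days=60):
    """Alerts for changed fields plus an expiry warning computed locally."""
    old, new = parse_registry_whois(baseline_text), parse_registry_whois(current_text)
    alerts = [f"{f} changed: {o} -> {n}" for f, o, n in diff_snapshots(old, new)]
    expires = datetime.strptime(new["expiration date"][0], "%d-%b-%Y").date()
    left = (expires - today).days
    if left <= warn_days:
        alerts.append(f"expires in {left} days")
    return alerts

if __name__ == "__main__":
    for alert in audit(BASELINE, CURRENT, date(2008, 9, 2)):
        print("ALERT:", alert)
```

With these two snapshots the Registrar and Status fields are identical, so the alerts come from the name servers and the Updated Date; the registry record carries no account information, which is why those fields are the ones to watch.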