Online Security
Web Address: http://www.diigo.com/list/moshler/online-security
Items: 4 | Visits: 37
Category: Business & Finance | Tags: Adblock, Adsense, Firefox, GoDaddy, NoScript, blogs, doman_services, e-mail, gmail, google, google_filter, hacker, law_enforcement
Created: 2008-03-23 | Updated: 2008-05-03
Everything related to online security
-
Multiple Linux flaws show that Linux also has kernel issues
Tags: Nathan McFeters, kernel, Linux, Debian on 2008-05-03
more from tech.groups.yahoo.com
-
Not to defend Microsoft, as kernel exploits that provide privileged access are
terrible flaws, but we had an interesting discussion in the talkbacks where
several people acted as if Microsoft was the only place that could’ve made such
mistakes. Well, the proof is in the pudding that this is a common flaw across
operating systems that is difficult to catch due to the complexities of kernel
code.
Dann Frazier of Debian posted to Full Disclosure today about four
vulnerabilities that allow local (this means you can’t do it over the Internet,
unless you’ve already compromised a user account in some way remotely, the same
applied to the Windows flaw that I spoke of, but there were questions around
what exactly local meant, it does not mean you have to sit at the box
physically) attacks against the kernel that result in arbitrary code execution
or Denial of Service conditions. The contents of his email are posted below:
CVE-2007-6694
Cyrill Gorcunov reported a NULL pointer dereference in code specific to the
CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial
of Service (DoS).

CVE-2008-0007
Nick Piggin of SuSE discovered a number of issues in subsystems which register
a fault handler for memory mapped areas. This issue can be exploited by local
users to achieve a Denial of Service (DoS) and possibly execute arbitrary code.

CVE-2008-1294
David Peer discovered that users could escape administrator imposed cpu time
limitations (RLIMIT_CPU) by setting a limit of 0.

CVE-2008-1375
Alexander Viro discovered a race condition in the directory notification
subsystem that allows local users to cause a Denial of Service (oops) and
possibly result in an escalation of privileges.

For the stable distribution (etch), this problem has been fixed in version
2.6.18.dfsg.1-18etch3.
The unstable (sid) and testing distributions will be fixed soon.
We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux
packages.
Some of these look to be pretty serious bugs. The two newest do not have
security focus entries yet, but as far as I’m aware there currently exists no
public exploit code for this, which is a good thing. It’s also important to
note, but this should be obvious, this doesn’t just affect Debian, it’s simply
that the advisory came from Debian’s folks today… so make sure you’re fixing
your system up, whatever *Nix flavor you like.
Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced
Security Center in Chicago. The views and opinions expressed in this article are
his own and do not represent the views and opinions of Ernst & Young Advanced
Security Center or Ernst & Young, LLP. Nathan has performed web application,
deep source code, Internet, Intranet, wireless, dial-up, and social engineering
engagements for numerous clients in the Fortune 500 during his career at Ernst &
Young and has spoken at a number of prestigious conferences, including Black
Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and
XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his
industry affiliations.
-
-
GMail security hack leaves my business sabotaged
Tags: gmail, google filter, hacker on 2008-03-23 and saved by 2 people
more from www.davidairey.co.uk
-
I was informed that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website - bebu.net.
I was confused, and anxious. How could this happen? I hadn’t received any notification of my domain name expiry, and I never divulge any passwords to anyone.
-
This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft’s support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:
Subject: Davidairey.com Transfer
Hello,
I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code.
Kind regards,
David
Within just one minute (ICDSoft’s support team are very fast) the following response had been supplied:
Hello,
We unlocked your domain name as requested. Here is its EPP code:
Domain name: davidairey.com
Auth/EPP key: 6835892AE0087D66
Best Regards,
Support
I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here’s what I was told by the support team:
Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information.
The original ticket message was sent from this IP address: 207.36.162.100
The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.
What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net café, my girlfriend beside me, and I didn’t know what to think.
-
I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here’s what GoDaddy said:
Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum… I apologize for any inconvenience this may cause.
-
How was I being hacked?
After a little research, I found this exposé into Google’s GMail deficiencies: Google GMail E-mail Hijack Technique
It details the exact GMail hijack that I have just found applied to my account (right whilst writing this blog post).
Here’s an excerpt:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
And here’s a three step illustration of just how this threat works (click each image for a larger version):
-
I took a look at the ‘Filter’ option in my own GMail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the Filter can delete the email from your GMail inbox as soon as it has been forwarded, so you’d be none the wiser if a hacker was playing havoc with your incoming mail.
IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.
Here’s what to do:
When logged into GMail, click on the ’settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections. This is what I only just found in my ‘Filters’ tab:
The following filters are applied to all incoming mail:
Matches: transfer-approval.com
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
Matches: from:(transfer-approval.com)
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
I have absolutely no idea whose email address that is, but it seems to me that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.
It appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail account.
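As an added example (not from the post, and not Google's own code), here is a small audit for the pattern described above: it parses the XML that Gmail's filter settings export (assumed here to be the Atom feed of apps:property elements that export produces; the format is not shown on the page) and reports every filter that forwards mail, marking the ones that also skip the inbox or delete the message. The sample export is constructed, with its first two entries mirroring the two filters quoted above.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: the first two entries mirror the two filters quoted
# in the post, the other two are ordinary filters a user might legitimately set.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='transfer-approval.com'/>
    <apps:property name='forwardTo' value='ba_marame_pooli@yahoo.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='transfer-approval.com'/>
    <apps:property name='forwardTo' value='ba_marame_pooli@yahoo.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='accounts@example.org'/>
  </entry>
</feed>
"""

# Match criteria worth reporting alongside a forwarding action.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]


def suspicious_filters(filters, trusted_forward_domains=()):
    """Flag filters that forward mail out of the account.

    A forward that also archives (Skip Inbox) or trashes the message is the
    pattern from the post: the copy leaves silently and the owner never sees
    one, so it is always reported. A visible forward to a domain the owner
    lists as trusted is skipped; every other forward is listed for review.
    """
    findings = []
    for f in filters:
        target = f.get("forwardTo")
        if not target:
            continue
        domain = target.rsplit("@", 1)[-1].lower()
        hidden = (f.get("shouldArchive") == "true"
                  or f.get("shouldTrash") == "true")
        if not hidden and domain in trusted_forward_domains:
            continue
        findings.append({"forward_to": target, "hidden": hidden,
                         "criteria": {k: v for k, v in f.items() if k in CRITERIA}})
    return findings
```

Run it against a real export by passing the file's contents to parse_filters and then suspicious_filters; any hit with hidden set to True deserves the same scrutiny as the two filters above.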
-
During the site move, I found to my detriment that I was linking to my blog images entirely the wrong way. I had been uploading my picture files to a subdomain (blog.davidairey.com/images) then placing them inside my blog posts from there. This meant that whenever the domain name changed to davidairey.co.uk, so did that subdomain. It now became blog.davidairey.co.uk/images. Therefore, my site was missing every single image I’d ever added.
In order to fix this, I moved all the picture files to a new folder, in the root directory at davidairey.co.uk/images. Now, when I insert an image into a blog post, I don’t use the full URI, but cut the address to its bare minimum, like so: <img src="/images/example_filename.jpg">
This means that should I ever re-change my domain name, back to the .com for instance, the images will automatically pull whatever domain name I’m using, without the need for a change.
I’m now also using this technique for internal hyperlinks. Rather than linking to my contact page like so: “http://www.davidairey.co.uk/contact”, I’ll simply use “/contact”
-
I’m thinking the date the attack took place is a significant piece of information. It was precisely the date you would leave your web site unattended for a period of one month. You reported that you’d contacted a number of people about your plans. My guess is that within that circle you might find the culprit, — or abettor, at the very least.
It’s not easy to pinpoint the physical locations of attackers. The physical location in Iran may just be the location of a zombie server.
It’s a strange tale, to be sure.
-
You’ve just hit on one reason why you should use a redirection service for your e-mail and not depend on an e-mail linked to your web site. Both Aliencamel and PO Box are good e-mail redirection services which protect you from ever losing your e-mail.
You can direct your e-mail to two different places to avoid ever losing ANY e-mail ie. one local (on your home computer) and one to gmail. Splitting of e-mail like this is permitted by most services.
This strategy solves your e-mail problem.
-
The registrar of your domain name should be able to identify who paid for what and confirm that with the hosting company. The hosting company should then be able to confirm that the account has been hijacked by contacting the person who registered the account and verifying the details on file with the registrar (which the hijacker won’t have).
If they are not willing to change the address over the registrar should be able to return your URL to you once they have gathered enough info to assure themselves you are who you claim to be. This should be at no cost.
It’s my understanding that the legal process people are advising you to engage in is for cybersquatting (registering a name and then selling it to the business at a profit eg. KFC)… rather than out and out theft.
As this is a criminal offence you can also get the authorities involved… this costs nothing and will result in the hijacker being charged with a criminal offence. Once the police get involved the hosting company should return your URL… as they will probably also be asked to provide the details of the guy who they are dealing with.
There is no guarantee that paying the thief a fee will result in the return of your URL… although an escrow service is meant to assure this. However there are a number of bogus escrow services… and the thief may now be trying to get your credit card details… so if you do pay… make sure it’s only to an escrow site you know or is well known. You can also notify the escrow site that the account is being used to extort money and they may co-operate with you to pretend to pay the thief.
Forwarding the correspondence to the new hosting company will allow them to follow the dispute. Publicising it as you have will allow other people to help.
You are now engaged in a paper war… if you do the hard work you should get your URL back.
-
Don’t take the hosting companies word for anything… they won’t know the law in this area well and will mislead you. The various licensing agencies likewise often know the laws poorly. A solicitor specialising in either IT or contract law is much more likely to give you good advice… but may not be necessary if you’re willing to do a bit of hard yakka yourself: it usually takes just as long for you to do it as for you to hire someone else to do it… plus you usually get it done faster. You will feel better about all this if you do it all yourself… as lawyers charge like wounded bulls… and many of them know nothing about IT (you’ll be paying them to learn about it).
-
An invalid transfer of a URL is both a matter for criminal law (theft) and contract law (civil matter): the transfer of a contract is invalidated if no consideration has passed, if there was no intention to contract, etc… If you establish these things… then they have to give you your URL back… and no special forums or court proceedings should be required.
If the hosting company does not co-operate they can become liable for damages (loss of earnings) which makes it in their best interests to help you.
It is also remotely possible that the hosting company is colluding with the thief… in which case you can also have them charged.
-
Contacting as many law enforcement agencies as possible over this is a cheap and simple way to put a lot of pressure on the hosting company over what is for them a minor transaction that is now creating a lot of headaches (not worth it).
Of course identifying the location of the thief as precisely as possible is necessary to get things happening as fast as possible.
Get the hosting company to do a few other checks eg. If they were paid by the thief get them to check it was not a stolen credit card. If it was they won’t have been paid… and they won’t want to host the account. If the thief paid using his own money then you’ll know who the police need to ask to get details of the thief… and the thief has just put himself in the firing line.
-
To get more details about the thief you could ask how he wants to be paid and then contact the escrow site and ask them to help.
-
Don’t use a free, web-based email service for very sensitive information. Thinking that they will always be secure is the first mistake.
-
Dear sir:
Having just complained to the Federal Trade Commission about Best Buy advertising cheap laptops just to get people in their store to purchase more expensive ones, I was informed of the following. It seems that the FTC does not investigate single complaints but will investigate when a trend of complaints happen. If you have a large group of followers they could all launch their own complaints, could maybe get an investigation started. This would be completely free of charge and the FTC has teeth if they are invoked. I would join in if you were to initiate such action. I am sure many others would too. I also happen to know that the FBI is swamped with cybercrime cases and that they are years behind.
Sorry to hear about your story. Good people should band together for the sake of justice. Good luck to you sir.
-
-
This is what happens when “the internets” get filled up with idiots with no true “puter” skillz.
Sh*t Happens. The point is be prepared. That being said, I feel bad for your situations, but it really is your fault.
Using gmail? Let’s go for security instead of cost next time.
Using one email address for both your business and personal choices? Let’s think organization.
Finally, mixing business time and personal time (which you did by using the same email address for both) major no no.
Finally, don’t you use firefox? Check your plugins and version, it most likely would’ve protected you from this. Adblock Plus, for example, would’ve most likely helped in this situation.
You have my empathy, but no sympathy. But, oh well, add it to stumbleupon and your numbers will do just fine.
Oh, and BTW, you just won the International Lottery of Istanbul, please forward $4,589.54 to me via Western Union to cover taxes and I’ll give you 1.5 Million US Dollars (Sorry, but the same guy that does that, is probably doing this domain name thing. Can we say Nigeria?)
-
You did damn well not to pay, bravo! This is quite a terrible incident, but in a way, you’ve been very lucky. Thanks to your resourcefulness and because your blog seemingly gets a steady number of visitors, you received media attention and the help of well-acquainted people. Without that, maybe the outcome wouldn’t have been so smooth, maybe someone like Bob Parsons wouldn’t have come to your help. That must be a lot worse when you’re inexperienced, when you have no one to turn to, no tech-savvy friends or helpful readers.
-
I just want to say that although you got your domain back, you should look into questioning the people who have left comments along the lines of advising you that you should have paid the scammer. To me that would have been the most ridiculous thing you could have done, and I’m so glad you didn’t, but have you noticed that the person that hacked your domain had a foreign name and the people whose advice was that you should have paid him also have foreign names… Mmmm I wonder!
-
Hi David,
I have just found that my Adsense account and all associated accounts have been hijacked. The email address that is the primary address I do not recognize and I cannot change it. I have a very small adsense balance. I do not know how to rectify this situation. I was wondering whether I should close the accounts, but apparently if I close the adsense account, I cannot re-open it again. I am green about the internet - I googled for help and found this page. How do I contact Google and why can’t I change the default email address?? I am sorry, but I recognize that you have problems of your own, but you have done all the research, so you may possibly have the answers.
Karen,
Sorry to learn of your AdSense account issue.
I’m not familiar with changing the default address, and can’t advise on contacting Google either. It took a couple of months before one of Google’s employees responded to me.
-
-
David Airey's stolen domain name recovered | David Airey :: Branding and Corporate Identity
Tags: Google, cookies, cracker, gmail, google filter on 2008-03-23
more from www.davidairey.co.uk
-
Corey, the issue is that your session cookie is available in the clear when using HTTP. Any web application can be hijacked by taking its session cookie, not just GMail. For example, you’re using public WiFi in a Starbucks. The guy next to you is running AirSnort/Wireshark/tcpdump/etc. and grabs your cookies out of the air. He can then send requests to the web application as you. Using https prevents this.
-
-
The Tinfoil Hat Toolbox: 100-Plus Tips and Resources to Protect Your Site Network from the Google Borg - Inside CRM
-
Google is one of the Internet's darlings, universally loved by just about everyone. Everyone, that is, but webmasters who've had their domain networks wiped from Google's results. Some sites deserve it and some don't, but the bottom line is that a Google hit doesn't have to be devastating.
-
Read on to find out how you can segment your domain network so that Google can't take your entire portfolio down in one fell swoop.
-
-
- I don't really understand these things and as of this writing I haven't even started a blog to test all this stuff out so if there's anyone out there who can communicate some of these to a non-techie, the help would be well appreciated.
posted by moshler on 2008-04-29 15:43:06
-
Keep separate ventures separate. Don't try to mash your cooking blog, Web-design site and photography business all into the same space. Create separate legal entities for each, and you'll not only be safe from Google, you'll also be more organized.
- The link seems to just imply that the fewer the sites one owns the better because more focus can be put into a specific site which sounds like it's beside the point of what the article texts are saying if not wholly contradictory.
posted by moshler on 2008-04-29 15:49:11
While cutting sites up into categories would be one way of organizing several sites, it would also increase the number of blogs one has to manage and market. It's not a bad idea, I just don't get the relevance between it and the page linked to it. Thanks to anyone who can explain the connection there.
-
Don't list all of your domains together. Have you listed all of your domains on your résumé and put said résumé online where it can be found by Google? You've just handed over a cheat sheet. Don't make this blunder or a similar mistake — never list all of your domains in the same place.
- This is the first I've heard of this before and sounds like it's leaning more towards paranoia than effectiveness.
posted by moshler on 2008-04-29 16:50:00
I know it sounds weird commenting about paranoia on a list designed for people wearing tin foil hats but usually the tone I get from reading stuff like these is that it's more aimed towards effective anonymity (emphasis on effective) than random paranoia.
Especially in an age of social networking, I do question the use of this. Even if one does not list all their domains in one place, wouldn't contact details in Gmail or any other Google Services be enough?
-
Log out of Google. When visiting your own sites, make sure that you're logged out of Google services. It doesn't hurt to run through a few different proxies, either.
-
Domains and Private Registration
One of the easiest ways to connect your domain network is by checking out your WHOIS information. Here's how to muddy the waters.
-
Know that Google is in on private registration. It's been discussed that Google probably has access to private registration data, so doing this may offer little help.
- From a link in the previous highlights:
posted by moshler on 2008-04-30 13:21:24
Private registration can lead to your mail being blocked by a lot of people, so I wouldn’t necessarily agree with that method.
- If Google can see the private registration info, then it’s not private and a lot of people are being ripped off because they are paying for a service they are not receiving. It also means that domain registrars are falsely advertising their service.
posted by moshler on 2008-04-30 13:21:45
-