This is a true cybercrime story, which hit my friend Tom.
Sunday, March 28, 8:06 PM EDT
“They stole vl.com!!!!!!!!!!!!!!!!!!!!!!!!”
By 7:45, Glen had discovered that the attacker had been manipulating the DreamHost support people into making changes to Tom's account, a tactic called "social engineering," in order to take over the account and steal VL.com. Glen discovered this just minutes too late.
Glen immediately promised to gather forensic evidence in order to get back Tom's domain, to insist on reforms of DreamHost's policies and practices, and to pursue prosecution. He confirmed that there had been a security breach at DreamHost, and that the support people on chat were not supposed to be making changes to customers' accounts. DreamHost serves as registrar for over half a million domain names and hosts close to a million websites, and the attacker could have gone after any of these, and still could. No doubt the story, as he reconstructed it, stunned and panicked him and everyone else at DreamHost.
In most incidents of stolen domains, once the domain is transferred away, there's little the rightful owner can do to get it back. File a police report: check. But aside from the blank stares, you're likely to get little response. File a report with the FBI: check. But while the FBI is very interested in being informed, unless there's substantial monetary loss, they can't justify the resources needed to investigate and prosecute. Challenge the domain on trademark grounds: that will cost thousands of dollars and take God-knows-how-long. You could even plead with the foreign registrar, but without conclusive evidence of fraud, they won't undo the transfer. Most businesses that lose their domains to hijacking or theft simply give up.
The break in the case was perhaps Glen's enthusiasm. Many companies would have clammed up in the face of these circumstances; indeed, many have done so, whether to avoid being sued or just to avoid being bothered. And without DreamHost's help, Tom's situation would have been as bleak as the rain-soaked skies that week. If Tom had complained to the registrar in the Bahamas, they probably would have dismissed him. But when an official DreamHost representative did so, they listened. They locked down the domain, which at least kept Tom's Internet services up and running. They considered the evidence that Glen had dug up, which clearly showed fraud. And they promised to return the domain once the paperwork had been processed.
Interestingly enough, the cracker refused to give up. He opened a fake Gmail account, impersonating Tom, in an attempt to trick the registrar in the Bahamas into releasing the lock on the domain. And he hit DreamHost support again at about the same time, trying to get them to stop asking for the domain back. Then he attempted again to break into Tom's Google-hosted domain, by trying to trick DreamHost into modifying the domain's configuration, using the same MO: claim he tried to make the change himself, make up a story about encountering an error, and ask the support person to make the change for him. This would have given him access to all the email stored in all the accounts on that domain. But he probably only wanted to impersonate Tom, in order to call off the investigation. He may have made other attempts as well, attempts that we do not know of yet.
But the real question is how to proceed going forward.
This story is not about DreamHost. It’s about the domain industry. Domain theft happens on the Internet, and social engineering is one of the thief’s primary tactics. The most famous case is probably the theft of Sex.com, which is probably famous because of the letters S, E, and X. It took Gary Kremen years to get that domain back.
Moving my domains away from DreamHost doesn't necessarily solve the problem, because a cracker can attack any registrar. If I have a diamond necklace worth $100,000, I can keep it in a bank safe-deposit vault, and short of a Mission-Impossible-style heist, I can feel pretty safe that it'll remain in my possession. If I have a domain name worth $100,000, there is no safe-deposit vault, and the quality of security at different registrars varies.
Additionally, the law is only beginning to see domain names as “property,” even though, of all the things we call “intellectual property,” domain names bear the closest similarity to real property. Until the law catches up to modern technology, we have to fend for ourselves.
As a defense, maybe there’s some value in looking for a registrar who’s as paranoid as I am. Maybe right now, that’s still DreamHost, because they’ve been spooked. And maybe there’s also some value in a registrar who will come clean when there’s a break-in, and do their best to set things right. Maybe that, too, is DreamHost. But I find it disheartening that if I go into a crowded room full of IT gurus and ask, “Where can I register my domain to keep it safe?” the best I get is, “Well, I’ve been happy with such-and-such a registrar, but no one’s ever tried to rip me off before.” No one cites any systematic studies of domain registrar security practices, and there’s no single registrar that comes to the top as the name in domain security for the average business.
Even so, there’s some value in looking for registrars that offer increased security and services, even at slightly increased prices and with longer waiting times:
- positively identifying the domain owner before releasing a domain to another registrar, for example with the two-factor authentication that some registrars now offer;
- confirming domain transfers through phone calls or cellphone text messages, as well as the standard email;
- approving domain transfers through multiple, independent means, or multiple, independent accounts, all of which must approve before the transfer goes through;
- effective crisis procedures, when a break-in does occur;
- effective forensic and recovery procedures, when a theft occurs;
- insurability—if a domain name is stolen, the insurance company will pay for recovery or losses.
Notice I did not include domain locking in the list above, even though that's the first thing most people mention when they talk about protecting your domain. Why not? Because (1) it's a standard feature, (2) usually all the cracker has to do to turn it off is click a button on some administrative panel, and (3) it can't protect you from lax security at your registrar or a break-in of your account. The lock is just the clientTransferProhibited status that your registrar sets on your behalf, so anyone who controls your account, or who can talk support into acting on it, can clear it. However, I might add confirmed domain locking to the list: require approval through an independent email address or cellphone text message before anyone can unlock the domain. (Some registries sell a separate "registry lock," which can be removed only after out-of-band verification with the registry itself; that is about as close as the industry gets to the safe-deposit vault.)
Changes to approval email addresses should also go through the same approval process. So, for example, no change should be made to my account email address without affirmative approval via that email address. The current standard system, which at best sends out an "email address has changed" notice after the fact, is inadequate for domain security, because a secure system is only as strong as its weakest link.
Even registrars of high-profile domains such as Amazon.com, BarnesAndNoble.com, and Coke.com don't offer services like these. And some high-profile domains (such as Comcast.net) have indeed been hijacked. Fortunately, if you're Amazon or Coke, you can probably get your domain back pretty quickly with a simple phone call. But if you're not, you need a registrar that's going to stand up for you, no matter how small you are. And you can expect it to take days at best, or weeks, or months, or years, or forever.
There are some additional safety measures you can take to slow down a thief trying to steal your domain:
- Use a secret email address for your account email.
- Always use a secure computer and encrypted connection to download email.
- Use long, random passwords for each email and domain account.
- Treat any "secret question" as another password: answer with a random string that you record, not with a fact that someone else could dig up.
- If you have multiple domain names or web holdings, split them up between multiple registrars and hosting services.
- Use low-value domains for daily activities, if possible. (So if someone steals away VL.com, your email will still continue uninterrupted through VentureLogic.com.)
- Know how to get in touch with your registrar in an emergency, whether by phone, email, or web form, even if you’ve been locked out of your account by an attacker.
- Establish secure, authenticated communication channels with people you are likely to work with to resolve a crisis: obtain email certificates, exchange public keys, and set up secure IM.
- At least ask yourself, “Will that busty model come to my rescue when I have a problem with my domain?”
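None of the measures above tells you that the theft has started, and the story shows how much the first hours matter. The script below is an added example, not code from the original post or from DreamHost: it compares a domain's current registration record against a saved baseline and flags exactly the changes a hijack produces (transfer lock cleared, transfer pending, registrar changed, nameservers changed). It is written against RDAP, the JSON successor to WHOIS that postdates this story, and assumes records in the RFC 9083 domain-object shape; the sample records, registrar names and nameservers in it are constructed for the example.

```python
"""Watch a domain's registration record for the changes a hijack produces.

Added example, not part of the original post or DreamHost's tooling. It assumes
the records are RDAP domain objects (RFC 9083) as returned by a registry's RDAP
service; the sample records below are constructed, not real WHOIS/RDAP output.
"""
import json


def norm(status: str) -> str:
    """RFC 8056 maps EPP codes (clientTransferProhibited) to RDAP strings
    ("client transfer prohibited"); collapse both spellings to one key."""
    return status.replace(" ", "").replace("_", "").lower()


TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
UPDATE_LOCKS = {"clientupdateprohibited", "serverupdateprohibited"}


def summarize(rdap: dict) -> dict:
    """Reduce an RDAP domain object to the fields a hijack would change."""
    registrar = None
    for ent in rdap.get("entities", []):
        if "registrar" not in ent.get("roles", []):
            continue
        # jCard layout: ["vcard", [[name, params, type, value], ...]]
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                registrar = prop[3]
    return {
        "domain": rdap.get("ldhName", "").lower(),
        "status": {norm(s) for s in rdap.get("status", [])},
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "registrar": registrar,
    }


def findings(current: dict, baseline: dict) -> list:
    """Compare today's record with the saved baseline; return alert strings (empty = quiet)."""
    cur, base = summarize(current), summarize(baseline)
    alerts = []
    if not cur["status"] & TRANSFER_LOCKS:
        alerts.append("transfer lock missing: neither clientTransferProhibited "
                      "nor serverTransferProhibited is set")
    if "pendingtransfer" in cur["status"]:
        alerts.append("transfer to another registrar is pending")
    lost = (base["status"] & (TRANSFER_LOCKS | UPDATE_LOCKS)) - cur["status"]
    if lost:
        alerts.append("locks removed since baseline: " + ", ".join(sorted(lost)))
    if cur["registrar"] != base["registrar"]:
        alerts.append(f"registrar changed: {base['registrar']!r} -> {cur['registrar']!r}")
    if cur["nameservers"] != base["nameservers"]:
        alerts.append(f"nameservers changed: {base['nameservers']} -> {cur['nameservers']}")
    return alerts


# Constructed sample: the record as saved on a quiet day (the baseline).
BASELINE = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-HOST.NET"}, {"ldhName": "NS2.EXAMPLE-HOST.NET"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar Inc."]]]}],
}

# Constructed sample: the same domain after a theft like the one described above:
# the locks are gone, it sits at a different registrar, and DNS points elsewhere.
HIJACKED = json.loads(json.dumps(BASELINE))  # deep copy
HIJACKED["status"] = ["client delete prohibited"]
HIJACKED["nameservers"] = [{"ldhName": "ns1.attacker-dns.example"},
                           {"ldhName": "ns2.attacker-dns.example"}]
HIJACKED["entities"][0]["vcardArray"][1][1][3] = "Offshore Registrar Ltd."

if __name__ == "__main__":
    for alert in findings(HIJACKED, BASELINE) or ["no change since baseline"]:
        print(alert)
```

Run it on a schedule against the registry's RDAP service, keep the baseline somewhere the registrar account cannot reach, and send the alerts out of band (the page's advice on a secret account email applies to the alert channel too). The first alert you will see in a real theft is the cleared transfer lock, since the lock has to come off before the transfer can be requested; that is the moment to call the registrar's emergency number, not after the nameservers change.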
Unfortunately, as long as an attacker can trick the registrar to bypass security, neither strong passwords nor two-factor authentication nor double confirmation nor any other security measure will be effective.
Conceptually, you could even test a domain registrar: try to convince them to shortcut security for you in order to make legitimate changes to your own account, and if they do, bolt. I can't comment on whether that's legal or not. But as for me, I'd be interested in a broad-based study of how tight security really is at the Internet's top domain registrars.
Further reading on domain theft:
- Interview with Bjørn K. Andersen, who had Direction.com stolen.
- The story of the theft of P2P.com, and the first ever criminal prosecution of a domain thief.
- 2005 ICANN SSAC report on domain hijacking.
- DynDNS on domain hijacking.
- Moniker.com, a registrar that advertises a higher than average level of domain security.
Other mentions of the theft of VL.com:
- Report on the theft, on Domain News Wire.
- Boston Linux & Unix users' group discussion, as the story unfolded.
- Boston Perl Mongers' discussion.
- Hacker News discussion