About how my domain was stolen, and I stole it back
Dear Habr readers! Stories like the one that happened to me happen all the time, but the ending in my case is quite rare.
For certain reasons, in this article I will not name the domain or the reseller. Those who can identify them, I earnestly ask not to make them public in the comments.
It happened in October 2010. Six months before that, in early May, I bought the site without re-registering the domain; fortunately, everything indicated that my seller was already its fifth or sixth owner. The transaction price was 24 thousand rubles. I received:
- login/password for the admin panel of the domain reseller;
- password for the mailbox xxx@mail.ru;
- login/password for the firstvds.ru account on which the site was hosted;
- login/password for the administrative part of the Wordpress CMS.
About six months passed after the purchase and everything went on as before, until one day at the end of September I received an email about a password reset for Wordpress. Very quickly I found that I no longer had access to the xxx@mail.ru mailbox or to the domain reseller's admin panel. Looking at the corresponding entries on the root ns-servers, I saw that my domain's NS records already pointed to another hosting provider, vds64.com. The answer to how this could happen came very quickly: I had not bothered to change the recovery options for the xxx@mail.ru mailbox (security question and phone number), and someone, using them, had also taken access to the reseller's admin panel, since it was tied to this mailbox. All that remained to me was access to the hosting account, because there I had changed the contact email address. That did not seem to matter at the time, but, looking ahead, I will say that this is what saved me. There could be no doubt that this someone was none other than my seller. As luck would have it, I found out about all this on my birthday.
After spending a couple of days in understandable reflection, I went to one very well-known forum, where Silver Member status and registration almost from its founding imply a certain level of trust in me, and contacted a person who provides services for... let's just say, restoring access to stolen mailboxes. Three days later my new acquaintance surprised me by telling me the current password for the stolen mailbox. The price was 1500 WMR.
Encouraged by how quickly everything was resolved, I logged into the mailbox and went to regain access to the reseller's admin panel. Here I was very disappointed: to get a password, you need to know the answer to a secret question, which I did not have...
When examining the mailbox, I found that it had been carefully cleaned: there were no outgoing letters at all; in the inbox there was a letter from the reseller with a password reset link, which of course no longer worked, as well as a ticket with my seller's question about why the modified ns-servers had not yet been applied. In the question quoted in the ticket, my seller indicated the code word. Looking ahead again, I will say that this was his first strategic mistake.
Also in the mailbox was a letter to the administration of the Sape exchange asking them to remind him of his login in their system, with a story that the account data had been saved in the Opera browser and lost after a crash. From this I concluded that my seller is quite young if he uses such "social engineering", not realizing that he thereby only wastes technical support's time.
A day or two passed, and in the domain's whois data I saw a different registrant email address. I give it as is: babuwkamisha@gmail.com. Probably my seller discovered the loss of the mail.ru mailbox and transferred the domain to another reseller account.
Let me digress briefly and describe the reseller's security policy: the login is an email address, which may not coincide with the address in whois; there is a code word for communicating with tech support and a secret question for password recovery. Communication with the reseller must come from the login email address, and it is this address that the fight will be over.
Visiting the reseller's password recovery page, I entered the new mailbox and was offered to answer a secret question. This meant that an account with this address existed at the reseller, and my domain was most likely in it.
I again turned to my new acquaintance:
- A Gmail mailbox?
- I'll take the job.
Imagine my surprise when after three days I again received the current password, now for the Gmail mailbox. I will write about the hacking method in a note at the end. The price was 80 WMZ.
I must say that when ordering this second job my hopes for success were already close to zero, because, as I described above, access to the mail is not enough to regain control of the domain. As I expected, the mailbox was pristine clean...
Having nothing else to do, I tried to log into the Wordpress admin panel with the password I had received. And, lo and behold, the password worked! Unfortunately, the reseller's admin panel was not working at that moment; the reseller explained this by an outage in the data center. I cannot express how impatiently I waited for it to come back. It happened a day later: the password worked, I changed it to a new one, changed the dns servers at the reseller and the recovery details in the Gmail mailbox, and went to bed happy.
Waking up in the morning, I found that I again had no access to either the mailbox or the domain. What the hell!..
Out of hopelessness, I went to the Google account recovery page. I must say that, unlike Mail.ru, this service works very quickly. Let me digress and say a few words about it: once inside the mailbox, a person gets almost unlimited data for restoring access to it. Moreover, if you recently changed your password, a person who knows the previous password may need just one glance at your monitor to take over your mailbox for good.
So, after about an hour, I received a link from Google to restore access.
The reseller's admin panel already had another password unknown to me, and to get it I needed to know the answer to the secret question. I wrote a letter to reseller tech support asking them to "remind" me of it, giving, for luck, the code word I knew from the previous account, after which the reseller kindly informed me that "my favorite city" is Marseille. So my seller had not bothered to change the code word on the new account, and this was his second strategic mistake.
Again I changed all the details in the reseller's admin panel, mainly the dns servers, since the mailbox cannot be changed. After that my seller, who according to Gmail was in Ukraine and appeared online exclusively at night, again took it back in the same way.
This tug-of-war over the mailbox lasted three days.
The next step was obvious: transfer the domain to a new account whose login email did not coincide with the whois data. The problem was that the domain had been transferred a week earlier, and the reseller has a 30-day restriction on re-transfer.
It was the third day of my possession of the mailbox, around 19:00. Shortly before that, I had put 80 rubles into the account to "mark" my wallet in it, since the payer's wallet number is an important element of the reseller's security policy. Suddenly it dawned on me that I could not hold out for the remaining three weeks: by the time a transfer became possible I might no longer have access to the mailbox. I wrote a letter to the reseller with my suspicions that someone was using my mail (which, in fact, was true, although the mailbox was not entirely mine) and asked them to lift the time limit. An hour later I was informed that the restriction had been lifted, and I, using the password and the code word, very quickly transferred the domain to a pre-prepared account. And just in time: from that moment on I received no more access-restoration links for the mailbox from Google. Among other things, I put 500 rubles into the new account and renewed the domain, since its term was ending in a month or two.
In the evening my seller again got access to the mailbox, then to the reseller's admin panel, went in and... did not find my domain there. I believe that at that moment he panicked, because in the recovered mailbox he forgot to remove the forwarding to my other address, so I got the opportunity to read all his correspondence with the reseller. I realized how lucky I was, because, as you know, whoever owns the information owns the world, and when I saw his first letter I burst out laughing. Here it is (read from the bottom up, since the reseller's letter is a reply to the previous letter from my seller):
Hello,
To transfer a domain, you need to know the code word. It turns out the attacker knew your code word?
From which wallet did you replenish your balance with us?
> 10/06/2010 22:35 - Mikhail Babushkin wrote:
> Client Mikhail Babushkin with the e-mail address babuwkamisha@gmail.com asks
> the question:
> Good day.
> I recently bought the xxx.ru domain from Sergey Semenov without renewal. Code
> word: xxx. Secret question: Your favorite city, answer: Marseille.
> I transferred this domain to my mailbox: babuwkamisha@gmail.com. But a couple of days ago
> my mailbox was stolen from me, a bunch of passwords were phished, and they got full access to both
> the mailbox and the domain admin panel, and changed the DNS servers to their own. Today I
> regained access to my email through Google, and now I have regained access to
> the reg.ru admin panel, but I did not find the domain here. How can I track where the
> domain was transferred and how to return it? Thanks in advance.
The letter was clearly written in a hurry.
Right after that, the same night, the reseller sent me a question:
Hello!
Could you explain the origin of the domain XXX.RU on your account?
Are you the owner of this domain?
A claim has been received about your ownership of this domain.
I replied that my mailbox had been stolen with all its contents, and also that I bought the domain six months ago for $800, that all this time it had been on the FirstVDS server, that it was paid for from my wallet, and that I could prove it.
Then came the continuation of my seller's correspondence:
Hello,
How much did you pay for the domain when you bought it? I have learned this amount.
This domain has been attached to FirstVDS from May 7 to the present. That is, it turns out the attacker did not attach the domain anywhere. Do you have access to your account on FirstVDS? The domain turns out to have been attached to the same hosting the whole time. If you are its rightful owner, it will not be difficult for you to make any test page on the site and place a confirmation text there.
> 07.10.2010 00:35 - Babuwka Misha wrote:
> I had a letter from the seller with all the data for the domain in my inbox.
> It was from the email: xxx-ru@mail.ru
> And this letter contained various information about the site (here is a piece from the letter):
> Access to the wordpress admin area
> http://www.xxx.ru/wp-login.php
> Login: admin
> Password: xxx
> https://reseller
> Codeword: xxx
> Favorite city? Marseille
> I filled in the exact same code word and security question in my account so as not to forget them when
> I transferred the domain from xxx-ru@mail.ru to my gmail account. Apparently, having access to my email and to
> incoming letters, the code word and the answer to the secret question were learned.
> The top-up of 80 rubles was not me. Of course, I was going to renew the domain soon,
> since, as far as I know, the domain expires on November 21, but I never put money into your system,
> that is, you can cancel these 80 rubles, this is not from my wallet.
> And more information about this domain that Sergey Semenov provided to me:
> --------------------------------------------------
> DOMAIN
> --------------------------------------------------
> http://reseller
> xxx2@mail.ru
> old PassWord: xxx
> new password: xxx
> That is, initially the domain was registered at xxx2@mail.ru, then Sergey
> transferred it to xxx-ru@mail.ru during the sale. And after that, on the 20th of September, I transferred it to
> babuwkamisha@gmail.com. Such information, I think, is unlikely to be known to an attacker if you
> ask him about this domain.
> In your reply I want to hear what actions I can now take, or have I lost
> this domain forever?
Next letter:
Hello,
You wrote in the first letter that your email babuwkamisha@gmail.com was stolen from you...
And now you are already writing about xxx@mail.ru.
> 10.10.2010 20:10 - Babuwka Misha wrote:
> Yes, the hosting for this domain was attached to firstvds.ru initially, and I had access to it through the mailbox
> xxx@mail.ru, as well as access to everything else, and everything was fine until
> that mailbox xxx@mail.ru was stolen from me.
> I cannot get access to firstvds either, because I changed my password there, and the firstvds account
> is attached to that mailbox xxx@mail.ru. That is where all the problems started. I cannot return that mailbox,
> and that is why I recently started transferring the domain from one account on your site to another
> account. Knowing the secret question and the code word, I easily did this at the end of September. And it was because of
> the loss of hosting on firstvds that I recently bought a new VDS on vds64.com; firstly, it
> works faster (the server specifications are better), and secondly, I configured it there so that access
> could be restored at any time from my mobile phone, as security is now
> what I really need.
> In the domain admin panel after the transfer, I recently switched the DNS (or NS, I don't know the right term) to
> this new VDS I bought (ns1.vds64.com and ns2.vds64.com). And the attacker, having stolen
> the domain again, attached it back to the old firstvds, which he has access to.
Imagine the reaction of a technical support employee who gradually learns that a client has had two mailboxes in two different systems, a secret answer and a code word stolen from him, i.e. absolutely everything. The funny thing is that this is exactly what happened.
Hello,
You still have not answered how much you bought this domain for.
> 10.10.2010 21:20 - Babuwka Misha wrote:
> And the new email was stolen too. But this one, since I created it myself, thanks to Google services, I
> have already restored 3 times and lost this mailbox again. Until yesterday I had not installed it from Google - the program
> PC Tools Spyware Doctor. The same threat was found on my laptop and PC:
> Trackware.TrackingCookies. All because of this infection.
Next:
Hello,
Do you have contact with the domain owner from whom you bought it?
> 10/07/2010 10:15 PM - Babuwka Misha wrote:
> For $800.
Another letter:
Hello,
Do you have confirmation of the purchase process for this domain?
> 10/08/2010 00:10 - Babuwka Misha wrote:
> There is no contact left. When he was selling, he said that he was going into an offline business, or
> something like that, opening a car repair shop. He is no longer on VKontakte, etc.
I must say that for some time I suspected that this person was a poor fellow to whom my seller had simply sold the domain once again. Over time, however, the doubts dissipated: the same childish "social engineering"; of course it was my seller. Besides, some of the information, and the term "offline business", which was very rare to my ear, I had already heard when buying via ICQ.
After that, the reseller suggested that I send screenshots of Keeper and FirstVDS billing to confirm the purchase and the payment for hosting over the past six months. It seemed strange to me that the reseller decided to go into these clarifications, since the domain had been transferred in accordance with all the rules. However, so much the better: I had all the "trump cards". I sent the required data.
Hello,
How did you pay for FirstVDS hosting when it was still under your control?
> 10/08/2010 00:45 - Babuwka Misha wrote:
> No. I bought it for cash, but at the same time I got full access without re-registering the domain.
After this letter my seller disappeared and I heard nothing more about him. From time to time I send him messages disguised as spam to check whether the forwarding to me still works. It is still enabled.
It would be very interesting to find out what they thought about this story in reseller tech support: they probably decided that we had quarrelled and then fought over the domain.
Note: I think my seller was right, and the Google account really was "hacked" through a phishing link. While I had access to the mailbox, I received a letter from a certain Urals Bank, in which they sent me "my new details" with an attached document. Looking closely, I noticed that the "attachment" was actually in the body of the letter and merely styled to look like an attachment. When I clicked the download link, I landed on a copy of the Gmail home page. This was meant to suggest that the session had timed out and I needed to log in again. The link address was very long and contained the word "google", but, of course, not at the second level. Probably my seller fell for one of these letters.
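As an added illustration of the check this note describes (this is not code from the original post), here is a small Python function that flags a link which mentions a brand somewhere in the URL but whose registrable domain is not the brand's real one. The brand table and the sample links are constructed for the example, and the registrable-domain helper is a simplification that takes the last two host labels and ignores multi-label suffixes such as co.uk.

```python
from typing import Optional
from urllib.parse import urlparse

# Brands a user expects to log in to, mapped to the registrable domain each
# really lives under. Constructed table for this example, not a real list.
EXPECTED_DOMAINS = {
    "google": "google.com",
    "gmail": "google.com",
}


def registrable_domain(hostname: str) -> str:
    """Return the second-level part of a hostname, e.g. accounts.google.com
    -> google.com. Simplification: takes the last two labels and ignores
    multi-label public suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mismatch(url: str) -> Optional[str]:
    """Return the brand the URL mentions but is not actually hosted under,
    or None when the URL is brand-free or genuinely on the brand's own
    registrable domain.

    Covers the trick from the note above (the brand word buried deeper in
    the host or path) and the related userinfo trick, where 'brand.com@' is
    placed before the real host; urlparse().hostname returns the real host
    in that case.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return None
    actual = registrable_domain(host)
    lowered = url.lower()
    for brand, real_domain in EXPECTED_DOMAINS.items():
        if brand in lowered and actual != real_domain:
            return brand
    return None


def audit(urls):
    """Return {url: brand} for every URL in the list that trips the check."""
    return {u: b for u in urls if (b := brand_mismatch(u)) is not None}


if __name__ == "__main__":
    # Constructed sample links, modelled on the description in the note.
    SAMPLE = [
        "https://accounts.google.com/ServiceLogin?hl=en",
        "http://mail.google.com.session-expired.example/login",
        "http://google.com@203.0.113.10/gmail/",
        "https://www.example.org/news/gmail-update",
    ]
    for link, brand in audit(SAMPLE).items():
        print(f"suspicious ({brand} not at second level): {link}")
```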
Thanks for reading my article. I hope it seems interesting and useful to you.
UPD. In this story, the following seemed strange to me:
1. The reseller does not keep long-term IP logs for its admin panel; otherwise the Ukrainian origin of the original owner would have been obvious.
2. The reseller does not keep logs of ns-server changes, and learned from me that they pointed to Firstvds.ru. Although before the theft I hosted the domain with another provider.
3. And the strangest thing: at about the time described, the domain went into Verified status. This means that someone sent scans of their passport to the registrar. This person has not yet appeared.
Letters still arrive at babuwkamisha@gmail.com: spam from VKontakte, information about registering a new domain name. My seller has put a copy of my site on another domain and does not know that at the next update of the mirror, his site, according to robots.txt, will become a mirror of mine. I wonder if he reads Habr?
And about the lack of re-registration: the risk was built into the price of the site, which was clearly low for it. Besides, it is obvious that my seller is not the formal owner and does not know him.
For certain reasons, in this article I will not indicate the domain and name of the reseller. Those who can identify them, I earnestly ask you not to make them public in the comments.
It happened in October 2010. Six months before this - in early May - I bought the site without re-registering, fortunately everything indicated that my seller was already its fifth or sixth owner. The transaction price amounted to 24 thousand rubles. I received:
-login / password for the admin panel of the domain reseller;
-password to the mailbox xxx@mail.ru;
-login / password for access to the firstvds.ru account, on which the site was located;
-login / password for access to the administrative part of CMS Wordpress.
About six months have passed since the purchase, everything went on as it had once, when one day at the end of September I received a message in my mail about the password recovery to Wordpress. Very quickly, I found that I no longer have access to the xxx@mail.ru mailbox and the domain reseller admin area. Having looked at the corresponding entries on the root ns-servers, I saw that the pointers of my domain already refer to another hosting - vds64.com. The answer to how this could happen came very quickly: I did not bother to change the recovery options for the xxx@mail.ru mailbox (security question and phone number), and someone, using them, also took access to the reseller’s admin panel, so how she was tied to this mailbox. All that remains is access to the host account, because there I still changed the contact mail address. It didn't matter at that time, however, looking ahead, I’ll say that this is what saved me. There could be no doubt that this one is none other than my seller. As luck would have it, I found out about all this on my birthday.
After spending a couple of days in understandable thoughts about myself, I went to one very famous forum where the status of Silver Member and registration almost from the beginning of its foundation implies a certain level of trust in me, and went to a person who provides services for ... Let's just say: to restore access to stolen mailboxes. Three days later, my new friend surprised me by telling me the current password from the stolen mailbox. The issue price was 1500 WMR.
Encouraged by how quickly everything resolved, I went into the mail and went to regain access to the reseller admin panel. Here I was very disappointed: to get a password, you need to know the answer to a secret question that I didn’t have ...
When examining the mailbox, I found that it was carefully cleaned: there were no outgoing letters at all, in the inbox there was a letter from the reseller with a link to resetting the password, which, of course, didn’t work anymore, as well as a ticket to my seller’s question about why Modified ns servers have not yet been applied. In the question cited in the ticket, my seller indicated a code word. Looking ahead again, I will say that this was his first strategic mistake.
Also in the box was a letter to the administration of the Sape exchange asking them to recall the login in their system, while telling the story that, using the saving of accounts in the Opera browser, as a result of the failure, this data was lost. From this, I concluded that my seller is quite young if he uses such “social engineering”, not realizing that he thereby only takes time from technical support.
One or two days passed, and in the whois-domain data I saw another registration postal address. I bring it as is: babuwkamisha@gmail.com. Probably, my seller discovered the fact of the loss of the mail.ru mailbox and transferred the domain to another reseller account.
A little distracted and briefly describe the security policy of the reseller: the login is a mailing address that may not coincide with the address from whois, there is a code word for communicating with tech support and a secret question for password recovery. Communication with the reseller should occur from the login email address, for which the fight will unfold.
Having visited the reseller’s password recovery page, I indicated a new mailbox and received an offer to answer a secret question. This meant that the account with this address at the reseller exists, and my domain is most likely located in it.
I again turned to my new friend:
-Gmail box?
-I take to work.
Imagine my surprise when after three days I again received the current password now from the mailbox on Gmail. I will write about the hacking method in a note. The issue price was 80 WMZ.
I must say that when ordering this second job, my hopes for success were already close to zero, because, as I described above, access to mail is not enough to regain control of the domain. As I expected, the box was pristine clean ...
With nothing to do, I tried to enter the Wordpress admin panel with the password I received. And, lo and behold, the password came up! Unfortunately, the administrator part of the reseller did not work at that moment. Reseller explained this by an accident in the data center. I can not express with what impatience I was waiting for the restoration of her work. It happened a day later, the password approached, I changed it to a new one, changed the dns servers at the reseller, the recovery details in the Gmail inbox, and went to bed happy.
Waking up in the morning, I found that I did not have access to the mailbox and domain again. What the hell!..
From hopelessness, I went to the Google account recovery page. I want to say that, unlike Mail.ru, this service works very quickly. A little distracted and I will say a few words about it: once in the mailbox, a person receives almost unlimited data to restore access to it. Not only that, if you recently changed your password, then a person who knows the previous password may need just one look at your monitor to pick up your inbox for good.
So, after about an hour, I received a link from Google to restore access.
The reseller admin panel already had another password unknown to me, and in order to receive it I needed to know the answer to the secret question. I wrote a letter to reseller tech support asking them to “remind” him, indicating the code word I knew from the previous account for luck, after which the reseller kindly informed me that “my favorite city” is Marseille. Thus, my seller did not bother to change the code word on the new account, and this was his second strategic mistake.
Again, I changed all the details in the reseller admin panel, mainly dns servers, since the mailbox cannot be changed. After that, my seller, who, according to Gmail, was in Ukraine and appeared on the Web exclusively at night, again took it to himself in the same way.
This dragging of the box to each other lasted three days.
Further actions were obvious: it was necessary to transfer the domain to a new account on which the login email did not coincide with the data from whois. The problem was that the domain was transferred a week ago, and the reseller has a 30-day restriction on re-transfer.
It was the third day of my possession of the mailbox, it was about 19 hours. Shortly before that, I threw 80 rubles into my account to “mark” my wallet in it, as the payer's wallet number is an important element of the reseller’s security policy. Suddenly it dawned on me that the remaining three weeks I could not stretch out: by the time of transfer of access to the box I might no longer have. I wrote a letter to the reseller with my suspicions that someone was using my mail (which, in fact, was so, although the box was not entirely mine) and asked to remove the time limit. An hour later I was informed that the restriction was lifted, and I, using a password and a code word, very quickly transferred the domain to a pre-prepared account. And quite on time: from that moment I did not receive links to the restoration of access to the box from Google. Among other things I threw 500 rubles into a new account. and renewed the domain, since the renewal term ended in a month or two.
In the evening, my seller again got access to the mailbox, then to the reseller’s admin panel, went into it and ... did not find
Hello,
To transfer a domain, you need to know the code word. It turns out the attacker knew your code word?
From which wallet did you replenish your balance with us?
> 10/06/2010 22:35 - Mikhail Babushkin wrote (a):
> Client Mikhail Babushkin with an e-mail address babuwkamisha@gmail.com addresses
> the question:
> Good day.
> I recently bought the xxx.ru domain from Sergey Semenov without renewal. Code
> word: xxx. Secret Question: Your favorite city, answer: Marseille.
> I transferred this domain to my mailbox: babuwkamisha@gmail.com. But a couple of days ago,
> soap was stolen from me by phishing a bunch of passwords and got full access to both
> soap and the domain admin panel, and changed the DNS servers to their own. Today, I
> through Google regained access to my email, and now I regained access to
> admin panel reg.ru, but I didn’t find a domain here. How to track where it was
> domain transferred and how to return it? Thanks in advance.
The letter was clearly written in a hurry.
Right after that the same night the reseller wrote me a question:
Hello!
Could you explain the origin of the domain XXX.RU on your account?
Are you the owner of this domain?
A claim has been received about your ownership of this domain.
I replied that my mailbox was stolen with all its contents. And also that I bought the domain six months ago for $ 800, that all this time it was on the FirstVDS server, it was paid from my wallet, and I can prove it.
Then followed the continuation of the correspondence of my seller:
Hello,
How much did you pay for the domain when buying? I recognized this amount.
This domain has been attached to FirstVDS from May 7 to the present. Those. the attacker turns out the domain is not attached anywhere. Do you have access to your account on FirstVDS? The domain is obtained all the time attached to the same hosting. If you are its rightful owner, it will not be difficult for you to make any test page on the site and place a confirmation text there.
> 07.10.2010 00:35 - Babuwka Misha wrote (a):
> I had a letter from the seller with all the data to the domain in my inbox.
> It was from the email: xxx-ru@mail.ru
> And this letter contained various information about the site (here is a piece from the letter):
-> Access to the wordpress admin area
-> http://www.xxx.ru/wp- login.php
> Login: admin
> Password: xxx
> https: // reseller
> Codeword: xxx
> Favorite city? Marseille
> I filled in the exact same code word and security question in my account so as not to forget when
> I transferred the domain from xxx-ru@mail.ru to my gmail account. Apparently having access to my email and to
> incoming letters, I learned the code word and the answer to the secret question.
> Top-up by 80 rubles. I didn’t. Of course, I was going to soon renew the domain,
> since, in my opinion, the domain expires on November 21, but I never entered the money into your system,
> that is, you can cancel these 80 rubles, this is not from my wallet.
> And more information about this domain that Sergey Semenov provided to me:
> ------------------------------------------------- -
> DOMAIN
> ---------------------------------------------- ----
> http: //resellerxxx2@mail.ru
> old PassWord: xxx
> new password: xxx
> That is, initially the domain was registered at xxx2@mail.ru, then Sergey
transferred it to xxx- during the > sale ru@mail.ru. And after that I transferred it on the 20th of September to
> babuwkamisha@gmail.com. Such information, I think, is unlikely to be found by an attacker if you> ask him about this domain.
> In the response letter I want to hear what actions I can now carry out or have I lost
> this domain forever?
Next letter:
Hello
You wrote in the first letter that your email was stolen from you babuwkamisha@gmail.com...
And now you are already writing about xxx@mail.ru
> 10.10.2010 20:10 - Babuwka Misha wrote (a):
> Yes, the hosting of this domain is attached to firstvds.ru initially, and I had access to it through soap
> xxx@mail.ru, as well as access to everything backward, and everything was fine before until
> until the revenge soap xxx@mail.ru was stolen from me .
> I can’t get access to firstvds either because I changed my password there, and the firstvds account
> is attached to that soap xxx@mail.ru. From here all the problems started. I can’t return that soap,
> and that’s why I started recently transferring a domain from one account on your site to another
> account. Knowing the secret question and the code word, I easily did this at the end of September. And it was because of
> loss of hosting on firstvds that I recently bought a new VDS on vds64.com, firstly it
works faster > (server specifications are better), and secondly, I configured it there so that access
> could be restored anytime from my mobile phone, as security now
> I really need.
> In the domain admin panel after the transfer, I recently interrupted DNS (or NS, I don’t know how to do it) on
> this is my new VDS purchased (ns1.vds64.com and ns2.vds64.com). And the attacker kidnapped again
> the domain again attached it to the old firstvds, which he has access to.
Imagine the reaction of a technical support employee, who gradually learns that two mailboxes were stolen from a client in two different systems, a secret answer and a code word, i.e. stole everything and everything. The funny thing is that it was just like that.
Hello,
you still haven't answered how much you bought this domain for.
> 10.10.2010 21:20 - Babuwka Misha wrote (a):
> And the new email was stolen too. But this one, since I created it myself, thanks to Google services I
> had already restored 3 times and lost the mailbox again, until yesterday, when I installed a program from Google,
> PC Tools Spyware Doctor. The same threat was found on my laptop and PC:
> Trackware.TrackingCookies. All because of this infection.
Further:
Hello,
Do you have contact with the domain owner from whom you bought it?
> 10/07/2010 10:15 PM - Babuwka Misha wrote (a):
> for $ 800.
Another letter:
Hello,
Do you have confirmation of the purchase process for this domain?
> 10/08/2010 00:10 - Babuwka Misha wrote (a):
> There is no contact left. When he was selling, he said that he was going into an offline business, or
> something like that, opening a car repair shop. He is no longer on VKontakte, etc.
I must say that for some time I suspected that this character was just another poor fellow to whom my seller had sold the domain once again. Over time, however, the doubts dissipated: the same childish "social engineering", so of course it was my seller. Besides, some of the details, and the term "offline business", which I had very rarely heard, I had already come across when buying via ICQ.
After that, the reseller suggested that I send screenshots of Keeper and the FirstVDS billing to confirm the purchase and the payment for the hosting over the past six months. It seemed strange to me that the reseller decided to embark on these clarifications, since the domain was transferred in accordance with
Hello,
How did you pay for the FirstVDS hosting when it was still under your control?
> 10/08/2010 00:45 - Babuwka Misha wrote (a):
> No. I bought it for cash, but at the same time I got full access without re-registering the domain.
After this letter my seller disappeared, and I heard nothing more about him. From time to time I sent him messages disguised as spam to check whether the forwarding to me still works. So far it is still enabled.
It would be very interesting to find out what the reseller's tech support made of this story: they probably decided that we had quarrelled and were then fighting over the domain.
Note: I think my seller was right, and the Google account really was "hacked" through a phishing link. While I had access to the mailbox, I received a letter from a certain Urals Bank in which they sent me "my new details" with an attached document. Looking closely, I noticed that the "attachment" was actually in the body of the letter and was simply styled to look like an attachment. When I clicked the download link, I landed on a copy of the Gmail home page. This was meant to suggest that the session had timed out and I needed to log in again. The link address was very long and contained the word "google", but, of course, not at the second level. My seller probably fell for one of these letters.
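The tell described above (the word "google" present somewhere in a long URL, but not in the second-level domain) can be checked mechanically. The following is an added Python example, not code from the original article; the small multi-label suffix list and the sample URLs are constructed for illustration and do not replace the full Public Suffix List.

```python
"""Lookalike-URL check: does the brand name appear in the registrable
(second-level) domain, or only elsewhere in the URL (subdomain, userinfo,
path, query)? Added example; standard library only."""
from urllib.parse import urlsplit

# Constructed, intentionally small set of multi-label public suffixes
# (assumption). Production code should use the real Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.ua", "org.ua", "com.ru", "msk.ru"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL, lower-cased, with any
    userinfo ('user:pw@') and port stripped by urlsplit()."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_position(url: str, brand: str) -> str:
    """Classify where `brand` occurs: 'registrable', 'elsewhere' or 'absent'."""
    brand = brand.lower()
    if brand in registrable_domain(url):
        return "registrable"
    if brand in url.lower():
        return "elsewhere"
    return "absent"


def is_suspicious_login_link(url: str, brand: str) -> bool:
    """The pattern from the article: the brand is mentioned in the URL,
    but the link does not actually lead to that brand's domain."""
    return brand_position(url, brand) == "elsewhere"


if __name__ == "__main__":
    samples = [  # constructed URLs for illustration
        "https://accounts.google.com/ServiceLogin",
        "http://mail.google.com.account-verify.example/login?svc=google",
        "https://google.com@evil.example/",
        "https://bank-details.example/attachment.pdf",
    ]
    for u in samples:
        print(f"suspicious={is_suspicious_login_link(u, 'google')!s:5} {u}")
```

The third sample shows why the host must be taken from the parsed URL rather than from a substring search: the `google.com@` part is userinfo, not the destination.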
Thanks for reading my article. I hope it seems interesting and useful to you.
UPD: In this story, the following seemed strange to me:
1. The reseller does not keep IP logs of its admin panel for long; otherwise the Ukrainian registration of the original owner would have been obvious.
2. The reseller does not keep logs of ns-server changes, and learned from me that they pointed to Firstvds.ru, although before the theft I hosted the domain with a different provider.
3. And the strangest thing: at about the time described, the domain went into Verified status. This means that someone sent scans of their passport to the registrar. That person has not yet appeared.
Letters are still arriving at babuwkamisha@gmail.com: spam from VKontakte, information about registering a new domain name. My seller has put a copy of my site on another domain and does not know that at the next mirror update his site, according to robots.txt, will become a mirror of mine. I wonder if he reads Habr?
And about the lack of re-registration: the risk was priced into the site, which was clearly undervalued because of it. Besides, it is obvious that my seller is not the formal owner and is not acquainted with him.