How I almost lost the "Great Words", or the "responsibility" of the Online.ua office
In November something interesting happened to me: I was the target of a hacker attack whose purpose, as it turned out later, was to take from me the domain of my project "Great Words", www.greatwords.ru, which you may have read about on Habr earlier. In this post I want to tell how this happened and who, besides myself, is to blame (although that can be guessed from the headline). Perhaps my experience will be useful and help other people avoid an unpleasant situation like the one I found myself in.
It all started on the morning of November 11th. I went to my sap.in site to update something and was quite surprised to see the ISPmanager stub page instead of the site. I should say that my VDS does run ISPmanager, and the first thing I would have done was look for an error on the server, if it were not for the Flagfox plugin that I use. This plugin displays the flag of the country where the site's server is located. My VDS, like me, is in Kiev, yet now the Russian tricolor was displayed in the address bar. After running ping sap.in, I, as expected, did not see my IP at all.
How could this happen? There were two options: either a problem with my NS servers, or someone had changed the data. After looking up the domain's whois record, I realized that, alas, it was the second: the NS servers in the domain record were not mine.
The sap.in domain and some of my other domains are registered with Reggi.ru. When I tried to log in to the domain control panel, I received an error, the password-recovery e-mail never arrived, and I realized that this was a serious matter.
Here I need to digress and talk about the situation with my e-mail, for which, of course, I have only myself to blame. The fact is that I became a Reggi client a long time ago, more than three years ago. At the time I was, for some reason, using the services of an outfit called Online.ua (it cannot be called a company, and I will explain why later). That was where my mailbox was located (for safety's sake, I will call it my-old-mail@online.ua), and my Reggi account was registered to it. I stopped using this mailbox long ago; a couple of years ago I switched to GMail and simply set up forwarding. I will say right away, so as not to return to the subject of mail, that in addition to my GMail (let's call it my-general-mail@gmail.com) I also used mail on my own domains via Google Apps. That was where I made another mistake, but more on that later.
As expected, the password for my-old-mail@online.ua did not work, and neither did the answer to the secret question. As a precaution, I changed all the passwords that matter to me (including GMail), although at that moment I assumed that it was my-old-mail@online.ua that had been hacked and considered it unlikely that a Trojan had been planted on my machine. After that I wrote to Reggi.ru support (I take this opportunity to thank them for their promptness and help in this difficult situation) and described the problem. Support, at my request, blocked the account and informed me that to change the contact e-mail I needed to send a signed application to Moscow requesting the change, along with copies of my passport, and, to speed up the recovery, to e-mail them scans of these documents as well. Which I did, asking to change the address to my-general-mail@gmail.com.
After sending the documents, I went about my business and forgot about it for a couple of hours. A couple of hours later I decided to check my mail, and was unpleasantly surprised to find that I could not log in to my-general-mail@gmail.com. When I tried to reset the password, I saw that the phone number for password recovery had been changed to someone else's, and an address in the .cc zone, where I have never had domains, had been added as an alternative e-mail. Everything became clear. Now about my second mistake. I don't know whether Google's protection mechanisms are simply like this, or whether it was an oversight, but the list of alternative addresses for recovering the password still contained the address I had specified. And everything would have been fine, but... it was an address on the sap.in domain, and the domain now pointed at the attacker's NS servers. Thus,
I was a little lucky: I was still logged in to the ticket I had opened with Reggi.ru. I immediately went there to report that the mailbox I had requested access for had also been hacked. An unpleasant surprise awaited me there. The following message had appeared in the ticket:

Do I need to say that I did not write this message? Of course, I immediately reported the situation and asked them not to unlock the account. Thanks to Reggi.ru, they did not unlock it.
The situation was a stalemate. I registered my-temp-mail@gmail.com and submitted a request to restore my Google account through the appropriate form. The answer would come in a day. What else could I do? I decided to write a letter to my own mailbox and get in touch with the hacker. Soon the answer came:

We moved to ICQ the next day. I will not give the entire log, as it would take up too much space. The bottom line: the cracker wanted my greatwords.ru domain. If I refused to hand it over voluntarily, he threatened to use my scans, which of course were in my-general-mail@gmail.com, to forge my documents, put a fake seal on them as if they had been certified by a notary, and send them to the registrar, thereby seizing control of the domain. In the case of a voluntary transfer, he even promised to pay me a certain amount.
Of course, I refused. To the threats of forged documents I replied that I would fly to Moscow on an evening flight and be at the registrar's before his drop got there. After 10 minutes of silence, the cracker informed me that I could stop worrying and that I had won. There was no point in him continuing, because I would get my property back anyway. And he promised to return everything that had been stolen. Would he then tell me the password to my-general-mail@gmail.com? Of course, but only on Monday (the conversation took place on Saturday), from work, since he had a VPN and socks proxies there. I really wanted to believe it, but since when do you need a VPN and socks to tell someone a password? So he was lying. I pretended to believe him. Let him think he had managed to deceive me; this would give me an advantage.
I contacted Reggi.ru. They advised me to contact Ru-center directly, the registrar of the greatwords.ru domain. There they advised me to send a letter by regular mail asking them to prohibit any transfer of rights to the domain without my personal presence, and thereby protect myself from forged documents. I sent such a letter the same day. Now everything depended on the speed of the post, on Ru-center, and on the actions of the cracker.
I will not drag this out. Soon the letter reached Ru-center, and from that moment a transfer of rights to the domain without my personal presence became impossible. During those few days the cracker did not have time (or did not want) to re-register the domain, and it remained with me. I also managed to regain access to my-general-mail@gmail.com. With great difficulty: the only thing that helped was that at the time I had in my hands a recently received Google AdSense check. Only with its help did I manage to prove to Google support that I was who I said I was. Once I had access to my-general-mail@gmail.com, I regained all the accounts stolen from me, and a little later control over my Reggi account and, accordingly, all my domains.
I now come to the final part of my story. Surely you are wondering how the attack was carried out. I deliberately separated this part from the main narrative. At first, as I mentioned, I assumed that my-old-mail@online.ua had been hacked. After losing access to GMail, I was already sure that I had picked up a trojan; I saw no other explanation. But I was mistaken: there was no trojan. I managed to reconstruct the picture of what happened only by analyzing the contents of the mailbox from the time the cracker was using it, by talking with support, and, in part, from the cracker's own words. It all happened as follows.
The hacker, being interested in my greatwords.ru domain, checked its whois record. It listed the e-mail my-old-mail@online.ua, since that was the address my Reggi account was registered to. From the NS or IP the cracker identified my registrar. He then wrote to the support of that shabby outfit online.ua, and those idiots, at his request, deleted my account my-old-mail@online.ua without any proof. After that, the cracker registered it himself and gained access to the domain control panel. Having pointed the sap.in domain at his own server, he set up mail on it and, thanks to my carelessness with alternative e-mails, gained access to my-general-mail@gmail.com. This is how the human factor, combined with the complete irresponsibility of Online.ua, made this situation possible.
I want to warn everyone who uses the services of Online.ua. Be careful. Move all important registrations to another mailbox, because one day your account may simply be deleted at the request of a stranger. If your friends use Online.ua, warn them. This is an absolutely irresponsible provider that does not care about the confidentiality of your data or your security.
In conclusion, I will give the text of my correspondence with them. Yes, I wanted to talk to them after all this, although, of course, I was not going to have anything further to do with them. Their reaction is very revealing.
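The chain described above is a graph of account-recovery dependencies: whoever controls a node can reset everything whose recovery channel points at it. The following added example (my code, not the author's) reconstructs that graph from the post, computes the blast radius of the weakest link, and contrasts it with an assumed hardened wiring in which recovery flows only from an out-of-band root; the node names and the hardened layout are my assumptions.

```python
from collections import deque

# Edge A -> B: whoever controls A can reset or take over B, because B's
# recovery channel (contact e-mail, alternate address, NS record) points at A.
# Reconstructed from the incident described in the post.
INCIDENT_CHAIN = {
    "online.ua mailbox": ["Reggi.ru account"],   # registrar contact e-mail
    "Reggi.ru account": ["sap.in DNS"],           # control panel sets NS records
    "sap.in DNS": ["mail@sap.in"],                # MX follows the attacker's NS
    "mail@sap.in": ["gmail account"],             # listed as Gmail alternate address
    "gmail account": ["Google Apps domains", "passport scans", "other web accounts"],
}

# Assumed hardened wiring (not from the post): recovery flows only from an
# out-of-band root, and the third-party mailbox no longer protects anything.
HARDENED_CHAIN = {
    "phone / hardware key": ["gmail account"],
    "gmail account": ["Reggi.ru account", "Google Apps domains", "other web accounts"],
    "Reggi.ru account": ["sap.in DNS"],
    "sap.in DNS": ["mail@sap.in"],
    "mail@sap.in": [],
    "online.ua mailbox": [],
}


def reachable(graph, start):
    """Every account an attacker holding `start` can take over (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def roots_of_trust(graph):
    """Nodes that protect something but that nothing else protects: these must
    be strong and out-of-band, since no upstream control can save them."""
    targets = {b for edges in graph.values() for b in edges}
    return {a for a, edges in graph.items() if edges and a not in targets}


def blast_radius(graph):
    """Map every node to the number of accounts that fall with it."""
    nodes = set(graph) | {b for edges in graph.values() for b in edges}
    return {n: len(reachable(graph, n)) for n in nodes}


if __name__ == "__main__":
    for name, g in (("incident", INCIDENT_CHAIN), ("hardened", HARDENED_CHAIN)):
        print(f"== {name}: roots of trust = {sorted(roots_of_trust(g))}")
        for node, n in sorted(blast_radius(g).items(), key=lambda kv: -kv[1]):
            print(f"  {node:<22} -> {n} downstream account(s)")
```

In the incident graph the only root of trust is the abandoned third-party mailbox, and it reaches every other account; in the hardened graph that mailbox and the domain mailbox reach nothing.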
I:
Hello.
First of all, thank you very much for deleting my account my-old-mail@online.ua, without any confirmation, at the request of an unknown person. Thanks to you, he managed to register this mailbox after you deleted it and steal my domains and my main mailbox. So far I have not been able to restore all of this.
I demand that you immediately block the account registered by the attacker and give me, as the original owner, access to it.
Without respect,
Andrei Sabinin.
Online.ua:
Hello!
No one has deleted your account. How can you prove that this is your mailbox?
I:
Here is an excerpt from my conversation with the cracker. He blackmailed me but did not succeed, after which I managed to get the details of the hack from him.
16:01:53 hacker: You don't have a trojan on your computer, it's just the online.ua assholes
16:02:20 sap: I thought at first that you broke into online.ua
but then I don't understand how you got to gmail
16:02:27 hacker: If you talk to them, they'll delete the mailbox, and of course I can register it. That's all.
16:03:28 hacker: > sap (17:02:19 11/13/2010)
> I thought at first that you broke into online
> but then I don't understand how you got to gmail
Redirected the domain to some server, set up a mailer there, created the mailbox ***@***, and that was it
And I am sure that I really did not have a trojan, and I see no other way the hack could have happened. Will you claim that you have taken no action on my account?
What evidence is needed to restore access?
Online.ua:
Hello!
Give the answer to the security question that you specified when registering the mailbox my-old-mail@online.ua.
I:
I registered this box three and a half years ago and have not used it for more than two years.
What was the question there?
Online.ua:
The registration date of the mailbox my-old-mail@online.ua is 11/10/2010 21:36:51, not three and a half years ago.
I advise you not to write to technical support anymore. Do not waste our time or yours.
I:
Did you even read what I wrote earlier? Naturally the new registration date is 10.11, since it was registered by the attacker after you deleted it!
If you refuse to deal with me by e-mail, tell me the address of your office or legal department, as well as your surname, so that I can file a complaint against you.
In response, silence. That's all.
Be careful. And do not use the services of Online.ua.