Dear habravchane! Stories like the one that happened to me happen all the time; only the ending, in my case, is rather rare.
For certain reasons, in this article I will not name the domain or the reseller. Those who can identify them, I earnestly ask not to make it public in the comments.
It happened in October 2010. Six months earlier, at the beginning of May, I had bought the site without re-registering the domain, since everything indicated that my seller was already its fifth or sixth owner. The transaction price was 24 thousand rubles. I received:
- login/password to the admin panel of the domain reseller;
- password to the xxx@mail.ru mailbox;
- login/password to the firstvds.ru account on which the site was hosted;
- login/password to the admin part of the WordPress CMS.
About six months after the purchase, everything went on as usual until one day in late September I received an email about a WordPress password reset. Very quickly I discovered that I no longer had access to the xxx@mail.ru mailbox or to the reseller's admin panel. Looking at the corresponding records on the root NS servers, I saw that my domain now pointed to another hosting provider, vds64.com. The explanation came just as quickly: I had not bothered to change the recovery options of the xxx@mail.ru mailbox (secret question and phone number), and someone had used them to take over the reseller admin account as well, since it was tied to that mailbox. All that remained was access to the hosting account, because there I had changed the contact email address. At the time it did not seem to matter, but, looking ahead, I will say that this is what saved me. There could be no doubt that this someone was none other than my seller. As luck would have it, I found all this out on my birthday.
After spending a couple of days thinking about myself in terms you can guess, I went to one very well-known forum, where Silver Member status and registration almost from its founding imply a certain level of trust in me, and found a person providing services in... let's put it this way: restoring access to stolen mailboxes. Three days later my new acquaintance surprised me by telling me the current password of the stolen mailbox. The price was 1500 WMR.
Inspired by how quickly this was resolved, I logged into the mailbox and went to restore access to the reseller admin panel. There I was greatly disappointed: to get the password, you need to know the answer to a secret question, which I did not have...
While looking through the mailbox, I found that it had been carefully cleaned: there were no outgoing letters; in the inbox there was a letter from the reseller about password recovery, which, of course, no longer worked, and a ticket created by my seller asking why the changed NS servers had not yet been applied. In the question quoted in the ticket, my seller had included the code word. Again looking ahead, I will say that this was his first strategic mistake.
Also in the mailbox was a letter from the administration of the Sape exchange asking them to remind him of his login on their system, with a story that he had been saving his accounts in the Opera browser and lost these data after a crash. From this I concluded that my seller is quite young if he uses this kind of “social engineering”, not realizing that it only wastes technical support's time.
A day or two later, I saw a different registration email address in the domain's whois data. I quote it as it is: babuwkamisha@gmail.com. Probably my seller had discovered the loss of the mail.ru mailbox and transferred the domain to another account at the reseller.
Let me digress briefly and describe the reseller's security policy: the login is an email address, which need not coincide with the address in whois; there is a code word for communicating with technical support and a secret question for password recovery. Communication with the reseller must come from the login email address, and it is that address for which the fight would unfold.
When I visited the reseller's password recovery page and entered the new mailbox address, I was offered to answer a secret question. This meant that an account with that address existed at the reseller, and my domain was most likely in it.
I again turned to my new friend:
- A Gmail mailbox?
- I'll take the job.
Imagine my surprise when, three days later, I again received the current password, this time for the Gmail mailbox. I will write about the “hacking” method in a note at the end. The price was 80 WMZ.
I must say that when ordering this second job my hopes of success were already close to zero, because, as I described above, access to the mail is not enough to regain control over the domain. As I expected, the mailbox was pristine...
Having nothing better to do, I tried to log into the WordPress admin area with the password I had received. And lo and behold, the password fit! Unfortunately, the reseller's admin panel was not working at that moment; the reseller explained this by an accident in the data center. I cannot express how impatiently I waited for it to come back. It happened a day later: the password fit, I changed it to a new one, changed the DNS servers at the reseller and the recovery details in the Gmail mailbox, and went to sleep contented.
Waking up in the morning, I found that I had again lost access to both the mailbox and the domain. What the hell!..
In despair I went to the Google account recovery page. I must say that, unlike Mail.ru, this service works very quickly. A brief digression about it: once inside the mailbox, a person gets almost unlimited means to restore access to it. Moreover, if you recently changed your password, a person who knows the previous password may need only one glance at your monitor to take your mailbox away forever.
So, about an hour later I received a link from Google to restore access.
In the reseller's admin panel there was yet another password unknown to me, and to obtain it I needed the answer to the secret question. I wrote to the reseller's technical support asking them to “remind” me of it, giving, at random, the code word I knew from the previous account, after which the reseller kindly informed me that “my favorite city” is Marseille. So my seller had not bothered to change the code word on the new account, and this became his second strategic mistake.
Again I changed all the details in the reseller's admin panel, mainly the DNS servers, since the mailbox cannot be changed. After that my seller, who, according to Gmail, was in Ukraine and appeared online only at night, took it all back in the same way.
This tug-of-war over the mailbox lasted three days.
The next step was obvious: the domain had to be transferred to a new account whose login email did not coincide with the whois data. The problem was that the domain had been transferred a week earlier, and the reseller has a 30-day limit on re-transfers.
It was the third day of my possession of the mailbox, around 19:00. Shortly before that, I had put 80 rubles into the account to “mark” my wallet in it, since the payer's wallet number is an important element of the reseller's security policy. Suddenly it dawned on me that I could not hold out for the remaining three weeks: by the time the transfer became possible, the mailbox might no longer be mine. I wrote to the reseller with my suspicion that someone was using my mail (which was actually the case, although the mailbox was not entirely mine) and asked them to lift the time limit. An hour later I was informed that the restriction had been lifted, and, using the password and the code word, I very quickly transferred the domain to a previously prepared account. And just in time: from that moment I no longer received links from Google to restore access to the mailbox. Among other things, I put 500 rubles into the new account and renewed the domain, since its registration period ended in a month or two.
In the evening my seller regained access to the mailbox, then to the reseller's admin panel, logged in and... did not find my domain there. I suppose he panicked at that moment, because in the recovered mailbox he forgot to remove the forwarding to my other address, thanks to which I was able to read all his correspondence with the reseller. Realizing how lucky I was (as you know, whoever owns the information owns the world) and seeing his first letter, I laughed. Here it is (it should be read from the bottom up, since the reseller's letter is the reply to my seller's previous letter):
Hello,
To transfer a domain you need to know the code word. It turns out the attacker knew your code word?
From which wallet did you top up your balance with us?
> 10/06/2010 10:35 PM - Mikhail Babushkin wrote:
> Client Mikhail Babushkin with e-mail address babuwkamisha@gmail.com asks
> a question:
> Good day.
> I recently bought the domain xxx.ru from Sergey Semenov without re-registration. Code
> word: xxx. Secret question: Your favorite city, answer: Marseille.
> I transferred this domain to my mailbox: babuwkamisha@gmail.com. But a couple of days ago
> my mail was stolen by phishing the passwords, and they got full access both to the
> mail and to the domain admin panel, and changed the DNS servers to their own. Today I
> restored access to the email through Google, and have now restored access to the
> admin panel of reg.ru, but the domain is not found here. How can I track where the
> domain was transferred and how can I get it back? Thank you in advance.
The letter was clearly written in a great hurry.
Immediately after that, the same night, the reseller sent me a question:
Hello!
Could you explain the origin of domain XXX.RU on your account?
Are you the owner of this domain?
A claim has been received regarding your ownership of this domain.
I replied that my mailbox had been stolen with all its contents, and also that I had bought the domain six months earlier for $800, that all this time it had been hosted on the FirstVDS server and paid for from my wallet, and that I could prove it.
This was followed by the continuation of my seller's correspondence:
Hello,
How much did you pay for the domain when you bought it? I have found out this amount.
This domain has been attached to FirstVDS from May 7 until now. That is, it turns out the malefactor did not attach the domain anywhere. Do you have access to your account on FirstVDS? The domain turns out to have been attached to the same hosting all along. If you are its legal owner, it will not be difficult for you to make a test page on the site and place confirming text there.
> 10/07/2010 00:35 - Babuwka Misha wrote:
> In my mailbox there was a letter from the seller with all the data for the domain.
> It was from the email: xxx-ru@mail.ru
> And this letter contained various information about the site (here is a piece of the letter):
> > Access to the wordpress admin
> > http://www.xxx.ru/wp-login.php
> Login: admin
> Password: xxx
> https://reseller
> Code word: xxx
> Favorite city? Marseilles
> I filled in exactly the same code word and secret question in my account so as not to forget them when
> I transferred the domain from xxx-ru@mail.ru to my gmail account. Apparently, having access to my email and to
> incoming letters, he learned the code word and the answer to the secret question.
> I did not make the 80-ruble deposit. Of course, I was going to renew the domain soon,
> because, as far as I know, the domain's term expires on November 21, but no money of mine ever went into your system,
> that is, you can cancel these 80 rubles, they are not from my wallet.
> And more information about this domain, which was provided to me by Sergey Semenov:
> --------------------------------------------------
> DOMAIN
> --------------------------------------------------
> http://reseller xxx2@mail.ru
> Old password: xxx
> New password: xxx
> That is, the domain was originally registered to xxx2@mail.ru, then during the sale Sergey
> transferred it to xxx-ru@mail.ru. And after that I transferred it on the 20th of September to
> babuwkamisha@gmail.com. I think the attacker would hardly have such information if you asked him about this domain.
> In your reply I want to hear what actions I can take now, or have I lost
> this domain forever?
The following letter:
Hello,
You wrote in a letter that your email babuwkamisha@gmail.com was stolen...
And now you write about xxx@mail.ru
> 10/07/2010 20:10 - Babuwka Misha wrote:
> Yes, this domain's hosting was attached to firstvds.ru from the start, and I had access to it through the mail
> xxx@mail.ru, as well as access to everything else, and everything was fine
> until the xxx@mail.ru mail was stolen from me.
> Access to firstvds is also impossible because the password there was changed, and the firstvds account is
> attached to that xxx@mail.ru mail. That is where all the problems started. I cannot get that mail back,
> and that is why I recently started transferring the domain from one account on your site to another
> account. Knowing the secret question and the code word, I easily did this at the end of September. And precisely because
> I lost the hosting on firstvds, I just recently bought a new VDS on vds64.com; firstly it
> works faster (the server's specifications are better), secondly, I have set it up there so that access
> could be restored at any time from my mobile phone, since security is now
> very necessary to me.
> In the domain's admin panel, after the transfer, I recently switched the DNS (or NS, I do not know which is correct) to
> this newly purchased VDS (ns1.vds64.com and ns2.vds64.com). And the attacker, hijacking the
> domain again, attached it to the old firstvds, to which he has access.
Imagine the reaction of a tech support employee who gradually learns that a client has had two mailboxes in two different systems, a secret answer and a code word stolen, i.e. everything and everyone stolen. The funny thing is that this is how it was.
Hello,
You have not answered: for how much did you buy this domain?
> 10/07/2010 21:20 - Babuwka Misha wrote:
> And he stole the new email too. But this one, because I created it myself, I have already, thanks to Google services,
> restored 3 times and lost this mail again. Until yesterday nothing was delivered from Google: the program
> PC Tools Spyware Doctor. I had the same threat on my laptop and PC:
> Trackware.TrackingCookies. It was all because of this infection.
Further.
Hello,
Do you still have contact with the domain's owner, from whom you bought it?
> 10/07/2010 10:15 PM - Babuwka Misha wrote:
> For $800.
Another letter:
Hello,
Do you have confirmation of the purchase of this domain?
> 10/08/2010 00:10 - Babuwka Misha wrote:
> No contact left. When he sold it, he said that he was going into an offline business, or
> opening an auto repair shop, or something else. He is no longer on VKontakte or anywhere else.
I must say that for some time I suspected this person was a poor fellow to whom my seller had simply sold the domain once again. However, over time the doubts dissipated: the same childish “social engineering”; of course it is my seller. In addition, some of the information, and the term “offline business”, which is quite rare to my ears, I had already heard when buying through ICQ.
After that the reseller suggested that I send screenshots of WebMoney Keeper and of the FirstVDS billing to confirm the purchase and the hosting payments over the last six months. It seemed strange to me that the reseller decided to go into these clarifications, since the domain had been transferred according to all the rules. However, it was even better: I had all the “trumps”. I sent the required data.
Hello,
How did you pay for the FirstVDS hosting while it was still under your control?
> 10/08/2010 00:45 - Babuwka Misha wrote:
> No. I bought it for cash, but I received full access without re-registering the domain.
After this letter my seller disappeared, and I never heard from him again. Periodically I sent him letters disguised as spam to check whether the forwarding to me still works. It is still in place.
It would be very interesting to know what the reseller's technical support thought of this story: they probably decided that we had quarrelled and then fought over the domain.
Note: I think my seller was right, and the Google account really was “hacked” through a phishing link. While I had access to the mailbox, I received a letter from a certain Urals bank that sent me “my new account details” with an attached document. Looking closely, I noticed that the “attachment” was actually in the body of the letter and merely styled to look like an attachment. When I clicked the download link, I got a copy of the Gmail home page, which was meant to suggest that the session had timed out and I needed to log in again. The link address was very long; the word “google” was present in it, but, naturally, not at the second level. Probably my seller received one of these letters.
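The tell in that phishing link (the brand name appears somewhere in the URL, but the domain that actually owns the page is not the brand's own) is simple to check mechanically. Below is an added example, not part of the original post, of a small Python checker that pulls every http(s) link out of a mail body, reduces each hostname to its registrable domain and flags links that mention a brand while living on someone else's domain. The brand allowlist, the tiny stand-in for the Public Suffix List and the sample mail body are all constructed for this example; a real deployment would use the full Public Suffix List and a maintained allowlist.

```python
"""Flag links in a mail body that imitate a brand on a foreign domain.

Added example, not from the original post. The allowlist and the suffix
table below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> registrable domains that may legitimately carry it.
# Constructed allowlist for the example; extend it for real use.
BRAND_DOMAINS = {
    "google": {"google.com", "google.ru", "gmail.com"},
}

# Second-level labels under which the registrable domain is one label longer
# (e.g. "example.co.uk"). A toy stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) part of a hostname.

    Simplified public-suffix handling: the last two labels, or three when the
    second-to-last label is a common second-level suffix under a two-letter
    country TLD, as in "foo.co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in MULTI_LABEL_SUFFIXES
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Classify one URL.

    Returns (verdict, apex): "legitimate" when a brand is named and the apex
    is on that brand's allowlist, "suspicious" when a brand is named anywhere
    in the URL but the apex is not on the allowlist, "unrelated" otherwise.
    """
    host = urlparse(url).hostname or ""
    apex = registrable_domain(host)
    haystack = url.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in haystack:
            return ("legitimate" if apex in allowed else "suspicious", apex)
    return ("unrelated", apex)


def scan_mail_body(body: str) -> list[tuple[str, str, str]]:
    """Extract every http(s) link from a mail body and classify it."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample mail body modelled on the "new account details" lure;
# the hostnames are invented for this example.
SAMPLE_BODY = """\
Your new account details are attached.
Download: https://accounts-google.com.mail-verify.example/google/ServiceLogin?continue=https://mail.google.com/
Help centre: https://support.google.com/accounts
Bank statement: https://example.org/statements/october.pdf
"""

if __name__ == "__main__":
    for url, verdict, apex in scan_mail_body(SAMPLE_BODY):
        print(f"{verdict:10} {apex:25} {url}")
```

The first sample link is the interesting one: "google" occurs twice, in a subdomain label and in the path, yet the registrable domain is mail-verify.example, so it is reported as suspicious; the genuine support link and the bank's own PDF link pass through as legitimate and unrelated respectively.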
Thanks for reading my article. I hope you found it interesting and useful.
UPD. The following seemed strange to me in this story:
1. The reseller does not keep IP logs for its admin panel for long; otherwise the Ukrainian location of the original owner would have been obvious.
2. The reseller does not keep logs of NS server changes, and learned from me that they pointed to Firstvds.ru, although before the theft I had hosted the domain with another provider.
3. And the strangest thing: at approximately the time described, the domain moved to Verified status. This means that someone sent scans of their passport to the registrar. That person has not appeared to this day.
Emails still arrive at babuwkamisha@gmail.com: spam from VKontakte, information about the registration of a new domain name. My seller has put a copy of my site on another domain and does not know that at the next update of the mirror system his site, according to robots.txt, will become a mirror of mine. I wonder if he reads Habr?
About the lack of re-registration: the risk was priced into the site, and for him it was clearly underpriced.
Besides, it is obvious that my seller is not the formal owner and is not acquainted with him.