In 2008 I created a website that, over time, grew into a motorboating community uniting thousands of motorboat and boat enthusiasts. During the season the site's attendance exceeded 10,000 people per day, and someone decided they wanted the site.
Having gained access to the control panel at my registrar (r01.ru), the thief transferred the domain to another registrar (internet.bs), into his own account. The database and files were obtained from the hoster by fraud.
I lost a project I had worked on for about 9 years. I was able to get the domain back only after 8 months.
Details below.
Wake-up call
On May 19, 2017, the forum moderator Dmitry called me on the phone and said that someone had written to him introducing himself as the new administrator; he also reported that some messages had disappeared and warned of glitches. At that moment I was far from civilization and did not yet grasp the seriousness of the problem.
The next day, once at a computer, I started looking into a new Google AdSense ad unit that stretched across the full width of the page. I couldn't log in to the forum under my nickname, so I went to the hoster, but I couldn't log in there either.
Hoster Proceedings
When I called the hoster (hts.ru), I learned that someone had requested a password reset on the account, providing a copy of my passport. On that request, support reset the password and removed two-factor authentication (SMS). To regain access, they asked me to send a passport scan as well. Under the hts.ru rules, anyone holding a passport scan can get access to the owner's account. As it turned out later, it doesn't even take a copy of the passport; a crude fake is enough. In my case the thief sent a forgery full of blunders: wrong date of issue, wrong subdivision code, wrong signature, someone else's photo, and a residence registration date earlier than the date of birth. A "scanned application" (also an hts requirement) was attached to the "passport copy", in which the thief asked for access to the account hosting the site, signed in a way that did not match the signature on the "copy" at all. My request for an official explanation from hts was fulfilled, though it stated that someone had sent a copy of the passport, not a fake.
I have been a client of hts since 2008. I did not expect such negligence as resetting two-factor authentication: they could have called, looked at the login logs; even a close look at the "passport copy" would have been enough... I received no apology or compensation from hts, not that I really needed it.
After regaining access to the server, I realized that the site was now hosted elsewhere. Whois showed that the registrar had changed, as had the NS records.
Domain stolen
In the registrar's control panel I saw that the domain belonged to me and the NS records were still mine.
Early on Saturday morning I called the R01 receptionist and received the following information: "You are the owner, don't worry." But how could I not worry, when whois showed that the registrar and NS had changed! A second call to R01 confirmed my fears: the domain had been transferred to another registrar (international domains are transferred online, without paperwork), and the information in the control panel is updated with a long delay. To the question "What do I do?" they suggested filing a ticket and waiting until Monday (the legal department works on weekdays).
How I was to get through to Monday, I did not know. My heart sank, I went hot and cold, and chaotic thoughts spun in my head.
How was the domain stolen
The passwords for my mail and the registrar had not been changed, which meant the thief had learned them, and that could only have happened if my computer had been compromised. The registrar control panel password was stored in the Firefox browser under the protection of a master password (6 characters), and the mail password could be obtained from the Thunderbird mail client.
The router was the entry point into the home network: its firmware contained a critical vulnerability that allowed executing arbitrary commands from outside, including enabling telnet, which is what was done.
My computer ran Win10 with Avast installed. There were two more computers on the home network (Win7 + Avast). One of them was compromised, and on the router the thief set up port forwarding to this computer.
On May 6 the scammer logged in to my email and set up spam filters, after which all letters from the registrar went to the Spam folder, so I saw no warnings about the registrar change. Judging by the Mail.ru logs, the thief controlled the mailbox, periodically read letters in the Spam folder and then deleted them. Connections came from IP addresses of a Polish mobile operator.
In the registrar's customer account, a transfer of the domain to another registrar (internet.bs), into the fraudster's account, was initiated.
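The filter trick described above (registrar mail silently routed to Spam, read and deleted) is something the mailbox owner can audit for. The following is an added example, not code from the original post: it walks a list of filter rules and flags any rule that hides or forwards mail from registrar/hoster senders. The rule structure and the sample rules are constructed for illustration; a real audit would map them onto the provider's filter export.

```python
"""Audit mailbox filter rules for rules that divert registrar/hoster mail."""

# Senders whose mail must never be hidden from the owner (taken from the story).
CRITICAL_SENDER_DOMAINS = {"r01.ru", "hts.ru", "internet.bs", "icann.org"}
# Filter actions that hide mail from the owner or leak it elsewhere.
HIDING_ACTIONS = {"move_to_spam", "move_to_trash", "delete", "forward"}


def covers_critical_sender(condition):
    """True if a 'from contains' condition would match a critical sender.

    A blank or catch-all condition matches everything, which includes the
    registrar; otherwise we check overlap in both directions so that both
    '@r01.ru' and 'noreply@r01.ru' are caught.
    """
    cond = condition.lower().strip()
    if cond in ("", "@", "."):
        return True
    return any(cond in "@" + d or d in cond for d in CRITICAL_SENDER_DOMAINS)


def audit_rules(rules, owner_domain):
    """Return [(rule_id, [reasons])] for every suspicious rule."""
    findings = []
    for r in rules:
        reasons = []
        action = r["action"]
        if action in HIDING_ACTIONS and covers_critical_sender(r.get("from_contains", "")):
            reasons.append(f"{action} applied to mail from a registrar/hoster sender")
        # Any forward that leaves the owner's own domain is worth a look,
        # regardless of which senders it matches.
        target = r.get("target", "").lower()
        if action == "forward" and not target.endswith("@" + owner_domain.lower()):
            reasons.append(f"forwards mail outside {owner_domain} to {r.get('target')}")
        if reasons:
            findings.append((r["id"], reasons))
    return findings


# Constructed sample rules (hypothetical structure; not a real provider export).
SAMPLE_RULES = [
    {"id": 1, "from_contains": "newsletter@shop.example", "action": "move_to_trash"},
    {"id": 2, "from_contains": "@r01.ru", "action": "move_to_spam"},
    {"id": 3, "from_contains": "", "action": "forward", "target": "collector@mail.example"},
    {"id": 4, "from_contains": "support@hts.ru", "action": "move_to_folder", "target": "Hosting"},
]

if __name__ == "__main__":
    for rule_id, reasons in audit_rules(SAMPLE_RULES, "owner.example"):
        print(f"rule {rule_id}:")
        for reason in reasons:
            print("   ", reason)
```

Rule 4 is deliberately not flagged: moving registrar mail into a visible folder is a normal thing for the owner to do, while rule 2 reproduces the attack from the story.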
Theft of international domains
Many such cases are described online, and only a small fraction have a happy ending. I found no guide to action, so I began writing letters and private messages on forums to people who had encountered theft of an international domain. One of those who answered, Dmitry, volunteered to help for a fee. I agreed, and so he became my consultant.
Dmitry's case was identical to mine; the same fraudster's handwriting could be traced. The phone conversation instilled optimism. He told me about his experience: he had managed to get the domain back through the new registrar (internet.bs). For 3 months he corresponded with the "abuse team" (legal department) while constantly contacting online support (which, he says, speeds up the process), and, oh miracle! (as it later turned out, it really was a miracle), internet.bs returned the domain!
Action guide for returning a domain through a registrar:
1) The old registrar must write to the new one that the client does not consent to the domain transfer.
2) Write a letter yourself to the new registrar, briefly describing the problem and referring to the letter from the old registrar (ticket number). A reply from internet.bs (where stolen domains most often end up) comes within 3-4 business days.
3) Correspond with the new registrar and provide evidence for your case. You may wait weeks for the next letter from internet.bs; running ahead, I never did get a final letter.
According to Dmitry's optimistic forecast, the domain could be expected back no earlier than a month later. So I decided to restore the site on a new domain.
Site Restoration
On the night from Saturday to Sunday I hardly slept and decided to act at dawn. I restored the site on a domain I had registered the previous evening. I chose an address in the RU zone completely identical to the old one, minus the dot before the org.
On the new forum I posted an appeal to users and backed it up with a photo of myself with the new site address.
Then I sent letters to registered users (~14,000 people), but as it turned out later, due to hts limits the letters did not reach everyone, so I sent them again later.
At that moment I did not believe that the site on the new domain could replace the old one for its visitors. Why would they leave? But the friendly community supported me.
Soon, on the old forum, the first person posted about the letter received from me, then a second... then the "second thief" (as we called him) became active; he did not bother to register but wrote on my behalf, with an avatar bearing my photo. Earlier he had already replied that the glitches were related to the move. The thief called me a liar, told everyone the site had been sold and that he was now the rightful owner, and as proof provided a screenshot of a letter in which I thank him for the purchase, and threatened to go to court. However, few believed the thief; people asked questions, so the thief began deleting the "inconvenient" messages and blocking unwanted users.
On the first day several dozen people moved to the new forum, though some of them kept posting on the old one as well. Most forum members at first reacted to the new site with disbelief; some did not want to sit on a deserted forum (20 people online versus 500+). The situation was changed by activists among those who had switched to the new forum: they wrote private messages and letters and phoned friends. Dmitry alone, the moderator who first told me about the glitches, wrote several hundred messages and letters. In protest, people deleted their posts on the old forum or edited them to leave links to the new site, and created threads about the theft of the site, which, by the way, were quickly deleted, with the users blocked. By the middle of the week the new forum was home to more than 70 active participants, and there were more new messages on it than on the old one.
The old forum was moderated harshly, and the new address was added to the spam filter. The thief, under different nicknames, agitated both on the forum he controlled and on the new one. One of his messages: "100 rats fleeing the ship will change nothing, because more than 10,000 people visit the forum." The thief failed to take into account that it is precisely these 100 people who make the forum.
Police
Although I found no reports of effective police help in cases of international domain theft, and many wrote of inaction, I decided to try. I called the police; the duty officer recommended contacting Department K, which investigates crimes in the IT sphere. I phoned that department on Monday, May 22, and they sent me to file a statement with the regional police department, addressed to the police major general. I filed the statement, the duty officer accepted it, assigned an incoming number and told me to wait for a call. A few days later the investigator called. At the appointed time I went to the office of Department K; the investigator turned out to be a young man named Andrei. He listened to me and asked a few questions, after which I realized that the investigator was not strong on terminology and had only superficial knowledge of the matter.
My statement describing what had happened (an A4 page of printed text) lay on his desk, but apparently that was not enough for the case. Details were needed, so I had to dictate an extended version, starting with when the site was created, how I learned about the theft, and so on. The result was 3-4 pages of text. During our joint work Andrei showed interest; it seemed he wanted to help. I suggested he make inquiries with Yandex and Google, since the fraudster's AdSense and Direct ad blocks were placed on the site. I also asked him to contact the hoster (MCHost). I handed over screenshots from Mail.ru showing logins from IP addresses in Poland, as well as the explanation from my hoster and the logs of the fraudster's actions on the host. Two weeks later I called Andrei; he said the case would soon be transferred to the police station in my district, from where an investigator would call me. Almost a month passed, but no calls came. Then I called the district office, which sent me to the regional administration, and from there back to the district office. I called Andrei again; he said that since they had not been able to find the culprit, a criminal case had most likely been refused, and that in cases like mine this is a frequent occurrence! When I called the regional police department again and insisted on getting information, the duty officer replied that he had no time to rummage through the registers and suggested I wait for the letter.
The refusal letter did come; I received it 2.5 months after filing the statement, but more on that below.
Registrar Proceedings
I waited for Monday, May 22, and called R01. By then I already knew that R01 was not my registrar but only a reseller. The domain registrar was PublicDomainRegistry, which I discovered by looking at the archived whois.
At R01 Irina picked up the phone, listened to me and said that the domain transfer had taken place without any breach of the rules. That I do not know how to store passwords is my problem. I said I had been their client since 2003, then explained about the mail compromise, after which she asked for evidence, saying it would be useful for contacting ResellerClub (a subsidiary of PublicDomainRegistry), the company R01 had its agreement with.
Confirming the mailbox compromise with mail.ru turned out to be impossible. The reply came within 24 hours: "Unfortunately, we do not provide such services." I had no other evidence of the compromise besides the screenshots showing logins from Warsaw, so I sent those to R01 and then called (Tuesday, May 23). I again spoke with Irina, as on every subsequent occasion. She was polite and said she would contact the former registrar and inform them of my objection. Having received no letter, on Monday, May 29, I called R01 again; Irina said she had not yet received an answer, and then I asked her to write to internet.bs.
The next day Irina forwarded a letter received from internet.bs, which said they were ready to talk only with the registrar (PublicDomainRegistry).
On June 6 I finally received a letter from R01 with the following content: "We have received a response from our account manager that we will be answered soon. Awaiting response."
On June 9 a positive letter arrived: Logicboxes was ready for the TDRP (Transfer Dispute Resolution Policy); the procedure would cost $300. Of course I was willing to pay that amount to restore justice. Irina attached to the letter the text I had to send to logicboxes.com (another division of the registrar). The letter was sent the same day, but no answer ever came.
On June 20 I called R01; Irina promised to write another letter to ResellerClub.
On June 23 R01 again received a "reply" from the account manager, who apologized and assured that he would soon deal with the problem.
On June 28 R01 received yet another letter, in which the account manager now said that it was no longer necessary to contact logicboxes.com; the Dispute Resolution Department of PublicDomainRegistry would help.
Meanwhile the 60-day domain lock period was ending, after which the thief could transfer the domain to the next registrar. I filed a complaint with ICANN and started calling R01 actively. Irina again wrote letters to the registrar and its subsidiaries.
And, oh miracle! On July 13, a few days before the end of the lock period, I received a letter from the PublicDomainRegistry Abuse Mitigation Team stating that they had initiated proceedings.
On July 14 a letter came from Internet.bs saying that the former registrar had contacted them and the dispute was already under way. After this letter, clientUpdateProhibited was added to the domain's status alongside clientTransferProhibited (transfer prohibited).
On July 27 I received a letter from PublicDomainRegistry reporting that internet.bs did not want to return the domain. The letter went on to suggest using the UDRP procedure or going to court.
The same day I wrote to internet.bs describing the situation and offering to compensate the costs of the proceedings. On August 11 the answer came: "Our client claims to have bought the domain".
Then I wrote another letter in which I presented the evidence I had and asked for proof of purchase. On August 15 I received the reply: "We received your letter, we will contact you soon". After 10 days of waiting I turned to the internet.bs online support chat, where I was told: "The ticket is in progress, wait for an answer". The ticket status had not changed even after 3 weeks, after which I decided to contact WIPO.
Roskomnadzor
On May 22 I received a letter, allegedly from Roskomnadzor. It said that a complaint had been received from a copyright holder (my previous site address was given) demanding the removal of 3 pages containing profile books from the USSR, one of which I had scanned personally (the images carried watermarks). Outraged, I wrote a reply, and received a formal answer: "We are not in charge of the proceedings. If the owner of the site receives a complaint at the address of the copy of the site, blocking will follow." Since the forum was the main thing for me at that moment, I took those pages down. Seeing the effect, on May 31 the thief wrote another letter on behalf of Roskomnadzor demanding the removal of the site's content. Without waiting for blocking, I replaced the content on the main page of the new site with information about the theft and closed the forum to unregistered users, except for one section, "Theft of the domain". I started calling the federal Roskomnadzor, but there is no hotline for blocked sites there. Then I called the regional one, but the person who answered was incompetent. After listening to my story, he replied: "If a letter has arrived, it means they will block". The same day I sent a statement to the prosecutor's office, and a few days later a second one, to be safe. The first response came from the Prosecutor General's Office (July 13) by e-mail; I received a reply from the regional prosecutor's office by post a day later. Both informed me: "Roskomnadzor has nothing to do with the letters about blocking your site."
The thief had registered a domain very similar to the official Roskomnadzor one and created a phishing site on it with a feedback form. The letters were sent from a mailbox created on that domain, using the Roskomnadzor template.
Note that Roskomnadzor blocks sites only by court order. The rights holder must win in court, and only then can blocking follow.
New Motorboat
After the news from the prosecutor's office I returned the site to its previous form and opened the forum to unregistered visitors. By this time the old forum was already empty; it was still being visited (thousands came from search), but apart from messages from newly registered users there was practically nothing to read. Many of those messages were questions in old threads, whose authors wrote that they would answer on New Motorboat.
By this time the new forum was already living its usual life: people simply communicated and exchanged experience, and the number of messages from newly registered users grew. Attendance exceeded 700 people per day, only about 10% of them from search.
Seeing the futility of fighting for the forum, the thief began to moderate in raids; messages about the new address stayed up for several days. From August on they could stay up for more than a week, as the thief grew too lazy to delete single messages about the new forum, and that is when I actively joined the struggle on the old forum. A couple of times a day I wrote, in every thread with new messages, about the site theft and the new address, passing the link through goo.gl because the URL had been added to the spam filter. The thief periodically deleted the messages along with my nickname, so I re-registered and restored at least the 20 most recent messages. After a few weeks of such work, the old forum practically stopped receiving useful messages.
Thief sells website
Since the theft I have received three letters from people to whom the site was being offered for sale. They all found the new site through search and declined to buy. The site was not listed directly on Telderi, but that is where it was offered to those interested in buying similar sites.
Police Ruling
I got word from the police only on August 8: "During the check, no answers to the requests were received; as a result, it was impossible to identify the unknown person, but it was established that the "internet.bs" registrar is hosted by CentralNic South Site, located in London, UK (i.e. outside the jurisdiction of OP-3 MU, Ministry of the Interior of Russia, Irkutsk). It was not possible during the check to establish the amount of damage caused to citizen Ch., since the relevant documents for the domain acquisition, hosting and site creation were not provided, and it was not established how many people visited the site, what advertising was on the site, etc. The PC of citizen Ch. was not examined. Considering the foregoing, the elements of the crime under Part 1, Art. 158 of the Criminal Code are not present and, guided by clause 1, part 1, Art. 24, Art. 144-145 and 148 of the Code of Criminal Procedure of the Russian Federation, it is decided to refuse to initiate a criminal case".
I did not appeal against the decision.
WIPO
So, without waiting for the promised answer from internet.bs, I decided to contact WIPO (World Intellectual Property Organization). WIPO's UDRP procedure is well established.
The applicant pays a fee of $1,500 (one arbitrator) or $2,000 (three arbitrators). I paid $1,500 on the wipo.int site with a bank card.
I declined to file the complaint myself and trusted a lawyer recommended by my consultant Dmitry. By then Eugene (the lawyer) had helped return three sites.
According to Eugene, it is easier to return the domain of a popular site. With total attendance of more than several million people, one can speak of an unregistered trademark, which is almost equivalent to a registered one.
The complaint was filed on September 15; the arbitration was scheduled for December 5. However, it took place only on December 14; a delay of 1-2 weeks is a frequent occurrence.
On December 15 a message arrived from WIPO saying that the domain should be transferred to the complainant. On December 19 an e-mail came with the signed decision.
On December 20 I received a letter from Internet.bs stating that the domain holder could appeal the WIPO decision within 10 business days; if that did not happen, the registrar would implement the decision after January 8. As a result, I received control of the domain on January 12; there was no e-mail notification, the domain was simply transferred to my account.
How to protect against domain theft
1) Hide domain information. Do not publicly advertise the e-mail address to which the domain is registered.
2) Access to that mailbox must be protected by two-factor authentication.
3) The domain should be registered with a registrar with a good reputation.
4) Login to the registrar account must go through two-factor authentication.
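One more safeguard that follows from this story: watch the domain's public registration record yourself, so that a registrar change, a nameserver change or a dropped transfer lock is noticed even when the registrar's e-mails never reach you. The following is an added example, not code from the original post: it parses a domain record in RDAP JSON form (RFC 9083 style; the sample here is constructed to look like the record after the transfer) and compares it with a known-good baseline. Domain, registrar and nameserver names are placeholders.

```python
"""Detect registrar / nameserver / lock drift in a domain's RDAP record."""
import json
import re


def _norm_status(s):
    # RDAP spells statuses "client transfer prohibited"; EPP/whois spells
    # them "clientTransferProhibited". Reduce both to one comparable form.
    return re.sub(r"[^a-z]", "", s.lower())


def parse_rdap(doc):
    """Extract registrar name, nameservers and statuses from an RDAP domain object."""
    registrar = None
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # vcardArray is ["vcard", [[name, params, type, value], ...]];
            # the "fn" property carries the registrar's display name.
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    ns = sorted(n["ldhName"].lower().rstrip(".") for n in doc.get("nameservers", []))
    statuses = {_norm_status(s) for s in doc.get("status", [])}
    return {"registrar": registrar, "nameservers": ns, "statuses": statuses}


def check_drift(current, baseline):
    """Return a list of human-readable findings; empty means nothing changed."""
    findings = []
    if current["registrar"] != baseline["registrar"]:
        findings.append(f"registrar changed: {baseline['registrar']!r} -> {current['registrar']!r}")
    if current["nameservers"] != sorted(n.lower() for n in baseline["nameservers"]):
        findings.append(f"nameservers changed: {baseline['nameservers']} -> {current['nameservers']}")
    # Both locks should stay set on a domain you are not actively moving.
    for lock in ("clienttransferprohibited", "clientupdateprohibited"):
        if lock not in current["statuses"]:
            findings.append(f"lock missing: {lock}")
    return findings


# Constructed sample: an RDAP-style record as it might look after an
# unauthorised transfer (new registrar, new nameservers, update lock gone).
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example-forum.org",
  "status": ["client transfer prohibited"],
  "nameservers": [{"ldhName": "NS1.NEW-HOST.EXAMPLE"}, {"ldhName": "ns2.new-host.example."}],
  "entities": [{"roles": ["registrar"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "New Registrar Ltd"]]]}]
}""")

# Known-good snapshot taken while the domain was still under the owner's control.
BASELINE = {"registrar": "Old Registrar LLC",
            "nameservers": ["ns1.old-host.example", "ns2.old-host.example"],
            "statuses": {"clienttransferprohibited", "clientupdateprohibited"}}

if __name__ == "__main__":
    for finding in check_drift(parse_rdap(SAMPLE_RDAP), BASELINE):
        print("ALERT:", finding)
```

Run it from a daily job against the live RDAP response for your domain and route any finding to a channel that does not depend on the possibly compromised mailbox.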
If your international domain has been stolen
As soon as possible, restore the site on a new domain and notify users.
The registrar that accepted the domain has no interest in returning it. Moreover, it is accountable to ICANN, so if it takes a domain away without a court decision it may itself be punished, up to and including loss of accreditation.
I think it is not worth spending time on proceedings with the registrars; you should go straight to WIPO or any other court.