One of my domains: WhoTalking.com has been stolen recently. I got it back in 4 days. So, what happened?

Saturday, 1 Sept 2012

• Found my domain WhoTalking.com has gone to a wrong location
• Couldn’t login to the reigstrar CrazyDomains.com.au
• Couldn’t get the reset password email
• Called CrazyDomains. The tech guy in CrazyDomains told me WhoTalking.com has been transferred out. He didn’t know what to do to get it back. Suggested me to call CrazyDomains again on Monday
• I started to remember there was a warning message of suspicious access in my Gmail account couple of days ago
• Immediately activated the 2-step verification of all my Gmail accounts
• Checked  the WhoIs information, found out WhoTalking.com is now sitting in BookMyName.com (in France)
• Couldn’t find the phone number of BookMyName.com on their website. But there is a contact form on the website. So I sent a message telling them WhoTalking.com is a stolen domain and I am the legitimate owner of this domain
• Called my previous colleagues who are working at a domain registration company. One of them asked me to print the historical WhoIs information(DomainTools.com) and report this to the local police office(Australia)
• Submitted a complaint form on ICANN website and sent an email to ICANN Australia office
• Went to the police office and the lady there told me she would contact the E-Crime department.
• Googled the Internet trying to find out articles about this situation
• Then I found an article(http://www.secretgeek.net/sg_hijack_1.asp) written by Leon Bambrik. His situation was quite similar to mine. And his domain has already been taken back
• Tweeted Leon. He replied me immediately. We started to talk by emails
• He gave me some very useful suggestions from his own experiences making me see some hope. And he also  told me it took about 2-3 months for him finally to get his domain back and first month was the most panicking moment
• Sent an email to CrazyDomains’ support
• Wait until midnight, No response from CrazyDomains.com.au, BookMyName.com and ICANN. Of course, it’s Saturday and the time of France and US is much later than Australia’s

Sunday, 2 Sept 2012

• Got an email from the hacker who wanted to sell the stolen domain back to me. Asking price was $500 USD
• I sent the email to Leon and police
• Replied to hacker asking how I could be sure if I paid he would deliver the domain back
• He replied saying I just had to trust him and we could talk on Yahoo Messenger
• On Yahoo Messenger, this guy told me he only accept LibertyReserve.com and Paypal Gift payment which both provide no refund policy and protection of the payer. He won’t accept other ways and said it’s risk for him. I told him I need to think.
• I decided not to pay because I don’t trust him as a thief. $500 is not much for me and can’t compare the value of my domain. But how would I know he would keep the promise
• I kept feeling frustrated and began to accept the possibility that I might never get it back. I put so much of effort and money into this website. It’s like a part of me. It’s pain to think losing it.

Monday,  3 Sept 2012

• Got an email for the hacker saying he is willing to reduce the price to $450.
• First thing after I got to my office was to call CrazyDomains. And I have to say, they are really crazy:
  • 1st call took me 20 minutes to wait, no one answered.
  • 2nd call dropped itself after 40 minutes’ waiting, no one answered.
  • 3rd call later on, no connection at all. Seemed their phone system was crashed.
  • I tweeted them on Twitter. They replied soon: Unfortunately, there is nothing we can do.
  • And they also replied the support email I sent on Saturday with the same answer: Unfortunately, there is nothing we can do.
• Leon sent me an email asking me to ignore the hacker’s offer and told me that CrazyDomains were mistaken if they believe there is nothing they can do. He says:”They need to contact the gaining registrar using the official channels that are provided to them, and notify them that the domain transfer is being disputed by the previous owner……” Also he told me it’s still quite early in Paris because of the time difference.
• I called ICANN Sydney office. It’s just an answer machine telling general information and asking me to send an email to sydney@ICANN.org for “all other enquiries”, which I have already sent one to them on Saturday. Then I filled another general enquiry form on ICANN website.
• I told the hacker the only options for him would be Escrow.com, Sedo.com and Paypal(not Gif option). He said no and suggested I could pay him(Paypal Gift) in 2 steps: pay some first then rest of them once I got my domain back. And also, the price has been raised back to $500 because I didn’t trust him.
• BookMyName.com sent me an email saying they can’t do anything at this moment and I should also contact ICANN.org and my lawyer. BUT, they were asking me for the ID and some evidences. To me, that didn’t seem they were not going to anything because they were asking me to sent my ID to them. That’s better than CrazyDomains and ICANN.
• When I got this email, I was already on my way home. I was kind of afraid to send my IDs to them because I didn’t know if the hacker and them were actually together. Then I searched Google for ICANN accredited registrars. I found BookMyName.com is one of accredited registrars. And I also called that friend in domain business, he confirmed that BookMyName is legitmate. Leon also said I should be ok to do that.
• After getting back home, I started to prepare all the documents I thought could be useful to prove I am the legitimate owner which included my driver license; the screenshot of the domain WhoIs history(from DomainTools.com), my renewal record of WhoTalking.com; my hacked Gmail warning message, the record of the domain being transfer out after the Gmail being hacked, the email of the hacker asking me to buy it back, and how the traffic dropped to zero after my domain has been stolen, etc.
• Also sent the same documents to ICANN Sydney.

Tuesday,  4 Sept 2012

• Got an email from BookMyName asking me if I had a secure email. This email from BookMyName was sent at about 2:00 PM Paris time which was 2 hours after I sent all the ID and documents to them.
• So I gave them a secured email and was wondering what’s next. I kind of felt good about them because as I said, they were the only one actually doing something
• Nothing happened during the day because it was night in Paris. So I waited.
• On my way back home at evening, I got an email for BookMyName. They were saying they were giving my domain name back!!! And they gave me an instruction of how to get in to my domain’s control panel in BookMyName.
• I couldn’t believe it!!! I got into BookMyName control panel and reset the password, changed the DNS server and did all other necessary changes. After a while, I finally saw my web content back to normal.
• I sent an email back to BookMyName to say how much I appreciated their help. I have to say: they are honest people with the highest integrity and they are the best. Most important, they make me not wait too long.

Wednesday,  5 Sept 2012

• Traffic of WhoTalking.com started to growing back slowly since back on again.
• I told this good news to Leon. We decided to write it down and share it with all other people. We hope my story and Leon’s can help others to get their stolen domains back as soon as possible.
• The police officer also sent me an email because the E-Crime department was asking for more details such as the time and IP of the theft. I provided the information to her.

Thursday, 6 Sept 2012

• Keep monitoring my domain and emails. Seemed all good.

Friday, 7 Sept 2012

• Finally got some response from ICANN telling me what I can do if I am trying to obtain the rights to a domain name that somebody else has already registered… OMG, they still haven’t figured out what’s going on. It’s a theft, not I try to get something which actually belongs to others.

Some thoughts:

1. When Google warned me about a suspicious access at the first place, I should have immediately thought of all the possibilities a hacked email could mean. However the only thing I did was just to change the password since there seemed nothing abnormal and missing. I should have checked all the settings of my Gmail account. He actually set 2 filters to filter out emails from CrazyDomains and Register.com. If I could have found out these 2 filters, I should be able to realized that the whole unauthorized access was actually about my domain.
2. I should have checked my domain settings more often. Or set up an alert of any WhoIs information change(DomainTools.com might have this kind of alert services). The first change the hacker did was just the registrant email. And he did it 1 week before I have noticed the domain has been stolen. If I have checked my domain detail more often, I might be able to stop the theft before the hacker transferred my domain out.
3. Hackers usually plan the theft at the good timing. During the weekdays, they will get the transfer done but leave the name server as normal. And just at the start of weekend or a long holiday(as for Leon, his name was transferred to a Russian register just before a long holiday of Russia), they will change the name server to let you realize your domain has gone. Why? Because during weekend and holidays, you can’t find anyone to help you. Nobody at registrars is working. All the authorities are not responsive( as they are already lazy all the time). Then you will be very panic and ready to take whatever offers they gave you.
4. Don’t use CrazyDomains. Although their domain prices are cheap, their services are much cheaper. Leon was using GoDaddy when his domain was stolen. GoDaddy at least tried to contact the gaining registrar to talk about this incident no matter it’s helpful or not in the end. It’s an attitude that your registrar is willing to do something for you. I have been with CrazyDomains for years and recommended so many people to them. What do I get from them? The only thing they did for me was keep telling me: Unfortunately, there is nothing we can do. I think this should be their slogan: “There is nothing we can do. Crazy huh? Yes we are CrazyDomains!” By today, I have already transferred out all the domains out from them. I don’t care about extra dollars spent on a better registrar as long as they care about their clients.
5. BookMyName.com is good. Why? Because they believe me and I got the stolen domain back in only 4 days. Considering in these 4 days, 2 days are weekend plus time difference between France and Australia, technically it only took them 1 day to let me get my domain back which was actually the same day they got my complaint and documents. Leon spent almost 3 months to get his domain back from a Russian registrar. And I heard someone spent months and huge amount of money on lawsuits to get their domains back.
6. Why hackers try to sell your domain back to you? Because they can’t sell to to others. Although the domain is out of your control it still belongs to you. As this hacker says to me:”There is some kind of lock on this domain and sedo(.com) is not going to pay me unless I transfer it to their account and change the WhoIs information and this is not possible. (they will find out there is something wrong with this domain and they probably going to close my account without paying me anything)”. And remember there is a 60-90 days lock on any new transferred domain during which you can’t transfer it again. So what the hacker can do is to give you the login details in the gaining registrar so you can gain the control again, if they will really do it after you pay, which is a mystery to me.
7. Before you hire a lawyer if you have to, try all other possible ways to get your domain back. Tell as many people as possible to ask for suggestions and helps.
8. Make sure your registrant email is safe. Don’t be afraid of the tedious and complicated steps of security verification. Better safe than complicated.
9. Do not choose registrars only based on the price. Choose someone is willing to give you a hand when something is going wrong. Some registrar will call you or require a call from you to unlock a domain name.

Something else:

1. Hackers will only steal valuable domains. This hacker hacked into my CrazyDomains account but only stole 1 domain and left rest of other domains untouched just because only WhoTalking.com is valuable. And that’s also why he wanted to hack my domain.
2. The only good thing hackers did for you will be: they paid for at least 1 year renewal fee when transferring your domain out.
3. Google how to avoid your domain names being stolen.
4. Do not trust the one stole things from you.
5. There are a few domain registrars (such as GetYour.iD) providing 2-step authentication now to prevent domain names being transferred out without your personal mobile phone.
6. Thanks to BookMyName.com
7. Thanks to Leon Bambrik – http://www.secretgeek.net/sg_hijack_1.asp