Closed Thread
Results 1 to 20 of 94

Thread: ESE.com hijacked at moniker

  1. #1
    Last Activity Yesterday 12:52 PM
    alldig's Avatar

    Join Date
    Jul 2002
    Location
    Princeton, NJ
    Country
    Posts
    1,198
    DNF$
    130

    ESE.com hijacked at moniker

    On August 20th a person named "j p" ( originalprogz@gmail.com ) contacted me via email and I agreed to sell him ese.com for 33k via sedo.

    On September 2nd we entered into an agreement on sedo at US $33,000.

    On September 4th I received the following email from colin.finnan@sedo.com :

    Dear Mr. Ambrose,

    Congratulations on your purchase.

    Before you can begin the process to assume ownership of this domain you need to place your payment for this domain in escrow on our escrow account.

    For your records we have created a payment request for this transaction that you can access in your account under the "Billing" section. Please feel free to print or use this invoice as necessary. This invoice also contains information on the possible ways of paying the money into our account, as well as our own account/Paypal details.

    Shortly after we confirm receipt of payment we will inform the seller and send an email instructing you as to what steps are needed to process the ownership change. It is often the case that certain preparatory steps need to be taken with the seller prior to providing you with further instructions, so we ask for your patience in this matter.

    Should you have any questions or concerns please feel free to contact us at the email address listed below.

    This is an automatically generated notification. Please do not reply to this email.

    Best regards,

    Colin
    --
    Colin Finnan
    Key Accounts Manager/Transfer Consultant
    Sedo.com :: 161 First Street :: Cambridge, MA 02142
    tel: 617-499-7205 :: fax: 617-499-7203
    email: http://www.sedo.com :: colin.finnan@sedo.com

    Confidentiality Statement: This e-mail, including attachments,
    may include confidential and/or proprietary information, and may
    be used only by the person or entity to which it is addressed.
    If the reader of this e-mail is not the intended recipient or his or her
    authorized agent, the reader is hereby notified that any
    dissemination, distribution or copying of this e-mail is prohibited.
    If you have received this e-mail in error, please notify the sender
    by replying to this message and delete this e-mail immediately.

    I pushed ese.com to the Moniker account listed in the email shortly after.

    On September 5th I received the following email from andygrow@yahoo.com :

    hi
    it this your domain ese.com?
    i wan't to buy this domain from some one ....
    i think he is hacked this domain ......
    im waiting your response

    thanks

    Just a few hours ago I received a phone call from Martin Osusky of Sedo notifying me that the email that was sent on September 4th from colin.finnan@sedo.com was a spoof email and that I had pushed ese.com to the hijacker's Moniker account. Luckily Martin caught this early on and he has already contacted Moniker. The domain was on ACTIVE status but about 30 minutes ago it was changed to REGISTRAR LOCK.
    -Mike


  2. #2
    Success Is My Only Option
    Last Activity 12-03-2009 10:14 AM
    Carter's Avatar

    Join Date
    Jul 2008
    Location
    Italy
    Country
    Posts
    4,230
    DNF$
    27,107
    Bad story man! :(
    I thought about buying ESE.com in the Latona newsletter a few weeks ago.

    Tell me if I can help you.


  3. #3
    Last Activity Yesterday 12:52 PM
    alldig's Avatar

    Join Date
    Jul 2002
    Location
    Princeton, NJ
    Country
    Posts
    1,198
    DNF$
    130
    Originally posted by Carter:
    Bad story man! :(
    I thought about buying ESE.com in the Latona newsletter a few weeks ago.

    Tell me if I can help you.

    Monte and Moniker have put the domain on lock and are investigating this case. When the domain is pushed back to my Moniker account it will be for sale again (an offer around the 30k mark will secure the domain). Thanks for the support.

    I copy / pasted the wrong email into my initial post. The email I received from colin.finnan@sedo.com on September 4th read:

    Dear Mr. Ambrose,

    Now that the buyer has made payment into Our escrow account you can push the ese.com domain
    into our Moniker account and finish your part of this transfer.

    Please log into your Moniker account, Go to your Domain management ,Click on Push Button

    And Do The Push with following information:

    Account number: 77514
    Authorization Code: FFC97F476A
    Email: transferserives@sedo.com
    domain name: ese.com

    As soon as the domain is in our Moniker account, we will be able to process
    your payment.

    Now would be a good time to ensure that your payment information with Sedo is
    accurate. Please click on the following link:

    http://www.sedo.com/member/bankdata.php4

    and login to your Sedo account, in order to verify your information.

    Should you have any questions or difficulties with this step please let us
    know.

    Best regards,

    Colin Finnan
    Domain-Transfers
    --
    Sedo GmbH :: Im Mediapark 6 ::50670 Cologne (Germany)
    tel +49 221.34030.188 :: fax +49 221.34030.109
    http://www.sedo.com :: mailto: colin.finnan@sedo.com

    District Court of Cologne HRB 35019
    Board of Management: Tim Schumacher, Ulrich Priesner, Marius W?

    Confidentiality Statement:
    This e-mail, including attachments, may include confidential and/or proprietary
    information, and may be used only by the person or entity to which it is
    addressed. If the reader of this e-mail is not the intended recipient or his or
    her authorized agent, the reader is hereby notified that any dissemination,
    distribution or copying of this e-mail is prohibited. If you have received this
    e-mail in error, please notify the sender by replying to this message and
    delete this e-mail immediately.
    Last edited by alldig; 09-06-2008 at 05:15 PM. Reason: Automerged Doublepost
    -Mike


  4. #4
    Bloody lovely
    Last Activity Today 01:59 PM
    Acro's Avatar

    Join Date
    Feb 2004
    Location
    USA
    Country
    Posts
    24,173
    DNF$
    5,217
    Yet another Sedo flaw that goes back to the days of the NetSol transfer email spoofing. Sedo should not send these emails out - some containing auth keys - they should ONLY send notifications asking you to log into your account to perform the task.

    Can you post the email headers here?
    Last edited by Acro; 09-06-2008 at 05:45 PM. Reason: Automerged Doublepost

    DomainGang.com - Digital Entertainment for Domainers
    Acroplex - Web & Graphics
    Acro.net - My Blog


  5. #5
    T_T
    Last Activity 02-05-2010 12:08 PM
    rentdn's Avatar

    Join Date
    Aug 2004
    Location
    Armenia
    Country
    Posts
    797
    DNF$
    4,719
    I never thought about such a scam before. Those a**holes are doing everything just to get something which they do not deserve to own.


  6. #6
    DNF Addict
    Last Activity Today 02:01 PM
    randomo's Avatar

    Join Date
    Nov 2002
    Country
    Posts
    2,293
    DNF$
    8,857
    There were some dead giveaways in the September 4th email: the wording was rough, and the capitalization and punctuation were poor. Scammers seldom speak the Queen's English.

    Having said that ... whenever I receive a request to perform an action on a Sedo sale, I always log into my Sedo account and make sure that the progress of the transaction is correctly reflected there, before I make the payment or push the domain.

    Good luck, glad to hear that Moniker seems to have things under control for you!

    P.S. Sedo has been around a long time, and they have a much smaller Moniker account number than the one in that letter!
    Last edited by randomo; 09-06-2008 at 06:13 PM. Reason: Automerged Doublepost

    If you know someone with one of these names, I have a great domain for them:

    Eamonn / Harriet / Helen / Henry / Isadore / Joan / Piet / William / etc.!


  7. #7
    Success Is My Only Option
    Last Activity 12-03-2009 10:14 AM
    Carter's Avatar

    Join Date
    Jul 2008
    Location
    Italy
    Country
    Posts
    4,230
    DNF$
    27,107
    Acro, it's time to create a new article on your blog about this new scam.


  8. #8
    Last Activity 01-30-2010 11:05 AM
    gemsergio's Avatar

    Join Date
    Apr 2003
    Country
    Posts
    693
    DNF$
    12,976
    Wow I would have probably fallen for it.
    Smiletrain.org

    250 USD can really change a life.

    Atheist and proud.

    On the first day, man created God.

    Religion is regarded by the common people as true, by the wise as false, and by the rulers as useful.

    The spanish gay
    community is now live. gay.es


  9. #9
    Last Activity Yesterday 12:52 PM
    alldig's Avatar

    Join Date
    Jul 2002
    Location
    Princeton, NJ
    Country
    Posts
    1,198
    DNF$
    130
    Originally posted by Acro:
    Yet another Sedo flaw that goes back to the days of the NetSol transfer email spoofing. Sedo should not send these emails out - some containing auth keys - they should ONLY send notifications asking you to log into your account to perform the task.

    Can you post the email headers here?

    Return-Path: <pejudgem@tmz.tmzhosting.com>
    Received: from smtp6.hushmail.com (smtp6.hushmail.com [65.39.178.137])
        by imap9.hushmail.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4) with LMTPA;
        Thu, 04 Sep 2008 16:06:54 +0000
    X-Sieve: CMU Sieve 2.2
    Received: from tmz.tmzhosting.com (2a.88.5546.static.theplanet.com [70.85.136.42])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by smtp6.hushmail.com (Postfix) with ESMTP
        for <admin@domainhighway.com>; Thu, 4 Sep 2008 16:06:52 +0000 (UTC)
    Received: from pejudgem by tmz.tmzhosting.com with local (Exim 4.69)
        (envelope-from <pejudgem@tmz.tmzhosting.com>)
        id 1KbFih-00039Q-1s; Thu, 04 Sep 2008 09:21:59 -0500
    To: admin@domainhighway.com
    Subject: Transfer of ese.com
    X-PHP-Script: www.foolex.com/fake/ese/email.php for 91.98.154.140
    From: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
    Reply-To: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
    To:<admin@domainhighway.com>
    Mime-Version: 1.0
    Content-type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit
    Message-Id: <E1KbFih-00039Q-1s@tmz.tmzhosting.com>
    Date: Thu, 04 Sep 2008 09:21:59 -0500
    X-TmzHosting-MailScanner-Information: Please contact the ISP for more information
    X-MailScanner-ID: 1KbFih-00039Q-1s
    X-TmzHosting-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
    X-TmzHosting-MailScanner-SpamCheck:
    X-TmzHosting-MailScanner-From: pejudgem@tmz.tmzhosting.com
    X-Spam-Status: No
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - tmz.tmzhosting.com
    X-AntiAbuse: Original Domain - domainhighway.com
    X-AntiAbuse: Originator/Caller UID/GID - [32209 32212] / [47 12]
    X-AntiAbuse: Sender Address Domain - tmz.tmzhosting.com

    It looks like the guy used www.foolex.com/fake/ese/email.php to generate/send the email. If you click on that link the same exact email that I received on Sept 4th will be sent to admin@domainhighway.com
    Last edited by alldig; 09-06-2008 at 06:47 PM. Reason: Automerged Doublepost
    -Mike
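
A triage check over the headers posted in #9, as an added example that is not part of the original thread: it flags a From domain that disagrees with the envelope sender and Message-Id, a web-script origin header, and a Received chain that never mentions the From domain. The function names are hypothetical and the sample input is abridged from the post above.

```python
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers posted in #9 (folded lines re-indented).
RAW_HEADERS = """\
Return-Path: <pejudgem@tmz.tmzhosting.com>
Received: from tmz.tmzhosting.com (2a.88.5546.static.theplanet.com [70.85.136.42])
    by smtp6.hushmail.com (Postfix) with ESMTP
    for <admin@domainhighway.com>; Thu, 4 Sep 2008 16:06:52 +0000 (UTC)
Received: from pejudgem by tmz.tmzhosting.com with local (Exim 4.69)
    (envelope-from <pejudgem@tmz.tmzhosting.com>)
    id 1KbFih-00039Q-1s; Thu, 04 Sep 2008 09:21:59 -0500
Subject: Transfer of ese.com
X-PHP-Script: www.foolex.com/fake/ese/email.php for 91.98.154.140
From: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
Message-Id: <E1KbFih-00039Q-1s@tmz.tmzhosting.com>
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_org(a, b):
    """Heuristic: equal domains, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def spoof_indicators(raw):
    """Return triage findings for a raw header block (heuristics, not proof)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and not same_org(rp_dom, from_dom):
        findings.append(f"return-path-mismatch: envelope {rp_dom}, From {from_dom}")
    mid_dom = domain_of(msg["Message-Id"])
    if mid_dom and not same_org(mid_dom, from_dom):
        findings.append(f"message-id-mismatch: generated at {mid_dom}")
    if msg["X-PHP-Script"]:  # the header the poster used to locate the script
        findings.append("web-script-origin: " + msg["X-PHP-Script"])
    hops = " ".join(msg.get_all("Received", [])).lower()
    if from_dom and from_dom not in hops:
        findings.append(f"no-relay-for-from-domain: {from_dom} absent from Received chain")
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(RAW_HEADERS):
        print(finding)
```

These are triage signals rather than proof, since legitimate bulk senders also use a different envelope domain; a hit is a reason to confirm the transaction state inside the marketplace account before acting, as post #6 describes.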


  10. #10
    Bloody lovely
    Last Activity Today 01:59 PM
    Acro's Avatar

    Join Date
    Feb 2004
    Location
    USA
    Country
    Posts
    24,173
    DNF$
    5,217
    http://whois.domaintools.com/foolex.com is a newly registered domain from Iran.

    The IP is also in Iran.
    Last edited by Acro; 09-06-2008 at 06:52 PM. Reason: Automerged Doublepost



  11. #11
    DNStore.com
    Last Activity Today 09:07 AM
    owntag's Avatar

    Join Date
    Jul 2006
    Location
    U.K
    Country
    Posts
    1,492
    DNF$
    935
    The fake email script is hosted at tmzhosting? I have an account there on their server.


  12. #12
    Bloody lovely
    Last Activity Today 01:59 PM
    Acro's Avatar

    Join Date
    Feb 2004
    Location
    USA
    Country
    Posts
    24,173
    DNF$
    5,217
    Contact TMZHosting.com to let them know that they have a thief on their network.

    They also own this domain http://whois.domaintools.com/pejudgement.com
    Last edited by Acro; 09-06-2008 at 06:55 PM. Reason: Automerged Doublepost



  13. #13
    Success Is My Only Option
    Last Activity 12-03-2009 10:14 AM
    Carter's Avatar

    Join Date
    Jul 2008
    Location
    Italy
    Country
    Posts
    4,230
    DNF$
    27,107
    These bastards...


  14. #14
    Bloody lovely
    Last Activity Today 01:59 PM
    Acro's Avatar

    Join Date
    Feb 2004
    Location
    USA
    Country
    Posts
    24,173
    DNF$
    5,217
    Last edited by Acro; 09-06-2008 at 07:06 PM. Reason: Automerged Doublepost



  15. #15
    DNF Addict
    Last Activity 01-10-2010 02:13 PM

    Join Date
    Nov 2003
    Location
    Montreal
    Country
    Posts
    1,742
    DNF$
    1,313
    I recently was contacted also by a gmail address asking me to sell my domains via sedo.
    We agreed on a price for both domains, but Sedo canceled the transactions letting me know that something did not seem right about the bidder.
    The bidder never replied to Sedo's emails, and 1 day after my accounts were all hacked.
    I don't know if there is a link between the buyer and my hacked accounts, but it seems like these bidders are throwing you into sedo and then causing some damage somehow...


  16. #16
    DNF Addict
    Last Activity Yesterday 11:30 AM
    James's Avatar

    Join Date
    Feb 2004
    Location
    NEPA.US
    Country
    Posts
    2,198
    DNF$
    9,513
    So how was it hijacked from moniker as stated in the thread title ??
    You pushed it to a user account and moniker locked it when notified from sedo ??
    Sorry but hijacked..to me ..means taken from..not pushed to
    But at least it was caught..thanks for the heads-up..will look more closely at those sedo emails

    jim
    Note:My posted Sales Prices are valid for 3 Days only
    Most my domains listed for sale are available at sedo.com


  17. #17
    Success Is My Only Option
    Last Activity 12-03-2009 10:14 AM
    Carter's Avatar

    Join Date
    Jul 2008
    Location
    Italy
    Country
    Posts
    4,230
    DNF$
    27,107
    Originally posted by bdjuf:
    I recently was contacted also by a gmail address asking me to sell my domains via sedo.
    We agreed on a price for both domains, but Sedo canceled the transactions letting me know that something did not seem right about the bidder.
    The bidder never replied to Sedo's emails, and 1 day after my accounts were all hacked.
    I don't know if there is a link between the buyer and my hacked accounts, but it seems like these bidders are throwing you into sedo and then causing some damage somehow...

    Same thing happened to me more than one month ago.
    I've had to change all my usernames, passwords, accounts.
    Here too.


  18. #18
    Domaining on steroids
    Last Activity Today 01:27 PM
    sdsinc's Avatar

    Join Date
    Jul 2005
    Location
    unfree world
    Country
    Posts
    4,954
    DNF$
    22,279
    Any E-mail can be faked, including paypal notifications.
    Always log in to your paypal account to check if the money actually is there.

    Also have a look at this:
    http://www.foolex.com/fake/

    The scummer is ready to strike against other domains


  19. #19
    Bloody lovely
    Last Activity Today 01:59 PM
    Acro's Avatar

    Join Date
    Feb 2004
    Location
    USA
    Country
    Posts
    24,173
    DNF$
    5,217
    Looks like EYS.com is being worked on!!
    http://whois.domaintools.com/eys.com

    Check out the whois.



  20. #20
    Success Is My Only Option
    Last Activity 12-03-2009 10:14 AM
    Carter's Avatar

    Join Date
    Jul 2008
    Location
    Italy
    Country
    Posts
    4,230
    DNF$
    27,107
    Originally posted by Acro:
    Looks like EYS.com is being worked on!!
    http://whois.domaintools.com/eys.com

    Check out the whois.

    This rat loves LLL.com's starting with "E"

