DNForum - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars

Post #1 by alldig (Michael Ambrose), 09-06-2008, 03:53 PM

ESE.com hijacked at moniker

On August 20th a person named "j p" ( originalprogz@gmail.com ) contacted me via email and I agreed to sell him ese.com for 33k via sedo.

On September 2nd we entered into an agreement on sedo at US $33,000.

On September 4th I received the following email from colin.finnan@sedo.com :

Quote:
Dear Mr. Ambrose,

Congratulations on your purchase.

Before you can begin the process to assume ownership of this domain you need to place your payment for this domain in escrow on our escrow account.

For your records we have created a payment request for this transaction that you can access in your account under the "Billing" section. Please feel free to print or use this invoice as necessary. This invoice also contains information on the possible ways of paying the money into our account, as well as our own account/Paypal details.

Shortly after we confirm receipt of payment we will inform the seller and send an email instructing you as to what steps are needed to process the ownership change. It is often the case that certain preparatory steps need to be taken with the seller prior to providing you with further instructions, so we ask for your patience in this matter.

Should you have any questions or concerns please feel free to contact us at the email address listed below.

This is an automatically generated notification. Please do not reply to this email.

Best regards,

Colin
--
Colin Finnan
Key Accounts Manager/Transfer Consultant
Sedo.com :: 161 First Street :: Cambridge, MA 02142
tel: 617-499-7205 :: fax: 617-499-7203
email: http://www.sedo.com :: colin.finnan@sedo.com

Confidentiality Statement: This e-mail, including attachments,
may include confidential and/or proprietary information, and may
be used only by the person or entity to which it is addressed.
If the reader of this e-mail is not the intended recipient or his or her
authorized agent, the reader is hereby notified that any
dissemination, distribution or copying of this e-mail is prohibited.
If you have received this e-mail in error, please notify the sender
by replying to this message and delete this e-mail immediately.

I pushed ese.com to the Moniker account listed in the email shortly after.

On September 5th I received the following email from andygrow@yahoo.com :

Quote:
hi
it this your domain ese.com?
i wan't to buy this domain from some one ....
i think he is hacked this domain ......
im waiting your response

thanks

Just a few hours ago I received a phone call from Martin Osusky of Sedo notifying me that the email that was sent on September 4th from colin.finnan@sedo.com was a spoof email and that I had pushed ese.com to the hijacker's Moniker account. Luckily Martin caught this early on and he has already contacted Moniker. The domain was on ACTIVE status but about 30 minutes ago it was changed to REGISTRAR LOCK.

Post #2 by Carter, 09-06-2008, 04:03 PM

Bad story man! :(
I thought about buying ESE.com in the Latona newsletter a few weeks ago.

Tell me if I can help you.

Post #3 by alldig (Michael Ambrose), 09-06-2008, 04:12 PM

Quote:
Originally Posted by Carter View Post
Bad story man! :(
I thought about buying ESE.com in the Latona newsletter a few weeks ago.

Tell me if I can help you.

Monte and the Moniker have put the domain on lock and are investigating this case. When the domain is pushed back to my Moniker account it will be for sale again (an offer around the 30k mark will secure the domain). Thanks for the support.

I copy / pasted the wrong email into my initial post. The email I received from colin.finnan@sedo.com on September 4th read:

Dear Mr. Ambrose,

Now that the buyer has made payment into Our escrow account you can push the ese.com domain
into our Moniker account and finish your part of this transfer.

Please log into your Moniker account, Go to your Domain management ,Click on Push Button

And Do The Push with following information:

Account number: 77514
Authorization Code: FFC97F476A
Email: transferserives@sedo.com
domain name: ese.com

As soon as the domain is in our Moniker account, we will be able to process
your payment.

Now would be a good time to ensure that your payment information with Sedo is
accurate. Please click on the following link:

http://www.sedo.com/member/bankdata.php4

and login to your Sedo account, in order to verify your information.

Should you have any questions or difficulties with this step please let us
know.

Best regards,

Colin Finnan
Domain-Transfers
--
Sedo GmbH :: Im Mediapark 6 ::50670 Cologne (Germany)
tel +49 221.34030.188 :: fax +49 221.34030.109
http://www.sedo.com :: mailto: colin.finnan@sedo.com

District Court of Cologne HRB 35019
Board of Management: Tim Schumacher, Ulrich Priesner, Marius W?

Confidentiality Statement:
This e-mail, including attachments, may include confidential and/or proprietary
information, and may be used only by the person or entity to which it is
addressed. If the reader of this e-mail is not the intended recipient or his or
her authorized agent, the reader is hereby notified that any dissemination,
distribution or copying of this e-mail is prohibited. If you have received this
e-mail in error, please notify the sender by replying to this message and
delete this e-mail immediately.

Post #4 by Acro, 09-06-2008, 04:45 PM

Yet another Sedo flaw that goes back to the days of the NetSol transfer email spoofing. Sedo should not send these emails out - some containing auth keys - they should ONLY send notifications asking you to log into your account to perform the task.

Can you post the email headers here?

Post #5 by rentdn (Hakob), 09-06-2008, 05:02 PM

I never thought about such a scam before; those a**holes are doing everything just to get something which they do not deserve to own.

Post #6 by randomo, 09-06-2008, 05:11 PM

There were some dead giveaways in the September 4th email: the wording was rough, and the capitalization and punctuation were poor. Scammers seldom speak the Queen's English.

Having said that ... whenever I receive a request to perform an action on a Sedo sale, I always log into my Sedo account and make sure that the progress of the transaction is correctly reflected there, before I make the payment or push the domain.

Good luck, glad to hear that Moniker seems to have things under control for you!

P.S. Sedo has been around a long time, and they have a much smaller Moniker account number than the one in that letter!

Post #7 by Carter, 09-06-2008, 05:17 PM

Acro, it's time to create a new article on your blog about this new scam.

Post #8 by gemsergio (sexopol deminauticus), 09-06-2008, 05:34 PM

Wow I would have probably fallen for it.

Post #9 by alldig (Michael Ambrose), 09-06-2008, 05:35 PM

Quote:
Originally Posted by Acro View Post
Yet another Sedo flaw that goes back to the days of the NetSol transfer email spoofing. Sedo should not send these emails out - some containing auth keys - they should ONLY send notifications asking you to log into your account to perform the task.

Can you post the email headers here?

Return-Path: <pejudgem@tmz.tmzhosting.com>
Received: from smtp6.hushmail.com (smtp6.hushmail.com [65.39.178.137])
    by imap9.hushmail.com (Cyrus v2.2.12-Invoca-RPM-2.2.12-8.1.RHEL4) with LMTPA;
    Thu, 04 Sep 2008 16:06:54 +0000
X-Sieve: CMU Sieve 2.2
Received: from tmz.tmzhosting.com (2a.88.5546.static.theplanet.com [70.85.136.42])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by smtp6.hushmail.com (Postfix) with ESMTP
    for <admin@domainhighway.com>; Thu, 4 Sep 2008 16:06:52 +0000 (UTC)
Received: from pejudgem by tmz.tmzhosting.com with local (Exim 4.69)
    (envelope-from <pejudgem@tmz.tmzhosting.com>)
    id 1KbFih-00039Q-1s; Thu, 04 Sep 2008 09:21:59 -0500
To: admin@domainhighway.com
Subject: Transfer of ese.com
X-PHP-Script: www.foolex.com/fake/ese/email.php for 91.98.154.140
From: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
Reply-To: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
To:<admin@domainhighway.com>
Mime-Version: 1.0
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Message-Id: <E1KbFih-00039Q-1s@tmz.tmzhosting.com>
Date: Thu, 04 Sep 2008 09:21:59 -0500
X-TmzHosting-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: 1KbFih-00039Q-1s
X-TmzHosting-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-TmzHosting-MailScanner-SpamCheck:
X-TmzHosting-MailScanner-From: pejudgem@tmz.tmzhosting.com
X-Spam-Status: No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tmz.tmzhosting.com
X-AntiAbuse: Original Domain - domainhighway.com
X-AntiAbuse: Originator/Caller UID/GID - [32209 32212] / [47 12]
X-AntiAbuse: Sender Address Domain - tmz.tmzhosting.com

It looks like the guy used www.foolex.com/fake/ese/email.php to generate/send the email. If you click on that link the same exact email that I received on Sept 4th will be sent to admin@domainhighway.com
Last edited by alldig; 09-06-2008 at 05:47 PM.. Reason: Automerged Doublepost
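
The checks a recipient could run on the headers posted above, as an added example that is not part of the original thread: it flags where the envelope sender, Message-Id, X-PHP-Script header and first Received hop contradict the sedo.com From line. The header sample is an abridged copy of the post; the function names and the two-label domain comparison are assumptions of this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the headers posted above; folded lines are re-indented
# because the forum paste lost the leading whitespace.
RAW_HEADERS = """\
Return-Path: <pejudgem@tmz.tmzhosting.com>
Received: from tmz.tmzhosting.com (2a.88.5546.static.theplanet.com [70.85.136.42])
\tby smtp6.hushmail.com (Postfix) with ESMTP
\tfor <admin@domainhighway.com>; Thu, 4 Sep 2008 16:06:52 +0000 (UTC)
Received: from pejudgem by tmz.tmzhosting.com with local (Exim 4.69)
\t(envelope-from <pejudgem@tmz.tmzhosting.com>)
\tid 1KbFih-00039Q-1s; Thu, 04 Sep 2008 09:21:59 -0500
To: admin@domainhighway.com
Subject: Transfer of ese.com
X-PHP-Script: www.foolex.com/fake/ese/email.php for 91.98.154.140
From: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
Reply-To: "colin.finnan@sedo.com" <colin.finnan@sedo.com>
Message-Id: <E1KbFih-00039Q-1s@tmz.tmzhosting.com>
Date: Thu, 04 Sep 2008 09:21:59 -0500

"""

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Last two labels; an assumption that ignores multi-label public suffixes."""
    return ".".join(domain.split(".")[-2:])

def spoof_indicators(raw):
    """Return (code, detail) pairs for headers that contradict the From line."""
    msg = message_from_string(raw)
    from_dom = org_domain(domain_of(msg["From"]))
    findings = []
    for code, header in (("envelope-mismatch", "Return-Path"),
                         ("message-id-mismatch", "Message-Id")):
        dom = domain_of(msg[header])
        if dom and org_domain(dom) != from_dom:
            findings.append((code, f"{header} domain {dom} vs From {from_dom}"))
    if msg["X-PHP-Script"]:
        findings.append(("web-script", msg["X-PHP-Script"]))
    hops = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    if any(" with local " in hop for hop in hops):
        findings.append(("local-submission", "first hop was a local account, not SMTP"))
    return findings

if __name__ == "__main__":
    for code, detail in spoof_indicators(RAW_HEADERS):
        print(f"{code}: {detail}")
```

Sender-domain mismatches also occur with legitimate bulk mailers, so a finding is a reason to confirm the transaction inside the marketplace account before acting on the email.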

Post #10 by Acro, 09-06-2008, 05:51 PM

http://whois.domaintools.com/foolex.com is a newly registered domain from Iran.

The IP is also in Iran.

Post #11 by owntag, 09-06-2008, 05:52 PM

The fake email script is hosted at tmzhosting? I have an account there on their server.

Post #12 by Acro, 09-06-2008, 05:53 PM

Contact TMZHosting.com to let them know that they have a thief on their network.

They also own this domain http://whois.domaintools.com/pejudgement.com

Post #13 by Carter, 09-06-2008, 05:57 PM

These bastards...

Post #14 by Acro, 09-06-2008, 06:00 PM

This might also be of interest.

Also this one.

Start digging here...the vermin's nest.

Some more trails. All point to Iran.

Post #15 by bdjuf (Robert), 09-06-2008, 06:24 PM

I recently was contacted also by a gmail address asking me to sell my domains via sedo.
We agreed on a price for both domains, but Sedo canceled the transactions letting me know that something did not seem right about the bidder.
The bidder never replied to Sedo's emails, and 1 day after my accounts were all hacked.
I don't know if there is a link between the buyer and my hacked accounts, but it seems like these bidders are throwing you into sedo and then causing some damage somehow...

Post #16 by James (Jim), 09-06-2008, 06:24 PM

So how was it hijacked from Moniker as stated in the thread title?
You pushed it to a user account and Moniker locked it when notified by Sedo?
Sorry, but hijacked, to me, means taken from, not pushed to.
But at least it was caught. Thanks for the heads-up; I will look more closely at those Sedo emails.

jim

Post #17 by Carter, 09-06-2008, 06:27 PM

Quote:
Originally Posted by bdjuf View Post
I recently was contacted also by a gmail address asking me to sell my domains via sedo.
We agreed on a price for both domains, but Sedo canceled the transactions letting me know that something did not seem right about the bidder.
The bidder never replied to Sedo's emails, and 1 day after my accounts were all hacked.
I don't know if there is a link between the buyer and my hacked accounts, but it seems like these bidders are throwing you into sedo and then causing some damage somehow...

The same thing happened to me more than one month ago.
I've had to change all my usernames, passwords, accounts.
Here too.

Post #18 by sdsinc (Kate), 09-06-2008, 06:45 PM

Any E-mail can be faked, including paypal notifications.
Always log in to your paypal account to check if the money actually is there.

Also have a look at this:
http://www.foolex.com/fake/

The scummer is ready to strike against other domains

Post #19 by Acro, 09-06-2008, 06:49 PM

Looks like EYS.com is being worked on!!
http://whois.domaintools.com/eys.com

Check out the whois.

Post #20 by Carter, 09-06-2008, 06:59 PM

Quote:
Originally Posted by Acro View Post
Looks like EYS.com is being worked on!!
http://whois.domaintools.com/eys.com

Check out the whois.

This rat loves LLL.coms starting with "E"

All times are GMT -5.