
Sedo scammers take advantage of email predictability

Posted by Acro in Business, Domains, Social issues on September 7th, 2008

It was in early 2000 when one of my few - back then - domains got hijacked by a Turkish hacker. He picked that particular domain because it’s a very common Greek cussword, shared equally with our eastern neighbors. The domain was registered with Network Solutions, which back then offered an update process via email. With each WHOIS info change, an email was sent out to be acknowledged or denied by the administrative contact.

The problem was its predictability: the format was identical each time, the changes to be made were obvious and the information conveyed was sent in the clear. All a hacker had to do - and many did - was initiate an update via the NetSol web site and then send a fake email that appeared to come from the administrative contact, authorizing the changes!

Simple and brilliant.
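The weakness described above is that the authorization step could be satisfied by anyone able to forge the reply, because nothing in the process was secret or unpredictable. The following is an added example, not code from the original post or from any registrar, of how such a change-confirmation flow can be built so that a forged reply approves nothing: the notification email carries a random single-use token, the server stores only an HMAC of it bound to the exact change, and the token is checked when the link is opened in an authenticated session. The key, the in-memory store and the change fields are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Pending change requests keyed by token id (constructed in-memory store; a
# real system persists the same fields in a database).
PENDING = {}

TOKEN_TTL = 15 * 60  # seconds a confirmation link stays valid


def _digest(token_id, secret, change):
    # Bind the secret to the exact change so a link issued for one request
    # cannot approve a different one, and store only the HMAC, not the secret.
    material = "|".join([token_id, secret] + [f"{k}={v}" for k, v in sorted(change.items())])
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


def issue_confirmation(change, now=None):
    """Record a requested change (e.g. {"domain": ..., "field": ..., "new_value": ...})
    and return the one-time token to embed in the confirmation link. Nothing in
    the notification email lets a reader derive the token, and replying to the
    email approves nothing: only opening the link in a logged-in session does."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)
    secret = secrets.token_urlsafe(32)
    PENDING[token_id] = {
        "change": dict(change),
        "digest": _digest(token_id, secret, change),
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return f"{token_id}.{secret}"


def confirm(token, now=None):
    """Return the change to apply if the token is well-formed, unexpired, unused
    and matches the stored request; otherwise return None."""
    now = time.time() if now is None else now
    token_id, sep, secret = token.partition(".")
    rec = PENDING.get(token_id)
    if not sep or rec is None or rec["used"] or now > rec["expires"]:
        return None
    expected = _digest(token_id, secret, rec["change"])
    if not hmac.compare_digest(expected, rec["digest"]):
        return None
    rec["used"] = True  # single use: a replayed link is rejected
    return rec["change"]


if __name__ == "__main__":
    tok = issue_confirmation({"domain": "example.com", "field": "admin_email",
                              "new_value": "new-admin@example.net"})
    print("first confirm:", confirm(tok))
    print("replay:", confirm(tok))
```

The email itself should only say that a change was requested and that the recipient should log in (or open the link) to approve or reject it; the change details need not appear in the message at all, which also removes the information leak the post mentions.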

What’s not simple and brilliant is that eight years later other companies continue to make the same mistakes in the way they implement authorization of updates in transactions. In a recent scheme, a Sedo seller received an offer for a 3-letter .com domain; the price was agreed upon and he was then emailed and told that the payment had been received and that the domain should be pushed to the buyer’s account.

The email turned out to be fake, the perpetrator once again operating from Iran (oh, the surprise!). The scammer simply replicated a notification email of the kind Sedo routinely sends to the parties in a transaction and spoofed the originating address, thus making the seller believe that the payment had been made. The seller pushed the domain to the scammer’s account with Moniker. Later on, Sedo notified the seller that no such email had been sent, that the payment was still pending and that the buyer was apparently trying to defraud the seller.

Luckily, the domain was returned thanks to the strict safety policies of Moniker. It was shown to have been stolen and it was returned to the owner. Sedo must stop sending out these full communication emails; they must simply prompt the parties involved in a transaction to log into their Sedo accounts to perform whatever step is needed. This way, no personal data is disclosed and no spoofing is possible. Sedo should follow the example of Escrow.com, which has streamlined the domain transfer process to the highest degree; if they were also a registrar it’d be the ultimate in domain reselling security. Other options exist, such as Moniker’s escrow (which requires the domains to be transferred to Moniker first), Afternic and the newly founded venture EscrowDNS.
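On the receiving side, a seller (or a mail gateway acting for one) can refuse to act on a transaction notice unless its origin is actually authenticated. The following is an added example, not code from the original post or from Sedo, Moniker or any other platform named here, that parses an inbound message, reads only the Authentication-Results header written by the recipient's own mail server (a forger can insert such a header too, so any copy bearing another authserv-id is ignored), and requires an aligned DKIM pass and a DMARC pass for the From domain before the message is treated as genuine. It also flags a message that asks the reader to perform the transfer step by hand rather than to log in, which is exactly the pattern the post argues against. The authserv-id, the trusted-domain list and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# The authserv-id that our own receiving MTA writes into Authentication-Results.
# Constructed value; set it to your mail server's identifier.
OUR_AUTHSERV_ID = "mx.example-seller.net"

# Domains from which transaction notifications are expected (constructed list).
TRUSTED_SENDER_DOMAINS = {"sedo.com"}

# Phrases that mean the email is asking for the action itself rather than
# sending the reader to the logged-in account (constructed heuristic).
ACTION_REQUEST = re.compile(r"push the domain|transfer the domain", re.I)


def sender_domain(msg):
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Return {method: (verdict, domain)} from the Authentication-Results header
    added by our own MTA; headers naming any other authserv-id are ignored."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, body = str(hdr).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for clause in body.split(";"):
            m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip(), re.I)
            if not m:
                continue
            method, verdict, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
            dm = re.search(r"header\.(?:d|from)=([\w.-]+)", rest)
            results[method] = (verdict, dm.group(1).lower() if dm else None)
    return results


def assess(raw):
    """Classify a raw RFC 5322 message as ('trusted', []) or ('untrusted', reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    dom = sender_domain(msg)
    auth = parse_auth_results(msg)
    reasons = []
    if dom not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"From domain {dom!r} is not a platform domain")
    dkim = auth.get("dkim")
    if not dkim or dkim[0] != "pass" or dkim[1] != dom:
        reasons.append("no aligned DKIM pass from our MTA")
    dmarc = auth.get("dmarc")
    if not dmarc or dmarc[0] != "pass":
        reasons.append("no DMARC pass")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if ACTION_REQUEST.search(body):
        reasons.append("email asks for the transfer action instead of directing to the account")
    return ("untrusted" if reasons else "trusted", reasons)


# Constructed sample: a genuine notice, authenticated by our own MTA.
LEGIT_MSG = """From: Sedo Transfer Service <transfer@sedo.com>
To: seller@example-seller.net
Subject: Payment received for abc.com
Authentication-Results: mx.example-seller.net; spf=pass smtp.mailfrom=sedo.com; dkim=pass header.d=sedo.com; dmarc=pass header.from=sedo.com

The buyer's payment has arrived. Please log in to your Sedo account to complete the next step.
"""

# Constructed sample: a spoofed notice. Our MTA records the failures; a second,
# forged Authentication-Results header from another relay must be ignored.
SPOOFED_MSG = """From: Sedo Transfer Service <transfer@sedo.com>
To: seller@example-seller.net
Subject: Payment received for abc.com
Authentication-Results: other-relay.example; dkim=pass header.d=sedo.com
Authentication-Results: mx.example-seller.net; spf=fail smtp.mailfrom=sedo.com; dkim=none; dmarc=fail header.from=sedo.com

Payment received. Please push the domain to the buyer's account now.
"""

if __name__ == "__main__":
    print(assess(LEGIT_MSG))
    print(assess(SPOOFED_MSG))
```

The check is only as good as the MTA that writes the header: it assumes the receiving server strips or renames any Authentication-Results lines arriving from outside that carry its own authserv-id, which is the behaviour RFC 8601 asks of it. Even a fully authenticated notice should still send the seller to the platform to verify payment status there rather than act on the email's text.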

It’s important to learn the lessons of the past, to avoid anguish in the future.