Posts Tagged ‘Stolen Domains’

Namejet as a Trojan Horse: The sacking of Four Valuable domains while paying for only one

Posted by Acro in Business, Domains on August 11th, 2010

Here’s the summary for the impatient:

The domains jis.com, Leading.net, Southeast.net and Jaxnet.com are currently in the hands of a person who took control of a managing domain’s account and impersonated its owner.

I’m sure you want the juicy details, so please bear with me for a while, as I take a trip down memory lane.

The year is 1998 and I’ve just landed my first job in the US.

The company name: Leading Network Solutions – headquartered in Jacksonville, Florida.

As the newly hired web & graphics designer I’m substituting a good-for-nothing “photographer”; along with a ColdFusion programmer we start churning out the new web site for this “mom and pop” ISP, along with web sites for numerous clients.

Leading Net, as it was called for short, was by no means small but it was led by a married couple of Floridians who loved technology and aspired to make it big – and they did only because of hard work and honest hands.

Karl Renaut and his wife, Loretta managed a team of less than 20 people, including the Creative Services team that I was part of. There was tech support personnel for the dial-up services, support for web hosting, network engineers and system operators; we had sales guys and two shifts of ladies at the front desk. Creative Services had a designer/developer (me), a developer/programmer and during the summer of 1999 we had a really talented intern – the CS team was managed by an ambitious young man, Jason, fresh out of college, who nowadays runs his own PR firm in Jax.

From that old building in downtown Jax, we created what would become a chain of events – forging a path, a positive flow of happenings that took each of us who worked there to bigger and better things.

Karl Renaut was always soft-spoken, almost shy, a very respected guy who knew how to delegate. He gave us the go ahead, we simply had to make it happen. And we did.

Every Friday, Karl Renaut bought Papajohns pizza for the entire staff. Now, I’ve worked for some really large corporations and I can tell you that nobody else did that; at least, not every single week of the year for the entire staff and certainly not Papajohns! So Fridays were extra productive, but in all true sense we were a team of young people who loved and cared for our employers. On Karl’s birthday we were all invited to his house; we had a great time, co-workers and owners, spouses and kids, eating food and drinking beer by the pool. I will honestly say that I’ve never felt the same since; our passion was unparalleled.

Less than 6 months after I was hired we were growing fast, and on July 9, 1999 the company merged with a Florida CLEC called Florida Digital, which was based in Orlando. Suddenly, our “mom and pop” ISP became part of a corporate network named FDN.com. At the end of 1999 Creative Services was shut down and I moved to Orlando to become the FDN.com corporate designer and webmaster. FDN continued to grow by leaps and bounds, and as our paths eventually separated, I never stopped reminding myself what a great experience all this had been in such a short period of time.

End of story: This post is not about me, it’s about FloridaDigital.net and four stolen domains: jis.com, Leading.net, Southeast.net and Jaxnet.com – by now you know what the long introduction was about.

So let’s roll forward to the present – at a time when, a few weeks ago, I was surprised to see Elliot Silver making a post at his blog titled “How great domains drop“.

It was devastating to read that recipe for disaster, essentially a manual on how to hijack a valuable domain name with Karl Renaut as its registrant – jis.com – by grabbing its controlling domain, FloridaDigital.net that was expired. Was Elliot trying to publicize the incident in order to prevent any wrong-doings, or was that post simply a big gaffe?

As Murphy’s Law predicts, Karl Renaut was unreachable at exactly the time I needed to regain contact with him. Having moved out of state, the soft-spoken software engineer had moved from FDN on to Nuvox and then Windstream, in a series of what I’d like to call “life upgrades”. Along with those came phone and address changes that took us apart for several years. The old team had a reunion last year but Karl was not present, as he had moved out of Florida.

As Elliot’s commentators predicted, on July 19th – like clockwork – FloridaDigital.net entered auction at Namejet, where it was sold three days later for $2,500. A small price to pay for the keys to owning an aged three letter domain, JIS.com.

In the days that followed, I was still trying to get hold of Karl Renaut and I finally did last week after he accepted my LinkedIn invitation. I was, after all, the “front end” guy, the one who redesigned Leading.net oh-so-long ago, before it was sold to FDN.

So what is the situation right now?

I’ll start by stating that FloridaDigital.net - the domain that was purchased for $2,500 on Namejet – was used by its Namejet winner as a Trojan horse to recreate Karl Renaut’s email account and to gain access to the Network Solutions account that manages (at least) four more domains that I’m aware of.

In the past few days, I made extensive use of DomainTools to capture the daily WHOIS changes for all four domains, all of which were systematically altered – but not so much as to raise any suspicion of activity.

Here’s a timeline:

  • July 22 – Namejet account ‘freddt’ wins FloridaDigital.net for $2,500
  • JIS.com – the domain that Elliot’s post disclosed to be linked to FloridaDigital.net – was to enter auction on August 1st. It never did, as you will see.
  • July 23 – FloridaDigital.net WHOIS changes to a person in Rhode Island. I won’t be posting his info – not just yet – because it might be faked.
  • July 24 – FloridaDigital.net nameservers change from NetSol’s “pending renewal” DNS to NS/NS1.FloridaDigital.net and GoDaddy web hosting IP’s. Our guy is getting ready for the big grab.
  • July 31 – FloridaDigital.net WHOIS info changes to “Pending Renewal or Deletion”. This information is fake, because the DNS servers remain the same as before and the domain was renewed through the Namejet purchase. Our guy is trying to cover his tracks but he’s really an amateur.

So that’s when the use of FloridaDigital.net ends. Note the last day of change – July 31: the last day JIS.com would be available for renewal before entering Namejet’s auctions. It’s important to note that 139 people expected the domain to drop, pre-bidding up to $5,225 for it; little did they know that one “smart” guy had them all suckered.

Apparently, between July 29 – 30 our guy recreated the managing account “krenaut@floridadigital.net” which controlled the Network Solutions account. Since there are no records of those two days on DomainTools, we need to examine JIS.com next.

  • July 30 – JIS.com still has the “pending renewal or deletion” nameservers from Network Solutions.
  • July 31 – As if by magic, the old “Karl Renaut” account comes live in the WHOIS. Our guy creates “krenaut@floridadigital.net” and this is the time he accesses the NetSol account. Once there, he simply resets the password, creates a new one and has full access to the account and its domains.
  • August 1 – All information remains the same, except for the registrant email, which is changed to “krenaut@gmail.com”, apparently for temporary use. Once used, an attempt is made to delete that email, and it is currently not accepting email.
  • August 4 – A new email comes into play: “krenaut8@gmail.com”. Note that both emails are made so as to not raise suspicion of any foul play; as if indeed, Karl Renaut himself was tweaking things. Our guy knows, after all, that he’s probably under watch from the people that commented at Elliot’s post. Who knows, perhaps he’s one of them ;)

No further changes to JIS.com are made. It appears as if the domain is dormant, yet not renewed despite being expired. Perhaps it’s a choice made by our guy, because despite his original focus on getting JIS.com as a bonus for gaining FloridaDigital.net, it’s now too hot to handle. It’s interesting to note that while DomainTools shows the domain as still expired, the NetSol WHOIS shows that it expires in 2011 with a last update date of July 30th. This would mean that it has been renewed by the guy who took over Karl Renaut’s account at NetSol.

In fact, our guy has discovered that Karl Renaut’s account has three more nice domain names, all aged and with former traffic and glorious history:

  • JaxNet.com – Registered in 1993 by Karl Renaut as part of his original Jacksonville, FL BBS
  • Southeast.net – Registered in 1994 as Karl’s business expanded into south and east Florida and bearer of the corporate name, Southeast Network Services Inc.
  • Leading.net – Registered in 1997 – What would become Florida’s largest ISP until the merger with Florida Digital and the formation of the largest CLEC in Florida.

All three domains are now managed by the email “krenaut8@gmail.com” with the DNS being untouched; the exception being Southeast.net that is being tested on PIPEDNS.com servers with an IP of 69.175.54.106 as of August 10.

Let’s recap: Guy spends $2500 on Namejet, knowing he can also get the valuable domain JIS.com for that low price, after reading an interesting, detailed post at Elliot’s blog. Once he realizes the domain is under scrutiny, he treads slowly, but not before he takes over Karl Renaut’s NetSol account, which contains three more domain names on top of JIS.com.

It’s important to note one thing: while FloridaDigital.net expired and was lawfully acquired by that gentleman through the Namejet auction, all three domains listed above have not expired. They are, therefore, the property of Karl Renaut and of the entities that were formed from the various corporate mergers, thus they currently belong to communications giant Windstream.

Also an important thing to note: Karl Renaut did not create those monkey accounts at Gmail and did not recreate his old FloridaDigital.net account and he did not reset his old password at Network Solutions. What we have here is a case of identity fraud, impersonation and felony theft of goods valued greater than $5,000.

Karl Renaut is fully aware of this situation and pretty soon Windstream will be very interested in claiming back their stolen assets that amount in the thousands of dollars.

As for our guy, he might as well keep the domain he paid for and hopefully he will learn a lesson in the process. I somehow hope he has the decency and understanding to acknowledge his huge mistake and to timely return the domains he didn’t pay for back to their legitimate owners.
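The takeover described in this post worked because the registrar account for several live domains used a contact e-mail on a domain that was allowed to expire. As an added example (not part of the original post), the following Python audit groups a portfolio by the domain its account e-mail lives on and flags the risky ones; the domain names, dates and the 90-day warning window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample portfolio (not data from the post):
# domain -> (expiry date, contact e-mail on the registrar account).
RECORDS = {
    "old-brand.example": (date(2010, 6, 15), "owner@old-brand.example"),
    "abc.example":       (date(2010, 7, 31), "owner@old-brand.example"),
    "regional.example":  (date(2011, 3, 2),  "owner@old-brand.example"),
    "corp.example":      (date(2014, 5, 20), "hostmaster@corp.example"),
    "shop.example":      (date(2012, 1, 10), "hostmaster@corp.example"),
    "blog.example":      (date(2011, 9, 1),  "someone@freemail.example"),
}

def contact_domain(email):
    """Lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[1].strip().lower()

def audit(records, today, warn_days=90):
    """Flag every e-mail domain that registrar accounts depend on and that
    is expired, within warn_days of expiry, or outside the portfolio."""
    dependents = defaultdict(list)
    for domain, (_, email) in records.items():
        dependents[contact_domain(email)].append(domain)

    findings = []
    for mail_dom, deps in sorted(dependents.items()):
        if mail_dom not in records:
            status = "UNKNOWN"      # expiry not under our control
        else:
            days_left = (records[mail_dom][0] - today).days
            if days_left < 0:
                status = "EXPIRED"  # whoever re-registers it receives reset mail
            elif days_left <= warn_days:
                status = "EXPIRING"
            else:
                continue
        findings.append((status, mail_dom, sorted(deps)))
    return findings

if __name__ == "__main__":
    for status, mail_dom, deps in audit(RECORDS, date(2010, 7, 1)):
        print(f"{status:9} {mail_dom}: password resets for {', '.join(deps)}")
```

Each finding lists the domains whose password-reset mail would go to the flagged e-mail domain, which is the exposure a single lapsed renewal creates.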


Buying domains with other people’s money

Posted by Acro in Business, Domains, Social issues on July 11th, 2008

From behind the iron curtain of a Middle Eastern nation known for its anti-American sentiment, a self-proclaimed hacker seems to be the perpetrator of a series of recent, high profile purchases of domains – using stolen credit cards.

Using proxy servers located in Iraq, he took control of a Network Solutions user account and its main domain, Get-Hosted.com. Then, using either a credit card associated with the account or other stolen credit cards, he made purchases of domains offered for sale via the Network Solutions marketplace. These domains are brokered by two major players in the domain after-market field, BuyDomains and Fabulous.

Apparently, he tried the fraud scheme first at Fabulous, as their domains are typically priced lower. After testing the waters of his process by making several small purchases, he turned his attention to the higher-priced domains offered by BuyDomains. A week or so later, his appetite was large enough that one of these purchases made it on DNJournal: DomainTools.net was sold for $4,088.

Fabulous reacted quickly, reversing between 5 and 6 purchases of about $350 each and regaining control of the domains within days of the incident. The perpetrator, having gained experience from this test run, then decided to alter his process; the roughly 6 large purchases he made from BuyDomains were immediately transferred out to the compromised Network Solutions account and WHOIS protection was added.

Having used stolen credit cards – in other words, other people’s money – it was time now for the hacker to capitalize on the value of the assets; an estimated $25,000 worth of domains. Not too shy about declaring his location (Iraq), he created two accounts at DNForum and offered the domains for a quick sale, at extremely low prices. These aged or otherwise generic names were being offered for $200 to $500 each, with a couple of others seeking offers.

The DNForum sales thread about one of these domains, xdev.com, had a short lifespan; the domain was still listed for sale at Afternic by BuyDomains with a hefty $9,700 price tag on it. And yet, the seller was eager to take any amount of money, ranging from $1,500 up to a BIN price of $5,000. After all, he never paid a penny out of pocket for these domains. The DNForum community was quick to determine that the sale was extremely suspicious and to alert the moderators about the ongoing scam.

Other domains offered for sale included Getting.net, DomainTools.net, DoTrust.com and OrbitPay.com – all of them were being offered at unreasonably low prices. Thankfully, DomainTools.com maintains historical data on domain ownership; it was easy to see that all these domains followed the same pattern: they were sold recently by BuyDomains and were instantly transferred to Network Solutions, to an account with WHOIS shield.

It’s probably the first time that several major players in the domain market were involved as the direct victims of a scam:

  • BuyDomains and Fabulous were defrauded, giving up domains in exchange for stolen funds
  • Network Solutions & potentially Afternic were used as a Trojan Horse to facilitate the purchases through their respective marketplaces
  • Sedo was consequently used by the scammer as a point of sale for some of these domains

Additionally, Visa and Mastercard obviously had to reimburse funds and to reverse charges to the legitimate owners of these credit cards.

Currently, all of the domains appear to have been recovered in a special trust account at Network Solutions. The investigation is ongoing, with regards to the legal ramifications of this act which could amount to tens of thousands of dollars in billable time. It would not be surprising if finally the FBI and Interpol are involved in this case.

Over the course of recent years, Internet scams have proliferated into segments of the global market that were left untouched by traditional crime. It’s imperative that international politics ensure a smoother relationship and cooperation between nations, instead of leaving predatory “black holes” such as Iran, Iraq and North Korea. These criminals operating from such countries feel untouchable by the lack of law and punishment in their own countries and often engage in these acts as a “sport” or a “hobby” – gaining bragging rights among their peers.

However, when other people’s money is involved, it’s not a game anymore.
