Namejet as a Trojan Horse: The sacking of Four Valuable domains while paying for only one

Here’s the summary for the impatient:

The domains jis.com, Leading.net, Southeast.net and Jaxnet.com are currently in the hands of a person who took control of a managing domain’s account and impersonated its owner.

I’m sure you want the juicy details, so please bear with me for a while, as I take a trip down memory lane.

The year is 1998 and I’ve just landed my first job in the US.

The company name: Leading Network Solutions – headquartered in Jacksonville, Florida.

As the newly hired web & graphics designer I’m substituting a good-for-nothing “photographer”; along with a ColdFusion programmer we start churning out the new web site for this “mom and pop” ISP, along with web sites for numerous clients.

Leading Net, as it was called for short, was by no means small but it was led by a married couple of Floridians who loved technology and aspired to make it big – and they did only because of hard work and honest hands.

Karl Renaut and his wife, Loretta managed a team of less than 20 people, including the Creative Services team that I was part of. There was tech support personnel for the dial-up services, support for web hosting, network engineers and system operators; we had sales guys and two shifts of ladies at the front desk. Creative Services had a designer/developer (me), a developer/programmer and during the summer of 1999 we had a really talented intern – the CS team was managed by an ambitious young man, Jason, fresh out of college, who nowadays runs his own PR firm in Jax.

From that old building in downtown Jax, we created what would become a chain of events – forging a path, a positive flow of happenings that took each of us who worked there to bigger and better things.

Karl Renaut was always soft-spoken, almost shy, a very respected guy who knew how to delegate. He gave us the go ahead, we simply had to make it happen. And we did.

Every Friday, Karl Renaut bought Papajohns pizza for the entire staff. Now, I’ve worked for some really large corporations and I can tell you that nobody else did that; at least, not every single week of the year for the entire staff and certainly not Papajohns! So Fridays were extra productive, but in all true sense we were a team of young people who loved and cared for our employers. On Karl’s birthday we were all invited to his house; we had a great time, co-workers and owners, spouses and kids, eating food and drinking beer by the pool. I will honestly say that I’ve never felt the same since; our passion was unparalleled.

Less than 6 months after I was hired we were growing fast, and on July 9, 1999 the company merged with a Florida CLEC called Florida Digital, which was based in Orlando. Suddenly, our “mom and pop” ISP became part of a corporate network named FDN.com. At the end of 1999 Creative Services was shut down and I moved to Orlando to become the FDN.com corporate designer and webmaster. FDN continued to grow by leaps and bounds, and as our paths eventually separated, I never stopped reminding myself what a great experience all this had been in such a short period of time.

End of story: This post is not about me, it’s about FloridaDigital.net and four stolen domains: jis.com, Leading.net, Southeast.net and Jaxnet.com – by now you know what the long introduction was about.

So let’s roll forward to the present – at a time when, a few weeks ago, I was surprised to see Elliot Silver making a post at his blog titled “How great domains drop“.

It was devastating to read that recipe for disaster, essentially a manual on how to hijack a valuable domain name with Karl Renaut as its registrant – jis.com – by grabbing its controlling domain, FloridaDigital.net that was expired. Was Elliot trying to publicize the incident in order to prevent any wrong-doings, or was that post simply a big gaffe?

As Murphy’s Law predicts, Karl Renaut was unreachable at exactly the time that I needed to regain contact with him. Having moved out of state, the soft-spoken software engineer had moved from FDN on to Nuvox and then Windstream, in a series of what I’d like to call “life upgrades”. Along with those came phone and address changes that kept us apart for several years. The old team had a reunion last year but Karl was not present, as he had moved out of Florida.

As Elliot’s commentators predicted, on July 19th – like clockwork – FloridaDigital.net entered auction at Namejet, where it was sold three days later for $2,500. A small price to pay for the keys to owning an aged three letter domain, JIS.com.

In the days that followed, I was still trying to get hold of Karl Renaut and I finally did last week after he accepted my LinkedIn invitation. I was, after all, the “front end” guy, the one who redesigned Leading.net oh-so-long ago, before it was sold to FDN.

So what is the situation right now?

I’ll start by stating that FloridaDigital.net – the domain that was purchased for $2,500 on Namejet – was used by its Namejet winner as a Trojan horse to recreate Karl Renaut’s email account and to gain access to the Network Solutions account that manages (at least) four more domains that I’m aware of.
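The dependency described above, where an account's contact mailbox lives on a domain that was allowed to lapse, can be audited from a domain inventory. The following is an added example, not part of the original post; the `.example` names, dates and the `audit_contacts` helper are hypothetical.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory: hypothetical names under the reserved .example TLD.
# In practice "expires" and "contact" come from registrar exports or RDAP.
DOMAINS = {
    "oldcorp.example": {"expires": date(2010, 7, 1), "contact": "hostmaster@newcorp.example"},
    "newcorp.example": {"expires": date(2012, 3, 15), "contact": "hostmaster@newcorp.example"},
    "abc.example": {"expires": date(2011, 7, 30), "contact": "owner@oldcorp.example"},
    "region.example": {"expires": date(2013, 1, 9), "contact": "owner@oldcorp.example"},
    "isp.example": {"expires": date(2012, 11, 2), "contact": "Owner@OldCorp.example"},
    "blog.example": {"expires": date(2012, 5, 5), "contact": "me@webmail.example"},
}
SEVERITY = {"EXPIRED": 0, "EXPIRING": 1, "EXTERNAL": 2, "OK": 3}


def audit_contacts(domains, today, warn_days=90):
    """Group managed domains by the domain of their account contact address and
    rate whether that address can still safely receive a password-reset mail."""
    controlled = defaultdict(list)
    for name, rec in domains.items():
        mail_domain = rec["contact"].rsplit("@", 1)[1].lower().rstrip(".")
        controlled[mail_domain].append(name)

    findings = []
    for mail_domain, names in controlled.items():
        rec = domains.get(mail_domain)
        if rec is None:
            status = "EXTERNAL"   # mailbox on a domain this inventory does not track
        elif rec["expires"] < today:
            status = "EXPIRED"    # whoever re-registers it can recreate the mailbox
        elif rec["expires"] - today <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((status, mail_domain, sorted(names)))
    # Worst status first, then the contact domain that unlocks the most names.
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], -len(f[2]), f[1]))


if __name__ == "__main__":
    for status, mail_domain, names in audit_contacts(DOMAINS, date(2010, 8, 10)):
        print(f"{status:9} {mail_domain:18} unlocks: {', '.join(names)}")
```

An `EXPIRED` or `EXPIRING` row means the contact address should be moved to a mailbox on a domain that is renewed and monitored before the old one lapses.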

In the past few days, I made extensive use of DomainTools to capture the WHOIS changes daily for all four domains, all of which were systematically altered – but not so much as to raise any suspicion of activity.

Here’s a timeline:

  • July 22 – Namejet account ‘freddt’ wins FloridaDigital.net for $2,500
  • JIS.com – the domain that Elliot’s post disclosed to be linked to FloridaDigital.net – was to enter auction on August 1st. It never did, as you will see.
  • July 23 – FloridaDigital.net WHOIS changes to a person in Rhode Island. I won’t be posting his info – not just yet – because it might be faked.
  • July 24 – FloridaDigital.net nameservers change from NetSol’s “pending renewal” DNS to NS/NS1.FloridaDigital.net and GoDaddy web hosting IP’s. Our guy is getting ready for the big grab.
  • July 31 – FloridaDigital.net WHOIS info changes to “Pending Renewal or Deletion”. This information is fake, because the DNS servers remain the same as before and the domain was renewed through the Namejet purchase. Our guy is trying to cover his tracks but he’s really an amateur.

So that’s when the use of FloridaDigital.net ends. Note the last day of change – July 31: the last day JIS.com would be available for renewal before entering Namejet’s auctions. It’s important to note that 139 people expected the domain to drop, pre-bidding up to $5,225 for it; little did they know that one “smart” guy had them all suckered.

Apparently, between July 29 – 30 our guy recreated the managing account “krenaut@floridadigital.net” which controlled the Network Solutions account. Since there are no records of those two days on DomainTools, we need to examine JIS.com next.

  • July 30 – JIS.com still has the “pending renewal or deletion” nameservers from Network Solutions.
  • July 31 – As if by magic, the old “Karl Renaut” account comes live in the WHOIS. Our guy creates “krenaut@floridadigital.net” and this is the time he accesses the NetSol account. Once there, he simply resets the password, creates a new one and has full access to the account and its domains.
  • August 1 – All information remains the same, except for the registrant email, which is changed to “krenaut@gmail.com”, apparently for temporary use. Once used, an attempt is made to delete that address, and it is currently not accepting email.
  • August 4 – A new email comes into play: “krenaut8@gmail.com”. Note that both emails are made so as to not raise suspicion of any foul play; as if indeed, Karl Renaut himself was tweaking things. Our guy knows, after all, that he’s probably under watch from the people that commented at Elliot’s post. Who knows, perhaps he’s one of them 😉
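The kind of monitoring behind the two timelines above can be automated by diffing daily WHOIS snapshots and correlating a contact e-mail change with an earlier change on the domain that hosted the old mailbox. This is an added example, not part of the original post; the snapshot data, `.example` names and function names are constructed for illustration.

```python
from datetime import date

# Constructed daily WHOIS snapshots (hypothetical .example names and dates).
SNAPSHOTS = {
    "oldcorp.example": [
        (date(2010, 7, 20), {"email": "owner@oldcorp.example", "ns": ("hold.registrar.example",)}),
        (date(2010, 7, 23), {"email": "buyer@elsewhere.example", "ns": ("hold.registrar.example",)}),
        (date(2010, 7, 24), {"email": "buyer@elsewhere.example", "ns": ("ns1.oldcorp.example",)}),
    ],
    "abc.example": [
        (date(2010, 7, 30), {"email": "owner@oldcorp.example", "ns": ("hold.registrar.example",)}),
        (date(2010, 8, 1), {"email": "owner@webmail.example", "ns": ("hold.registrar.example",)}),
        (date(2010, 8, 4), {"email": "owner8@webmail.example", "ns": ("hold.registrar.example",)}),
    ],
}


def field_changes(snapshots):
    """Return (day, domain, field, old, new) for each change between consecutive snapshots."""
    out = []
    for domain, series in snapshots.items():
        series = sorted(series, key=lambda s: s[0])
        for (_, prev), (day, cur) in zip(series, series[1:]):
            out += [(day, domain, f, prev[f], cur[f]) for f in ("email", "ns") if prev[f] != cur[f]]
    return sorted(out, key=lambda c: (c[0], c[1], c[2]))


def takeover_alerts(snapshots, window_days=30):
    """Flag a contact e-mail change that follows, within window_days, a WHOIS change
    on the domain that hosted the previous contact mailbox."""
    changes = field_changes(snapshots)
    alerts = []
    for day, domain, field, old, new in changes:
        if field != "email":
            continue
        mail_domain = old.rsplit("@", 1)[1].lower()
        if mail_domain == domain:
            continue  # the domain's own hand-over is reported via its dependants
        prior = [c[0] for c in changes
                 if c[1] == mail_domain and 0 <= (day - c[0]).days <= window_days]
        if prior:
            alerts.append({"day": day, "domain": domain, "old": old, "new": new,
                           "mail_domain_changed": min(prior)})
    return alerts


if __name__ == "__main__":
    for a in takeover_alerts(SNAPSHOTS):
        print(a)
```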

No further changes to JIS.com are made. It appears as if the domain is dormant, yet not renewed despite being expired. Perhaps it’s a choice made by our guy, because despite his original focus on getting JIS.com as a bonus for gaining FloridaDigital.net, it’s now too hot to handle. It’s interesting to note that while DomainTools shows the domain as still expired, the NetSol WHOIS shows that it expires in 2011 with a last update date of July 30th. This would mean that it has been renewed by the guy who took over Karl Renaut’s account at NetSol.

In fact, our guy has discovered that Karl Renaut’s account has three more nice domain names, all aged and with former traffic and glorious history:

  • JaxNet.com – Registered in 1993 by Karl Renaut as part of his original Jacksonville, FL BBS
  • Southeast.net – Registered in 1994 as Karl’s business expanded into south and east Florida and bearer of the corporate name, Southeast Network Services Inc.
  • Leading.net – Registered in 1997 – What would become Florida’s largest ISP until the merger with Florida Digital and the formation of the largest CLEC in Florida.

All three domains are now managed by the email “krenaut8@gmail.com” with the DNS being untouched; the exception being Southeast.net that is being tested on PIPEDNS.com servers with an IP of 69.175.54.106 as of August 10.

Let’s recap: Guy spends $2500 on Namejet, knowing he can also get the valuable domain JIS.com for that low price, after reading an interesting, detailed post at Elliot’s blog. Once he realizes the domain is under scrutiny, he treads slowly, but not before he takes over Karl Renaut’s NetSol account which contains three more domain names, on top of JIS.com.

It’s important to note one thing: while FloridaDigital.net expired and was lawfully acquired by that gentleman through the Namejet auction, all three domains listed above have not expired. They are, therefore, the property of Karl Renaut and of the entities that were formed from the various corporate mergers, thus they currently belong to communications giant Windstream.

Also an important thing to note: Karl Renaut did not create those monkey accounts at Gmail and did not recreate his old FloridaDigital.net account and he did not reset his old password at Network Solutions. What we have here is a case of identity fraud, impersonation and felony theft of goods valued greater than $5,000.

Karl Renaut is fully aware of this situation and pretty soon Windstream will be very interested in claiming back their stolen assets that amount in the thousands of dollars.

As for our guy, he might as well keep the domain he paid for and hopefully he will learn a lesson in the process. I somehow hope he has the decency and understanding to acknowledge his huge mistake and to timely return the domains he didn’t pay for back to their legitimate owners.

Comments

  1. Very interesting read. Had me on the edge of my seat. Keep us up to date.

  2. Awesome… it will be so cool if it works out that he does not get anything but FloridaDigital.net for $2500, ha, that might not be worth reg-fee in my book.

    If it does it will be in large part because of this post. Great job Acro.

    Troy

  3. One needs to understand that everything is tracked: ISP connections to the NetSol account, emails used, the credit card used to renew the domain etc.

    Truly, I hope that he comes forward and IMMEDIATELY offers to hand over the domains and the account back to Karl Renaut and Windstream.

    If I had a direct loss from a situation such as this, I would – perhaps – view this as a gesture of goodwill to undo part of the crime committed.

  4. Netsol’s password recovery/reset system needs to be revamped more thoroughly.
    Hope Karl Renaut gets back his domains.

  5. We have a good case of identity theft/wire fraud here, don’t we?
    Can’t stand lowlife thieves.

  6. F*CK.

    I hoped that publicizing this scenario would draw attention from the company who would then look into it and secure its domain names. I also thought the extra attention would prevent someone from stealing these names, knowing others would be monitoring the situation.

    The other point of my article was to show others how critical it is to keep their Whois information updated and accurate.

    I am terribly sorry this happened, and I hope the company recovers its domain names quickly.

  7. Thanks for sharing this information.
    We must be so careful as domainers.

  8. Dear Acro, Could you please accept me as your trainee. I’m serious here, you’re doing such a good job and I wish I could do the same. This guy is not smart, but he’s a crook.

    Please let me know if you are willing to take me as your trainee, I just admire your passion to make sure the right thing is done right. Thanks.

    Regards,

    MANO – a nappied colored baby by domaining

  9. Wow… this is something I’ve never even considered happening by selling a domain name. What an eye opener!

    Thanks Theo for a great story and even better “moral” to that story. (that buyer better reverse it ASAP or it’s grand theft).

  10. I wouldn’t consider what he did as a ‘trojan horse’. From a legal standpoint, if he waited for the domains to expire and then claimed them during redemption status would that have been legal?

  11. Kannan – True. As it stands it only takes knowing the email address to send an email requesting a reset. If one has then access to that email address, they can access the account. That’s not news.

    Kate – Absolutely correct.

    Elliot – I’m sure you meant well; it’s just that someone took advantage of it for the opposite reason.

    Mano – One cannot train for life. It comes with experience.

    Stephen – It’s obvious the handling of these domains constitutes fraud; whoever keeps accessing that account or testing the domains or attempts to profit from them is committing additional crimes.

    Tim – Only the managing domain expired, not the ones inside the account. By acquiring the domain on Namejet, that person attempted and succeeded in gaining access to the other domains that did not belong to him.

  12. Long story, but worth reading, very informative cautionary tale.

  13. Dean – It’s about how life is stranger than fiction. Elliot was correct in raising red flags about how one could lose a domain due to lack of control of emails. It’s just too surreal seeing this happen to a former employer you can’t warn in time.

  14. “Karl Renaut is fully aware of this situation and pretty soon Windstream will be very interested in claiming back their stolen assets”

    nice. i love it. great detective work

  15. Clearly, the ONLY thing that separates 1 scum lowlife cheat from another, is the extent of their pursuit.

    No matter the outcome, dude’s in some deep sh*t and I hope they aim straight for his FACE when they throw the book at him!

    Good lookin’ out Theo!

  16. Very good work Acro, it’s a small world.

  17. Yeah, good job, Acro. I hope things run smoothly and he gets his names back.

  18. Very nice reporting! Thanks for all the hard work.

    I will say that this could get really difficult for Renaut and Windstream if this loser is based in a “difficult” foreign country like China, Bulgaria, Romania, or Ukraine. Laws may not matter in the end.

  19. Mike – Jerry – Josh – Tia – thank you. Reporting this is the least I could do.

    Logan – What matters is where the Registry is based; Verisign is in the US. The idea is for the perpetrator to return the domains now in order to avoid further embarrassment and public humiliation, on top of legal charges; the contact information indicates that the account holder is in the US / Rhode Island.

  20. How would he know what other domains floridadigital.net owns?

    I am sure he somehow knew it owned jis.com

    I’ve never seen a list of domains owned by someone or any service that provides this.
    So this person must do this as a business.

  21. Steve – The FloridaDigital.net/jis.com link was publicized; the other domains I’m sure he discovered once he gained access to the Network Solutions account.

    Not sure if he’s done that before, however it’s an unethical practice.

  22. Acro you are an asset to the community.

  23. I’ve got some great news – read my latest blog post 🙂

  24. Good work man! Theo you are an asset to this industry.

  25. Thank you Theo. If you had not taken the initiative to alert me to this my domains would have been lost.

    Sincerely,

    Karl Renaut

  26. With “inside” info but great detective story! Glad you made this public. It is not the first domain being hijacked in Network Solutions. How they do it and how people still pay for such a buggy registrar puzzles me. Information really is power… I mean, one doesn’t have to prove the identity? Is it so easy to fake someone’s identity?

    Note also that if the scammer paid $2500 there were others maybe trying the same. Money talks…

    Another one that I suspect might have been hijacked is KIP.COM, recently sold for a good amount.
