Sedo scammers take advantage of email predictability

It was in early 2000 when one of my few – back then – domains got hijacked by a Turkish hacker. He picked that particular domain because it’s a very common Greek cussword, shared equally among our eastern neighbors. The domain was registered with Network Solutions, which offered back then an update process via email. With each WHOIS info change, an email was sent out to be acknowledged or denied by the administrative contact.

The problem was its predictability: its format was identical each time, the changes to be made were obvious and the information conveyed was unencrypted. All a hacker had to do – and many did – was to initiate an update via the NetSol web site and then send out a fake email that appeared to come from the administrative contact, authorizing the changes!

Simple and brilliant.

What’s not simple and brilliant is that eight years later other companies continue to make the same mistakes in the way they program authorization of updates in transactions. In a recent scheme, a Sedo seller received an offer for a 3-letter .com domain; the price was agreed upon and consequently he was emailed, being told that the payment had been received and that the domain should be pushed to the buyer’s account.

The email ended up being fake, the perpetrator once again originating from Iran (oh, the surprise!). The scammer simply replicated a response email, sent often by Sedo to the participants of a transaction and spoofed the originating address, thus making the seller believe that the payment had been made. The seller pushed the domain to the scammer’s acount with Moniker. Later on, Sedo notified the seller that no such email had been sent, that the payment was still pending and that the buyer was apparently trying to defraud the seller.

Luckily, the domain was returned due to the strict safety policies of Moniker. It was proved stolen and it was returned to the owner. Sedo must stop sending out these full communication emails; they must simply prompt the parties involved in a transaction to log into their Sedo accounts to perform whatever step is needed. This way, no personal data is disclosed and no spoofing is possible. Sedo must take example from that has streamlined the domain transfer process to the highest degree; if they were also a registrar it’d be the ultimate in domain reselling security. Other options exist, such as Moniker’s escrow (requires the domains to be transferred to Moniker first), Afternic and the newly founded venture EscrowDNS.

It’s important to learn from the lessons of the past, to avoid the anguish in the future.


  1. I’ve often thought about this – Whenever you receive an email from Sedo, simply login and check the status of the transfer before believing what is said in an automated templated email.

    I take this step in every transfer I make through Sedo.

  2. One thing Sedo has done for me is to only push to Sedo’s account, which is always the same account. By doing so, the worst a person can get is for the domain to be at Sedo’s brokerage account at my registrar. That has been a really good solution for my concerns and forces Sedo to walk the complicated path of explaining how to transfer or push domains to end-users who tend not to be very sophisticated or technologically-inclined.

  3. Mickie, that’s not always the case, however. At least twice I have been asked to push to the buyer’s account, and vice versa: a transfer is initiated by me to my registrar (as the buyer) directly from the seller’s account. So there are quite a few security concerns.

  4. Hi,
    I am Connie at Network Solutions. Boy, that was a long time ago. Thank goodness we are a much different company now.

    I wholeheartedly agree that we all need to collectively learn from past technical errors. There is a lot to be learned from this kind of a scenario. In some ways itโ€™s hard to share information because of wanting to contain issues, but hopefully we can use bodies like ICANN to resolve collective issues.

  5. The risk tends to be higher for internal transfers. With external tranfers, Sedo now requests that the Authorization Code is sent to Sedo, who will then pass it on to the buyer.

  6. Regardless, all this communication should not be made via emails. *Notifications* should be sent via emails, with all sensitive info – including agents’ names – disclosed only in the transaction area.

  7. Looks like Sedo has issued an update! ๐Ÿ˜€

    “With immediate effect we have updated the communication protocols used for domain purchases and sales. All correspondence related to a transaction will be made directly through the respective Sedo accounts. Emails will only be sent to indicate that there is an update and that the customer should refer to their account for the relevant information.”

  8. I do not like providing the auth. code. If I push the domain to Sedo’s escrow account, they can still push it back. But actually, they already have the buyer’s money, so nothing can happpen.

    But still, pushing the domain to Sedo (or Moniker) is always much more secure than directly to the buyer (’s “escrow”), because the provider of the escrow service knows for sure that we have done it…

Speak Your Mind