What would you do if a criminal stole something very personal, and very valuable from you? What if they were able to target your business and cripple your income?
What if you also discovered that this was happening because of a Google security infection that can affect every Gmail user on the planet?
That’s what has just happened to me, and here I’ll share my story. I’ll tell you everything I know about the web pirates who are threatening my livelihood, and tell you what you need to know in order to avoid the same happening to you.
And so it began
On November 20th 2007 I left the UK to spend a month in India. I’d been planning this break for more than a year, and was looking forward to taking my girlfriend away on our first foreign trip together. Prior to leaving, I published a blog post to let my readers know I’d be away for a while, and that my blog would be a quiet place in my absence.
All my clients were informed, bills paid, loose ends tied-up, and off I went on a new adventure.
I arrived in Mumbai on November 21st, and on the journey from the airport to the Colaba district, was punched in the face by an Indian youth, but that’s another story.
During the month ahead, I knew I’d be irregularly checking my emails, but only to let loved ones know everything was fine. This holiday was to be a break from work, a break from computers.
Everything was fine for a few weeks, until December 15th (five days before I was due to return). I called into an internet café in Goa, and read some worrying emails from good friends of mine. They told me that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website — bebu.net.
I was confused, anxious, how could this happen? I hadn’t received any notification of my domain name expiry, and I never divulge any passwords to anyone. The only possible explanation for me was that somehow, the domain name had expired without me receipt of notice, and that some domain poacher had snapped it up before I got a chance to renew.
My website had been pulling in over 2,000 unique daily visits. Not a massive amount by any stretch of the imagination, but for a one-man operation, 700,000+ annual visitors can generate a healthy amount of new design business.
So I ran a WHOIS check on davidairey.com, hoping to find an email address for the new owner. The search yielded this email address: DAVIDAIREY.COM@domainsbyproxy.com and here’s the email I sent:
“Hello, please can I purchase my old domain name from you. It seems it expired without my knowledge. www.davidairey.com. Kind regards, David”
I found it hard to believe that I’d let my domain name expire, but thought it a good idea to send an email nonetheless.
On the very same day, I received a reply. It came from one supposed Peyam Irvani, telling me the following:
“Hello, please send me your high offer! Regards”
By this stage, I’d already had some back and forth email discussions with close friends, wondering what exactly could have happened. I also contacted my web host company, ICDSoft, asking them to help. They were the ones who sold me the domain name after all. Shouldn’t they have informed me?
This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft’s support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:
“Subject: Davidairey.com Transfer
“Hello, I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code. Kind regards, David”
Within just one minute (ICDSoft’s support team are very fast) the following response had been supplied:
“Hello, we unlocked your domain name as requested. Here is its EPP code: Domain name: davidairey.com – Auth/EPP key: 6835892AE0087D66. Best Regards, Support”
I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here’s what I was told by the support team:
“Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information. The original ticket message was sent from this IP address: 18.104.22.168. The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.”
What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net café, my girlfriend beside me, and I didn’t know what to think.
I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here’s what GoDaddy said:
“Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum… I apologize for any inconvenience this may cause.”
Okay, so GoDaddy can’t help until the matter is taken to court.
This whole process ran over a few days of my holiday, as GoDaddy took over 48 hours to respond. At this point, and on December 19th (four days after my first email to the web pirate, ‘Peyam’), I thought I’d send a reply, and here’s what I said:
“Hello Peyam, well, congrats on your hack. I’d love to know how you did it.
“Before this moves through the courts, in order to settle the dispute, I don’t suppose you’d be so kind to give me my domain back? It’d really save me a lot of hassle, but if that’s what it takes, so be it.”
I saw no point in being aggressive, wishing to keep them ‘on-side’ as much as possible.
Again, that same day, I received a response:
“:)) Im sorry to say but its not possible to have it or it take about 1 month if you try hard to have it again :)) and you lose your visitor ….hahaha
“You can purchase it for 650 $ And we will use escrow sevices ;) that will done in less than 2 days!”
Now my domain name was being held to ransom, and the hacker was taunting me. What I had spent more than a year building into a sound marketing plan had been severed at the knees.
I’m not the type of person who will hand any money over to a criminal, so I didn’t reply, instead focusing on stopping this hacker from stealing any more of my property.
How was I being hacked?
After a little research, I found this exposé into Google’s Gmail deficiencies: Google Gmail E-mail Hijack Technique
It details the exact Gmail hijack that I have just found applied to my account (right whilst writing this blog post).
Here’s an excerpt:
“The victim visits a page while being logged into Gmail. Upon execution, the page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.”
And here’s a three step illustration of just how this threat works (click each image for a larger version):
Images courtesy of GNUCITIZEN
I took a look at the “filter” option in my own Gmail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the filter can delete the email from your Gmail inbox as soon as it has been forwarded, so you’d be none the wiser if a hacker was playing havoc with your incoming mail.
IMPORTANT: If you use Gmail, it’s absolutely vital that you check your account settings now.
Here’s what to do:
When logged into Gmail, click on the “settings” tab in the upper right of the screen. Then check both the “filters” and the “forwarding and POP” sections. This is what I only just found in my filters tab:
“The following filters are applied to all incoming mail:
“Do this: Forward to email@example.com, Skip Inbox, Delete it
“Do this: Forward to firstname.lastname@example.org, Skip Inbox, Delete it”
I have absolutely no idea who’s email address that is, but it seems to me that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.
It appears that the Gmail security issue is fixed (link removed due to expired domain — 09 April 2010), but that won’t remove any previously installed filters from your Gmail account.
What do I know about the hacker stealing my property?
I have a Gmail address, email@example.com, and what’s possibly some fictitious name, Peyam Irvani.
There’s also the Yahoo email address, firstname.lastname@example.org, where my emails were being forwarded to through the malicious filter.
ICDSoft provided me with the IP address from where the fraudulent support ticket originated (22.214.171.124), and it’s possible to search for it’s physical location using a free online IP address locator. I’d never used one before, but gave it a shot…
According to IP Global Positioning, the IP is in the United States. Fort Lauderdale, Florida, to be more precise, and the Internet Service Provider is known as Cybergate INC (based in Mississippi, USA).
I’m not entirely sure just how much this information can help me, if at all, but I thought it might be useful.
A little unexpectedly, I received a third email from ‘Peyam’ on December 21st, saying:
“Helli David, we can use escrow and you can have your domain name again :)
Only for 250 $ !
Do you want it ?!
Its special christmas offer ! haha
I like to see you have that domain name again :) “
I don’t care if it costs $0.02. I won’t give my money to a criminal.
Update: 27 December 2007
My domain name has been returned, and you can read exactly how in this blog article.
You might be wondering what I did to resurrect my website from oblivion. You’re reading this post after all. Before the theft, I had both davidairey.com and davidairey.co.uk, with the .co.uk permanently redirecting to the .com (I felt it would make more business sense to use the .com as my main address due to its ease of memorability.
I’m now using www.davidairey.co.uk domain as my main address. What does this mean? It means that all my organic search results are reset to zero. Whereas once I was on the first page of search results for graphic designer, I’m now nowhere to be found.
It also means that my business cards are now incorrect, and my email addresses too. Quite an expense, but I’d rather fight in the courts than give one penny to the person who did this.
Help with domain name disputes
This is the stage I’m at now, weighing up my options before it comes to paying legal fees. This is also where I’m calling on your valued help. I know that many of you are much more clued up on this than I am, and if you can spare some advice in the comments here I’d be very appreciative.
In my email communications with GoDaddy (the company where my .com domain name is now registered), a representative had this to say:
“Should we receive notice of a pending dispute from a court or arbitration forum, we will lock the domain name so it cannot be transferred or have the registrant information modified. Likewise, when we receive a decision from the legal body, we will update the domain name accordingly.”
They then directed me to the WIPO website (World Intellectual Property Organization, email@example.com) where there’s a section for domain name dispute resolution resources, including the following:
It seems I have to pay a minimum of $1,500 for the pleasure of initiating a court case. All fees are listed here.
It’s not clear how long the process lasts.
What should I do?
From what I understand, the only option is to proceed with legal action (again, I’m not paying the thief one penny).
- Do you know any different?
- Do I have a good case to proceed with?
- Is there any other information available online about the pirate who is blackmailing me?
If you can provide any of these answers, it would mean a lot.
Thank you so much to those of you who kindly emailed me at the start of this situation: Vivien, Ben, Tammy, Armen, Dawud, Ed and Jamie. I know that more of you tried, but that I didn’t receive your emails because my accounts no longer existed.
Thank you also, to everyone who is lending their support in the comments of my previous blog post, David Airey.com hacked. Many of you have also published my news on your own blogs, and this really lifts my spirits, showing just how great the people in the blog world are:
Here’s a sampling of your kind help:
- David Airey Hacked
- Links Important Enough To Write About On A Saturday
- Your Help Needed: David Airey.com hacked
- If you link to David Airey please read this
- What Happened To David Airey?
- Where-oh-wherey is David Airey?
- David Airey – Designer, Blogger, Information Sharer
- davidairey.com hacked and hijacked!
- Fellow Blogger David Airey Gets Hacked
- David Airey’s Domain Hacked!
- David Airey is Back (but has a new domain)
- David Airey’s Graphic Design Site Has Been Hacked
- Great graphic design stuff and theiving bastards
- Warning: Your Blog Could Be Hacked
- David Airey Hacked?
- Don’t tell someone about vacation
- Pedere un dominio troppo facile
It’s fantastic that you’d go to this effort. If there’s anything I can do in return, do let me know.