What would you do if someone stole something valuable and personal from you? What if, at the same time, they targeted your business and crippled your income? What if you also discovered that this happened due to a Google security infection that can affect any Gmail user?
That's what has happened to me. Read on and I'll tell you about the web pirates threatening my livelihood, and how to check Gmail to make sure it doesn’t happen to you.
On November 20th 2007 I left the UK to spend a month in India. I'd planned the break for about a year, and was looking forward to taking my girlfriend on our first foreign trip together. Before leaving, I published a brief post to say I'd be away and that the blog would be quiet in my absence. All my clients were informed, bills paid, etc., and off we went for an adventure.
We arrived in Mumbai on November 21st, and on the journey from the airport to the Colaba district, was punched in the face through the open window of my taxi, but that's another story.
I'd not be checking email much during the next month — only to keep in touch with family. This was a break from work and computers.
Everything was fine until just a few days before we were to return to the UK. I was in a net cafe in Goa and read some worrying emails from friends. My website had disappeared and my domain name was redirecting to a site I'd never heard of — bebu.net.
I got anxious. What happened? The only thing I could think of was that somehow the domain name had expired without any notification or warning, and a poacher had snapped it up before I could renew.
My site had been attracting more than 2,000 unique daily visits. So not a massive amount. But for a one-man business, 700,000+ annual visitors can generate a decent amount of new clients.
So I ran a WHOIS check on the domain, hoping to find an email address for the new owner. The search yielded this email address: DAVIDAIREY.COM@domainsbyproxy.com and here's the email I sent:
"Hello, please can I purchase my old domain name from you. It seems it expired without my knowledge. www.davidairey.com. Kind regards, David"
I found it hard to believe that I'd let my domain name expire, but thought it a good idea to send an email nonetheless.
On the very same day, I received a reply. It came from one supposed Peyam Irvani, telling me the following:
"Hello, please send me your high offer! Regards"
By this stage I'd had some back and forth email discussions with close friends, wondering what exactly could have happened. I also contacted my web host, ICDSoft, asking for help. They originally sold me the domain name. Shouldn't they have informed me?
This is when I found a disturbing ticket in my web host support panel. It was supposedly from me, addressed to ICDSoft's support team, and was created on November 20th, the exact date of my departure from the UK. It read:
"Subject: Davidairey.com Transfer
"Hello, I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code. Kind regards, David"
Within just one minute (ICDSoft's support team are very fast) the following response had been supplied:
"Hello, we unlocked your domain name as requested. Here is its EPP code: Domain name: davidairey.com - Auth/EPP key: 6835892AE0087D66. Best Regards, Support"
I immediately typed a reply asking what I could do to resolve the situation. Here's what the support team said:
"Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information. The original ticket message was sent from this IP address: 18.104.22.168. The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful."
What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net café and didn't know what to think.
I emailed GoDaddy where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place while I investigated. GoDaddy said:
"Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum... I apologize for any inconvenience this may cause."
Okay, so GoDaddy can't help until the matter is taken to court.
This process ran over a few days of my holiday, as GoDaddy took over 48 hours to respond. At this point, on December 19th (four days after my first email to the thief 'Peyam'), I thought I'd reply:
"Hello Peyam, well, congrats on your hack. I'd love to know how you did it.
"Before this moves through the courts, in order to settle the dispute, I don't suppose you'd be so kind to give me my domain back? It'd really save me a lot of hassle, but if that's what it takes, so be it."
No point in being aggressive.
Again, that same day, I received a response:
":)) Im sorry to say but its not possible to have it or it take about 1 month if you try hard to have it again :)) and you lose your visitor ....hahaha
"You can purchase it for 650 $ And we will use escrow sevices ;) that will done in less than 2 days!"
Now my domain name was being held to ransom and I was being taunted. What I had spent more than a year building into a sound marketing plan had been severed at the knees.
I'm not the type to give money to a criminal, so I didn't reply, and focused on stopping the hacker from stealing anything else of mine.
How was I being hacked?
After some research I found this exposé into Google's Gmail deficiencies: Google Gmail E-mail Hijack Technique
It details the exact Gmail hijack that I have just found applied to my account (right while writing this post).
Here's an excerpt:
"The victim visits a page while being logged into Gmail. Upon execution, the page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google."
And here's a three step illustration of just how this threat works (click each image for a larger version):
Images courtesy of GNUCITIZEN
I took a look at the "filter" option in my own Gmail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the filter can delete the email from your Gmail inbox as soon as it has been forwarded, so you'd be none the wiser if a hacker was playing havoc with your incoming mail.
Important: If you use Gmail, it's vital that you check your account settings now.
Here's what to do:
When logged into Gmail, click on the "settings" tab in the upper right of the screen. Then check both the "filters" and the "forwarding and POP" sections. This is what I just found in my filters tab:
"The following filters are applied to all incoming mail:
"Do this: Forward to email@example.com, Skip Inbox, Delete it
"Do this: Forward to firstname.lastname@example.org, Skip Inbox, Delete it"
I have no idea who's email address that is, but it seems that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.
The Gmail security issue is seemingly fixed (link removed due to expired domain — 09 April 2010), but that won't remove any previously installed filters from your Gmail account.
What do I know about the thief?
There’s the Gmail address, email@example.com, and what’s probably a fake name, Peyam Irvani.
There’s also the Yahoo address that my emails were being forwarded to via the Gmail filer, firstname.lastname@example.org.
ICDSoft gave me the IP address from where the fraudulent support ticket originated (22.214.171.124). According to IP Global Positioning the IP is in the United States — Fort Lauderdale, Florida, to be precise — and the Internet Service Provider is Cybergate INC, based in Mississippi.
I'm not sure how much this information can help me, if at all.
Then, unexpectedly, I got a third email from 'Peyam' on December 21st:
"Helli David, we can use escrow and you can have your domain name again :)
Only for 250 $ !
Do you want it ?!
Its special christmas offer ! haha
I like to see you have that domain name again :) "
I don't care if it costs two cents. I don’t pay thieves.
So you might be wondering what I did to resurrect my website. You're reading this post on davidairey.com after all. Before the theft, I owned both davidairey.com and davidairey.co.uk, with the .co.uk permanently redirecting to the .com (I thought it made sense to use the .com as my main address because as easier to remember).
I'm now using the .co.uk domain as my main address. That means all my organic search results have been reset to zero. Whereas once I was on the first page of search results for graphic designer, I'm now nowhere.
It also means that the detail on my business cards is incorrect, and my email addresses too. So quite an expense, but I'd rather fight in the courts than give a penny to the person responsible.
Help with domain name disputes
This is the stage I'm at, weighing up options before it comes to paying legal fees. This is also where I'm calling on your valued help. I know that many of you are much more clued up on this than I am, and if you can spare some advice in the comments here I'd be very appreciative.
In my emails with GoDaddy (the company where my .com domain name is now registered), a representative said:
"Should we receive notice of a pending dispute from a court or arbitration forum, we will lock the domain name so it cannot be transferred or have the registrant information modified. Likewise, when we receive a decision from the legal body, we will update the domain name accordingly."
They then directed me to the WIPO website (World Intellectual Property Organization, email@example.com) where there's a section for domain name dispute resolution resources, including the following:
It seems I have to pay a minimum of $1,500 for the pleasure of initiating a court case. All fees are listed here.
It's not clear how long the process lasts.
What should I do?
From what I understand, the only option is to proceed with legal action (again, I'm not paying the thief one penny).
- Do you know any different?
- Do I have a good case to proceed with?
- Is there any other information available online about the pirate who is blackmailing me?
If you can provide any of these answers, it would mean a lot.
Thank you so much to those of you who kindly emailed me at the start of this situation: Vivien, Ben, Tammy, Armen, Dawud, Ed and Jamie. I know that more of you tried, but that I didn't receive your emails because my accounts no longer existed.
Thank you also, to everyone who is lending their support in the comments of my previous blog post, David Airey.com hacked. Many of you have also published my news on your own blogs, and this really lifts my spirits, showing just how great the people in the blog world are:
Here's a snippet of your kind help:
- David Airey Hacked
- Your Help Needed: David Airey.com hacked
- What Happened To David Airey?
- Where-oh-wherey is David Airey?
- davidairey.com hacked and hijacked!
- David Airey's Domain Hacked!
- David Airey is Back (but has a new domain)
- David Airey's Graphic Design Site Has Been Hacked
- Great graphic design stuff and theiving bastards
- David Airey Hacked?
- Don't tell someone about vacation
It's fantastic that you'd go to this effort. If there's anything I can do in return, do let me know.
Update: 27 December 2007
My domain name has been returned, and you can read how here.