I thought I will start my first post with how some of the domains get owned without much technical work. Lets go through a simple step by step that one might go through in order to get a domain. At the end of the article I will show you how it can be stopped.
So I wanna get this domain called, lets name it "www. some name . com", for some reason I liked this domain and so I send an email to the owner asking him, if he would like to sell the domain. After waiting for a day or two I get a reply back and the owner wants $50,000 for a shitty domain which is not even worth $10. But at the same time, its totally fine because he is the owner and he got it first so in a way for him it seems to be a good price, but a poor guy like me can't pay $50k for a junk.
So here is how I go on about getting this domain the other way around.
The first thing I will do is gather as much information as possible, because then its just a matter of few calls and getting things done.
1. As you may recall, I sent an email to the owner asking him for the domain. When he replied back I got his IP. The IP is in the headers of the email but an easy way would be to use a service such as ReadNotify, which makes it a lot easier, the moment the receiver opens the email you will get an alert. This service can be very useful specially if you want to save the hassle of doing reverse look up, finding his location etc. I suggest you try this if you want to makes things easier but the old free way works as well.
Once you have the user IP, either by ReadNotify or through your mail you can then move on to the next step where we will do some more Digging.
2. If I were using ReadNotify, some of steps can be ignored here because ReadNotify actually gives you all the info. But lets go through the steps anyways.
a) I have the IP I will do a look up and try to find who is the host (Internet Service Provider). There are many services that you can use, Windows OS comes with one and Linux also has one. But I will be using a free internet service for this job. Such as IpLookupNet, they are free and most of all doesn't require any clicking all you do is copy paste the IP in the box provided and it will do the rest for you.
So lets take an example of my IP (I have blanked out the info for security purposes) I put it in the box and press Enter.
I get the following information --
Based on this, I know few things now, the person is from Canada, and the his Internet Service Provider is TekSavvy. Seems pretty useless but just watch what this little useless info can do. Iplookup service gives a lot of more info than just that, they have other information such as --
All you have to do is click over any of them and it will give you more information, for us the most important ones are WHOIS information. That will give all the information you need about their Internet Service Provider. It will be very useful to us as you will find later on, for now I know where he is from? What ISP he is using and some other information which seems totally USELESS.
Now that I know where he is from, and I know about the ISP, we will move on to the next step of Domain Stealing which is some reverse engineering.
3. Without much thinking I come up with a simple yet brutal way to get more information. And I do not have to think much because I have tons of domains myself and been doing all kinda internet marketing stuff for long time. I do a whois on the domain name, in this example lets say their domain was "www. some name . com."
I will then go to, WHOIS SEARCH, and do a whois on this domain name to get some info about the owner. Now let me remind you that in some cases this website will not work because for example for GoDaddy.Com domains you will have to visit GoDaddy's url which WHOIS search provide you and it is always in this format --
http://who.godaddy.com/WhoIs.aspx?domain=DOMAINNameHERE&prog_id=GoDaddy
Once you have entered the domain name and clicked search it will then show you all the information you need about the owner of the domain unless it is protected by Privacy.
You will get information such as -
Full Name
Full Address
Contact for Admin, Technical Support, Customer Support Etc
Telephone Number
Fax Number
Now not all the domains will have all the fields sometimes you will fund just junk because the owner didn't want to give his real info in that case, things will be just easier for you, which will be the 2nd scenario we will be looking at.
So lets say we got all the information we needed from WHOIS.
4. Now that we have the name and other information, we will be giving a call to the owner of the website and act as if we are his Internet Service Provider.
Here is one of the ways we might start the talk --
====================================================================
Hello Danny Crane from TekkSavvy
Hi
We are calling to inform you that we will be going through some server updates and you may experience some disconnectivity during this period, the update will be done later today during the evening hour to be exact 9 PM - 11 PM, thus we are calling all of our customers to let them know that the service will be back once the update takes place. We do this routinely to avoid the number of calls that we receive during this update.
Thank you for your time, if you have any questions please let us know.
Oh ok thank you for informing..
Call ends here
====================================================================
Looks like a stupid call, well it is not because what we have done there is created a simple rapport between the DomainOwner and one of the workers at his ISP. Now this DomainOwner will know of Danny. And as you know there will be no updates and there will be no disconnectivity, because it was all a setup. And we had to do this to execute our next step.
Remember the word UPDATE.
Call number 2
====================================================================
ISP - Hello Danny Crane from TekkSavvy
Owner - oh ya? you just called earlier
ISP - Yes Indeed, earlier I forgot to add that we will be doing a routine checkup of the contact information of the customers, I wanted to make sure that your current account information is correct, so if you could please confirm it.
ISP -Your Full Name
Owner - Mark John (sample name)
ISP - yes I have it has Mark John with an "e" after "n" is that correct or it is just an "n?"
Owner - No there is just an "n"
ISP - Address please, are you still living at "Ottawa?"
Owner - yes still there. (gives full info)
ISP - your phone number seems to be the same as we have in account right?
Owner - yes.
ISP - thank you, I have set the information accordingly
ISP - Last question, as we are upgrading the systems we would like to take note of our current speeds and what we will be getting after. Could you please tell me what sort of speed do you get when downloading files?
Owner - man its slow, really slow I thought you guys are good but download speeds are not that great.
ISP - Thank you for your insight, but I see in your account you should be able to download at very high speeds.
Owner - Oh ya? I was told the same but I get shitty 50kbs.
ISP - Please give me a minute let me go over your connection.
Owner - oh ok.
ISP - I went through your log files and connection it looks like there is some registry problems with your Operating Systems, you can download SpeederFix and it will fix this problem, if it still does not work I will get back to you after the update. But first you will have to see if SpeederFix can fix the problem or not.
Owner - Alright where do I get it?
ISP - Visit www. hacker website . com and download the file, once downloaded before running it, click Start then Run and type Regedit and then enter on keyboard. Tell me do you see a window open and do you see Local Machine Folder there?
Owner - yes I do
ISP - Good thing the software will work on your PC.
Owner - ok download is finished and I tried to run it and I am getting and error.
ISP - Looks like there is some problem on your side, I will get back to you after the update and then we can fix it.
Owner - ok thank you.
ISP - you are welcome, do you have any other questions?
Owner - no tthanks..
ISP - thank you for using TekkSavy
Call ends
=====================================================================
lets look at the 2nd call, as you can see the reason for UPDATE gave the attacker a chance to make sure all the information is correct in case he needs any of the information later in the attack. And after that he asked a question which i call "DRAGGED" and that being, is your speed good or bad? Now from what I know and I have had tons of friends working for ISP, nobody is happy with their SPEED, never ever, even if you have the fastest connection there are times that you hate it and people whine about it. The attacker is exploiting something that he knows 99.9% of common people will say yes. This gives the attacker a chances to further exploit the victim but as you can see, he did not ask the user to run the file but rather asked him to go to start and then run, registry edit to see if there is a folder and the victim replies yes, this is just a bogus question, the attacker is just trying to fool the victim into thinking that whatever he will be doing with the software will only help solve his speed problem nothing else, this builds trust and
doesn't give chance for the victim to think, as things are happening fast, now as you may know people now a days have no patience so in this case the victim ran the file without even questioning because of what earlier happened. And then by now the job is done. The attacker has infected the PC successfuly and without any hacking knowledge.
Now you must be thinking, why would the victim download a file and not make sure the website is a fake one, well like I said people have no patience and as you may have recalled this same Danny guy earlier called the victim to inform him about something and then he also helped him update his account. By then the human mind is too fragile to think of anything bad about Danny. By nature we are very open we wanna help people and we like people who help us we do not doubt them. In this case Danny is the nice guy who is trying to help the victim.
This scenerio can be taken to a level that even the SMARTEST of domainer will be fooled by it. By using tools such as BlackWidow and PageRedirects etc, things can be setup in a way so that the victim is fooled on the spot.
The attacker can even use blinders to blind in the Trojan with another file to make it look legit, there are tons of ways, but this simple one does the work.
Once the trojan is executed all the Attacker has to do is gather all the info and let some time pass and then grab the domain without the knowledge of the victim something which is very easy once the work is done. In most cases the victim will not even know about his/her domain until he/she goes through the list of their domains to find out if there is one missing. If the victim had a huge collection then knowing about a low level domain from the list becomes hard.
Lets look at it, if the whois information was fake and misleading, then it makes things even easier, all you have to do is give a call to the domain owner and act as if you are their registrar and ask them that company is doing ICANN updates and their information is not matching their account information, if they can update it because else they will lose the domain name according to ICANN rules..
As you can see just a little info can do a big damage, if you are thinking that you are SAFE no you are not. Your antivirus, your firewall cannot do when it comes to mind games, trojans can bypass antivirus and if someone really wants the domain he will go to high levels to get it. What I have shown is a very basic method that works on almost everyone. I myself am vulnerable to this type of attack. But there are ways you can stop the attacker at the very start so that he will not go any further and give up.
Lets look at ways we can avoid this whole ATTACK.
1. If you have important domains, your should do a Private Registration. Thus hiding your personal info. What I have shown here is just a Domain Hack but there are tons of other things an attacker can do with your information.
2. If you do not want to do private registration or if it costs you much more than normal registration then your next step should be that, you should create a seperate email just for your domain profiles so that if someone tries to contact you and ask you some random questions about other stuff then you know it can't be possible as the email is only for domain and you have never given it anywhere else.
3. Make a policy around your house that if there is a call from the Internet Provider, make sure you are being told and that nobody should install anything if asked by the provider, further they must make sure that they say who they are. Thus they have to give some sort of information that validates their identity. This is not possibly for some ISPs that is why you should never execute anything on your pc.
4. If the ISP person asks you for the information, you should always know that if they are in your account they know all your information already you do not have to provide them every detail, they can confirm it with you, but this actually never happens, it does happen when you call your ISP just so they can confirm its you. They will ask you some questions but your ISP will never call you to confirm your status. And if they do, your first initial move should be, take their name, their post number and tell them that you will call them back. This kills the attack on the stop because if it was not a legit call you will know it by calling to your ISP, as the attacker cannot call from the exact post or phone number as your ISP. Thus this steps is a must.
5. Always have latest Antivirus and latest Firewall updates on your computer, specially in Windows where everything is uncertain, Antivirus and Firewall can help stop many of these issues. I recommend using some of the good ones out there, McAfee and Norton are joke, they used to be good but not anymore. If you are looking for safety and stability then I recommend using AVG antivirus they have lots of different versions, last I checked they had a complete security edition with antivirus and firewall, that would be your best bet, but you can also go for different firewall and Antivirus, if you are looking for a good firewall I have found out that ZoneAlarm is really a good one with lots of features and compared to many Firewalls out there, once its installed it does really good job even with default settings. So ZoneAlarm is a good way to go.
6. Always update your Windows system with latest patches and updates. You would be amazed to know that sometimes there are bugs that require no knowledge to exploit all the attacker has to do is send you to a URL or make you open a TXT file yes, a notepad file and he will have full control on your pc. So always update your Windows System, I use Ubuntu it is 100x better than windows systems, its cheap and it is free, and you do not even have to install it to use it, you can run it from PC and then if you like it you can install it. Ubuntu is one of my favorite OS when it comes to ease of use and security.
7. I highly recommend you also install Firefox NoScript Plugin, as it will stop most of the browser attacks. But your first move should always be, never to visit a webpage that is being sent by an unknown person, if you do visit make sure you have FireWall, Antivirus and NoScript plugin running to ensure highest possible security.
8. Even if you have all the security tools running, some of the stuff are still not safe, I recommend going to the page through a Proxy such as Ctunnel or you can find tons of other proxies from www.proxy.org, that is one of your best bets.
But the best security is to never open any program that you do not have knowledge about, if someone knows you got some good domains then he will do anything to get them, and do not just stay in hopes that if he steals you can get it back no you can't, the way ICANN and registrars work once you have pushed your domain to someone you can't get it back in most cases its gone.
So you should have secure policies on how you do things.
If you run a business and your domains are managed by another individual then you should have a policy that nobody has the right to run any program on the machine without your permission. These kinda attacks take place mostly on people who are customer support because they are too helpful and their nature gets exploited.
You are not safe, I am not safe? Digital information is not safe specially if you know how to use Google and one can do a lot of damage just with your email because by Googling your email the attacker can find information related to you.
In next article we will look at how some Blackhat SEO guys get high PR backlinks with brute force, and brute attacks without even bothering with asking or buying paid links. This is an issue that is overlooked by many and the pros know it and do it all the time..
Do not let anyone fool you into helping you, always follow your your rules and policies. Please leave your comments and questions.
Showing posts with label domainer. Show all posts
Showing posts with label domainer. Show all posts
Thursday, January 1, 2009
Subscribe to:
Posts (Atom)