Information Security News mailing list archives
Web sites 'stolen' by cyberthugs
From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 14:10:40 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2580039,00.html?chkpt=zdhpnews01

By Bob Sullivan, MSNBC
May 31, 2000 5:24 PM PT

Two small Internet companies on opposite sides of the globe with valuable domain names had their Web sites "stolen" over the weekend. Computer criminals plucked "Web.net" and "Bali.com" right out of the database where Internet addresses are reserved. Five days later, the Web sites are still broken and the domain names are registered to someone else.

Both firms were likely victims of the third publicized attack in the past six weeks on one of the Internet's core technologies.

It's a complicated story but a simple problem: Computer criminals have figured out how to trick the Internet domain-name system so they can take control of some valuable Web addresses. In the case of this weekend's apparent heist, that means Web.net and Bali.com currently don't work.

"We're a small, not-for-profit organization, I don't know why someone would do this to us," said Tonya Hancherow of Web Networks Inc., the rightful owner of Web.net. The small Canadian Internet service provider has 3,500 customers and supports 700 Web sites.

"Our customers are all nonprofits and charities. I don't know what to do for all my customers," Hancherow said.

On Friday, the domain-name records for Bali.com and Web.net were changed so someone named Billy Tandoko, a resident of Jakarta, Indonesia, was listed as site owner. The sites were also redirected to point at a non-working IP address owned by ReserveMe.com, a New York-based Web hosting provider.

The connection between the two Web heists was discovered by Toronto Star technology columnist K.K. Campbell, who will report on the incident in Thursday's editions. Campbell thinks the two sites were targeted because the domain names themselves could fetch a hefty price if they were sold.

Valuable properties

"These are valuable names," he said. "They both fit into that 'Grade A' name space. Each is worth at least $100,000."
By today, the contact information for both sites had been changed again. Bali.com is currently registered to Anton Widodo, allegedly of Madrid, and Web.net to Paul Vernon of Hong Kong. Widodo, Vernon and Tandoko did not reply to e-mails.

"In our case I don't understand the motive except doing us harm," said Peter Rieger, who operates Bali.com. His site is a tourist portal for Bali and gets about 20,000 unique users per month. "The damage is quite substantial. We are losing a lot of business because of this."

Rieger is also concerned that as time passes -- and registration information continues to be changed -- it will become harder to reverse the changes made by the computer vandals.

Ready Net access

The Internet's domain-name system -- a database that links U.S.-based Web site nicknames such as msnbc.com to their numerical IP addresses -- is maintained by the nonprofit Internet Corporation for Assigned Names and Numbers. But there are about 80 private companies that have access to the database, and most allow customers to update information about their domain over the Internet.

Usually, such updates involve simple adjustments like changing contact phone numbers. The criminals are apparently exploiting a quirk in the domain registration system that allows domain holders to change the numeric IP address a domain name points to.

In mid-April, Solid Oak Software in California briefly lost control of "WhoAmI.com." Later that month, a series of high-profile Internet sites were hijacked, rendering the home pages of Adidas and Manchester United temporarily unavailable. Also hit: LucasArts.com, Viagra.com, Slovenia.com, Croatia.com, Washington.com and Canada.com. Some of the sites were redirected to a political message that read "Kosovo is Serbia."

In all those cases, computer vandals used a technique called "spoofing" to trick Internet registrar Network Solutions Inc. into believing that they were the rightful owners of a Web domain name.
Then, with just an e-mail message, they were able to alter the domain information.

Under investigation

A spokesman for Network Solutions said Bali.com and Web.net were likely victims of the same trick, but he said the incident is still under investigation.

"It's happened in the past, but fortunately infrequently," said Brian O'Shaughnessy. "It happens to names of some merit rather than names of no merit."

He said Network Solutions handles up to 30,000 database changes every day. When a change request is made, the rightful owner of the Web address is notified via e-mail and asked to verify the change. Rieger said he wrote back immediately to Network Solutions and asked that the change not be made, but that didn't help.

"That's an incredible amount of volume, and in some cases the request is sent out to the rightful owner and his response may get caught up in that," O'Shaughnessy said.

The e-mail trail

The original e-mail request to change Bali.com's account information was sent by someone identifying himself as Billy Tandoko from "dnsmaster () jspnetwork com," according to e-mails supplied to MSNBC by Rieger. JSPNetwork.com is owned by a California company. The cellular phone number listed in the domain name database for the company was not operating when called by MSNBC.

Tandoko then switched to "gudangduit () yahoo com," a free e-mail address, when the final changes to Bali.com were made. That same address was listed as the contact for Web.net until Wednesday morning.

So far, there are no other known domain-name heists connected to Tandoko, and O'Shaughnessy said Network Solutions investigators are only aware of the two incidents.

But the domain-name system database indicates one other Billy Tandoko using another free e-mail account, billyas () hotmail com, to register a Web site -- but which site is not known. The domain-name database does not allow members of the public to find domain names by contact information. E-mails sent to that account were not returned.
*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".