Information Security News mailing list archives

Web sites 'stolen' by cyberthugs


From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 14:10:40 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2580039,00.html?chkpt=zdhpnews01

By Bob Sullivan, MSNBC
May 31, 2000 5:24 PM PT

Two small Internet companies on opposite sides of the globe with
valuable domain names had their Web sites "stolen" over the weekend.

Computer criminals plucked "Web.net" and "Bali.com" right out of the
database where Internet addresses are reserved. Five days later, the
Web sites are still broken and the domain names are registered to
someone else. Both firms were likely victims of the third publicized
attack in the past six weeks on one of the Internet's core
technologies.

It's a complicated story but a simple problem: Computer criminals have
figured out how to trick the Internet domain-name system so they can
take control of some valuable Web addresses. In the case of this
weekend's apparent heist, that means Web.net and Bali.com currently
don't work.

"We're a small, not-for-profit organization, I don't know why someone
would do this to us," said Tonya Hancherow of Web Networks Inc., the
rightful owner of Web.net. The small Canadian Internet service
provider has 3,500 customers and supports 700 Web sites. "Our
customers are all nonprofits and charities. I don't know what to do
for all my customers," Hancherow said.

On Friday, the domain-name records for Bali.com and Web.net were
changed so someone named Billy Tandoko, a resident of Jakarta,
Indonesia, was listed as site owner. The sites were also redirected to
point at a non-working IP address owned by ReserveMe.com, a New
York-based Web hosting provider.

The connection between the two Web heists was discovered by Toronto
Star technology columnist K.K. Campbell, who will report on the
incident in Thursday's editions. Campbell thinks the two sites were
targeted because the domain names themselves could fetch a hefty price
if they were sold.

Valuable properties

"These are valuable names," he said. "They both fit into that 'Grade A'
name space. Each is worth at least $100,000."

By today, the contact information for both sites had been changed
again. Bali.com is currently registered to Anton Widodo, allegedly of
Madrid, and Web.net to Paul Vernon of Hong Kong. Widodo, Vernon and
Tandoko did not reply to e-mails.

"In our case I don't understand the motive except doing us harm," said
Peter Rieger, who operates Bali.com. His site is a tourist portal for
Bali and gets about 20,000 unique users per month. "The damage is
quite substantial. We are losing a lot of business because of this."

Rieger is also concerned that as time passes -- and registration
information continues to be changed -- it will become harder to
reverse the changes made by the computer vandals.

Ready Net access

The Internet's domain-name system -- a database that links U.S.-based
Web site nicknames such as msnbc.com to their numerical IP addresses --
is maintained by the nonprofit Internet Corporation for Assigned Names
and Numbers. But there are about 80 private companies that have access
to the database, and most allow customers to update information about
their domain over the Internet. Usually, such updates involve simple
adjustments like changing contact phone numbers.

The criminals are apparently exploiting a quirk in the domain
registration system that allows domain holders to change the numeric
IP address a domain name points to.

In mid-April, Solid Oak Software in California briefly lost control of
"WhoAmI.com." Later that month, a series of high-profile Internet
sites were hijacked, rendering the home pages of Adidas and Manchester
United temporarily unavailable. Also hit: LucasArts.com, Viagra.com,
Slovenia.com, Croatia.com, Washington.com and Canada.com. Some of the
sites were redirected to a political message that read "Kosovo is
Serbia."

In all those cases, computer vandals used a technique called
"spoofing" to trick Internet registrar Network Solutions Inc. into
believing that they were the rightful owners of a Web domain name.
Then, with just an e-mail message, they were able to alter the domain
information.

Under investigation

A spokesman for Network Solutions said Bali.com and Web.net were likely
victims of the same trick, but he said the incident is still under
investigation.

"It's happened in the past, but fortunately infrequently," said Brian
O'Shaughnessy. "It happens to names of some merit rather than names of
no merit." He said Network Solutions handles up to 30,000 database
changes every day.

When a change request is made, the rightful owner of the Web address
is notified via e-mail and asked to verify the change. Rieger said he
wrote back immediately to Network Solutions and asked that the change
not be made, but that didn't help.

"That's an incredible amount of volume, and in some cases the request
is sent out to the rightful owner and his response may get caught up
in that," O'Shaughnessy said.

The e-mail trail

The original e-mail request to change Bali.com's account information
was sent by someone identifying himself as Billy Tandoko from
"dnsmaster () jspnetwork com," according to e-mails supplied to MSNBC by
Rieger. JSPNetwork.com is owned by a California company. The cellular
phone number listed in the domain name database for the company was not
operating when called by MSNBC.

Tandoko then switched to "gudangduit () yahoo com," a free e-mail
address, when the final changes to Bali.com were made. That same
address was listed as the contact for Web.net until Wednesday morning.

So far, there are no other known domain-name heists connected to
Tandoko, and O'Shaughnessy said Network Solutions investigators are
only aware of the two incidents. But the domain-name system database
indicates one other Billy Tandoko using another free e-mail account,
billyas () hotmail com, to register a Web site -- but which site is not
known. The domain-name database does not allow members of the public
to find domain names by contact information. E-mails sent to that
account were not returned.
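A defender's counterpart to the changes the article describes (registrant contact and pointed-to IP address altered, with the owner's e-mail objection arriving too late to matter): an added Python example, not part of the article or of any registrar's software, that diffs a stored baseline of a domain's records against a fresh lookup so the owner notices a change without relying on the registrar's notice. The lookup step, the record values and the free-mail provider list are assumptions and constructed sample data.

```python
from dataclasses import dataclass

# Constructed list: the contact addresses in the article were at free
# webmail providers, so a registrant moving to one is a stronger signal
# than a move between two addresses at the owner's own domain.
FREE_MAIL_DOMAINS = frozenset({"yahoo.com", "hotmail.com"})


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant: str            # registrant contact e-mail from WHOIS
    a_records: frozenset       # IPv4 addresses the name resolves to
    name_servers: frozenset    # authoritative name server hostnames


def mail_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def diff_records(old: DomainRecord, new: DomainRecord) -> list[str]:
    """Compare a stored baseline with a fresh lookup; [] means no change."""
    alerts = []
    if old.registrant != new.registrant:
        level = "HIGH" if mail_domain(new.registrant) in FREE_MAIL_DOMAINS else "MEDIUM"
        alerts.append(f"{level}: registrant {old.registrant} -> {new.registrant}")
    if old.a_records != new.a_records:
        alerts.append(f"HIGH: A records {sorted(old.a_records)} -> {sorted(new.a_records)}")
    if old.name_servers != new.name_servers:
        alerts.append(f"HIGH: name servers {sorted(old.name_servers)} -> {sorted(new.name_servers)}")
    return alerts


# Constructed sample snapshots (hypothetical domain, RFC 5737 documentation
# addresses): the baseline the owner saved, and what a later lookup returns
# after the record has been changed to a different contact and host.
BASELINE = DomainRecord("example-isp.net", "hostmaster@example-isp.net",
                        frozenset({"192.0.2.10"}),
                        frozenset({"ns1.example-isp.net", "ns2.example-isp.net"}))
HIJACKED = DomainRecord("example-isp.net", "someone@yahoo.com",
                        frozenset({"198.51.100.7"}), BASELINE.name_servers)

if __name__ == "__main__":
    # In practice the fresh record comes from scheduled WHOIS/DNS lookups.
    for line in diff_records(BASELINE, HIJACKED):
        print(line)
```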


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com