RealTime IT News

Hijacking of Hate Site a Warning to Domain Holders

The recent hack of a notorious anti-gay website should spur Web site owners to take action to prevent similar domain name hijackings, Internet experts warned Friday.

Late Wednesday afternoon, ownership of godhatesfags.com, a site operated by the family of Pastor Fred Phelps, was surreptitiously transferred to Kris Haight, systems administrator for Sugar River Valley Online, an Internet service provider in western New Hampshire. Instead of being greeted by information about why Phelps believes homosexuality is a sin, visitors were redirected to Haight's gay-friendly rebuttal site, godlovesfags.com.

According to Haight, the transfer was effected by an unknown third party. On Tuesday night, the individual sent him an e-mail informing him to "pay close attention to the godhatesfags.com Internic information over the next few days." Less than 24 hours later, Haight received a notice from Network Solutions' automated registration system informing him that the godhatesfags.com site had been transferred to him. After deliberating for about an hour, Haight decided to modify the Internic records to redirect traffic from Phelps' domain to his site.

"The switch appeared to be perfectly legal, and once the ownership has been changed, I can do whatever I want to," Haight told InternetNews.com.

Network Solutions spokesperson Brian O'Shaughnessy said the company is still investigating the matter and couldn't comment on precisely how the transfer was accomplished.

Domains registered by NSI are protected from unauthorized updates by a free authentication scheme called the Guardian System. Under that system, domain registrants can choose from one of three levels of protection. By default, only the most basic scheme is used, which verifies whether requests for changes match the e-mail address that's on file for the domain's administrative or technical contact. The other options include password protection, and authentication using PGP.

O'Shaughnessy of NSI couldn't confirm which level of protection the godhatesfags site was using. But if it was the basic MAIL-FROM option, an authorized transfer would be simple to do, according to Russ Smith, operator of a site called Consumer.Net who said he has twice been the victim of forged transfer requests.

"All they have to do is change their email client to the address of the administrative contact of the domain and then send in a transfer request -- that satisfies NSI's requirements so they will make the change," Smith said. Undoing such a transfer is possible, he said, but could take several days.

Haight refused to disclose the identity of the person who sent him the heads-up message, except to say that it's not somebody he knows. He suspects the transfer may have been an inside job, pulled off by a disgruntled member of the Phelps clan who had access to the Hotmail email account of Ben Phelps, the site's webmaster, from which all the transfer forms appear to have been sent.

Despite the ease with which they can be done, such unauthorized transfers are quite rare, said Mark Jeftovic, vice president of technology for EasyDNS, a Toronto-based DNS hosting service.

"For most people this is never an issue, but if this starts a run on domain hijacking, it could become an issue. If you're concerned about someone taking your domain offline, you should at least put password protection on your domain," he said.

In July, some of Network Solutions corporate websites were redirected by unauthorized third parties. In that instance, traffic from NSI's sites was sent to that of ICANN, the net's new governance group, and to the Internet Council of Registrars. NSI has not revealed technical details on how those tranfers were accomplished; an FBI spokesperson Friday said its investigation is still ongoing.

The godhatesfags.com site has faced other hacking attempts in the past, including denial of service attacks. In June of this year, someone cross-posted a message to several Usenet newsgroups devoted to hacking. The message, apparently from someone calling himself Logan Ryan, challenged hackers to focus their efforts on hate sites such as Phelps', rather than government sites.

"This is the kind of page that I'd take down if I were a hacker," read the Usenet posting.