Domain Hijacking Raises Security Issue

In spite of a recent May 5th U.S. district court decision which declared that domain names are
not property, and hence, can’t be “stolen,” domain thieves last weekend
successfully hijacked two web site/domains from their rightful owners.

theft highlights the security issues surrounding domain names, particularly
the authorization schemes that are in place to protect domain owners.

What happened is this: An individual contacted Network Solutions Inc. May 29 and told NetSol to change the contact name and the DNS/IP
address (this is the “address” to which the domains are directed) of and Web Networks contends that Network
Solutions made the changes without receiving their authorization, either
electronically or by phone, and consequently pushed the changes through.
Network Solutions counters that claim by stating that Web Networks’ domain,, had the lowest level of security known as “MAIL-FROM.”

The MAIL-FROM authentification allows changes to be made if the
changes are requested through an email from one of the contacts for the
domain, listed in the whois record. Network Solutions FAQ has
the following information about the MAIL-FROM level of authentification:

Guardian was created to help protect your domain name registration,
contact record and host record from unauthorized changes. If we
receive a Service Agreement, Contact Form or Host Form from a source
other than the administrative or the technical contact/agent, we will
seek confirmation of the change from both of these contacts.

We will notify the administrative and technical contacts that a request
to make a change has been received. It is then the responsibility of one
of these contacts to acknowledge that the request is valid by replying
“ACK” or “YES” to the notification.

If we do not receive any acknowledgement, or if we are notified that the
request is not valid, we will not make the change. The administrative or
technical contact should reply “NAK” or “NO” to the notification if he
does not want the change to be processed.

Web Networks contends that the e-mail requesting the changes to their domain
did not originate from them, and that they did not provide the required
authorization to make the changes.

Network Solutions told
that the e-mail requesting the changes was “spoofed” by the thief, making it
appear to have originated from Web Networks, and that they were acting in
good faith.

On Tuesday evening, a representative from Network Solutions
confirmed to Web Networks that all of the changes to the DNS names would be
changed back to the settings, but as of Wednesday the 31st, the
domain had not been restored.

NSI Vice President of Corporate Communications Chris Clough Friday confirmed the company made the domain transfer and later learned it was fraudulent. Clough indicated that they had contacted
TUCOWS, the original registrar for the
domain, about the request Tuesday, and after realizing the fraudulent
nature of the change request, have continued to work with TUCOWS to find
the “best method of handling the return to Web Networks.”

Web Networks also spoke with Network Solutions staff, who suggested that
the thief had changed the domain record to name himself as technical
contact, making it “impossible” for Web Networks to correct these changes,
even with the required legal documentation. Network Solutions suggested
that the procedure could take some time, and that they would speak to their
Investigations Unit immediately to resolve the issue.

Network Solutions told

m that they consider this a serious offense,
agreeing that “the unauthorized transfer of a domain name and the apparent
fraud committed is a criminal act. Network Solutions is in the process of
notifying all the appropriate authorities so that they can conduct a
thorough investigation.”

The situation is currently at an impasse. The whois
still shows the site with the alleged thief, going by the name of Billy
Tandoko, registered as administrative contact, technical contact, zone
contact and billing contact for the domain. Network Solutions is still
waiting to hear back from TUCOWS about what they intend to do to correct
the fraudulent domain name transfer. TUCOWS did not respond to calls from
InternetNews for additional details.

Network Solutions’ spokesman Brian O’Shaughnessy stated, “It happens to
names of some merit rather than names of no merit,” indicating that Network
Solutions handles up to 30,000 database changes every day. “That’s an
incredible amount of volume, and in some cases the request is sent out to
the rightful owner and his response may get caught up in that,”
O’Shaughnessy said in an interview with ZDNet in an article
earlier this week. Domain owners should keep this all in mind when
they set up the authentification for their domains in the future.

Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

News Around the Web