Our website xlinesoft.com was down from May 24, 2019 to May 30, 2019.
First, I noticed that I cannot logon to our online helpdesk. Then the website itself started showing ads that we never had. We assumed that our server was hacked but it turned out it simply points to a different IP address now. Hacker downloaded a static copy of our website, added some ads and tried to make some money via AdSense.
I tried to logon to GoDaddy account and check DNS settings. The login didn’t work and the password reset email never arrived. Our account at GoDaddy was hacked and attackers сhanged domain name ownership data. I was relieved though, dealing with GoDaddy should be easier than negotiating with a hacker, right?
GoDaddy saga
Over these six days, I spent a dozen of hours on the phone with GoDaddy. Unfortunately, the only way to contact their fraud department is via the form on the website and they will take up to 72 hours to get back to you. So every time I submitted supporting documents I would call a regular support line and I ask them to contact someone from the fraud department and check the status of our case.
I have got exactly two one-liner replies from the fraud department over these six days and they were nothing but a joke.
This is what we got back on Day 2:
We see you recently submitted a Change Update request. We’re sorry, but this department can only make this change after verifying the consent of the registrant or account holder – and unfortunately, the consent was not provided in this case. You are not the account holder or registrant as currently recorded and no business documentation was submitted for consideration.
So they basically telling us that they contacted the hacker and the hacker didn’t agree to return our domains. What a surprise! It worth saying that all documents were provided like a scan of drivers license, company registration and Xlinesoft.com DBA (doing business as) registration.
After hours on the phone with customer support and resubmitting all the same documents we got a second reply on Day 5:
Thank you for your email. Unfortunately, we are unable to give out account information, without proper validation.
How did we get it back
At some point, we realized that GoDaddy won’t help us in any way. We were working with the lawyer to send a formal complaint to GoDaddy, to ICANN and, possibly, to law enforcement. On day five something unexpected – the hacker contacted us.
“I have your domains,” he said, “I can give it back to you for 1000 dollars”. I knew right away that he was the one, it came from the email address specified in WHOIS database as a new owner. After a few emails back and forth we decided to give it a try. And of course, he wanted money to be sent to his Bitcoin address. Luckily we had a friend who had some Bitcoins ready and this was the first time I used crypto for something useful.
The conversation with the hacker was somewhat amusing:
Please send money First otherwise i sold this domain to darkweb. there are many hackers on darkweb he can buy this domain in good rate. and Godaddy cant do anything. i am a ethical hacker and i am a muslim. i promise you when you send me a money within 1 minutes i trasfer your domain into your account . Trust Me ! .
We sent the first half and got the first domain back plus access to our account. After sending the rest we got the second domain back as well. The hacker knew what he was doing. Right after getting access to our account he transferred domains to another account at GoDaddy. Even if GoDaddy did their job and restored access to our account it would have been empty and another investigation should have been started to track those domains down.
Anyway, he did what he promised and transferred domains back to our account. Sadly enough, dealing with the hacker was more pleasant than dealing with GoDaddy. Maybe because he was an ethical hacker.
And just to give you an idea of how common this kind of crime is – we have checked all incoming transactions to his Bitcoin address. He earned about USD $50,000 since the beginning of the year. Not bad for someone living in the rural Pakistan.
Lessons learned
So it was nothing but my own stupidity that led to this snafu. It is easy to forget basic security rules when you only use some website maybe once a year. Still, it is a terrible excuse. Don’t let this happen to you.
Just a quick reminder of what needs to be done.
– Use two-factor authentication everywhere where you have anything of importance.
– Do not reuse passwords. Our account was broken in because the same password was used on some other website that had their passwords stolen.
– Do not log in using an email address from the same domain. If something happens to your domain you won’t be able to access your email and won’t be able to restore your password.
– Do not use GoDaddy. If things go south you are basically on your own.
I hate it that this happened to you. You were probably lucky the hacker only asked for $1,000 and followed through on his promise once funds were transferred. That often does not happen. And I second your opinion about GoDaddy. I recently moved most of my projects away from them for basically the same reason — terrible support.
If you have the trademark for your domain name, you can seize the domain name from them via ICANN, but you have to pay an arbitration fee of about $1,000 (last time I checked).
Considering the amount of money that was stolen, I am sure he knows that if he asks for too much money, a company will just use their trademark rights to seize the domain from the hacker, and the hacker gets nothing.