CSS-Tricks and others affected by extortion scam
As outlined by Chris Coyier in a post on CSS-Tricks, a number of sites in the web design community have had their accounts hacked and domains stolen. The perpetrator has attempted to extort thousands of dollars from the domain owners, demanding money for the return of the domains. The registrars and hosts involved are varied and have also differed in their responses, ranging from quick and helpful acts of cooperation to miring owners in bureaucratic wrangling. In the case of kirupa.com, Coyier remarks that "NetworkSolutions currently doesn't believe Kirupa Chinnathambi that he was the original owner of the domain, which is batshit crazy."
We spoke to three of the site owners affected by the scam to see what was going on. Designer and entrepreneur David Appleyard told us while it was hard to be certain that design blogs were specifically targeted, "based on the fact that the hacker was ultimately trying to extort people, I expect he was going after domains and sites that were large enough to have a decent income".
As for how the domains were stolen, developer David Walsh said that "the possibility of a specific domain registrar being hacked was dispelled by the wide range of registrars affected", and he thought it was his email that was compromised: "Email filters were created to hide the transfer request and account change emails from me, and the domain was moved right from under my nose." Appleyard and Daniel Adams, Chief Editor of InstantShift both suggested password issues were to blame. Appleyard admitted to using the same password for his domain host and elsewhere, although said, "it was complex enough that guesswork alone was unlikely". Similarly, Adams was, at the time, using the same password across his domain host and Gmail account.Domain rescue
In order to guard against this happening to you, those involved suggested ramping up the complexity of passwords, not using the same one for any two services, and utilising two-factor authentication where possible. Appleyard added that this kind of situation is easier to resolve when caught early, and suggested "regularly checking the WHOIS entry for your domain, or using a monitoring tool to receive an immediate report if anything changes".
Should your domain be stolen, contact the registrar you use as soon as possible, since only they can initiate a reversal request. Adams adds that keeping in sync with multiple communication services might assist regarding proof of identification. Walsh said that if your registrar is slow to reach, it's also "important to contact them quickly and often to increase their urgency – email daily, tweet many times a day, write on their Facebook wall. Make it perfectly clear that you aren't going anywhere until they return your domain."
At the time of writing, the fortunes of those hit by the scam were mixed. Appleyard considered himself fortunate, because the fraudster didn't change his site's name servers: "This meant our site remained online for all but a brief period, and we haven't suffered from any extensive downtime." But Adams told us "the last five days have been stressful, especially when the hijacker removed our name-servers". He added that downtime and bad web performance costs money, is taken into account by search engines, and can even be interpreted by people as a sign of incompetency. "Also, there's no mail support related to domain, so we're cut-off from our readers."
Walsh's situation is somewhere in-between, with registrars responding well, but with little urgency. "My blog was only down for a day, so my sponsors haven't missed too much," he told us. "But from a personal standpoint, this incident took a large toll on me. My blog has helped me get jobs, travel to Europe to speak at events, and meet lots of great developers. The thought of losing the domain I've worked so hard to promote is terrifying. I've spent dozens and dozens of hours contacting the various parties involved to get the domain back, still without result. It's shocking my accounts could be so easily compromised – it's been a scary, scary wake-up call."