The night of the zombie clones
The heartharmony.com.au domain name sat idly in the domain name repository for a while, until one day a scammer spotted an opportunity and pounced.
What did they do? First, we need to take a quick detour into some legislation. Stay with me here – you need to know this stuff!
In Australia, there are quite strict laws about who can register domain names outlined in the 2012-04 – Domain Name Eligibility and Allocation Policy Rules for the Open 2LDs. If you haven’t read it, I recommend you do so. As part of my experience, I have now become incredibly intimate with each clause and sub-clause on the policy rules.
To register a .com.au domain name, registrants must be:
- a) an Australian registered company; or
- b) trading under a registered business name in any Australian State or Territory; or
- c) an Australian partnership or sole trader; or
- d) a foreign company licensed to trade in Australia; or
- e) an owner of an Australian Registered Trade Mark; or
- f) an applicant for an Australian Registered Trade Mark; or
- g) an association incorporated in any Australian State or Territory; or
- h) an Australian commercial statutory body.
And must be:
- a) an exact match, abbreviation or acronym of the registrant’s name or trademark; or
- b) otherwise closely and substantially connected to the registrant, in accordance with the categories of “close and substantial connection” set out in the Guidelines on the Interpretation of Policy Rules for the Open 2LDs.
In other words, there are a few hoops to jump through before you can register a .com.au domain name, so the scammers needed to get a few ducks in a row to make their play happen.
In late February 2019, they registered the heartharmony.com.au domain name using the ABN details linked to a personal superannuation fund of a couple that lives in St Ives in NSW. (Yes, I did a company search on ASIC to track down information about these people).
Now, it is possible that the St Ives people named in the registration were in on the scam, but it is also likely that the scammers had simply hacked into the email accounts of some poor people who knew nothing about what was going on.
The scammers then took out hosting with a shonky company in Belize known to be particularly tolerant of bad behaviour.
Now comes the “cue the dark night thunderstorm and scary organ music” part.
Using either the Wayback Machine or content from a hacked server, they copied my website from approximately 2015 and cloned my old site on their hosting.
Every page, every photo of me, every word on every page, my PayPal links to saleable products … all suddenly were resurrected from the dead and made to once again dance in an unsettling zombie apocalypse sort of way.
On the surface, the zombie site looked fine, but underneath it was a toxic tar pit of slime.
They added in a stack of male enhancement and non-prescription medication websites that lived as add-on domains and bed buddies to heartharmony.com.au. Heartharmony.com.au was sleeping with some seriously horrendous bedfellows.
Finding the zombie under the bed
I would like to say that I found out instantly about the spammers as soon as the site went live. The truth is it took me three full months before I spotted the zombie, and that only happened by chance.
A client from many years ago called, and we discussed possible work. During the discussion, he questioned if he should send me an email to [email protected] or use the contact form on my site.
I laughingly said that I haven’t had that site or email for years, gave him my new details and didn’t think too much about it until I suddenly sat bolt upright in bed at 2 am the next night after a nightmare.
I grabbed my iPad with a feeling of cold dread and typed heartharmony.com.au into my browser.
There was my zombie site, in all its flesh-dropping glory!
As soon as the dawn light peeped through my curtains, I started my research and leapt into action. I roped in some wonderful colleagues to help on my quest (huge thanks to Joe, Kay and Sheldon, who went above and beyond to help).
The tactical stuff:
- I started by screenshotting everything on the site and what was turned up in Google searches. (A cyber safety reminder – if you do find a cloned zombie site, don’t click on any payment links or fill in any form details!)
- I ran a search on auDA to see who had registered the domain name.
- I searched the ABN and then took out an ASIC search to get the full company details.
- I ran a search through EasyCounter WhoIs to get even more details of the domain name history.
- With the help of a colleague, we then ran some searches to find out who was hosting the website, its IP address, and the email address for complaints.
- We then searched the IP address to see what else was on that same server (which is how we found all the add-on domains).
- I blocked that IP address on all of my sites via Wordfence.
The action stuff:
I started by sending off a DMCA takedown notice to the hosting company, a breach of registration notice to the domain name registrar for heartharmony.com.au, as well as complaints to Google and Bing and requests to de-index the content.
I also sent a letter to the couple listed on the domain name registration papers via their solicitors listed in their ASIC records.
The hosting company and the couple listed on the domain name registration papers studiously ignored the emails while looking in the other direction.
The domain name registrar sent back a “Not our problem, mate” response. I replied, reminding them of the legislative requirements and the actions they were legally obliged to take. This was met by a bigger shrug and a duck pass.
Round 2 – Bringing in the Heavy Guns
I then lodged a complaint with auDA (Australia’s regulatory and administration body for domain names) as well as a complaint with ACORN (Australian Cybercrime Online Reporting Network).
Ten very long working days later, I received the news from auDA that they found in my favour and were de-registering heartharmony.com.au pending the expiry of an appeal period. Once the appeal clock had run down, the domain name would then be available for purchase on a first-come-first-served basis (which worked out to be a Sunday).
And the best bit? De-registering the domain name was as effective as hitting a zombie with a flame-thrower. The zombie site was dead!
auDA advised considering taking a domain backorder service from one of the reputable domain name companies to try and be the first cab off the rank when it came up for sale.
After my first attempt at taking a backorder service failed (GoDaddy doesn’t offer a backorder service for .com.au’s), I finally paid for a service from another theoretically reputable company.
You need to be aware that no domain name back-order service is guaranteed. All they can do is monitor for changes and try to be first to pounce.
Sunday duly came around, and the domain name was publicly dropped. And my paid-for service didn’t even wake up from their Sunday paper and smashed avo on toast. They didn’t even try to get the name. Great service!
Heartharmony.com.au was snapped up by an SEO company in Melbourne whose partial income strategy appears to be buying and selling domain names for a profit.
I was gutted! It was one of those ugly sobs in the kitchen over whisky sort of moments. And this was just after breakfast!
Round 4 – A Glimmer of Hope (With a Side of Rocket Launchers)
I sadly kept looking at the domain over a few hours in the same way you can’t help but stick your tongue in the gap where a fallen tooth had been. Then I saw that it suddenly was put up on an auction site and offered for sale.
I sent emails directly to the name listed on the domain name registration as well as placing an offer via the site.
I then went back and re-read the legislation as something was tickling in my brain.
Under the Domain Name Eligibility and Allocation Policy Rules for the Open 2LDs (2012-04), Schedule A, item 8 was this lovely clause:
Prohibition on registering domain names for sole purpose of resale
- A registrant may not register a domain name for the sole purpose of resale or transfer to another entity
To hedge my bets, I lodged yet another complaint with auDA about the registration of heartharmony.com.au breaching the regulations, as the domain name was obviously bought only to be sold.
The next morning, the SEO company that had bought the domain name contacted me, letting me know that auDA had been in touch with them. They offered to transfer the domain name back to me, and in return, I offered to drop the case.
This time the whisky was drunk in celebration. I now have heartharmony.com.au back under my control after many months of angst and heart-ache.
But the story is not quite finished yet.
Having your emails as part of your website hosting is the simplest way to get your email accounts with your domain name up and running. It all works well until scammers and hackers land.
If your website is hacked, the hackers get access to all your emails. ALL. OF. THEM. Think about that for a moment. Every phone bill. Every social media update. Every bank statement. Everything! They can use this to reset passwords and get access to a whole raft of options for identity theft.
In this particular case, the hackers also added my old email addresses into their hosting and voila – they instantly had access to any new emails that went to [email protected].
I didn’t know about this particular nasty problem with hackers until a few years ago and moved my emails off my hosting as soon as I found out.
Luckily, given my slow transition to heartcomms over a few years, I had changed every essential account of mine over to my new email accounts (not hosted through my website) and had deleted any links to my old email address from all my online cloud accounts, so it is probable that the most the scammers got were emails from other scammers and clothes promotions from Rockmans.
Right now I am monitoring the emails off that old domain to see what other damage may have been done (and if I missed anything).
However, other people may not be so lucky.
In some eye-opening research by Gabor Szathmari, a cyber-security expert in Australia, his company re-registered six domain names of law firms in Australia that had re-branded.
They then set up catch-all email accounts to monitor emails coming into the old domain names.
What they found was an Aladdin’s cave of confidential financial and personal information that could have ended up in the hands of scammers.
They were able to:
- access confidential documents of former clients;
- access confidential email correspondence;
- access personal information of former clients;
- hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
- hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff of the businesses.
Other cybersecurity researchers have suggested that scammers can reinstate web shops from old domain names and then take over any linked MailChimp or other email accounts by getting a password re-set, sending out an email blast to get users to make a purchase that would never be delivered.
In other words, if ever you have had email run through your website hosting, then you need to be triply cautious.
The first and only rule to follow is if you have ever traded or had a domain name that had content on it, congratulations! You need to keep it for life. This is especially true if you had your emails running through your account.
Never let your domain names lapse. You can let your hosting lapse if you no longer need the site, but don’t let your domain names lapse.
(Read what’s the difference between a domain name and hosting if you are not sure which is which.)
General domain name rules
- Use a quality domain name registrar.
- Know where your domain names are registered and how to access them at all times.
- Check that your domain names are registered to your details and not your web designer (Check out Domain Name Horror Stories for how to recover your domain name if your designer made a mistake).
- Register for 1-2 years and not longer. It’s easier to keep track of more frequent bills than bills once every 5-10 years.
- Keep your domain name contact details current at all times.
- Don’t use a person’s email for domain name contacts – use a generic company one, in case the person leaves (e.g. don’t use [email protected]; use [email protected]).
- Don’t use a free email address as your registration email (e.g. Yahoo) as some free services cancel email accounts that aren’t often used.
- Don’t use an internet provider email address as your registration email (e.g. Bigpond.com; optus.net.au) in case you change internet providers.
- Set up dual factor authentication with your domain name registrar if they offer it.
- Set up a domain lock with your registrar to stop your domains being transferred out without your knowledge.
- Plan for historical domain name transitions if your business is bought or sold.
- Set up a Google alert to monitor mentions of your company name (and all of its variations) in case the content is scraped and turned into a zombie. This isn’t foolproof (my alert didn’t pick up my zombie), but every bit helps.
- Move all emails off your hosting. Use G-Suite or Office365. This is not strictly to do with domain names, but has security implications.
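To make the registration rules above something you can actually run against your own portfolio, here is an added example (not part of the original post, and not any registrar’s tooling) that audits a list of domain registrations for the problems the list warns about: approaching expiry, personal, free-mail or ISP contact addresses, missing registrar lock or two-factor authentication, and domains registered to someone other than your own entity. The records, the `registrar_lock` and `two_factor` fields, and the domain names are all constructed for the example; the lists of free-mail and ISP domains are illustrative, not complete, and the “personal contact” test is a simple firstname.lastname heuristic.

```python
"""Audit domain registrations against basic domain-hygiene rules.

Added example. The records below are constructed stand-ins for a registrar
export; the field names are hypothetical, not a real registrar's API.
"""
import re
from datetime import date, timedelta

# Constructed sample records (hypothetical domains and contacts).
REGISTRATIONS = [
    {"domain": "example-business.com.au", "expires": "2019-09-01",
     "contact_email": "domains@example-business.com.au",
     "registrar_lock": True, "two_factor": True,
     "registrant": "Example Business Pty Ltd"},
    {"domain": "old-brand.com.au", "expires": "2019-06-20",
     "contact_email": "jane.smith@bigpond.com",
     "registrar_lock": False, "two_factor": False,
     "registrant": "Example Business Pty Ltd"},
    {"domain": "side-project.com.au", "expires": "2024-06-20",
     "contact_email": "owner@yahoo.com",
     "registrar_lock": True, "two_factor": True,
     "registrant": "Web Designer Pty Ltd"},
]

# Illustrative lists only; extend them for your own environment.
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
ISP_MAIL = {"bigpond.com", "optus.net.au"}
EXPIRY_WARNING = timedelta(days=60)
# Heuristic: a local part like "jane.smith" looks like a person, not a role.
PERSONAL_LOCAL_PART = re.compile(r"^[a-z]+[._-][a-z]+$")


def audit(record, today, our_entity):
    """Return a list of (code, message) findings for one registration."""
    findings = []
    expires = date.fromisoformat(record["expires"])
    if expires < today:
        findings.append(("EXPIRED", "domain has lapsed and anyone can pick it up"))
    elif expires - today <= EXPIRY_WARNING:
        days = (expires - today).days
        findings.append(("EXPIRING", f"expires in {days} days: renew now"))

    local, _, contact_domain = record["contact_email"].lower().partition("@")
    if contact_domain in FREE_MAIL:
        findings.append(("FREE_MAIL", "contact is a free mailbox that may be closed if idle"))
    elif contact_domain in ISP_MAIL:
        findings.append(("ISP_MAIL", "contact is an ISP mailbox lost on changing provider"))
    if PERSONAL_LOCAL_PART.match(local):
        findings.append(("PERSONAL_CONTACT", "contact is a named person, not a role mailbox"))

    if not record["registrar_lock"]:
        findings.append(("NO_LOCK", "registrar lock is off: unauthorised transfer possible"))
    if not record["two_factor"]:
        findings.append(("NO_2FA", "no two-factor authentication on the registrar account"))
    if record["registrant"] != our_entity:
        findings.append(("WRONG_REGISTRANT",
                         f"registered to {record['registrant']!r}, not {our_entity!r}"))
    return findings


def audit_all(records, today, our_entity):
    """Map each domain to the set of finding codes raised against it."""
    return {r["domain"]: {code for code, _ in audit(r, today, our_entity)}
            for r in records}


if __name__ == "__main__":
    # Constructed audit date so the sample output is stable.
    for domain, codes in audit_all(REGISTRATIONS, date(2019, 6, 1),
                                   "Example Business Pty Ltd").items():
        print(domain, sorted(codes) or "OK")
```

Run it on a dated export before each renewal cycle; a domain with any finding other than an empty set is one that can lapse, be transferred, or lose its renewal reminders without you noticing, which is exactly how the zombie got in.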
If you are like me and missed that particular memo, there are some steps to take to protect your cyber-security and not let the zombies into your home:
- See if you can re-register your historical domain name/s.
- As soon as you can, transfer your registration to a quality domain name registrar rather than leaving it to remain on an auction site domain name registrar. (There is some research suggesting that your domain name registrar can impact on recovery if the domain name is toxic).
- Check any cloud-based services such as Dropbox, Google, Xero, Facebook, LinkedIn etc. that may have been linked to your old email address and either close the account or ensure the old emails have been unlinked.
- Make sure all your bank and PayPal details are unlinked from your previous email accounts.
- Enable dual factor authentication on all services that offer it.
- Use unique and complex passwords on every site, and get in the habit of changing your passwords on all sites at least once a year.
If you get your old domain name back
- Check the domain name history to see who else had the registration after you. If there were others, then assume the domain name is now toxic (unless you have a high-priced SEO person who can do a lot of digging and tell you otherwise).
- Check the Wayback Machine to see if you can track the changes to your site over time to check for toxic changes.
- Add a catch-all email account (and strong email spam filtering) so you can monitor emails still coming through to your old domain. Unsubscribe and notify anyone genuine who is using the old addresses. To reduce the risks, don’t forward this catch-all email to your new email address – check the emails on the hosting server.
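Working through a catch-all mailbox by hand is tedious, and the point of the exercise is to find the accounts still tied to the old addresses before anyone else does. The following added example (my own, not from the original post) triages a batch of raw messages from such a mailbox: it records which old addresses still receive mail and from whom, tags anything that looks like a password-reset or sign-in notification as an account that still needs unlinking, and separates out list mail you can simply unsubscribe from. The domain `heartharmony.example` and the four messages are constructed stand-ins, and the subject-line keywords are a starting heuristic to extend with what your own mailbox shows.

```python
"""Triage a catch-all mailbox for an old domain.

Added example; the messages and the old domain are constructed.
Uses only the standard library so it runs offline on saved .eml text.
"""
import email
import re
from collections import defaultdict
from email.utils import getaddresses, parseaddr

OLD_DOMAIN = "heartharmony.example"  # hypothetical stand-in for the old domain

# Constructed raw messages as a catch-all mailbox might hold them.
RAW_MESSAGES = [
    "From: Cloud Storage <no-reply@cloudstorage.example>\n"
    "To: sue@heartharmony.example\n"
    "Subject: Reset your password\n\n"
    "Click the link to reset your password.\n",

    "From: newsletter@fashionstore.example\n"
    "To: sue@heartharmony.example\n"
    "List-Unsubscribe: <mailto:leave@fashionstore.example>\n"
    "Subject: Winter sale\n\n"
    "Everything 30% off.\n",

    "From: Old Client <old.client@lawfirm.example>\n"
    "To: info@heartharmony.example\n"
    "Subject: Re: proposal\n\n"
    "Are you still taking on work?\n",

    "From: prize@random.example\n"
    "To: someone@other.example\n"
    "Cc: sue@heartharmony.example\n"
    "Subject: You won\n\n"
    "Claim now.\n",
]

# Subjects that suggest a live account is still linked to the old address.
ACCOUNT_SUBJECT = re.compile(r"reset|verify|security code|sign.?in|login", re.I)


def classify(msg):
    """Label one parsed message as ACCOUNT, MARKETING or REVIEW."""
    subject = msg.get("Subject", "")
    if ACCOUNT_SUBJECT.search(subject):
        return "ACCOUNT"
    if msg.get("List-Unsubscribe") or "unsubscribe" in subject.lower():
        return "MARKETING"
    return "REVIEW"


def triage(raw_messages, old_domain):
    """Map each old-domain address to a list of (sender_domain, label)."""
    report = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rsplit("@", 1)[-1]
        label = classify(msg)
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, addr in recipients:
            addr = addr.lower()
            if addr.endswith("@" + old_domain):
                report[addr].append((sender_domain, label))
    return dict(report)


def accounts_to_unlink(report):
    """Sorted (old_address, service_domain) pairs still sending account mail."""
    return sorted({(addr, sender) for addr, hits in report.items()
                   for sender, label in hits if label == "ACCOUNT"})


if __name__ == "__main__":
    report = triage(RAW_MESSAGES, OLD_DOMAIN)
    for addr, hits in report.items():
        print(addr, hits)
    print("unlink first:", accounts_to_unlink(report))
```

Feed it the raw text of the messages exported from the hosting server rather than forwarding them, as the list above advises, and work the `ACCOUNT` entries first: each one is a service that would still hand a password reset to whoever next controls the domain.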
If you are 100% sure that the domain name is NOT toxic, then forward the domain to your new website so anyone who types it into their browser will be taken to the new website.
If your old domain name IS toxic:
- Don’t reinstate your old domain on the same hosting as your current accounts. Keep it on different hosting to minimise any potential negative SEO or blacklisting impacting on your new sites.
- Put up a single landing page saying “Under Development”. After a month, replace the Under Development page with a “We have moved” notice, with a noindex, nofollow link to your new website on it. (There is some research suggesting that waiting before linking out to your new site reduces the impact of any toxicity).
The bottom line is never to let old domain names that you traded under lapse. The time has gone when you could trust that your domain name would be picked up by someone decent. Assume the only people who want your old domain will be a scammer or hacker and defend yourself accordingly.
Make a new rule for your business: Business domain names are forever.
Treat your domain name with the same care and reverence as you would the deeds to your home or you may suddenly find your website cloned into a zombie and your identity taken over by a scammer.
Credits to: heartcomms.com.au