Thieves are trying to steal our domain names using Afternic and GoDaddy

Thieves are trying to steal our domain names while Afternic and GoDaddy are asleep at the wheel.

In the past few hours I have received requests from my registrar to approve Fast-Transfer on Afternic for several of my domain names.

Apparently my domains are added on Afternic by crooks that are trying to steal them. I will not talk about how easy this can be done as people in the industry already know about this.

It is quite easy to click on some of these approvals if you are dealing daily with Afternic.

And even worse. It is quite easy to batch approve Fast-Transfer for several domains at your registrar while some of these domains are listed by you and others by a thief.

The problem is that Afternic does not require a verification when you try to add domains in your account. They only ask for verification if the domains are already listed at some other account!

And the registrars only ask domain owners for Fast-Transfer verification, NOT for adding the domains on Afternic.

My domains requested today are all 4-letter domains. I checked and these domains are not on Afternic yet… (or the domains were deleted before I checked)

(BTW I am not alone here. This has been done in the past but never at this scale. More and more complaints for similar emails are appearing on Twitter.)

But…

I got the first batch of verification emails on January 12th for a few of my 1-word .com domains.

(Apparently these are the same domains on several emails from scammers trying to buy them for cheap. Is it a coincidence?)

So I went to my Afternic account and tried to add these 1-word domains and guess what?

The domains are listed at a thief’s account and Afternic is ASKING ME to verify my own domains!

Seriously? 11+ days and you people at Afternic and GoDaddy still have no idea what is going on?

What kind of business are you running there? I am sure that you have no automated system… But really? No one cares to check accounts for suspicious activities?

So here it is:

Afternic and GoDaddy, I give you 24 hours to find the account(s), ban them and delete all my domains in there. I gave you one of my domains and that should be more than enough to help you.

I will try and add my domains in my account tomorrow. If I can’t, I will explore my options with an attorney.

Sold.Domains

About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

12 comments

  1. I’ve been getting the same with many names at dynadot, seems to be names listed at Dan without a BIN, I believe the ones with an BIN automatically go into afternic. So I guess for unpriced names I would have to list directly with afternic, perhaps it’s Godaddy doing this to list with BIN price.

    This shit is so easy for them to fix, they obviously don’t want to.

  2. I just can’t get my head around why they fail to fix this. Simply requiring sellers to verify domains via DNS/text record should be pretty straightforward to implement, and not at all daunting for registrants. It just makes no sense that they leave this gapping loophole in their systems.

    That said, I’ve always assumed that Afternic is running a monolith codebase which simply can’t hold up to change.

  3. Think you for bringing this issue up.

    It happen to me like a year ago .

    Someone listed my one word domain at afternic for $25k and I got an invitation to transfer the domain to “ premium promotion listings program ”.

    Guess what I have closed my afternic account long time ago !!I could not even login again to change or cancel this listing.

    If I had clicked on that link , domain may get sold immediately since i everything is set up .

    Sorry my one word domain is worth a lot more !

  4. Godaddy and Afternic in a box of continually unpleasant surprises.
    Very little control and no verification in Afternic

  5. Again, today I got many invitations from afrernic and Godaddy to transfer my domains.

    Can someone tell me how to stop this? We should all report these emails as spam!

    • Konstantinos Zournas

      The emails are coming from our registrars! Reporting these as spam means you will not know if this happens again, domains are going to leave your account and you will never find out, you will miss renewals, etc.

    • We can all suffer from TMI, even with a dedicated email for domain management I get thousands of emails.

      So what I do is use rules that look at the sender and the subject then put them in specific folders, if I have domains “in play” I create folders beginning with # or $ so they appear at top and I put rules higher up the process to move them into those folders.

      If I get approvals requests they are already in a folder where I process and move emails daily, I then compare any new requests with what is in play and if not it sets alarm bells ringing.

      You can’t mark these emails from Afternic and GoDaddy as spam but you can have a rule put them in a #URGENT-SCAM folder also you can report Afternic/GoDaddy to ICANN and Gov as not fit and proper organisations because they lack the processes to prevent Fraud.

      Now they will argue that sending you the email is their verification but there should be additional layers, a means to recover domains approved in error and perhaps a requirement to change whois privacy.

      Some Registrars also use two factor authentication via independent companies like Authy which is part of Twillio (better than Google because Gmail may be compromised). It is like Hosting, you never want to use the same company as you register the domains with.

      https://authy.com/download/

      AUTHY not only adds two factor to Logging into your Domain Registrar account but also to actions like second level locks on domains.

      You need to get into your brain that anything that asks for authentication needs very careful handling and it should take more than clicking a button.

      However, the real issue here is GoDaddy/AFTERNIC not verifying the seller, first against WHOIS, but also basic ID Check and if they are from China, India, Russia, Iran or similar countries then they should need a solid source to vouch for them. It might be a US/EURO/UK bank or some other entity. I know for example that some FX trading companies do this no matter how big the client or the trade, you first have to prove yourself.

      India is hackcentral as their local Police are easily bribed while their central Government turn a blind eye, I think we should impose a scammer tax on all invoices to and from India, the money to be put into a fund to reimburse people who have been scammed by Indian scammers.

      It is easy to fool sites to thinking you are from China with VPN’s and proxies, China and Chinese hack themselves so they leave servers insecure so they can hide in plain sight and have plausible denial “oh it is students at university” blah blah blah.

      Before a domain owner gets asked to approve a listing should the assumption be that the person listing it fake and they have to first confirm ownership. I have done this in domain negotiations by changing tech contact name in whois without any risk to the domain. It just shows I have control of the domain.

  6. Why is anyone surprised by total and utter incompetence with anything related to StopDaddy?

    I mean seriously, they had had utter contempt for customers since day 1, it is their core principle to make fools of people.

    Thanks for the heads up on domain stealing, it seems that one needs to make sure that numerous methods and factors of authentication are used.

    If GoDaddy were to acquire any company I use I would immediately leave, it is that simple, changing the culture of a company is near impossible when the original owner is still a shareholder or on the board.

    I don’t understand why people stick with them, every part of the company that I have deal with from Auctions, Domain Management, Email, Hosting and Tech, all of it has either been egregiously incompetent or of questionable ethics.

    Even when I used Auctions I would transfer the domain out at the earliest opportunity and God knows they made that hard enough with their games blaming ICANN for shit that was clearly designed into their system at the time.

    No, for me, if you use anything GoDaddy and get screwed, then you had it coming.

    Elephants never forget and nor should we!

  7. Just found one of my ‘not for sale” 3 letters .com listed on Afternic

    Phone Customer support down…

    Godaddy from bad to worse

    Constantino, Thank so much for the heads up… (you should post at NP)

  8. Listing integrity is something we take seriously. We have an automated review system that flags domain names before they are listed for sale. We continue to refine our system. In the example you gave, teleferique.com, this was flagged on Jan. 11 and never listed. It was then added to a block list that requires a new lister to verify the ownership before it can be added.

    You can verify this by searching at Afternic.com to see that it is not available for sale. Despite being caught by our systems, the opt-in emails are being triggered simultaneously to registrants in this scenario, something that we’re working with our team to re-configure to not send until after it has cleared an active status.

  9. The worst part is that if a customer accepts the fast transfer by mistake then he wont get an intimation emailfrom the registrar as well in case the domain happens to be removed from this accont. I asked Dynadot support to send me a list of all my domains which were Sold/transferred cause of Afternic Fast Transfer and they replied to me that they cannot send me this list as there is no such way to send the list. I mean atleast the authentic buyer can inform Afternic immediately in case he receives an email of the domain getting sold under some past owners/conmans account. This is big RED FLAG indeed.

  10. thanks for raising this issue. indeed a serious threat and here’s hoping they close this loophole soon.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.