This is an ongoing situation at Flippa.com and as such, the domains won’t be revealed at this time.
In a nutshell: an unscrupulous domain thief sold stolen domains on Flippa.com and used the rules of the game to his benefit.
How did it happen?
In the course of two weeks, the Flippa.com seller managed to unload two stolen domain names, both short; a three letter .com and a number/letter .net
The Flippa.com system allows its users to build their trust: one gets points for adding a “trustworthy” phone number, adding Facebook and LinkedIn profiles and by transacting successfully on the Flippa.com domain platform.
So far so good.
Our guy, however, simply added a blank LinkedIn account with no connections and a Facebook account that was locked to the public. Adding a phone number that bears the “trustworthy” status is simple: many countries such as India don’t discriminate between disposable and subscribed cell phone numbers.
In a short period of time, by adding up these two sales of the stolen domains, the thief managed to rank a nice +10 trust score; this gave him the opportunity to scale up the sale of another stolen domain: a two letter .net
Acting upon the tip of an ethical domainer who noticed the auction, we researched that two letter .net domain and reported the active auction to Flippa. Meanwhile, we located the legitimate owner and communicated with him via email and on the phone.
The domain was hijacked from the legitimate owner’s account and was on its way to another registrar while the thief put it up on a Flippa.com auction. Flippa.com froze the auction for three days, all while expecting the Admin contact of the stolen domain to get back to them.
Naturally, having control of a stolen domain means just that: faking authorizations. The thief “confirmed” that the domain was legitimately for sale and Flippa unfroze the auction, which ended with a bidder “winning” the domain for thousands of dollars!
We contacted Flippa, urging them to instruct the buyer not to pay for the domain. Initially, Flippa.com support explained there was nothing to be done as the domain was confirmed as “legit” – by its very thief!
Upon letting Flippa.com know that the real owner was already aware of this and is currently in the process of reclaiming the domain, their support team escalated the ticket and responded by taking these actions:
- The seller had his reputation diminished to a negative number
- The buyer was instructed not to submit payment
- Flippa confirmed the real owner got in touch with proof of ownership
On top of that, we received the following statement from Flippa.com support:
Flippa will be implementing new features to verify ownership of domain names being sold on Flippa shortly.
It seems that the current domain name ownership verification process is lacking, particularly with the ability of unscrupulous sellers to create vacant profiles on Facebook or LinkedIn, thus further authorizing the sale.
Hopefully, the domain will be returned, the thief will be banned and perhaps even located; there are two more stolen domains that are now in the hands of unsuspected buyers. Flippa.com deserves recommendation for listening to our continuous requests to stop the auction and suspend the seller’s account.
Good Job. It’s about time.
Good job, guys!
Gnanes – Kudos to that ethical domainer 😉
Tia – It’s far from over with regards to the return of the domains, but at least Flippa will tighten the process quite a bit.
Another flaw is your friends can hijack the bids.
You can open as many accounts by using the different public telephones or your relatives’ phone #
Another thing I observed is the content of the websites are the same , the only different is the change of the themes and some long tail domain names.
Props for the fine work! There’s been an uptick of higher priced domains being offered on Flippa
recently and it’s important that they implement the new system as soon as possible.
It seems that it took an awfully lot of effort on your part to get Flippa to do the right thing. Sounds like they would have allowed the fraudulent sale to go through if you did not object to their initial response. This is very troubling, and does not instill confidence at all in the fairness or transparency of their auctions.
BullS – It’s the same with other auction places, e.g. eBay. If one wants to break the rules, they will.
Pub – It’s our wish too, that the new measures are soon implemented. Flippa.com has a track record of several large sales recently.
James – Correct, it took several escalating replies to the ticket to raise their concern. In fact, the auction completed after it was unfrozen! Hopefully Flippa.com’s reaction was timely and the buyer didn’t lose their money.
Ebay has a way to track who was the 2nd highest bidder on every item.
If there is a pattern that the 2nd highest bidder is the same, that brings the red flag.
Hi Lucius – Thanks for raising this one and sticking with it. We have not seen an instance of a stolen domain like this prior and the task was made more complex by the domain not appearing in the stolen domains registers that we’re aware of. You’ve managed to beat us to the punch on our domain verification initiative but agree with some of your responders that it may not have caught this occurrence due to it being stolen. Definitely something for our team to look at more closely as soon as possible.
Just to be clear on the negative trust rating – this is a result of the seller being banned from the Flippa community: they will not be able to list or bid on a Flippa auction again (we actively police attempts to re-register under a different name)
BullS – be assured we have a range of sophisticated tools in place to identify shill bidding and we delete both buyer and seller accounts when this in found to be the case. Duplicate accounts and shill bidding is something we take very seriously on Flippa given the fundamental importance of trustworthy bidding in our auction marketplace.
Lucius, thanks for pointing this out. We’re certainly moving on getting this fixed as much as possible – we want to stamp out the sale of stolen domains completely, if possible.
However, in the case of the last domain you mentioned – which is the only one I’ve personally dealt with closely – our new verification would unfortunately not have stopped the sale. The problem is that the thief appears to have had access to the registrar account in question. What this meant was that they changed the WHOIS information to use an email address which they had control of. From the outside, the only way we can verify ownership of a domain is to email the registrant address in the WHOIS—but as the thief had control of this address, they would have been able to verify ownership.
Our (about to go live) method will block most of the fraudulent domain sales we’ve seen on the site, but it definitely isn’t a 100% solution. But we don’t want stolen domain on Flippa, so I’m very much open to suggestion on a better way to do this verification. Anyone?
@Dave: Contact Domaintools to see if their whois history will accurately catch changes within the time period you need. If so then check the last updates/owners to see if anything is fishy. Costs some $$s but should be worth it for a high value transaction.
Good job .. You are helping lot of domainers.
Hope Flippa.com support will learn some lessons and safeguard the buyers.
@SL
Generally the DomainTools data is decent. But the problem is when you say “see if anything is fishy” – in order to use this, we’d need an iron-clad definition of “fishy”. A large volume of listings goes through our system, and I can tell you now that doing checks by hand isn’t acceptable. We need to have an automated check for “fishiness”.
Is it as simple as saying the WHOIS can’t have changed in the last 60 days? Or it’s only bad if the new registrant has a name which sounds untrustworthy? What if the only thing that’s changed is the registrant email address – as in this case? Despite looking at the DomainTools data, I haven’t been able to come up with a general rule which would have picked up this issue.