
Moniker ‘patient zero’ warned registrar on security breach in late August

ZFBot

A former Moniker customer’s rage over the recently exploited security breach is off the charts.

He has reason to believe that his account, presumably containing valuable domains, was the first one to be targeted in late August by hackers originating from Egypt and Lebanon, who created sub-accounts.

Despite warning Moniker about the issue, he was told that it was somehow his own fault, the result of a weak password, a claim he refutes.

Indeed, Moniker used serial, incremental account numbers as alternate usernames, which let the attackers enumerate accounts simply by counting; this sequential access explains the large number of accounts reached in the breach.
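As an added illustration (not code from DomainGang or Moniker), the following Python checks a login log for a single source address walking through adjacent account numbers, the probing pattern that sequential customer IDs invite, and reports any account in that run where a login succeeded. The log lines, their format and the run threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log; the "<ts> <ip> <OK|FAIL> uid=<n>" format is an assumption.
SAMPLE_LOG = """\
2014-08-27T01:00:01Z 203.0.113.7 FAIL uid=1000
2014-08-27T01:00:02Z 203.0.113.7 FAIL uid=1001
2014-08-27T01:00:03Z 203.0.113.7 OK uid=1002
2014-08-27T01:00:04Z 203.0.113.7 FAIL uid=1003
2014-08-27T01:00:05Z 203.0.113.7 FAIL uid=1004
2014-08-27T01:05:00Z 198.51.100.9 OK uid=4242
2014-08-27T01:06:00Z 198.51.100.9 FAIL uid=4242
2014-08-27T01:07:00Z 192.0.2.5 OK uid=77
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) uid=(\d+)$")

def parse_log(text):
    """Return (timestamp, ip, result, uid) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return events

def longest_consecutive_run(ids):
    """Length of the longest run of adjacent integers in ids, e.g. {1,2,3,9} -> 3."""
    ids = set(ids)
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue              # only start counting at the bottom of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def find_sequential_probing(events, min_run=4):
    """Map each IP that tried >= min_run adjacent uids to (run length, uids it got into)."""
    tried, succeeded = defaultdict(set), defaultdict(set)
    for _ts, ip, result, uid in events:
        tried[ip].add(uid)
        if result == "OK":        # a success inside a probing run is the account to lock first
            succeeded[ip].add(uid)
    findings = {}
    for ip, uids in tried.items():
        run = longest_consecutive_run(uids)
        if run >= min_run:
            findings[ip] = (run, sorted(succeeded[ip]))
    return findings
```

Random, non-guessable usernames remove the signal this check relies on, which is the actual fix; the detector is a stopgap for a registrar that still exposes numeric IDs.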

Eventually, several domain names were stolen, some from high profile owners such as Elequa of Future Media Architects.

In a lengthy, detailed post at NamePros, the former customer describes what happened:

I tried to warn Moniker. The disrespect they showed my warning is indicative of the type of company they now are. You can see from my original post how adamant I was that my account from my end was 100% secure. They dismissed me. A supervisor never called me to investigate further my claims. These people are IDIOTS and I hope that Moniker falls into the abyss like RegisterFly.

I don’t think this is Shellshock because I was reporting this problem long before that bug was discovered and released. They’re just too stupid to do forensics and fix their bugs. But if I was to tell them that they wouldn’t believe it again either so what’s the point. These people are inept.

For those with suspicious logins. Check to see if any extra user accounts were created. That’s what they did with my account and I suspect that’s the origin of the exploit. For all I know they can use tamper data to alter the input of adding an extra user onto any account simply with a uid change to the input. Tried to point them in the right direction on this.

After I left I told Moniker to delete my account. Glad I did so.

If anyone plans a class-action against Moniker LMK. I’m in. You should see by my own contacts with them that a security breach had occurred and they REFUSED to do anything about it. That’s negligence. It’s cost us all time and money and for me it’s caused personal anguish and suffering. These mother F’n clowns should be put down and suffer just as much as we have. The hatred I now feel for this company is off the charts.

Looks like I got out just in time.

That’s what I told them. That a new account I did not create existed. That account somehow was able to get added and bypass their portfolio maxlock. I warned them explicitly of this but they did ZERO investigation into it. I can prove NEGLIGENCE just on the contacts I sent them.

As for credentials…Moniker used UIDs for their customer account numbers that were incremental. So account number 1000, 1001, 1002 could easily be checked. These are not based on random usernames. They are numeric UIDs which any hacker can exploit a LOT easier to find login credentials.

88.150.178.59 is a datacenter, probably a VPN for anonymity. My logins were from Egypt and Lebanon. I could very well have been the first exploited account as I’m often a personal target of these things. Once I left though my guess is that exploit was sold in the blackhat community and used maliciously across multiple accounts.

But again…Moniker was warned. They were told. They were given an opportunity to investigate this and probably stop it. They IGNORED ME and the clear danger to all their customers.

Anyone who lost high profile expensive domains and needs me to testify I’ll be very very very happy to do so. I can go to a lawyer and get an affidavit.

Punish these clowns people. Make an example of them to the Registrar community that security comes first and you don’t ignore ANY possible breach. Yes, I’m mad and angry over this.

Looking over my contacts it appears on August 27 my account was stolen. I log into it weekly to make sure it’s secure. One day my domains were redirected and I knew I had a problem at Moniker. I could still login which was nice. However upon checking I saw DNS changes to my domains and I’m like “WTF, I have portfolio maxlock and only with my 100% secure security questions can they do that”. I call Moniker immediately. I was able to undo the DNS changes but HOW did they do that was the question. IP logs showed the login from Egypt and Lebanon. But then I finally saw the extra user account and I KNEW that was the breach.

I have the contacts still from Moniker. IMHO they are 100% proof of their serious negligence.

Anyone in media wishing to ask me questions please feel free to contact me via PM. Anyone going after Moniker legally should also contact me. I’ll be super happy to help with what I know and my experience. This could have EASILY been prevented if they had simply not ignored my very clear warning about this exploit.

I gotta end this rant. I can go on all day. Sorry for the long read.
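The weakness the poster suspects, a sub-user attached to a locked account by changing the account id in the request, is illustrated below as an added Python example (not Moniker’s code; the data model, the `lock_confirmed` step standing in for the security-question check, and all names are assumptions). The first handler trusts the client-supplied uid; the second binds the target account to the authenticated session and honours the portfolio lock.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    uid: int
    maxlock: bool = False                 # portfolio lock that should gate account changes
    users: set = field(default_factory=set)

# Constructed accounts: 1000 has the lock set, 1001 does not.
ACCOUNTS = {1000: Account(1000, maxlock=True), 1001: Account(1001)}

def add_user_vulnerable(session_uid, form):
    """Trusts form['uid'] and ignores the session, so any logged-in customer can
    attach a login to any other account number; the lock is never consulted."""
    target = ACCOUNTS[int(form["uid"])]
    target.users.add(form["username"])
    return True

def add_user_hardened(session_uid, form, lock_confirmed=False):
    """Takes the account from the session, rejects a mismatching client uid (that
    mismatch is itself an alert-worthy signal), and refuses while maxlock is set
    unless the separate confirmation step (assumed: security questions) passed."""
    target = ACCOUNTS[session_uid]        # never select the account from client input
    if "uid" in form and int(form["uid"]) != session_uid:
        raise PermissionError("account id in request does not match session")
    if target.maxlock and not lock_confirmed:
        raise PermissionError("portfolio lock is set; confirm before adding users")
    target.users.add(form["username"])
    return True
```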


Copyright © 2019 DomainGang.com · All Rights Reserved.

Comments

4 Responses to “Moniker ‘patient zero’ warned registrar on security breach in late August”
  1. James says:

    The two accounts belonging to me that were hacked had additional users – for example, I had an account number logon and a user name logon.
    The accounts that were not hacked only had account number logon. The user name logons were created when the accounts were established, they were not added by the hacker. Not sure if only accounts with additional user logons were the problem?

  2. Josh says:

    One would think people in those countries, even Ukraine and Russia even, would have more pressing matters at hand than to hack and spam people around the world. Geez.

  3. DomainGang says:

    Josh – The Interpol chief announced that there are fewer than 100 cybercrime overlords in the world, and the majority are in Russian speaking nations.

  4. Josh says:

    Unreal but not surprised.
