Thanks to two-factor authentication, I lost all my money and 3 years of work

A post on how the phone number tied to a Yandex.Mail account helped steal the domain of the online publication Banks Today, which I created. I note that I invested all my savings, my soul and 3 years of painstaking work in this publication.



It all started today, September 25, 2019. At 15:50, I (the domain administrator) received an SMS from MTS: someone had initiated a replacement of my SIM card:



image



In other words, someone had reissued my SIM card. How this was done is a big question, which we are putting to MTS.



Naturally, the first thing I checked was whether the SMS had come from scammers. After checking the number indicated in the SMS, I realized that the number was genuine, which meant the problem was serious. Within a minute I was trying to contact MTS technical support. The quest through the MTS phone menu to reach an operator deserves a separate story; in short, it took me about 7 minutes to get a live conversation with a "person".



Unfortunately, the conversation did not last long: after 20 seconds it was cut off. Most likely the fraudster activated the SIM card at that very moment, since I could no longer make calls from my number; my SIM card had become inactive. From another number I managed to get through to MTS support, and as a result the number (the one attached to the mail account) was blocked.



But it was too late. The attacker had gained access to my Yandex mailbox, to which the personal account at the domain name registrar was registered.



By the way, two-factor authentication was enabled on the mailbox, but it was precisely the phone number binding that let the domain be hijacked. If the phone number had not been attached to my mail, the fraudster could not have reset my password.



The fraudster immediately gained access to the registrar's personal account (reg.ru) and transferred the domain to another account. Since the domain was in the international .NET zone, moving it from one account to another was not difficult.



At the moment our publication's website is still working, and today we even managed to publish a post about it. But I think tomorrow, once the DNS servers update, the ship I spent 3 years building will disappear over the horizon.



I would like to believe that all my letters to Yandex, Reg.Ru, MTS and the police (I didn't manage to file a report today, but I will definitely do it tomorrow) will produce a result.



We have never been involved in politics or written commissioned material. Yet this is the fate that befell our site.



With hope for the best, co-owner of the online publication Banks Today.



UPD Sep 26, 15:00.

After filling out a long questionnaire, access to the Yandex mailbox has already been restored. A report was filed with the police. I sent scans to Reg.Ru support.



UPD Sep 26, 17:00.

A great miracle happened! Reg.Ru restored my DNS (the domain itself has not yet been returned). Very soon my users will be reaching my site again. Apparently the fraudster was counting on my domain getting glued to his while the proceedings dragged on (I won't expose his domain here; I think you can easily identify it yourselves). He had set up a 301 redirect from all my pages to pages on his own domain.



Our real DNS changed at about 3 a.m. today, and from 9 in the morning more than half of our readers were being redirected to the fraudster's domain. Traffic dynamics:



image
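A monitoring check for the two symptoms the author saw above (the zone's delegation changing overnight and a 301 redirect sending readers off-domain), added here as an example and not part of the original post or any of the services mentioned; the name servers, host name and HTTP responses are constructed sample values:

```python
from urllib.parse import urlsplit

# Constructed sample: the name servers we expect for our zone (hypothetical names).
EXPECTED_NS = {"ns1.legit-registrar.example", "ns2.legit-registrar.example"}

def _norm(name):
    """Lower-case a host name and drop any trailing dot so names compare equal."""
    return (name or "").lower().rstrip(".")

def unexpected_name_servers(observed_ns, expected_ns=EXPECTED_NS):
    """Return NS records that are not in the expected set.
    A non-empty result means the delegation was changed at the registrar."""
    return {_norm(ns) for ns in observed_ns} - {_norm(ns) for ns in expected_ns}

def offsite_redirect_target(our_host, status, location):
    """If a response redirects to a host outside our domain (or its
    subdomains), return that host; otherwise return None."""
    if status not in (301, 302, 307, 308) or not location:
        return None
    target = _norm(urlsplit(location).hostname)
    ours = _norm(our_host)
    if not target or target == ours or target.endswith("." + ours):
        return None
    return target

def audit(our_host, observed_ns, responses, expected_ns=EXPECTED_NS):
    """Combine both checks. `responses` is a list of (path, status, location)
    tuples as obtained from HEAD requests to our own pages."""
    findings = []
    rogue = unexpected_name_servers(observed_ns, expected_ns)
    if rogue:
        findings.append(("ns_changed", sorted(rogue)))
    for path, status, location in responses:
        target = offsite_redirect_target(our_host, status, location)
        if target:
            findings.append(("offsite_redirect", path, status, target))
    return findings

if __name__ == "__main__":
    # Constructed observations resembling the incident: delegation moved and
    # every article page 301-redirecting to a rogue domain.
    seen_ns = ["ns1.rogue-host.example.", "ns2.rogue-host.example."]
    seen_responses = [
        ("/", 301, "https://rogue-site.example/"),
        ("/news/1", 301, "https://rogue-site.example/news/1"),
        ("/static/logo.png", 200, None),
    ]
    for finding in audit("news-site.example", seen_ns, seen_responses):
        print(finding)
```

Run it from a scheduled job that feeds in a live NS lookup and HEAD responses for a few key pages; an alert on either finding would have fired hours before the traffic chart showed the drop.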



UPD Sep 28, 19:00.



At the moment there are some positive developments. I won't go into them in detail yet, but I expect that from Monday we'll be back at work. When it is all over, I will definitely write a detailed post with all the steps! Thanks for the tips and support!


