Someone shared a story on NamePros about the alleged purchase of PDD.com, and it is eye opening. From what I understand, it looks like the buyer agreed to buy PDD.com for $42,000, used Escrow.com to transact, had the domain name in his Network Solutions account for a brief period of time, instructed Escrow.com to release the funds, and then had the domain name removed from his Network Solutions account. It is eye opening and probably something every domain investor fears.
I quickly scanned the thread and took a look at the ownership history of PDD.com using the invaluable DomainTools Whois History Tool. For quite some time, it looks like the registrant email address was first initial last name @pdd.com. That is what the current Whois record shows as well. At some point in late October or early November, the Whois email address changed to an @gmail.com address. It looks like the other fields stayed the same. This is a red flag. A second red flag would be the alleged seller’s email address not matching the Whois email address.
This is really eye opening because even though there were two red flags that I could see, this is not necessarily a dealbreaker. I have bought names where the seller changed the email from @domainname in preparation for a sale. Someone who used the domain name for email would likely change the email prior to the sale so they could continue to communicate after the sale. In addition, people don’t always use the same email for escrow as the Whois email address. Those two factors would cause concern for me, and I probably would have picked up the phone and called the Whois phone number (from before any changes if different) to confirm the offering was legitimate.
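The Whois comparison described above can be scripted as a pre-purchase check. The following is an added example, not part of the original post: it diffs a historical and a current Whois snapshot, reports the two red flags named here, and returns the phone number from before the change for a confirmation call. The records, addresses, the `FREEMAIL` list and the function names are constructed for illustration.

```python
# Added example: compare a historical and a current Whois snapshot before a purchase.
# All records, addresses and names below are constructed for illustration.

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # illustrative list

BEFORE = """\
Domain Name: EXAMPLE.COM
Updated Date: 2016-03-01T10:00:00Z
Registrant Name: Jane Doe
Registrant Phone: +1.5555550100
Registrant Phone Ext:
Registrant Email: jdoe@example.com
"""

# Same record, but with a new email address and a fresh update timestamp.
AFTER = (BEFORE.replace("jdoe@example.com", "jane.doe.sales@gmail.com")
               .replace("2016-03-01T10:00:00Z", "2017-11-02T08:15:00Z"))


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; empty fields are skipped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record


def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def red_flags(domain, before, after, seller_email):
    """Return the red flags found and the pre-change phone number to call."""
    old, new = parse_whois(before), parse_whois(after)
    changed = sorted(k for k in old.keys() | new.keys()
                     if k.startswith("registrant") and old.get(k) != new.get(k))
    old_mail = old.get("registrant email", "")
    new_mail = new.get("registrant email", "")
    flags = []
    if changed == ["registrant email"]:
        flags.append("only the registrant email changed")
    if email_domain(old_mail) == domain.lower() and email_domain(new_mail) in FREEMAIL:
        flags.append("email moved from @%s to a free webmail provider" % domain.lower())
    if seller_email.lower() != new_mail.lower():
        flags.append("seller's escrow email does not match the Whois email")
    # The number on record before any change is the one worth calling.
    return {"flags": flags, "call_back_phone": old.get("registrant phone")}


if __name__ == "__main__":
    result = red_flags("example.com", BEFORE, AFTER, "seller@outlook.com")
    for flag in result["flags"]:
        print("RED FLAG:", flag)
    print("Confirm by phone using the pre-change number:", result["call_back_phone"])
```

As the post notes, a flag is a reason to verify out of band, not proof of theft: a legitimate seller may also move off an @domain address before a sale.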
It is going to be interesting to see what happens in this situation. The alleged bona fide buyer is out tens of thousands of dollars and doesn’t have the domain name. Escrow.com will hopefully help the buyer track down where the funds were disbursed, but it could be expensive to hire an attorney to use the legal system to get the funds returned. I am not sure if Escrow.com has any recourse to recover the funds if it was a case of theft or some other type of illegal activity. It is also interesting to see what Network Solutions has to say in this matter. If they can see an account was compromised (if that is what happened), is it OK for them to take the domain name from one account and return it to the owner? What would prevent someone from faking a theft in the future to make it look stolen and have a registrar return it? I don’t have the answers to this hypothetical.
As a domain investor, this deal is eye opening and concerning. I will be monitoring the thread to see what comes of this.
My concern is that the previous address had rights under the new TRANSFER POLICY. What if a tricky seller changed the email, let the transfer go through, then receives the 60 day notice and they decline it….
Does the account move go through long enough to get the escrow to close, then get undone?
Page Howe
This exact story happened to me with Pam.com, bought off Flippa. Same thing. There used to be a full site, the owner switched to a Gmail. I assumed because they wanted to sell Pam.com so that all made sense.
Days after the sale I update the name servers and I get contacted by someone that claims to be former owner saying it was stolen.
I then contact escrow but they had released funds (or said they did)
After A TON of threats on my part they claim to somehow get the funds back.
They never tell me where the party had them wired.
Afterwards someone from escrow tells me the wire and the seller both went to Netherlands. So pretty slim chance of that.
Overall big scam. Not sure who was in on it or helped make it happen. I sent the site back got my money back and the previous developed site was never restored.
IMHO, before the purchase, you should have at least called on the phone the owner according to Whois (the one with a corporate email) to be sure they were selling the domain.
I see several Whois changes in a few years for PAM.com, with different emails, but the addresses are all in The Netherlands.
I remember the horror well, Bill – I am glad it was all resolved 🙂
Always do a proper Due Diligence BEFORE buying/selling a domain (before starting any Escrow transaction), not only on the name but also on the buyer/seller.
Unfortunately in this specific case many red flags were ignored by the Chinese buyer.
Why would I call the owner … at which point would I determine the Whois to be the real one?
If you have access to change Whois you can change number also. So how’s that any different than email confirmation.
Onus is on the owner to maintain accurate Whois records.
In the PDD case, the only thing I noticed change was the email. I would have called the phone number, which was the same before and after, to confirm whomever was selling the name had the right to sell it. Had the buyer done that, I presume he would have learned the domain name wasn’t for sale.
That’s exactly what I meant in my post above to Bill Kara.
Normally fraudsters change the email only, they are attentive to keep the Whois as unchanged as possible in order not to raise suspicion.
Thanks Elliot. 🙂
Elliot, This EXACT same thing just happened to me. I just lost CQD.com ($25,000). GONE. Bought it using Escrow.com for $25k. Had it in my Network Solutions account. Released the funds. 2 weeks later I log in and the name is gone. I call Network Solutions and they tell me the owner contacted their legal team so they released the name back to the owner. Well the owner was in fact the seller! So the seller got $25,000 and the name back. I am now left with NOTHING. Any advice?
https://www.fbi.gov/investigate/cyber
Who did you talk to? a Rebecca Burns?
I see a recent email change to a Yahoo email …
This is the last WHOIS, as of now:
Domain Name: CQD.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com
Updated Date: 2017-12-26T17:17:27Z
Creation Date: 2017-10-25T08:31:47Z
Registrar Registration Expiration Date: 2020-08-12T04:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name: ComQuest Designs LLC
Registrant Organization: ComQuest Designs LLC
Registrant Street: 22580 NW 142ND AVE
Registrant City: HIGH SPRINGS
Registrant State/Province: FL
Registrant Postal Code: 32643-3783
Registrant Country: US
Registrant Phone: +1.3528705272
Registrant Phone Ext:
Registrant Fax: +1.9999999999
Registrant Fax Ext:
Registrant Email: rjbtwinsis@yahoo.com
Registry Admin ID:
Admin Name: ComQuest Designs LLC
Admin Organization: ComQuest Designs LLC
Admin Street: 22580 NW 142ND AVE
Admin City: HIGH SPRINGS
Admin State/Province: FL
Admin Postal Code: 32643-3783
Admin Country: US
Admin Phone: +1.3528705272
Admin Phone Ext:
Admin Fax: +1.9999999999
Admin Fax Ext:
Admin Email: rjbtwinsis@yahoo.com
Registry Tech ID:
Tech Name: ComQuest Designs LLC
Tech Organization: ComQuest Designs LLC
Tech Street: 22580 NW 142ND AVE
Tech City: HIGH SPRINGS
Tech State/Province: FL
Tech Postal Code: 32643-3783
Tech Country: US
Tech Phone: +1.3528705272
Tech Phone Ext:
Tech Fax: +1.9999999999
Tech Fax Ext:
Tech Email: rjbtwinsis@yahoo.com
Name Server: NS1.STARTLOGIC.COM
Name Server: NS2.STARTLOGIC.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-01-10T00:43:58Z <<<
While this is the WHOIS as of Sept 2017:
Admin Contact
The Admin Contact is the person or organization who controls the domain.
Name: Burns, Rebecca
Org.: CQD Inc
Email: becky@CQD.COM
Street: 1920 NE 55 Blvd
Street 2: –
City: Gainesville
Region: FL
Zip / Post: 32641
Country: UNITED STATES
Phone: 3523781465
3523736677
As far as I can see, the Yahoo email is owned by Rebecca Burns as well:
REBECCA BURNS
Address:PO BOX 358521, GAINESVILLE, FL 32635 Phone: (352) 505-0879 Gender: F Email: rjbtwinsis@yahoo.com
During the escrow transaction, did the seller use the same email as to the whois for the domain name?
BS Booth! I DID NOT SELL MY DOMAIN. You bought a STOLEN domain! YOU did NOT verify me! YOU did not authenticate me! YOU did everything wrong to gain my 22yo 3L top domain FAST. I can’t even describe here with the words I want to use on your excitement to get it!
To add. I called the Whois number. Spoke to them there. Spoke to the number on the website also. Used domain IQ and emailed previous emails who also confirmed everything. Everything seemed fine.
Did you have a signed contract? I presume you could lean on that in court, although it can probably get very expensive very quickly (unless you get awarded fees).
https://www.fbi.gov/investigate/cyber
None of these suggestions like calling or looking back to previous records and this that would prevent fraud. Onus is on the owner to maintain secure and accurate Whois records. Period.
The argument that hackers only change email and not phone numbers is absurd.
The only one not at fault is the buyer. The owner didn’t secure his Whois and the hacker stole so why would the buyer be the only one to pay the price.
The former owner needs to now make the effort to recover funds/press charges because for 1/1000 of that effort those Whois records would have been secure.
If you can do domain charge backs even when dealing with the formal recorded owner this industry is finished.
In the PDD.com case, the email seems to be the only thing that changed. If the buyer called the Whois number and spoke with someone to confirm the sale, it is likely he would have found out the domain name was not for sale (assuming it was a case of theft). Obviously, every situation is different.
Regarding the other points – that was a big reason why this was an eye opening scenario for me. I would not have suspected the registrar would have pulled the domain name out of the registrant’s account without a court order. I presume it passed whatever threshold they have for (I assume) theft so they put it into the original registrant’s account, but I didn’t know they could do that.
“The argument that hackers only change email and not phone numbers is absurd.”
It’s not absurd at all, fraudsters know that buyers would rarely call the phone number on the Whois to double-check, and that’s exactly what happens in many cases, same occurred for PDD.com.
Hackers usually change as little as possible to (try to) go unnoticed.
And if they can pull off email, I’m sure changing a phone number is even easier, as at least with email most get an email change confirmation. In any event your suggestion is terrible, as if they can change one field, changing 2 fields is certainly not going to stop anything.
Sure, but you can call the original phone number (that was the same for 10+ years) to confirm that they sold the domain name to whomever is offering it for sale.
It would be an even bigger red flag to me if the Whois email and phone number changed (especially if phone number is in a different area than the original registrant) when the registrant name remained the same.
Finally, if I did call the new number and the person had an accent that wasn’t from Indiana, I would be even more troubled if they claimed to be the same person.
All situations are different. Scammers do different things to gain trust. I am only discussing this particular case if I was the prospective buyer.
I agree fully there is a due process that must happen. In my case I put pam.com under Godaddy certified protection, emailed them and told them there is some dispute and to lock the domain down entirely till it’s solved. Once escrow got my funds back (which I still don’t know how that happened as you can reverse a wire) I released the domain back to the guy claiming to be the owner and confirmed with escrow that was a valid return email.
The entire process was full of question marks and escrow.com was not forthcoming into who the “seller” was. It was actually Kevin at Flippa that said it’s going to the same country.
So in a case like this what’s to stop people from running a scam. One guy sells the domain, the other claims it back. Unless the buyer presses charges for funds the 2 parties have very little to lose.
In my case I requested a local police file be opened, I requested outgoing records from Flippa and escrow.com and Kevin at Flippa was great. Everyone else I was going to list on kissmyass.com till the entire thing was sorted out.
They decided to sort it out, in that I got my money back, but the domain and the entire process left me missing Brandon at escrow.com very much.
I never said changing a phone number is difficult, read again what I wrote before commenting.
You are totally missing the point.
My suggestion is terrible only if you don’t get what it means, as you did.
And maybe you should be less arrogant, Mr Karamouzis, a too big ego doesn’t help.
You can call as many numbers as you want, if you can find them, or you can and we all can require a valid whois.
Hi my name is Elliot and 10 years ago you sold a domain to X person is that true? Hi my name is Elliot and 7 years ago you sold a domain to X person is that true? etc…
Good luck with that.
The phone number from October 2017 was the same for a long time. I would have called that number and said, “hey, I just want to make sure you’re the guy I’ve been emailing about regarding my purchase of PDD.com.” If he said no or I wasn’t comfortable with a non-response, I would not have moved forward given the other red flags. Since the only thing that changed was the email address, the registrant of PDD.com should have been the same before and after.
Incidentally, I saw a LLL.com name on NamePros last year that seemed like a great deal. The Whois had recently changed, and it turns out, the former registrant’s company is located 15 minutes from my house. I drove over to the shop, and he confirmed the name was stolen and was working with his registrar to recover. Long story short, he ended up working with Stevan Lieberman to recover the domain name, which he still uses for his business. Had I not taken this extra step, I would have ended up owning a stolen domain name. The first red flag was a recent registrant change and a relatively cheap price had it been recently sold before.
I wish you could just trust the current Whois records, but as you can see in this scenario, that doesn’t really work.
It’s way more than that.
I see you have little experience about investigations.
Anyway, I stick to my view, and I definitely know how to do an in-depth due diligence.
Good luck to you. 🙂
I’m not being arrogant, your suggestion to prevent fraud by calling a number, as if email is not valid enough, puts the onus back on the buyer and not the seller to maintain accurate whois records. If there are zero requirements to have accurate whois records then how does buying and selling a domain work? A urine sample from the last 5 owners?
Keep your accounts secure, your valuable names under additional locked services and if you mess up expect to work with the courts to get made whole by the fraudster. Not the legitimate buyer.
A domain is valuable, treat it as such.
So if I wanted to sell a domain and scam someone I would … change the email to something random. Have a friend in a shitty country sell it. Wait till funds move to said shitty country where contracts are hard to enforce and then do a claw back from the registrar?
If you think that’s a valid process you don’t buy and sell domains for a living.
I buy and sell domains for a living. Driving to people’s homes is not a reasonable expectation. It’s quite silly in fact to even suggest it.
Oh hi I’m Bill… are you reaaaaaalllly selling your domain name?
Come on now lol
Again, I never suggested that you can prevent a fraud by calling a number, can’t you read? 🙂
That’s just the first very basic thing to do, but a complete due diligence, as I said above, is more complex and time-consuming than that.
I’ve been working in the financial industry for 20+ years, also advised in cases of fraud and bankruptcy, in court as well, thanks but I know what a scam and a proper due diligence are.
And we advise and do business in the domain space as well.
It’s the same telephone number that the 20+ year user of the site had posted on their website for just as long. A hacker can change a telephone number in WHOIS. Changing a telephone number on an archived screenshot at screenshots.com from three years ago is a little trickier.
In any event, Elliot, are you troubled by Twitter restoring Mike Berkens’ account without a court order?
Twitter owns all accounts and can do whatever it wants with them. Network Solutions does not own the domain names registered there 🙂
I wondered, and remember talking to you about this (NOT that it would have solved anything) if the owner was the scammer – even though he claimed innocence and that he himself was the real victim.
Talking to the FBI was also “fun” but I was horrified, although I suppose not terribly surprised, to learn that recourse across borders for this kind of theft is slim-to-none.
That fact you got your money back was one of the happier memories of my Flippa time…
just do not buy .coms stick with new gtlds ))
Good luck with that philosophy.
I’m going to have coffee and tea with every seller while I have them fill out a 23andMe ancestry kit before I buy any domain name going forward.
What’s even worse is that, as John Berryhill noted in his posts on NamePros, Escrow.com “confirmation of received funds” are not reliable, to use a euphemism …
He wrote (page 6 of NP thread) “Twice in the last year, I have seen instances in which Escrow.com falsely confirmed receipt of funds and then, to cover up their error, started flinging bizarre accusations at others.” …
and
“For those playing along at home: A buyer in an Escrow.com sent Escrow.com a fake wire transfer document, which Escrow.com then relied upon in order to issue a payment confirmation – instead of checking their own bank account to see if they had received the payment.”
“I’m pretty sure the California Financial Code Section 17414 assumes, that the business of a licensed escrow company is to accurately confirm whether they have been paid or not, before they issue a confirmation of payment.”
IMHO an Escrow company should have their license revoked in those cases …
BTW, great post by Brandon on NP, he’s the only one who mentioned the Suspicious Activity Report you can file to FinCEN in case of a suspected incident of money laundering or fraud.
There needs to be domain title insurance it would seem…
Pretty scary stuff. Especially what Berryhill has to say about Escrow.com at NamePros.
If he is right, they couldn’t care less as long as they get their fee. I fully understand it is buyer’s obligation to do the due diligence, but didn’t Escrow.com begin verifying accounts?
I am frankly astonished this does not happen more often. It’s terrifying to think that identity theft cuts both ways in this regard (someone impersonating whichever party is needed to approve/authorize either the asset transfer or release of funds). The fact that this isn’t a “regular” thing and the fact there aren’t any sure-fire solutions (other than registrar lock-down, 2FA, Escrow scrutiny) are kind of surreal.
Could this happen with Godaddy auctions ?
I get the escrow.com part – i.e. the confirmation before having cleared funds, which is insane, but the Network Solutions part I don’t get. How did the thief actually convince NetSol to transfer the domain name back to him / her? Just by doing what exactly?
Tip number 1: when buying a domain always transfer it to your registrar. Do not leave it in the current registrar.
OMG. This sounds like a match to my CQD.com situation.
I am the originator and rightful owner of CQD.com
I DID NOT SELL MY DOMAIN.
Booth: You bought a STOLEN domain!
YOU did NOT verify me!
YOU did not authenticate me!
You NEVER spoke to me. My cell phone bill will prove I never had conversations with you!
YOU did everything wrong to gain my business brand, my 22yo 3L top domain FAST. I can’t even describe here with the words I want to use on your excitement to get it!
James Booth emailed me and said he did not post a comment that was here before so I deleted it.
Maybe somebody should start a GoFundMe for Rebecca. Why should she bear the extra expenses alone. If she wins, every one wins.