URL Hijacking For Profit

I woke up this morning semi-unemployed from a not-so non-profit charity gig that shall remain nameless. Have you ever checked out your favorite non-profit's 990 tax filings? You might not want to… Some of them, the officers take ridiculous salaries—like make-you-want-to-skip-breakfast salaries. Or make-you-want-to-quit-your-fundraising-effort salaries. Anyway, I woke early and highly motivated this morning to get some coding done. I’ve recently decided to get back into Insurance & Loans for lead generation and marketing purposes. In the past few months I’ve done nothing but bounce from one dead-end job to the next here in Reno, NV, not even capable of paying my regular monthly bills on a forty-hour work week. So this week I’m gonna swing for the fences and spend all that job-prospecting time on portfolio development instead. I’m hungry for new clients and I figure this avenue could easily net me a long-term working relationship with agents and brokers in the local community. It can’t hurt! I’m already part-time broke and basically unemployed. This might actually help me stay paid consistently. All I need is another client or two. And even if the work is meager, at least the cash and hours will be on my own terms and for my own causes.

I stayed up three past twilight, setting up InsuranceIwant.com and Loanpile.com on my local web server to show off these couple of old, dusty, outdated websites to a prospective client. Kind of like a proof of concept to get in the door (I’m a programmer. I’m your guy.)

I thought I was prepared to go live with both sites this morning, so I went to work in my kitchen/office, created the hosting accounts, and was all ready to upload the sites to the production server, when, to my horror, both of the domain names redirected to clickbait and malware websites. Right through the browser’s address bar. Yikes!

I started to panic. My first thought was that the two old websites might contain the malware: a backdoor in the third-party programs or PHP libraries, or an XHR injection through one of the JavaScript libraries. Or even a backdoor on my system… Instead of searching endlessly through code in a frantic panic, I tried to access the sites on different browsers not used for development last night.

Same redirect: whairtoa.com

Hosted through a Russian web hosting company: fornex.com

Now I thought it might be a virus on my laptop, so I tested other links and domains. But so far, just the two sites I was working on last night. So I tried my iPhone. Same deal. Redirect to malware. Did the virus sync with my MacBook Pro and my iPhone? I called a friend and asked him to check the url. Same redirect.

So it's a DNS issue. Did they hack my account at my domain registrar? I log in to GoDaddy and, to my surprise, no forward or redirect? DNS is hosted where I want it, with my hosting provider. Hmmm… My off-site hosting provider. My off-site hosting provider that requires me to input each website account into their DNS Manager… DUH!

I have a moment of clarity and a grain of hope when I rush on over to manually add the two sites to the DNS Manager. And that’s when I realize how clever these whairtoa guys are. I can’t update my DNS, because the two sites insuranceiwant.com and loanpile.com are already registered with the company. There is another account that was set up that claimed my two names in their own DNS Manager.

How is this possible you might ask? Because I bulk changed the DNS settings on all my domains to point to my hosting provider’s own DNS servers several months ago. And then I didn’t get around to adding them to the DNS Manager till right now. So the clever hackers over at whairtoa have been able to profit off my unclaimed domain name redirects for several months.

Now I'm assuming this: They wrote a simple script to data-mine WHOIS info or registrar info on domain names. Then they cross-check to make sure the DNS is set to the hosting provider but the site is not. Then they accumulate enough domains like this at the most popular providers, and they register their own hosting account and claim the names as their own. Probably from other people like me who bulk-change all their DNS without setting up the names first. And the first thing they do is set up malware that mimics a browser failure or plugin update, and get you to install their virus-ridden software on your computer, then ransomware you back to safety or put a backdoor on your system, or connect you as another slave in their botnet, etc., etc.
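The mechanism in the two paragraphs above (nameservers delegated to a hosting provider's DNS, but no zone created there, so anyone with an account at that provider can create it) can be checked from the outside without any account at all. The following is an added example, not code from the original post and not the scanner the whairtoa operators are assumed to run: a small Python audit that sends an SOA query directly to each nameserver a domain is delegated to and classifies the answer. The assumption behind the classification is that a hosted DNS server answers with an authoritative SOA for zones it has been told about, and with REFUSED or SERVFAIL for zones it has not; the domain name and nameserver IP in `DELEGATIONS` are placeholders, not real data, and `query_nameserver` is the only part that touches the network.

```python
import socket
import struct

# Constructed placeholder input (not data from the post): each domain mapped to the
# IPs of the nameservers its registrar NS records point at. Fill this from your
# registrar's NS records before running the audit for real.
DELEGATIONS = {
    "example-unclaimed.com": ["192.0.2.53"],
}

QTYPE_SOA = 6
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction ID; fine for a one-off audit, not for a resolver


def build_query(qname, qtype=QTYPE_SOA, txid=TXID):
    """Build a minimal RFC 1035 query packet: header, then one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Pull the header fields the audit needs out of a raw DNS response."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),       # server claims authority for the zone
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(header):
    """Decide whether the nameserver actually serves the zone it is delegated."""
    if header["rcode"] == 0 and header["aa"] and header["ancount"] > 0:
        return "served"                    # authoritative SOA came back: zone exists
    if header["rcode"] in (2, 5):          # SERVFAIL / REFUSED: delegated, never provisioned
        return "unclaimed"
    return "check-manually:" + RCODE_NAMES.get(header["rcode"], str(header["rcode"]))


def query_nameserver(ns_ip, qname, timeout=3.0):
    """Send one SOA query over UDP straight to ns_ip and return the parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (ns_ip, 53))
        data, _ = sock.recvfrom(512)
    header = parse_header(data)
    if header["id"] != TXID or not header["is_response"]:
        raise ValueError("packet is not a response to our query")
    return header


def audit(delegations):
    """Return {(domain, ns_ip): verdict} for every delegated nameserver."""
    results = {}
    for domain, ns_ips in delegations.items():
        for ns_ip in ns_ips:
            try:
                verdict = classify(query_nameserver(ns_ip, domain))
            except (OSError, ValueError) as exc:
                verdict = "no-answer:" + type(exc).__name__
            results[(domain, ns_ip)] = verdict
    return results


if __name__ == "__main__":
    for (domain, ns_ip), verdict in audit(DELEGATIONS).items():
        print(f"{domain:30} {ns_ip:16} {verdict}")
```

Run it over every domain before and after a bulk nameserver change and expect "served" on every line; an "unclaimed" verdict means the delegation exists but the zone does not, which is exactly the window in which someone else can add your name to their own account. The same query is all a scanner needs, so the window should be closed in the same sitting the nameservers are changed.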

What would be nice is if the companies that host these guys would turn over the account to the NSA or FBI. But as you know, we're not on good terms with Russia at the moment. So hopefully my hosting provider Vultr will hand over the info to put a dent in whairtoa’s highly illegal profit margin.

Quick Fix: Vultr doesn’t have a phone number to call, only a support ticketing system, so I informed them of the issue and moved the DNS back to GoDaddy’s default DNS with an A record pointing to my hosting IP address. Problem solved. Now if only Vultr will help turn over this malicious, illegal, ill-gotten revenue account and all its information to the authorities, they could possibly bring down a massive scam and save consumers millions of dollars in future loss… Still waiting for a reply from them on the matter.