Thanks to two-factor authentication, I lost all the money invested and 3 years of work

A post about how a phone number tied to a Yandex.Mail account helped hijack the domain of the online publication I created, "Banks Today". I note that I invested all my savings, my soul and 3 years of painstaking work in this publication.

It all started today, September 25, 2019. At 15:50, I (the domain administrator) received a message from MTS on my phone: someone had initiated the replacement of my SIM card:

[screenshot of the SMS from MTS]

That is, someone reissued my SIM card. How this was done is a big question, which we have put to MTS.

Naturally, the first thing I checked was whether the SMS was from scammers. After checking the number indicated in the SMS, I realized that the number was genuine, which meant the problem was serious. A minute later I started trying to contact MTS technical support. The quest of navigating the MTS telephone menu, at the end of which you reach an operator, deserves a separate story. I will say briefly that it took me 7 minutes to start a live conversation with a "person".

Unfortunately, the conversation was short: after 20 seconds it was cut off. Most likely, at that very moment the scammer activated the SIM card, since I could no longer make calls from my number; my SIM card had become inactive. From another number we managed to get through to MTS support, and as a result the number (the one linked to the mail) was blocked.

But it was already too late. The attacker had gained access to the Yandex mailbox to which the personal account at the domain name registrar was registered.

By the way, two-factor authentication was enabled on the mailbox, but it was precisely because of the linked phone number that this "hijacking" of the domain happened. If a phone number had not been attached to my mail, the scammer would not have been able to reset my password.

The fraudster immediately gained access to the registrar's personal account (reg.ru) and transferred the domain to another account. Since the domain was in the international .NET zone, transferring it from one account to another was not difficult.

At the moment the website of our publication is working, and today we even managed to publish this post. But I think that tomorrow, after the DNS servers update, my ship, which I have been building for 3 years, will disappear over the horizon.

I would like to believe that all my letters to Yandex and Reg.Ru, and my appeals to MTS and the police (I did not have time to file one today, but I will definitely do it tomorrow), will produce a result.

We have never been involved in politics and have never written commissioned material. Yet the same fate has befallen our site.

With hope for the best, co-owner of the online publication "Banks Today".

UPD 26 Sep 15:00.
After filling out a long questionnaire, access to the Yandex mailbox has already been restored. Filed a statement with the police. Sent scans to Reg.Ru technical support.

UPD 26 Sep 17:00.
A great miracle happened! Reg.Ru returned my DNS (the domain itself has not been returned yet). Very soon my users will reach my site again. Apparently, the scammer was counting on my domain becoming "glued" to his while the proceedings dragged on (I will not show his domain here; I think you can easily recognize it yourselves). He set up a 301 redirect from all my pages to pages already on his domain.

Our real DNS changed at approximately 3 am today, and since 9 am more than half of our readers have been redirected to the scammer's domain. Traffic dynamics:

[traffic chart]
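The two symptoms reported above, NS records changing to servers the owner never configured and a 301 redirect sending readers to the scammer's domain, are exactly what a small monitoring check can catch before the traffic drops. Below is an added example (not code from the original post, nor from Banks Today, Reg.Ru or Yandex) that runs both checks over constructed inputs: the domain example.net, the expected NS names and the attacker host are placeholders, and SAMPLE_DIG is a constructed `dig` answer section rather than captured output.

```python
# Added example (not from the original post): two checks that would have flagged
# the hijack described above: (1) the domain's NS records no longer match what the
# owner configured, and (2) the site answers with a 301 redirect to a host outside
# the owner's domain. All inputs below are constructed; "example.net", the NS names
# and the attacker host are placeholders, not the real domains from the post.
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Assumption: the NS set the owner actually delegated to (placeholder names).
EXPECTED_NS: Set[str] = {"ns1.reg.ru.", "ns2.reg.ru."}

# Constructed `dig NS example.net` answer section, as it would look after the hijack.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.net.\t3600\tIN\tNS\tns1.attacker-dns.example.
example.net.\t3600\tIN\tNS\tns2.attacker-dns.example.
"""


def parse_dig_ns(dig_output: str) -> Set[str]:
    """Collect NS target names from the answer section of `dig NS <domain>` output."""
    names: Set[str] = set()
    for line in dig_output.splitlines():
        parts = line.split()
        # A record line looks like: name TTL IN NS target
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "NS":
            names.add(parts[4])
    return names


def _normalize(names: Iterable[str]) -> Set[str]:
    """Lower-case and fully-qualify names so 'NS1.reg.ru' equals 'ns1.reg.ru.'."""
    return {n.lower().rstrip(".") + "." for n in names}


def ns_drift(observed: Iterable[str], expected: Iterable[str] = EXPECTED_NS) -> Dict[str, List[str]]:
    """Return NS names that appeared or vanished relative to the expected set."""
    obs, exp = _normalize(observed), _normalize(expected)
    return {"added": sorted(obs - exp), "missing": sorted(exp - obs)}


def redirect_offsite(status: int, headers: Dict[str, str], our_domain: str) -> Optional[str]:
    """Return the foreign host if an HTTP response redirects off our own domain, else None."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return None
    host = urlsplit(location).hostname
    if host is None:  # relative redirect: still on our site
        return None
    our = our_domain.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if host == our or host.endswith("." + our):
        return None
    return host


def assess(dig_output: str, status: int, headers: Dict[str, str],
           our_domain: str, expected_ns: Iterable[str] = EXPECTED_NS) -> List[str]:
    """Combine both checks into a list of alert strings (empty when all is well)."""
    alerts: List[str] = []
    drift = ns_drift(parse_dig_ns(dig_output), expected_ns)
    if drift["added"] or drift["missing"]:
        alerts.append(f"NS changed: added={drift['added']} missing={drift['missing']}")
    foreign = redirect_offsite(status, headers, our_domain)
    if foreign:
        alerts.append(f"{status} redirect to foreign host {foreign}")
    return alerts


if __name__ == "__main__":
    # Constructed response: the attacker's 301 from one of our pages to his domain.
    hijacked = {"Location": "https://attacker-copy.example/news/article-1"}
    for alert in assess(SAMPLE_DIG, 301, hijacked, "example.net"):
        print("ALERT:", alert)
```

In a real deployment the `dig` text and the HTTP status/headers would come from a cron job querying an external resolver and fetching the site's own front page; the point of comparing against a stored expected NS set, rather than just logging the answer, is that the change at the registrar shows up hours before readers start landing on the foreign domain.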

UPD 28 Sep 19:00.

At the moment there are some positive developments. I will not talk about them in detail yet, but I think that from Monday we will get back to work. When everything is over, I will definitely make a detailed post with all the steps! Thanks for the advice and support!

Source: habr.com
