So what the hell happened to us?
Mouse here. Serious post today. I have something really important to share.
So, you may have noticed that I haven’t posted a lot in the last few months. Sure, I’ve been super busy. But that’s not why.
My website got hijacked.
Hijacked, like a plane. Like a stagecoach in the Old West.
You heard me right. Hackers stole this very domain, thehungrymouse.com, and from mid-March to mid-May, I had absolutely no control over it. This website. The very one that you’re reading right now.
I *just* got it back.
Domain theft is a very real thing
If you haven’t heard of domain theft before, it sounds crazy. After all, domain names are pretty intangible and live in cyberspace. But, domain names are a commodity, and are subject to theft just like other property. That is, if someone can figure out how to pull the rug out from under you.
(In fact, read about the first ever criminal prosecution for domain name theft here, which actually also involved my registrar, Network Solutions.)
It happened to me. It could happen to you.
If you’re a blogger, please pay attention. If you know someone who runs a website, please pass this along. Because I honestly had no idea that this could happen. If I did, I could have prevented it.
Let me tell you what happened
The FBI is actually still investigating this for me, so I can’t give you all the details. But here’s the 30,000-foot view.
Right around mid-April, right when my book released, I tried to log in to The Hungry Mouse to write a new post.
I couldn’t get in.
Now, blog software can be finicky, so I contacted my host to find out if something was wrong, or if I was somehow bugged. The website looked fine on the front end. All my content was live and looked to be in good order, so I was sure it was just some kind of glitch.
My host called me an hour later and told me that there was a big problem. They said that it looked like I actually no longer owned my domain name. According to the WhoIs record, some dude in China owned it. And, to make it worse, the domain had been transferred to a registrar in China.
“China?!?!,” I screeched.
“Yes, China,” they said.
My host also told me that early in March, someone had made a complete copy of all my files and downloaded them.
They advised me to call my registrar, Network Solutions. Network Solutions confirmed what my host told me, and directed me to their fraud department.
The fraud guys at Network Solutions informed me that my domain had been transferred to the Chinese registrar in mid-March, about a month earlier.
They said that the transfer appeared to have been done legitimately through the email address they had on file for me, despite the fact that my Network Solutions account was accessed by an IP in Japan—not Salem, MA, where I’m based.
What’s more, the domain was pointed to my copied files, which had been installed on servers at CloudFlare out in California.
Why would someone do that? Usually domains are hijacked and the content is changed to something super lucrative (think porno or Viagra ads) immediately. They left my content completely intact. So strange, right? Hold that thought for a sec.
Network Solutions promised to investigate and get back to me.
Nancy Drew, Mouse Detective
In the meantime, I did some digging on my own. I scanned my computer. I looked back through my email for odd messages.
Finally, as I was poking around in my Gmail settings, I discovered filters set to automatically delete any emails from both my host and my registrar. This means someone cracked my Gmail to make sure that I wouldn’t receive any notification that changes were being made to my domain.
Because I didn’t receive those notification emails, and I wasn’t in the habit of regularly checking my registration, I had no idea this was going on.
(Can you see me fuming…and feeling like the biggest idiot in the world right about now? Thought so.)
I’m more vigilant than the average girl with all my online stuff, but I don’t root around in the dusty corners of my Gmail settings every day. I don’t think many people do. But you should. (That’s Lesson Numero Uno from this debacle. More on that in a bit.)
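One way to do that check without clicking through every settings page, as an added example that is not part of the original post: Gmail lets you export your filters as an Atom XML file, and this short Python script flags any filter that trashes, archives, or marks as read mail from your registrar or host. The sample export, the sender list, and the host name are constructed for the example; the property names (`from`, `hasTheWord`, `shouldTrash`, `shouldArchive`, `shouldMarkAsRead`) are assumed to match Gmail's export format.

```python
"""Audit a Gmail filter export for rules that hide mail from critical senders."""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Senders whose mail should never be silently discarded: the registrar and
# the host. The host name is a constructed placeholder for this example.
CRITICAL_SENDERS = ["networksolutions.com", "example-host.net"]

# Filter actions that keep a message out of sight in the inbox.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}

# Constructed sample export: one ordinary filter plus two that hide
# registrar and host notifications, the shape of what the post describes.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='from' value='networksolutions.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='from:(support@example-host.net)'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def suspicious_filters(export_xml, critical_senders=CRITICAL_SENDERS):
    """Return (criteria, actions) for each filter that hides mail from a critical sender."""
    root = ET.fromstring(export_xml)
    findings = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        # Match criteria may be a plain 'from' or a free-form 'hasTheWord' search.
        criteria = " ".join(v for k, v in props.items() if k in ("from", "hasTheWord", "subject"))
        actions = sorted(a for a in HIDING_ACTIONS if props.get(a) == "true")
        if actions and any(s.lower() in criteria.lower() for s in critical_senders):
            findings.append((criteria, actions))
    return findings


if __name__ == "__main__":
    for criteria, actions in suspicious_filters(SAMPLE_EXPORT):
        print(f"SUSPICIOUS: filter on {criteria!r} performs {actions}")
```

Run it against your own export (Gmail settings, Filters, Export) with your real registrar and host domains in `CRITICAL_SENDERS`; any hit is a filter you did not create or should not have.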
So, per the protocol for this sort of thing (because domain theft is so common that there’s actually a protocol for it), Network Solutions started talks with the Chinese registrar, and made the case that the domain had been fraudulently transferred.
There’s no question that I am the owner of The Hungry Mouse. I have four years of national press and a published cookbook under my belt. Not to mention a closet full of receipts, account statements, and tax returns. You get the picture. I could jump up and down and scream about justice all I wanted.
The question was whether the Chinese registrar was going to play ball with us.
I should note here that the Chinese registrar may or may not have known that my domain was stolen. Think of this registrar like a bank that had criminal funds in one of its accounts. Unless there’s a reason to investigate, the bank probably isn’t going to ask where that money came from. Sort of the same thing here.
Where can you turn when your domain is stolen?
While we were waiting to hear back from the Chinese registrar, we contacted everyone and anyone we could think of who might be able to help.
We were advised not to make an immediate public announcement about the theft because of the investigation. Also, since the site was up and running, and not distributing any kind of virus or malware, all it would do was grind The Hungry Mouse to a halt.
So we waited, very uneasily. (During this time, as you might imagine, we had to cage and sedate The Angry Chef.)
In the meantime, we found a bang-up intellectual property attorney and talked about our options.
We called the Massachusetts Attorney General to report business fraud.
When the Mass Attorney General didn’t get back to us, we called Senator John Kerry’s office, who we know has an interest in cyberterrorism.
The folks at Kerry’s office were great. (Thank you all, again!) They made a bunch of phone calls, and ultimately put us directly in touch with the FBI.
I love the FBI
Now there’s a phrase I never thought would make it into one of my posts.
Like I said, because there’s an ongoing investigation, I can’t tell you that much about the Special Agent in charge. Suffice it to say, he’s more than earned a lifetime supply of cakes and cookies from The Mouse Empire.
(And yes, I somehow manage to refrain from calling him Mulder. Don’t ask me how.)
There’s a lot more that I just can’t talk about right now, but that should give you a pretty good idea of what happened.
How I ultimately got my domain back
Fast forward to about two weeks ago.
Network Solutions emailed me with great news. Based on the evidence presented, the Chinese registrar had agreed to return the domain to us.
A week or so later, it was safely back in our paws, where it belongs.
Basically, we got lucky. The other registrar decided to cooperate. The whole thing could have been a lot harder. (See below.)
Now, the FBI are still investigating. We’ll see if they catch the bad guys.
Interesting fact. I learned that if the FBI can figure out who did this, but won’t prosecute for whatever reason, they’re bound by recent victim legislation to turn the perpetrator’s information over to me.
Rest assured, if the party responsible for the theft is on U.S. soil, I’ll bring the biggest, baddest civil case right to their door, complete with bells, whistles, and complimentary, homemade mints.
Why did they do it?
Honestly, we’re still not sure. And I’m not 100% convinced that I even care.
As personal as it may feel, we’re sure it wasn’t. Whoever did this has most likely done the same thing to a bunch of other websites, and will do it to a bunch more before they’re caught.
When it comes down to it, I’m a regular girl who works a full-time job, and runs this website because I truly love to teach people how to cook. I just happen to own something that someone else wanted to use to make a couple of bucks.
Our best guess is that they were after ad revenue based on our traffic. (The Hungry Mouse gets about 200,000 unique visitors a month.) They tried installing their own Google AdSense code on the site on three separate occasions, each of which I had shut down through Google.
I just thank the gods we don’t store customer data or credit card information.
Where can you turn if your domain has been stolen?
Aside from what I outlined above, there’s actually a whole procedure for disputes about domain names. Read more about it here.
In fact, there’s a whole organization, called ICANN, that’s dedicated to the global care and feeding of domain names.
Basically, I would have had to file a dispute, and pay to have it arbitrated. That’s a process that, before attorney’s fees, can cost a couple grand and take months.
10 Tips for Blog Security
There are surely better sources for website security than this post. Please seek them out. (Please!) I’m by no means an internet security expert, and I’m not making any claims that this stuff will make your site hacker proof. That said, here are a handful of things that should make your blog harder to steal.
1. Make sure your email is secure
This is the big one. If you use Gmail for email, turn on two-step verification. Basically, this service ties your email log-ins to specific browsers on specific computers. (As in, I can only log in to my email on Google Chrome on this computer, etc.)
If you try to log in anywhere else, Gmail requires you to enter a special code that you receive by cell phone.
So, even if someone manages to hack your username and password, they won’t be able to get into your Gmail if they don’t have your phone. Here’s more on how that works.
Why is email security so important?
Think about it. If someone hacks your email, they can use your messages to figure out what kind of online accounts you may have.
For example, say they try to log in to your Amazon.com account. They use your email address to sign in, but say that they lost their password. They get a password reset message sent to them at your email that they now control, they use it to create a new password, and…bingo! They can access your Amazon.com account. (And you can’t, because they reset your password.)
Rinse and repeat with your bank account, your PayPal account, and whatever else they can find via your email. Sure, some of those sites will probably have other security measures in place around password resets, but some won’t. Do you want to find out the hard way?
The two-step verification thing can be a huge pain in the ass, but it’s well worth it. Funny enough, someone told me that Google came up with it because they originally got hacked by the Chinese.
2. Make your domain registration private
When most bloggers register a domain name, they use their home address on their account. When you make your registration private (a service that I believe most registrars offer), your address isn’t published publicly with the domain listing. You can see who is listed as the owner of any domain name by doing a “whois” lookup. Hit this website (or the site for any big registrar), enter any domain name, and see what I mean.
3. Max out your security with your registrar
Whatever your registrar and/or host offer for security, you probably want it. Every company will have different services. Find out what your providers offer and see what makes sense for you.
4. Use smart user names & passwords
Make them complicated and unintelligible. Use symbols, numbers, and upper and lower case letters. Forget about using your birthday. Don’t use your dog’s name. Change your username from “admin” to something else. And don’t, whatever you do, use the same password for your email, your blog log-in, and your ATM pin. Because if someone cracks one password, they can probably get into all your accounts associated with it.
5. Change your password every 90 days
My friends at the FBI told me that most stolen passwords kick around for a while before they get used. Change your passwords at least every 90 days.
6. Install security plugins on your blog
Do some research and find out what the best security plug-ins are for your particular blogging software. Install them. Keep them up to date. Monitor them. Don’t skimp on the antivirus software on your computer, though I’ve been advised that a lot of the off-the-shelf programs aren’t super up to date, and if a hacker really wants your site, they’ll write custom code to try to get it.
7. Back your content up
This is a basic one, but it’s one that not everyone does regularly. Back up all your files to some kind of external drive or cloud, so that if the worst happens, at least you still have a copy of all your data.
8. Document everything
Keep good records. If your domain is hijacked, or if your email is hacked, take screenshots of everything you find, and keep a running Word doc with notes. It’s a frazzling time, and little details that might be important can slip through the cracks.
9. Don’t assume it can’t happen to you
I don’t store customer data or credit cards. I have nothing that a hacker might want except my content or my traffic. You never know what motivates a criminal. And frankly, it doesn’t really matter much once they have your stuff. Be preemptive. The best offense is a good defense, and all that.
10. Be vigilant
Don’t assume that the companies you do business with always have your best interests at heart. You’re responsible for keeping yourself as safe as you can. Check your accounts frequently. Change your passwords frequently. Alert companies about any sketchy activity you notice. Don’t log in to super sensitive accounts over public wifi, or on public computers. If it’s important to you, don’t get lazy about it. Read about online security. Talk to people you know who work in the field. Put what you learn into practice.
The bottom line?
Our lives increasingly revolve around the Internet, whether you run a website, or just use the internet.
Stop for a minute and think about how some of the most valuable things in your life are probably also the most intangible.
I’m talking bank accounts. (Do you keep a big pile of cash in a safe in your house? Or is your life savings represented by a number you see on your bank’s website?)
I’m talking credit cards. (Do you pay your credit cards online via instant transfer from your bank? Are your credit cards tied to your PayPal account? Do you receive e-statements for all of your accounts via email?)
I’m talking e-mail. (Do you back up your email or keep paper copies? Or does all of your important correspondence live only in your inbox?)
I’m talking commerce accounts. (Do you buy everything in person in a store? Or do you purchase half your stuff online and pay using your PayPal account…that’s tied to an email account that has a password you never change…which happens to be your birthday, your cat’s name, or something else really easy to guess?)
You see where I’m going with all this.
I’m not suggesting that everything online is insecure. Not at all.
I am suggesting, however, that security and smart behavior are more important than ever as we do more and more personal stuff and business online.
Be smart. Be safe. Stay on top of your accounts and your computer, and make sure you keep whatever security measures you take up to date.
Please leave a comment
If you have insights, questions, or other tips about blog security, please leave a comment!
We’ve recovered now, but we did actually treat this like a case of full-on identity theft. That means we changed ALL our financial accounts over, alerted credit bureaus, modified all of our online accounts, etc. As much as we want to forget what just happened to us, it was really important to tell this story, because we don’t want it to happen to anyone else.
And now, back to the kitchen! Even though summer’s coming, I can’t shake the urge to start baking.
Talk to you soon!