Cybercriminal takes “Get Rich Click!” advice too far by David Taylor and Jane Seager, Hogan Lovells

Hogan Lovells logoDavid Taylor imageLast month, cybercriminal Daniel Goncalves had the dubious honour of becoming the first person to receive a prison term for domain name theft. On 22 July 2011, he was sentenced to five years in prison by the New Jersey state Superior Court after pleading guilty in a plea bargain arrangement that spared him a possible 15 year sentence. Goncalves had stolen the domain name <>, estimated to be worth between $160,000 and $200,000 at the time of the theft, and sold it via eBay for over $100,000 in a plot worthy of an airport novel involving multi-millionaire Internet investors, an unsuspecting Mormon NBA basket ball player and a sleuthing nurse.

The domain name <>, which stands for “peer to peer”, was transferred in 2005 to, LLC, a company formed by web entrepreneur and New York Times bestselling book writer Marc Ostrofsky, author of Get Rich Click!, The Ultimate Guide To Making Money Online and the husband and wife domain name Jane Seager imageinvestment team Albert and Lesli Angel. Marc Ostrofsky is listed in the Guinness Book of World Records for having bought the domain name <> for $150,000 in 1995 and then selling it in 1999 for a world record $7.5 million. Lesli Angel, a nurse involved in teen drug abuse matters, holds a investment portfolio along with her attorney husband of over 1,000 domain names, including <> (which was also allegedly stolen by Goncalves, but now appears to be back in her portfolio) and <>.

Daniel Goncalves, a 25 year old law firm computer technician, apparently hacked into the Angels’ AOL email account in order to retrieve the login and password details for the Godaddy account in which <> was held. Goncalves then did an internal push of the domain name into an account he controlled, changing the registrant name to Dan Louvado in May 2006 and even going so far as falsifying emails to make it appear that he had bought the domain name via Paypal for a few thousand dollars. Shortly after changing the registrant name, he attempted to transfer the domain name away from GoDaddy to another registrar, but was caught out by the 60-day registry lock. Nine days after the lock was lifted, Goncalves managed to move the domain name to a different registrar. After moving the domain name to the new registrar, he waited out a new 60-day registry lock before listing the domain name for sale on eBay in September of 2006. It was then purchased by Mark “Mad Dog” Madsen, an NBA basketball player with the Minnesota Timberwolves, who was oblivious to the fact that the domain name was stolen, for $111,211.

While it may seem surprising that all this activity could go unnoticed, it is even more incredible when one discovers that it took, LLC a full year to realise that the domain name had been stolen and it only then came to light when a domainer brought certain irregularities on the website to the attention of the company. However, at the time, it seems the registrar Godaddy did not send out emails notifying such changes, so the Angels would have had no notification whatsoever of any change in the domain name.

Once the theft was discovered, Lesli Angel spent the next couple of years meticulously building up a case against Goncalves with the help of Joshua Pelissero, a domainer with a special interest in hunting down domain name thieves who goes by the moniker of the “Legendary JP”. Once they had amassed enough evidence, including pointing to Mr Goncalves’ newly-installed swimming pool, Lotus and Mercedes cars, in addition to filing a civil suit against both Goncalves and Madsen in November 2007, they took their case to the New Jersey Cyber Crimes Unit, who initiated an investigation in October 2008. On 30 July 2009 Goncalves was arrested at his home and had his computers seized and, on 13 December 2009, he pleaded guilty in the criminal proceedings to theft, theft by deception, and computer theft., LLC’s civil litigation suit against Daniel Goncalves and his company EliteHost, LLC is ongoing; however, Mark Madsen, who counterclaimed against for malicious use of process and tortious interference and also crossclaimed against Goncalves for breach of contract, fraud and indemnification was excluded from the case after he settled with, returned the domain name to them and assigned his claims against Goncalves to them.

The case sets an important legal precedent in the US as, in certain states, such as California, a domain name is considered to be similar to a piece of real estate meaning that if it is stolen the owner may have a remedy to have it returned (even though this may be a long and costly process). However, most other states, including New York and New Jersey, where the crime took place, have previously considered a domain name to be intellectual property, making legal action more difficult. In addition, tackling domain name theft requires specialised knowledge of the domain name system on the part of police officers and lawyers, which is usually not the case.

In spite of additional security measures being implemented by some registrars, domain name theft appears to be an ongoing problem and even a simple search on the Internet will bring up detailed guides to hijacking domain names. The problem was last studied in detail by the Security and Stability Advisory Committee (SSAC) of the Internet Corporation for Assigned Names and Numbers (ICANN) in its 2005 report Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions. The report enumerated 10 findings, the ninth of which stated that:

“The Inter-Registrar Transfer Policy incorporates formal dispute mechanisms. These were not designed to prevent incidents requiring immediate and coordinated technical assistance across registrars. Specifically, there are no provisions to resolve an urgent restoration of domain name registration information and DNS configuration.”

Since then, an ICANN’s Inter-Registrar Transfer Policy (IRTP) Policy Development Process Working Group went on to recommend, in its report of May 2011 to GNSO Council, that registrars should be obliged to create a “Transfer Emergency Action Contact”, who would be required to provide a human (rather than automated) response to alerts within four hours. This Contact would facilitate communications between registrars in emergency situations and, if necessary, reverse domain name transfers. The report proposes that the conversation between these emergency contacts be monitored by ICANN and that failure to respond to a notification could result in reversal of the transfer and even loss of ICANN accreditation by the registrar at fault.

The creation of a Transfer Emergency Action Contact, along with the raft of other preventative measures recommended in the Working Group’s report, would go a long way to bolstering the security of the domain name system and would help to avoid costly legal wrangles such as those over <> and the infamous <> case. As such, we can only hope that they are implemented as soon as possible. In the meantime clients would be well advised to minimise the risk of domain name theft by using registrars with solid security procedures and making sure that contact email addresses used to register domain names are kept up to date and regularly monitored.

This Anchovy News article by by David Taylor and Jane Seager from law firm Hogan Lovells was reproduced with permission.