Latest news of the domain name industry

Recent Posts

Three-letter .com owned by hospital “hijacked”

Kevin Murphy, August 20, 2019, 11:45:01 (UTC), Domain Registrars

A California hospital has seen its three-letter .com domain reportedly hijacked and transferred to a registrar in China.

Sonoma Valley Hospital, a 75-bed facility north of San Francisco, was using svh.com as its primary domain until earlier this month, when it abruptly stopped working.

The Sonoma Index-Tribune reports that the domain was “maliciously acquired”, according to a hospital spokesperson.

It does not seem to be a case of a lapsed registration.

Historical Whois records archived by DomainTools show that svh.com, which had been registered with Network Solutions, had over a year left on its registration when it was transferred to BizCN in early August.

BizCN is based in China and has around 711,000 gTLD domains under management, having shrunk by about 300,000 names over the 12 months to April.

The Sonoma newspaper speculates that the domain may have been hijacked via a phishing attack. It’s not clear whether the hospital or NetSol, part of the Web.com group, was the target.

Three-letter .com names are highly prized, usually selling for tens of thousands of dollars.

Domain investors should obviously steer clear of svh.com, which will is probably already up for sale.

Not only is there a possibility of attracting unwelcome legal attention, but there’s also the moral implications of paying somebody who would steal from a hospital.

The hospital in question has now changed its name to sonomavalleyhospital.org. This transition, which includes migrating the email addresses of all of its staff, seems to have taken several days.

Anyone sending personal medical information to the old svh.com email addresses may find that information in the wrong hands.

Tagged: , , , ,

Comments (8)

  1. Rob Hall says:

    This is such a crock of shit and our industry needs to fix it.

    Domain Hijacked. We need to stop thinking of it like this.

    The domain name was stolen.

    And lets be honest. Domains are not like a piece of art where they disappear when they are stolen. We know exactly where it is. And we know exactly what the history of it is.

    It’s time we pull our heads out of our asses and start doing whats right. This domain should be put back in the hands of its rightful owner.

    All too often we get tied up in our own policies and procedures and throw our hands up and say there is nothing we can do.

    How about we create an “undo transfer” command for Registrars. It has the effect of instantly undoing a transfer to another Registrar. Puts the domain name back.

    At the same time, it launches an investigation by a third party. The third party looks at who is right and decides where the domain should live. Loser pays a stiff fee to cover the cost of the third party investigation. That would stop abuse of using the undo transfer command.

    If transferring it back is just too much for most people to comprehend, then how about we have a command that lets the losing Registrar put the OLD DNS on the record at the registry and lock it until the investigation is done. In effect, that would restore the domain to use by the proper client so web and email worked, and then let a quick investigation occur.

    It’s time to stop ignoring doing whats right in the name of policy and figure out some common sense solutions to domain name theft.

    • Chris says:

      I own fullname.com and fullname.nl. But eventually I settled for .nl because then at least I could contact the registry if my domain gets stolen. Who will then intervene, contact the registrars, verify the old and existing whois records, undo the mutation and give a symbolic fine to the gaining registrar. I love how .com has a transfer lock and asks for email verification before a transfer, but that wont help you if your account get compromised.

      Im sure Verisign earns enough that they can afford to do some oversight as well.

    • Kevin Murphy says:

      Sounds like maybe you should take this to the GNSO.

    • Patrick Mevzek says:

      What you describe already exists (in gTLD world). See https://www.icann.org/resources/pages/tdrp-2016-06-01-en (before 2016 there were even 2 steps, first one being the registry itself arbitrating the dispute, before going to an external provider)
      There is no need to a specific “undo” transfer, as it is just a transfer in opposite direction (and the registry can force it to go through). There are underlying operations to remember also (like transfer of in-bailiwick host objects if they exist), and one may have to adjust the expiration date. As for your final suggestion to let the old registrar change nameservers on a domain not sponsored by it anymore, this is ripe for abuse in the opposite case.

  2. It looks like this specific issue might be getting resolved as we speak, but it’s not clear how or why.
    I noticed the registrar whois for svh.com shows this domain name with cloudflare.com nameservers, which point to the same mailserver as sonomavalleyhospital.org and the webserver of cloudflare.com seems to be set to redirect to https://www.sonomavalleyhospital.org.

    But: that’s only in the registrar whois. At Verisign this has not been updated yet.

    • Kevin Murphy says:

      The Whois site for BizCN doesn’t even resolve for me.

    • Benedict says:

      Nameservers in whois are often outdated, and thus not much use for this type of investigation.

      Shame we got rid of owner info in whois isn’t it…

    • Benedict says:

      Nameservers in whois are often outdated, and thus not much use for this type of investigation. Much better to use a live DNS lookup such as dig on the command line.

      Shame we got rid of owner info in whois isn’t it…

Add Your Comment