
Godaddy domain names being stolen!

Status
Not open for further replies.

ydnaemsti

Level 4
Legacy Platinum Member
Joined
Jul 25, 2009
Messages
216
Reaction score
0
[URL="http://www.dnforum.com/member-rockefeller.html"]Rockefeller[/URL]
Do you know how to get the IP address from the email that came into your inbox?
Put the collection of those IPs together, just to validate that it's one guy from US and not a ring of guys from all over.

Also, his privacy service is Moniker. If you guys know Monte from Moniker, ask him if he can somehow help.
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
Well looking at the other residents of Lukasz's house reveal...

Mrs. Adriana Zycki
Eisenhower Junior High School
Darien, Illinois

If she still works there as a special ed assistant it may be worth a call to the school and ask for her?

Someone needs to make a friend lol

Hey, this guy is either the thief or a victim. It was his PayPal that was used and charged back; someone needs to get hold of him.

http://www.facebook.com/profile.php?id=100000135189925&v=info&ref=search

Another family member's work...

Marcin Zycki
at Byte Managers Inc
800 West Huron Street, Suite 4w
Chicago, IL 60622


Whoever the names were stolen from needs to follow up on this!

OK, that's it from me for now: two people to contact that live with Lukasz Zycki, same house, same guy's PayPal etc. I can even tell you where they went to school and college, but at this point the victim(s) need to call and get his mother and sister on the phone. Maybe he's a victim and his PayPal was stolen and he just hasn't noticed?
 

ydnaemsti

Level 4
Legacy Platinum Member
Joined
Jul 25, 2009
Messages
216
Reaction score
0
I would not contact anyone. I would make sure he is not here and reading this first. If he is not here, then I would simply verify his info and file a case. No warnings.
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
I would not contact anyone. I would make sure he is not here and reading this first. If he is not here, then I would simply verify his info and file a case. No warnings.

Hey, we all have our own ways, but from past experience I find moms and dads don't feel good about people calling and going over what their son is up to; names get returned pretty quick, no lawyers, police etc.

I always try the easiest step first. If he is a victim too it will all come to light; if not, and mom and dad don't care, follow through, but easy at first is my route.

Just an FYI...

Zycki is a rare name in the US anyway; both .com and .net were taken within the last 1-2 years, both private at GD! The .org remains available, which goes to show how rare a name it is, no one wants the org lol

Just an FYI
 

Rockefeller

Level 11
Legacy Exclusive Member
Joined
Apr 8, 2005
Messages
8,011
Reaction score
58
Also, all of the Yahoo accounts I have looked up ask for the same password reset question, "what is your oldest child's name?". There is also another option for a backup email on the account, for which the hint is [email protected]. Anyone know of a 2 character domain that was stolen? Could be a big lead.

Okay, so as I said before, [email protected] was the original PayPal email given to us by the first thief, who didn't know we were going to take the name from him. A more in-depth search shows that "Amir Mirghassemi" owns this domain name and also owns servers24.com. I have also found other posts that indicate that Amir has addresses in Ohio and Iran. I believe Amir Mirghassemi is our scammer.

Amir Mirghassemi
7828 Woodglen Dr
Westchester, OH
513-225-5200
 

cmason

Level 4
Legacy Platinum Member
Joined
May 2, 2009
Messages
232
Reaction score
1
FYI - Over at NP, the user i.domain has responded to the claims regarding VPR in the legal section.
 

Rockefeller

Level 11
Legacy Exclusive Member
Joined
Apr 8, 2005
Messages
8,011
Reaction score
58
DO NOT do business with the member i.domain at NP, this IS the domain thief that has stolen all of the Godaddy domain names.

http://www.namepros.com/members/159787.html

I managed to get the IP address of the person logging into NP, which IS the domain thief. The address where his IP comes back to is Woodstock, IL; the ISP that hosts that IP is in Chicago, IL. The two addresses that we have on Lukasz Zycki are in Bensenville, IL and Bannockburn, IL. All of these cities only have a max of 34 miles in between them.
 

Rockefeller

Level 11
Legacy Exclusive Member
Joined
Apr 8, 2005
Messages
8,011
Reaction score
58
We have successfully got 4n.net back to the true owner. Everyone that has had a domain name stolen by this thief, especially vpr.com and iwy.com, needs to email [email protected] and reference the 4n.net thief.

Header from email that SPOOFED escrowdns email:

Sunday, October 4, 2009 4:56 AM
From [email protected] Sun Oct 4 11:56:29 2009
X-Apparently-To: [email protected] via 66.196.100.97; Sun, 04 Oct 2009 04:56:31 -0700
Return-Path: <[email protected]>
X-YahooFilteredBulk: 66.116.153.91
X-YMailISG: Ls7AglMWLDuwWxQCYZGVpq4dwM0i56WoEHMKMPN4gdlk1aNp5fBk9ESE5NXvva7pjtAEg2OXpBTnX707CteuI_tvCh6u14oEcVwTR26T8lBeoI.2X5vU5KqDxwsgooxbHYw9Pj5RRSLoy3uY0dlf5s0ULCIaIz9wYn5o1c2Y1Gk9abdc_OR6V5ATn7yWpDuw1zNeFwnos4hECuHgvbjetr_D_z5y17aVEDFUtj_13subaJ67_EIVcFPEzBFUtgj9QuUD4AwKTZcRyA3LbwT.FOdPiDrp77xyiawfJ7jSFfsnh2Ei5wEpLTRGmO_gS8wAiZcY2t0ClGZyUXOdq32yjtU-
X-Originating-IP: [66.116.153.91]
Authentication-Results: mta297.mail.mud.yahoo.com from=srv1.hostedfx.com; domainkeys=neutral (no sig); from=srv1.hostedfx.com; dkim=neutral (no sig)
Received: from 66.116.153.91 (EHLO srv1.hostedfx.com) (66.116.153.91) by mta297.mail.mud.yahoo.com with SMTP; Sun, 04 Oct 2009 04:56:31 -0700
Received: from nobody by srv1.hostedfx.com with local (Exim 4.69) (envelope-from <[email protected]>) id 1MuPhV-0007Ov-5N; Sun, 04 Oct 2009 07:56:29 -0400
To: [email protected]
Subject: Domain escrow - 4n.net Transaction
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: <[email protected]>
Mime-Version: 1.0
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
Sender: Nobody <[email protected]>
Date: Sun, 04 Oct 2009 07:56:29 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv1.hostedfx.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - srv1.hostedfx.com
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: khaye.com:/public_html/z
Content-Length: 351
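
An added example, not part of the original post: a small Python check for the signs visible in the header above (no DKIM signature, a Return-Path and Sender on the hosting server rather than the From domain, and local submission from a web directory). The sample message is constructed with placeholder domains and documentation IPs, and `domain_of` and `analyze` are names chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header in the post above; every domain,
# address and IP is a placeholder (example domains, documentation IP ranges).
SAMPLE = """\
Return-Path: <nobody@srv1.shared-host.example>
Authentication-Results: mx.mailbox.example from=srv1.shared-host.example; domainkeys=neutral (no sig); dkim=neutral (no sig)
Received: from 192.0.2.91 (EHLO srv1.shared-host.example) (192.0.2.91) by mx.mailbox.example with SMTP; Sun, 04 Oct 2009 04:56:31 -0700
Received: from nobody by srv1.shared-host.example with local (Exim 4.69) id 1AbCdE-000000-00; Sun, 04 Oct 2009 07:56:29 -0400
From: "support@escrow.example" <support@escrow.example>
Sender: Nobody <nobody@srv1.shared-host.example>
X-Source-Dir: customer-site.example:/public_html/z
Subject: Domain escrow - Transaction

(body omitted)
"""

def domain_of(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    """Return (connecting_ip, findings) for one raw message (hypothetical helper)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    for name in ("Return-Path", "Sender"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    if not re.search(r"\bdkim=pass\b", msg.get("Authentication-Results", "")):
        findings.append("no dkim=pass result in Authentication-Results")
    received = msg.get_all("Received", [])
    # Only the topmost Received line is written by the recipient's own server;
    # the IP in it is the machine that connected, i.e. the relaying host.
    hit = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s", received[0]) if received else None
    if any(re.match(r"from \S+ by \S+ with local", hop) for hop in received):
        findings.append("submitted locally on the relay, typical of a web script")
    if msg["X-Source-Dir"]:
        findings.append("sending script path: " + msg["X-Source-Dir"])
    return (hit.group(1) if hit else None), findings
```

`analyze(SAMPLE)` returns the connecting IP `192.0.2.91` with five findings; that IP identifies the server that relayed the message, which is as far as the headers alone can go.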
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
Glad to hear...

Ironically the one email [email protected] I saw was for a group called 3 guys jump or something, the pic I found for the person involved throwing up gang signs where the site was too dangerous to link.. three guys in the pic!

Coincidence?

I also think the fact the addresses are so close is a great confirmation as well, puts the pieces together nicely.
 

Rockefeller

Level 11
Legacy Exclusive Member
Joined
Apr 8, 2005
Messages
8,011
Reaction score
58
the jumptime email is the true owner, I've confirmed that and 4n.net is now in the true owner's hands, we worked hand in hand with Godaddy and they did the right thing. There are still 2 names that we have to get back to the owners, one that was stolen from the escrowdns spoof and another that was just outright stolen.

Would the "originator IP" be the sender's (scammer's) IP? Looks like it went through Hostedfx.com out of Ohio; the Amir Mirghassemi also has an address out of Ohio.
 

britishbulldog

DNF Addict
Legacy Exclusive Member
Joined
Jul 3, 2005
Messages
2,375
Reaction score
6
the jumptime email is the true owner, I've confirmed that and 4n.net is now in the true owner's hands, we worked hand in hand with Godaddy and they did the right thing. There are still 2 names that we have to get back to the owners, one that was stolen from the escrowdns spoof and another that was just outright stolen.

Would the "originator IP" be the sender's (scammer's) IP? Looks like it went through Hostedfx.com out of Ohio; the Amir Mirghassemi also has an address out of Ohio.


Hey Sherlock aka Justin, great work... you the man :)
 

Kventures

DNF Addict
Legacy Exclusive Member
Joined
Nov 7, 2003
Messages
1,755
Reaction score
1
VPR.com has been returned to me successfully!

Thank you GoDaddy.com, Adam Dicker, and Justin Godfrey (EscrowDns.com)

Everyone, please be VERY careful about these scams in the future. Always make sure to login to the website to confirm escrow statuses, and if anything looks fishy, call or send an email to the escrow companies!
 

Namefox

Namefox
Legacy Exclusive Member
Joined
Feb 14, 2005
Messages
5,746
Reaction score
28
Been watching and I am very impressed by the teamwork involved here and the relatively quick resolution. Good work everyone involved, and I am happy to see domains have been returned to rightful owners.
 

INVIGOR

Level 8
Legacy Exclusive Member
Joined
Feb 26, 2004
Messages
1,503
Reaction score
0
Much kudos to all involved in the safe recovery of these names.
 

TheLegendaryJP

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2005
Messages
4,335
Reaction score
171
Ok good to hear, poor jump guy was about to my wrath lol

Glad it's working out, good work Justin.
 

Rockefeller

Level 11
Legacy Exclusive Member
Joined
Apr 8, 2005
Messages
8,011
Reaction score
58
Anyone know how to track an IP, like actually track it? Would be willing to pay for legit info as I will be suing this guy if he is in the US and hopefully bankrupting his operation.

The IP from NamePros (that he used to login with) is:

76.73.68.156
 

south

DNF Addict
Legacy Exclusive Member
Joined
Dec 31, 2006
Messages
4,688
Reaction score
168
Anyone know how to track an IP, like actually track it? Would be willing to pay for legit info as I will be suing this guy if he is in the US and hopefully bankrupting his operation.

The IP from NamePros (that he used to login with) is:

76.73.68.156

From Arin.net

OrgName: FDCservers.net
OrgID: FDCSE
Address: 141 w jackson blvd.
Address: suite #1135
City: Chicago
StateProv: IL
PostalCode: 60098
Country: US

ReferralServer: rwhois://rwhois.fdcservers.net:4321

NetRange: 76.73.0.0 - 76.73.127.255
CIDR: 76.73.0.0/17
OriginAS: AS30058
NetName: FDCSERVERS
NetHandle: NET-76-73-0-0-1
Parent: NET-76-0-0-0-0
NetType: Direct Allocation
NameServer: NS3.FDCSERVERS.NET
NameServer: NS4.FDCSERVERS.NET
Comment:
RegDate: 2009-02-02
Updated: 2009-04-08

RAbuseHandle: ABUSE438-ARIN
RAbuseName: ABUSE department
RAbusePhone: +1-630-729-0228
RAbuseEmail: [email protected]

RNOCHandle: NOC1402-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-630-729-0228
RNOCEmail: [email protected]

RTechHandle: NOC1402-ARIN
RTechName: Network Operations Center
RTechPhone: +1-630-729-0228
RTechEmail: [email protected]

OrgAbuseHandle: ABUSE438-ARIN
OrgAbuseName: ABUSE department
OrgAbusePhone: +1-630-729-0228
OrgAbuseEmail: [email protected]

OrgNOCHandle: NOC1402-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-630-729-0228
OrgNOCEmail: [email protected]

OrgTechHandle: TECHS72-ARIN
OrgTechName: Tech Support
OrgTechPhone: +1-630-729-0228
OrgTechEmail: [email protected]

You would have to contact the block owners, and hopefully they will have login records if it's a PPPoE or dial-up connection. It doesn't appear to have an FQDN on that address (76.73.68.156).

You may have to subpoena the records from the owner of the IP range, or they may cooperate.
 

ydnaemsti

Level 4
Legacy Platinum Member
Joined
Jul 25, 2009
Messages
216
Reaction score
0
A local detective service will locate him in 3 days. It will cost no more than 250. You know his name. It's an easy job.
 