The KCAA website was recently stolen and redirected to a porn site. Here is the story of that horrific event and how we restored our site in record time.
On March 29th 2017, my Outlook email program declined my password. For years, I had been a Comcast subscriber and forwarded my Comcast email to Outlook. The system was trouble free.
I tried to restore access to my email with a passcode change but several attempts failed so I called Xfinity customer support and I found it difficult to prove my identity. Apparently, my contact phone number and primary email address had been replaced by a hacker. The hacker had used a phone number stolen from another victim and an email address from one of my business associates.
Comcast tech support was quick to blame the victim. As I would soon learn, when a hack occurs, every company involved blames the victim or another Internet company. The Comcast security team said this could never occur unless the hacker gained access to my account through something called a keylogger. A keylogger is used by a hacker to record every keystroke made by a computer user in order to gain fraudulent access to passwords and other confidential information. In other words, this program allows a hacker to watch every keystroke we make in real time. I was instructed by Comcast security to shut down my computers immediately and have them professionally scanned for the keylogger malware.
My Internet guru ran three full scans using three different programs and confirmed that no Malware had infested any of our computers. He said the hacker had used a combination of public information (social engineering), fraud and manipulation of after hours online customer service to accomplish the hack Regardless, the Comcast security team vociferously disclaimed any responsibility for the incident.
Like the song says “You ain’t seen nothing yet”. Before it was over, a circular firing squad had been formed that included I-Cann, TuCows, enom, namecheap and Homestead Technologies and they were all pointing at each other with KCAA in the middle.
Unbeknownst to me, by the time I restored access to our Xfinity account, the hacker had already done everything necessary to steal our radio station’s primary URL which is www.kcaaradio.com.
Our first indication that the damage had extended beyond Comcast email was a ransom message that came to my wife’s cell phone. The message originated at the aforementioned stolen phone number and the hacker demanded three Bitcoins valued at about $3,500.
I immediately called Homestead Technologies which hosts our website. They confirmed that an attempt was underway to steal www.kcaaradio.com, but they gave me assurances (which later proved to be false) that the hacker had been stopped.
The call to Homestead happened at about the same time that Comcast restored our email account. One of the emails that had been held hostage was from Homestead, which asked me to respond if changes had been made to KCAA's account that were not ordered by us. Obviously, their message didn't reach me until it was too late.
As I soon discovered, the hacker had done everything necessary to steal KCAA’s URL by Friday March 31, even though I had been assured by Homestead on March 29th that the hacker’s attempts had been thwarted and our account and URL registration were safe and secure.
Then All Hell Broke Loose
On Tuesday morning April 4th at 12:53 a.m., I logged into the KCAA website to confirm that all systems were operating. This had been part of my nightly ritual for many years. What I saw on the home page was enough to give me a heart attack.
Our website had been replaced by the most horrendous porn site imaginable. There were multiple moving GIFs of people having sex and all sort of links to ads for sex devices.
I thought to myself, stay calm Fred, you can fix this… you can fix almost anything. Unconvinced, I repeated the phrase, “This too shall pass”, while clicking refresh to no avail. Then I tried to remember the first verse of Rudyard Kipling’s poem called “IF” which begins, “If you can keep your head when all about you are losing theirs and blaming it on you”…
I frantically called Homestead Tech support, only to get this message “We are closed, blah, blah, blah… Please call back during regular business hours after 6 a.m. Pacific Time. I live in the central time zone so that meant I could not get phone support for another seven hours. I tried to use their online support but that proved to be useless. Suddenly, I heard myself scream out the four letter word that was being acted out all over the KCAA website.
Since Homestead did not answer their support line, my search turned to the Whois site where I discovered that www.kcaaradio.com had been moved to a registrar named “enom” and the new web host was a reseller called “namecheap”. I had never heard of either company, and at first glance, I thought “namecheap” was a pseudonym. It seemed illogical to brand a company with the word “cheap”. My bias must be generational, because namecheap is a real reseller for the registrar called enom. Interestingly, enom is owned by TuCows, and one of their resellers is Homestead Technologies, the company that hosts the KCAA website.
So, to talk with namecheap, I needed a phone number. I searched the internet for their phone support, but my efforts yielded nothing. Assuming I could reach them, I was prepared to make a simple and logical argument. What FCC licensed radio station with three frequencies on the air in a large market would voluntarily turn itself into a porn site? DUH...
Namecheap’s online support gave me an auto response which thanked me for my inquiry and promised a later review. I then looked up namecheap on Google maps and found a Los Angeles address. I gave the address to Gary Garver, who is KCAA’s Business Manager in Los Angeles and I asked him to knock on their door. After spending two hours in LA traffic, Gary arrived at the published address of Namecheap and found nothing but a parking lot.
By this time, several of us had worked for many hours and accomplished nothing. Mike Lundgren, my son who is KCAA’s Director of Internet operations had also been up all night and was uttering unique combinations of expletives that I’d never heard expressed in such a creative manner.
The sun was up and the work day was beginning when I received the first of many emails from clients. Soon, I was receiving a steady flow of emails and phone calls with variations of… WTF is going on at KCAA?
I silenced the ringer on my phone and dozed off from exhaustion. I needed some rest, having recently been in the hospital for five days due to bleeding ulcers.
I awoke just in time to watch the clock count down to 8 a.m. Central Time, which is 6 a.m. Pacific. Surely Homestead support would fix this immediately. After all, the site was built on their platform and KCAA has paid then monthly since 2003.
A Circular Firing Squad Begins To Form
Finally, Homestead support answered. If you ever want time to pass slowly, just wait for tech support to answer. I explained that KCAA had been hacked. I demanded to know why Homestead did not protect our site. Their answer was a series of questions about the security of our computers, not Homestead’s lack of security. The Homestead representative said I was to blame for allowing a “keylogger” malware to operate on our computers. A keylogger is a program that sends your key strokes to a hacker who steals your personal information.
The primary emphasis by Homestead tech support was to place the blame on my company and absolve themselves of any responsibility. They directed me file a complaint with ICann and they offered to help, but repeatedly said that this would be a long process and it was beyond their control.
What The Hell Is ICANN?
ICann is the big cheese. ICann is the acronym for the Internet Corporation for Assigned Names and Numbers. It’s an internationally organized, non-profit corporation that has responsibility for IP addresses, space allocation and top-level domain name management. They are so insulated that any attempt to force an issue with them is no more effective than hitting a pillow.
Tucows is our registrar and needless to say, I could not find a support number for Tucows nor could I find one for enom, which is the hacker’s registrar so I turned my attention to ICann who actually has a phone number listed in Los Angeles.
I explained our situation to ICann. They instructed me to fill out their form and bring the issue back to TuCows which evidently had the authority to redirect the KCAA website back to Homestead before the registration is restored. This is very important information. If your registration gets hacked and stolen, your registrar can do a redirect to your website host which immediately mitigates the damage to your business but their cooperation is not assured and the outcome is uncertain. Expressing anger at them is as useless as hitting a pillow in anger. However, our situation was so horrible and the theft so obvious that no one but the referee at an All Star Wrestling match could ignore it. In other words, the seriousness and absurdity of our situation actually weighed heavily in our favor.
The analysis we received from our podcast manager gave us little hope of a quick fix. He told us to expect a long and expensive battle and suggested we hire a lawyer and be prepared to pay the lawyer a substantial sum and pay an arbitration committee a minimum of $1,300.00 to review the matter.
All this was happening while literally dozens of people were calling and emailing us with comments that ranged from empathy to hostility. Most conveyed the message… “How could you let this happen?” From our perspective, it was a cyber rape of our business, but no one was blaming the rapist.
Help Came From An Unexpected Source
When word of the hack got out among our staff and broadcasters, one person jumped into the battle with the ferocity of an angry African lion.
Enter Fred Plimley, who hosts the Sunday evening Music Team on KCAA. He was especially angry about the hack because he had scheduled a meeting with representatives of the US Army recruiting office that day. They are sponsors of his show and were up for renewal. He knew it was impossible to avoid a review of the KCAA website as part of his presentation. Obviously, that meeting was postponed.
Mr. Plimley told me that he previously worked for the Country of Malaysia when their government site was hacked and as a result of that experience, he knew someone at ICANN who might help us.
After pleading our case to someone he knew at ICANN, he turned his attention to our registrar, which is Tucows. He was able to zero in on the person who could redirect our site back to Homestead. I soon received a phone call from a manager at Tucows who informed me that our website had been redirected.
Ultimately our redirect took 48 hours to accomplish and our registration was restored in six days. Evidently, that’s record time for resolving registration theft but it seemed like weeks to all of us who saw KCAA getting destroyed, on click at a time.
When navigating the wild west of internet registrars, website hosts and ISPs, we are often surrounded by obfuscated responsibility, No one is really in charge so no one has to take charge or even take responsibility for the wrongful acts that occur on their watch.
In the real world, if you are identified as acquiring stolen property, you must surrender it and defend your innocence. You must surrender and forfeit any ill-gotten gains. Not so if you own an ISP, web hosting company or if you are a registrar that receives stolen intellectual property. These companies are able to keep the stolen property and any associated gain while the victim proves title. Afterward, there is no statutory penalty imposed on any of these companies for their negligence.
There needs to be an American law that imposes harsh penalties on any company that operates in America and allows website theft to occur.The penalty needs to be far more harsh when a federally licensed radio station site is hacked because it prevents the station from serving the public interest, convenience and necessity.
In the midst of internet anarchy and cyberviolence, KCAA got help from someone who knew “someone”. He was willing to bulldoze his way through the internet’s jungle of juvenile named companies; a jungle filled with incomprehensible cyber-babble, buck passing and lawlessness. His dogged determination charted the best path to a quick resolution by Tucows.
From one Fred to another, many thanks and now let's go after the bad guys.
Here are some physical addresses, contact numbers and website URLs for the Internet companies we encountered along the way. They will save you lots of time and frustration if, God forbid, you find yourself in a similar situation.
You are welcome to email me with phone numbers for similar organizations and I will add them to the list. My address is firstname.lastname@example.org
1) Homestead Technologies, 10 Corporate Drive, Burlington, MA 01803 (602) 267-3600. www.homestead.com Tech support (800) 710-1998)
(2) Homestead parent company is Endurance International Group, 10 Corporate Drive, Burlington, MA 01803 (781) 852-3200 www.endurance.com
( 3) Domain.com, LLC 10 Corporate Drive Burlington, MA 01803 (602) 716-5396 www.domain.com
(4) Enom.com 5808 Lake Washington Blvd. NE Ste 300 Kirkland, WA 98033 (425) 274-4500 www.enom.com
(5) Tucows, Inc. 96 Mowat Avenue Toronto, ON M6K 3M1 Canada (416) 535-0123 www.tucows.com
(6) Namecheap, Inc, Namecheap.com 11400 Olympic Blvd., Suite 200 Los Angeles, CA 90064 www.namecheap.com (310) 259-3259)
(7) Rightside Group, Ltd. 5808 Lake Washington Blvd. NE Suite 300 Kirkland, WA 98033 (425) 289-2377 www.rightside.com
(8) ICANN 12025 Waterfront Drive Suite 300 Los Angeles, CA 90094-2536 (310) 301-5800 www.icann.org