Many of you have been wondering what happened to our site, why it was down and why we are not responding to emails related to InstantShift.com. In short, our website was hacked.

Because of this vicious attack, InstantShift.com has been down the last three days We have been continuously updating our status on our Twitter account (@instantshift), and everyone who follows us there is aware of the reason behind this downtime.

This attack happened to many other well-known sites in our niche, including css-tricks.com, kirupa.com and designshack.net.

To help you understand the situation, we have listed all the details related to this matter below in chronological order.

On December 2, David Appleyard informed us that our domain name as well as his domain designshack.net had been hijacked (stolen) by someone, and that the ownership of our domain (InstantShift.com) had been transferred to PlanetDomain. We immediately thought of David Walsh, webmaster of davidwalsh.name, who has been going through the same trouble since November 29.

Our site was live until December 5 at 8:00 AM, and then the hacker removed our nameservers associated with this domain. Since then, the website has been down, and we are not able to send or receive mail related to InstantShift.com.

The Timeline of Events:

Friday, December 2, 2011

• We’ve received an email from David Appleyard saying our domain name had been stolen. At first, we didn’t believe it, so we checked our WHOIS details which proved that we actually had been hacked and that our domain had been moved to PlanetDomain from GoDaddy. After receiving a few more emails from other people, we realized that this had been happening to other related sites like designshack.net, kirupa.com, css-tricks.com, sohtanka.com and shiachat.com.

• We called GoDaddy (our original registrar) for support, and they told us to email transferdisputes@godaddy.com with all the details, which we did immediately. We received a follow-up email requesting us to fill in a transfer dispute form and provide proof of our ID, which we also did immediately.

• We called PlanetDomain, but they were not very helpful and told us to email the details to domains@planetdomain.com. After sending a detailed email, we received an auto-generated reply saying they received our email.

• We started tweeting about this on our Twitter account (@instantshift) and receiving updates from fellow infected site owners.

Saturday, December 3, 2011

• No update from GoDaddy or PlanetDomain.

Sunday, December 4, 2011

• No update from GoDaddy or PlanetDomain.

Monday, December 5, 2011 (the day our site went down)

• At 8:15 AM, we tried sending a business email to one of our sponsors from our email contact@instantshift.com; the delivery of the message failed. After checking our WHOIS details, we realized that our nameservers had been removed by the hacker.

• We immediately called PlanetDomain support about this issue, and again they told us to email them at domains@planetdomain.com. The site has been down since then, and we have no control over this situation.

• We received an email from GoDaddy saying:

  We are in contact with PlanetDomain.com and are requesting that the domain name be transferred back. If their records also show the same registrant at the time of transfer, we will work with them to see if they can transfer the domain name back. However, they are not required to transfer the domain name back.

• They also told us to submit more ID proof for our domain and its ownership.

• We called PlanetDomain again to get an update of the situation, and they told us that they had frozen our account and that no one could access the account (not even the hacker). Unfortunately, in this frozen state, the PlanetDomain staff themselves are not able to update the things related to our domain, so they are helpless in restoring our nameservers. Once again, this was not helpful.

Tuesday, December 6, 2011

• For the first time in the last four days, we have been contacted by the PlanetDomain staff by email at our official email address (contact@instantshift.com), but unfortunately ,our site was down so we were not able to receive any email sent to our site address; therefore, we requested them to send further updates to a different gmail address. This is what they replied:

  As per the decision between PlanetDomain and GoDaddy, we have decided to reverse the transfer back. This means the domain will be transfered back to GoDaddy. At this stage, we are waiting for confirmation from GoDaddy in regards to this.”

  We will update you via email as soon as we hear from them.

• We tweeted both @GoDaddy and @netregistry (owner of PlanetDomain) about the situation.

• From PlanetDomain (@netregistry) via Twitter, we received this reply:

  As per our previous email, we are waiting on confirmation from GoDaddy regarding reversing the transfer.

Wednesday, December 7, 2011

• We got a confirmation email from GoDaddy saying:

  Thank you for your message. We have initiated the domain name to be transferred back to us.

  We are now waiting for PlanetDomain to acknowledge the transfer and to return the domain name to us.

• Our WHOIS details have been restored to GoDaddy, but the nameservers are still not restored.

• Another message from PlanetDomain (@netregistry) via Twitter reads:

  We have acknowledged and advised GoDaddy. You should be able to update your nameservers via GoDaddy. Let us know of any issues.

• We called GoDaddy support and told them to restore our nameservers, but they are not able to help as the domain was still processing with GoDaddy.

• At last, we received this email from GoDaddy:

  Thank you for your patience regarding this matter. The domain name INSTANTSHIFT.COM has been returned to your account.

  We kindly request that you update your contact information as soon as possible.

• Finally! We’ve restored the nameservers so the site will be live.

Now What?

Now we have full control over our site domain once again. There is no loss in site data as well as no problem with any site files as the hackers were only after our domain name. Everything is working fine as far as we know. If anyone finds any inconsistency, please email us at contact@instantshift.com or contact us via our contact form.

We learned that css-tricks.com, designshack.net and scriptandstyles.com have been restored back to their original owners, too. Now we are supporting others who were not yet able to get their domains back. We all are going to need all the support we can gather to get back what is rightfully ours.

For more information, you can follow us on Twitter (@instantshift) to learn more about the situation.

Status of the Sites which are Infected

• scriptandstyle.com – Resolved
• instantshift.com – Resolved
• css-tricks.com – Resolved
• designshack.net – Resolved
• davidwalsh.name – Resolved
• sohtanaka.com – Unresolved
• kirupa.com – Resolved
• shiachat.com – Resolved

Further Readings on This Attack

• .net Magazine – Web design sites hit by domain theft
• DavidWalsh.Name – DavidWalsh.Name Has Been Stolen
• CSS-Tricks.com – This Site’s Domain is Stolen
• DesignShack.net – The Theft of Design Blog Domain Names
• Kirupa.com – kirupa.com Domain Has Been Stolen!
• Slashdot – Domain Theft-for-Ransom Hits css-tricks.com and Others
• Hackers News