February 12, 2018

Newtek Business Services Corp. [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business Web sites and some 40,000 managed technology accounts, had several of its core domain names stolen over the weekend. The theft shut off email and stranded Web sites for many of Newtek’s customers.

An email blast Newtek sent to customers late Saturday evening made no mention of a breach or incident, saying only that the company was changing domains due to “increased” security. A copy of that message can be read here (PDF).

In reality, three of the company’s core domains were hijacked by a Vietnamese hacker, who replaced the login page many Newtek customers used to remotely manage their Web sites (webcontrolcenter[dot]com) with a live Web chat service. As a result, Newtek customers seeking answers to why their Web sites no longer resolved correctly ended up chatting with the hijacker instead.

The PHP Web chat client that the intruder installed on Webcontrolcenter[dot]com, a domain that many Newtek customers used to manage their Web sites with the company. The perpetrator can be seen in this chat using the name “admin.”

In a follow-up email sent to customers 10 hours later (PDF), Newtek acknowledged the outage was the result of a “dispute” over three domains, webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com.

“We strongly request that you eliminate these domain names from all your corporate or personal browsers, and avoid clicking on them,” the company warned its customers. “At this hour, it has become apparent that as a result over the dispute for these three domain names, we do not currently have control over the domains or email coming from them.”

The warning continued: “There is an unidentified third party that is attempting to chat and may engage with clients when visiting the three domains. It is imperative that you do not communicate or provide any sensitive data at these locations.”
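Newtek’s advice amounts to “stop sending anything to these three names.” A defender on the customer side would want to know which hosts on their network are still looking them up (a mail client polling mail.webcontrolcenter[dot]com, say), because every such connection may be carrying a password to whoever now controls the domain. The block below is an added example, not code from the article or from Newtek: it scans resolver query logs for lookups under the three domains Newtek named. The log lines are constructed in the style of a BIND 9 query log and the client addresses are made up; matching is done on label boundaries so that a look-alike name such as notwebcontrolcenter.com is not flagged.

```python
"""Flag DNS queries for the hijacked domains in resolver query logs.

Added example for this article, not Newtek's or the author's code. The
domain list is the one Newtek gave its customers; SAMPLE_LOG is constructed
(BIND 9 querylog style, made-up client addresses).
"""
import re
from collections import defaultdict

HIJACKED = ("webcontrolcenter.com", "thesba.com", "crystaltech.com")

# Constructed sample log lines; the fourth is a deliberate look-alike that
# a naive substring match would wrongly flag.
SAMPLE_LOG = """\
12-Feb-2018 09:15:01.123 client 10.0.0.5#51234 (mail.webcontrolcenter.com): query: mail.webcontrolcenter.com IN A + (10.0.0.2)
12-Feb-2018 09:15:02.456 client 10.0.0.5#51235 (webcontrolcenter.com): query: webcontrolcenter.com IN MX + (10.0.0.2)
12-Feb-2018 09:15:03.789 client 10.0.0.9#40001 (www.example.org): query: www.example.org IN A + (10.0.0.2)
12-Feb-2018 09:15:04.000 client 10.0.0.7#40002 (notwebcontrolcenter.com): query: notwebcontrolcenter.com IN A + (10.0.0.2)
12-Feb-2018 09:15:05.000 client 10.0.0.7#40003 (WEBSERVICES.THESBA.COM.): query: WEBSERVICES.THESBA.COM. IN A + (10.0.0.2)
"""

# Tolerates the optional "@0x..." client handle newer BIND versions print.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def is_under(qname, zone):
    """True if qname is the zone itself or a subdomain of it (label-aware)."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def flag_queries(log_text, hijacked=HIJACKED):
    """Return {client_ip: sorted [(qname, qtype), ...]} for queries touching a hijacked zone."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line (or a format we do not parse)
        qname = normalize(m["qname"])
        if any(is_under(qname, z) for z in hijacked):
            hits[m["client"]].add((qname, m["qtype"].upper()))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in flag_queries(SAMPLE_LOG).items():
        print(ip, names)
```

Each flagged client is a machine that still has the old names configured somewhere; the MX lookup in the sample is the one to chase first, since it means something on that host is about to hand mail, and probably a login, to the hijacked domain.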

Newtek did not respond to requests for comment.

Domain hijacking is not a new problem, but it can be devastating for the victim organization. Whoever controls a domain controls where its Web and mail traffic goes: an attacker can serve a convincing phishing page or push malicious software from the legitimate address, and by repointing the domain’s mail records can receive any email sent to it, including the password-reset messages the owner would normally rely on to recover other accounts.

Newtek is not just a large Web hosting firm: It aims to be a one-stop shop for almost any online service a small business might need. As such, it’s a mix of very different business units rolled up into one since its founding in 1998, including lending solutions, HR, payroll, managed cloud solutions, group health insurance and disaster recovery solutions.

“NEWT’s tentacles go deep into their client’s businesses through providing data security, human resources, employee benefits, payments technology, web design and hosting, a multitude of insurance solutions, and a suite of IT services,” reads a Sept. 2017 profile of the company at SeekingAlpha, a crowdsourced market analysis publication.

Newtek’s various business lines. Source: Newtek.

Reached via the Web chat client he installed at webcontrolcenter[dot]com, the person who claimed responsibility for the hijack said he notified Newtek five days ago about a “bug” he found in the company’s online operations, but that he received no reply.

A Newtek customer who resells the company’s products to his clients said he had to spend much of the weekend helping clients regain access to email accounts and domains as a result of the incident. The customer, who asked to remain anonymous, said he was shocked that Newtek made little effort to convey the gravity of the hijack to its customers — noting that the company’s home page still makes no mention of the incident.

“They also fail to make it clear that any data sent to any host under the domain could be recorded (email passwords, web credentials, etc.) by the attacker,” he said. “I’m floored at how bad their communication was to their users. I’m not surprised, but concerned, that they didn’t publish the content in the emails directly on their website.”

The source said that at a minimum Newtek should have expired all passwords immediately and required resets through non-compromised hosts.

“And maybe put a notice about this on their home page instead of relying on email, because a lot of my customers can’t get email right now as a result of this,” the source said.

There are a few clues that suggest the perpetrator of these domain hijacks is being truthful both about his nationality and about having located a bug in Newtek’s service. Two of the hijacked domains were moved to a Vietnamese domain registrar (inet.vn).

This individual gave me an email address to contact him at — hd2416@gmail.com — although he has so far not responded to questions beyond promising to reply in Vietnamese. The email is tied to two different Vietnamese-language social networking profiles.

A search at Domaintools indicates that this address is linked to the registration records for four domains, including one (giakiemnew[dot]com) that was recently hosted on a dedicated server operated by Newtek’s legacy business unit Crystaltech [full disclosure: Domaintools is an advertiser on this site]. Recall that Crystaltech[dot]com was among the three hijacked domains.

In addition, the domain giakiemnew[dot]com was registered through Newtek Technology Services, a domain registration service offered by Newtek. This suggests that the perpetrator was in fact a customer of Newtek, and perhaps did discover a vulnerability while using the service.


47 thoughts on “Domain Theft Strands Thousands of Web Sites”

  1. Brian

    Thanks for the article, I was completely stumped by the emails from Newtek.

  2. Robert Scroggins

    Why did the perp cause all this trouble? Couldn’t he have posted the news about the bug somewhere prominently on the web where customers could see it, or maybe given it to one of the online news sources?

    Regards,

    1. SeymourB

      Well, assuming he’s telling the truth, that he did contact them 5 days before, if it wasn’t going to be him it was going to be somebody. Basically “better for me to do it than someone worse to do it.”

      He could just be a ticked off customer who felt the company wasn’t taking its security seriously so he decided to publicly shame them in the worst way imaginable.

      This assumes he’s not being malicious with the information he’s gathered or has unwittingly been sent to him. If he has done something, or does something with it in the future, then he’s just another scumbag who deserves punishment. If he didn’t give them advance warning then he’s coming down on the blacker side of gray hat but doesn’t go full black until he actually takes the data he’s given and does horrible things with it. Or holds the domains for ransom. Or… well its a long list.

      What he’s done is clearly illegal, sure, but if the company failed to investigate a security hole that this person notified them about and later used to accomplish this clusterfsck then they’re not looking particularly blameless either. You can ask the guy for further details about what he uncovered while simultaneously working to patch the exploit. Going incommunicado portrays that you’re not interested, which as you can see is not a good place to be.

  3. Chris Nielsen

    Domain hijacking has been a problem for years, but this is one of the larger cases I have heard of. It will be interesting to me to hear in a follow-up if the domains were lost because they were not renewed by Newtek, or if the hacker was able to transfer the domains away from the legitimate owner (which is what it sounds like). In the latter case it could have taken place sometime in the past, but as long as the new owner maintains the same name servers, the original owner may not have been aware until the name servers were changed.

    It sounds like in this case the way Newtek lost the domain may appear to the registrar as legitimate (or may be legitimate if the domain expired and was repurchased). If it was obvious theft I would think the registrar would investigate and be able to return the stolen property. But if it appears the rules were followed registrars can be very stubborn to help a victim.

    Domain hijacking is a risk for ANY domain owner, but there are a number of things you can do to protect yourself. Lock your domain, make sure all of your domain contacts have valid contact information, make sure all of the domain contacts have DIFFERENT information, and set your domain to auto-renew each year.
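The checklist in the comment above (registrar lock, valid and distinct contacts, auto-renew) and its point that a hijack may only surface once the name servers move can both be turned into a recurring check against the registry’s RDAP record for each domain you own. The block below is an added example, not code from the article or from any commenter: it audits a domain’s RDAP data for missing client locks, impending or past expiry, and unexpected changes of name servers or registrar. The RDAP document is a constructed sample (field names follow RFC 9083 and the status strings RFC 8056; the domain, dates, name servers and registrar in it are made up) so the code runs offline. A real run would fetch the JSON from the registry’s RDAP base URL or a bootstrap service such as https://rdap.org/domain/<name>, and the expected name servers and registrar are a baseline the owner records when the domain is set up; contact-record validity has to be checked at the registrar, since RDAP output is usually redacted.

```python
"""Audit a domain's registration record (RDAP) for hijack risk indicators.

Added example for this article, not Newtek's or any commenter's code.
SAMPLE_RDAP is a constructed document shaped like an RDAP domain lookup
(field names per RFC 9083, status values per RFC 8056); the domain name,
dates, name servers and registrar in it are made up.
"""
import json
from datetime import datetime, timezone

# Locks a registrant should keep set at the registrar (RFC 8056 names).
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-hosting.com",
    # Deliberately missing "client update prohibited".
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2005-01-29T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2018-01-29T00:00:00Z"},
    ],
    "nameservers": [
        {"ldhName": "NS1.EXAMPLE-HOSTING.COM"},
        {"ldhName": "ns2.example-hosting.com."},
    ],
    "entities": [
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Inc."]]]},
    ],
})


def _parse_iso(ts):
    """Parse an RDAP timestamp ('...Z' or with offset) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _norm(name):
    return name.lower().rstrip(".")


def registrar_name(doc):
    """Return the registrar's display name from the jCard of the registrar entity."""
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def audit_domain(rdap_json, expected_ns, expected_registrar,
                 now_iso="2018-02-12T00:00:00Z", warn_days=30):
    """Return a list of findings; an empty list means no indicator fired."""
    doc = json.loads(rdap_json)
    now = _parse_iso(now_iso)
    findings = []

    # 1. Registrar locks: a transfer-out or name-server change needs these cleared first.
    status = {s.lower() for s in doc.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - status):
        findings.append(f"missing lock: {lock}")

    # 2. Expiry: once the grace periods run out anyone can re-register the name,
    #    so warn well ahead and flag loudly once it has lapsed.
    exp = next((e["eventDate"] for e in doc.get("events", [])
                if e.get("eventAction") == "expiration"), None)
    if exp is None:
        findings.append("no expiration event in RDAP response")
    else:
        days_left = (_parse_iso(exp) - now).days
        if days_left < 0:
            findings.append(f"domain expired {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"domain expires in {days_left} days")

    # 3. Name servers: the first visible sign of a hijack is often that these move.
    ns = {_norm(n["ldhName"]) for n in doc.get("nameservers", [])}
    expected = {_norm(n) for n in expected_ns}
    if ns != expected:
        findings.append(f"nameserver change: expected {sorted(expected)}, got {sorted(ns)}")

    # 4. Registrar: a domain that quietly moved registrars has already been transferred.
    registrar = registrar_name(doc)
    if registrar != expected_registrar:
        findings.append(f"registrar change: expected {expected_registrar!r}, got {registrar!r}")

    return findings


if __name__ == "__main__":
    for f in audit_domain(SAMPLE_RDAP,
                          ["ns1.example-hosting.com", "ns2.example-hosting.com"],
                          "Example Registrar Inc."):
        print(f)
```

Run daily from a host that does not depend on the domains it monitors, and send the findings somewhere other than an address under those domains; the customers in this thread lost email at the same moment they lost the domain, which is exactly when the alert is needed.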

  4. IRS iTunes Card (Number 1 Fan)

    “the admin is a piece of crap. no i am from vietnam” 😀

  5. JamesZannetti

    Is no one bothered by the response from Newtek? It almost seems as if they care more about what they perceive as their image than the problem they’ve got on their hands.

  6. Johnny D

    This is part of Newtek’s latest email: “…this change was a proactive response to a contest over three domain names…”

    Proactive??? What a joke.

  7. Gary

    I’m just baffled why anyone would use a third party to manage their domain registration. It seems the effort to provide the registration data to either entity is the same, but the third party can always screw it up.

    There is a certain irony in that Newtek provides disaster recovery.

  8. Pete

    Newtek failed.

    It is really that simple. Someone could have done much worse than just cut off their domains.

    Much worse.

    For months.

    At least this person is forcing a solution rather than letting it go for month after month for someone else to take advantage.

  9. Sandra Tew

    My tablet is half blocked. I won a phone and a gift certificate for Red Lobster and one for Amazon; how do I get these? I can’t walk or drive.

  10. Arsalan

    The Newtek stock is up over 3% at the close of trading today. As usual, the perception of security is an afterthought.

  11. Ron

    As of this moment, one of the new control center domains they asked you to use in their email has flaws. Watch out! In this one …

    https://webcc.newtekwebhosting.com

    The link for Live Chat links to the old webcontrolcenter(dot)com

    Also, the Ticket Submission does not submit. Hopefully they will see this and finally do something.

    I did not try the other control center they suggested to login through:

    https://manage.newtekwebhosting.com

    I have been with them since CrystalTech. I liked CrystalTech more than when Newtek took over. But when theSBA got involved, it seemed to get more out of control.

    1. George

      I’ve been with them since the CrystalTech days too, and the whole name change of TSBA/Newtek was a mess and confusing.

      My client sent me the Saturday email. It seemed odd and out of the blue, but I changed the DNS pronto and told him to use the manage.newtekwebhosting.com url which he already was anyhow.

      Today, I got a notice for my own domain. I found the first sentence annoying– “We wanted to send you another follow up email regarding the DNS Name Server change we first informed you about over weekend.” — for it was my first notice!

      It’s unfortunate that they weren’t upfront with the situation. Transparency can go a long way with your customer base unless there was gross negligence. Instead you put your customers trust and confidence at risk.

      I think I’ll continue to stay, but If anyone decides to leave, I’d be interested to know where to.

      1. Mark

        Hey George,

        I’ve been with them since Crystal Tech days as well, c. 2000 or so.

        I too have been bothered by the lack of transparency and coming clean on this.

        I presently have a good three dozen or so domain names that I use registered with GoDaddy, whom I hate due to their deceptive management of their products that has cost me unnecessarily over the years, particularly this past year or so.

        I was getting ready to transfer all of those domains and a couple of other products to Newtek before this happened. Now I’m not so sure.

        As they say, the cover-up is worse than the crime. Had Newtek simply stated the truth and not played this off as some sort of trademark or other IP infringement issue, then IMO everyone would have understood. Hell, even the largest companies get hacked. Doesn’t seem as if there was even much damage.

        But trying to hide reality in layers of BS simply doesn’t sit well with me.

        Also, I called them the other night since I got one of those e-mails, but none of my DNSs seems to match the ones that they said I need to change and it wasn’t a “check and see” e-mail, it was one telling me that my servers were affected.

        I called them and they said hold times were 5-20 minutes, and I replied to their option for a “call back” which they said would not alter my time in line. NEVER got a callback.

        I’m on the phone now and am (as I type this) at the 20 minute mark and still no one’s gotten to me.

        I will write the executive officers and see if I get a response.

        Again, it’s not necessarily what’s happened that’s disappointing, rather the manner in which it’s been handled, which is seemingly irresponsibly.

      2. Mark

        BTW, I too am interested in other good options if you find any.

        I will suggest that Godaddy is not among them.

  12. deesnider

    If I remember right, Newtek is/was using a custom-coded control panel. It’s been basically the same since 2006, back when CrystalTech was on their own, at least as far as look and feel and almost all functionality. If so, I could see some bugs being evident.

    Their response has been pitiful. Emails that are confusing, changes they ask us to make don’t work right away, etc. Luckily the one client I have left there is almost ready to shut down so I don’t have to deal with this anymore.

  13. Steve A.

    I knew this a couple of days ago, but this is the only place I have found that picked up this story. Have any of the other news services run anything? This should be the lead story on WIRED, Cnet, etc. I have been a customer since way back when it was CrystalTech. I received their cryptic email about an IMMEDIATE nameserver change needed around midnight Saturday (!!). Suspecting this was what may have happened, I did a WHOIS lookup on their domains and found them registered to a Vietnamese company. This is unbelievable!

  14. Reader

    I recently learned about the “salad oil king” Anthony “Tino” De Angelis (on the Useless Information podcast). He defrauded business partners, investors, and government customers by pretending to be holding billions of dollars (in today’s currency) inventory of fats and oils.

    He was caught when his business was stressed and he couldn’t produce the inventory for inspection.

    I suspect this NWTK company is now being stressed and they will soon show themselves to be a false facade.

    I wonder how many executives will end up in jail, just like Tino De Angelis.

    What’s surprising is that the stock price was better today than last week.
    https://finance.yahoo.com/quote/NEWT

  15. Bruce

    For the second time in as many days I am on endless hold with Newtek support. They have the nerve to bust in every few seconds with a recorded sales pitch for another one of their services. I used to host many sites there but ever since Crystaltech was acquired by Newtek the service and support have gone downhill. I will be transferring my remaining customers hosted at Newtek to another host as soon as possible, one that just does hosting and does it right. I’d like to know exactly what happened here. Did they simply neglect to renew the registration of these domains? If so that’s shocking incompetence.

  16. ript

    in 3rd party we trust (and outsource all blame and responsibility).

    ‘We take security seriously. It’s right after convenience and understand security on our priority list.’

    Another day, another hack/breach/ransom. Keep up the great work Brian, it’s not easy staying ahead of this each day.

  17. Somedude

    I have had the misfortune of dealing with many of their dedicated servers in the past when clients have chosen them.
    Their technical incompetence was almost beyond belief. An email server died due to a failed hard drive, but that only became apparent after days of them blaming my client for either misconfiguring the server, misconfiguring their own mail clients, and similar. No, it was a failed boot drive. Days.
    Another time, all the servers stopped responding (about 15 or so this client had at the time). Took over 6 hours of them telling us “Server is good, working for me” and “Maybe you have issue. Please open browser and go to Google.com” and other ludicrous blame-the-client ‘suggestions’. Turns out they had a switch die, took out a huge chunk of their network. Suddenly after about 6 hours, connectivity was restored. “Tech Support” was still telling us the problem was on our end, not at their data center.
    This is a company that could do the world a huge favor by just going away. Horrifically incompetent.

  18. Reader B

    When I pushed for an answer for more information, this is what they said:

    “We are moving away from our webcontrolcenter.com domain to the newtekwebhosting.com to stay in line with the newtek brand.”

    Sure, this is what you do without any notice for planning.

  19. John BR

    Has ATT’s @att.net been compromised? I can’t get any email; Microsoft Support says that the domain name can’t be accessed. ATT tells me they are having trouble locally, but is it really national?

  20. Ruben BZ

    The nightmare is still on with these guys; all the databases have been cut off from remote access.

    So if you need to make an upgrade to a website, and need to modify a table or stored procedure, you just simply can’t… and we’re still waiting for their response…

  21. Utter Failure

    I’m ready to drop Newtek like a hot potato.
    Just tell me where to go, and I’m outta here.
    Zero email support, no response to my emails, for 2 WEEKS straight. They don’t give a damn about their customers, just their paycheck.

    1. Edward K

      Newtek, Thesba, whatever, has always had a good price point, but Rackspace.com has had better security. I think that’s where I’m heading.

  22. Edward K

    I think I figured out how Newtek lost their domain: they let their domain name expire!!!!

    If you look at the expiration for webcontrolcenter.com in WhoIs.com, then you’ll notice the new expiration is Jan. 29, 2028, which means the old domain expired Jan. 29, 2018.

    The Vietnamese group was probably sitting on this domain in hopes that Newtek did something stupid, and Newtek did by not auto renewing.

    Does this sound right?

    1. Mark

      Hi Edward,

      No, that doesn’t sound right. I’ve let numerous domain names expire and there’s ALWAYS a lengthy grace period, typically accompanied by increasing fees, for renewing beyond that point. Even then, I think one has like 10 days to renew w/o additional fees.

      This entire mess is disturbing however, not that it happened, but as I said above, the cover-up.

    2. Mark

      UPON FURTHER REVIEW …

      I’m both dumbfounded as well as somewhat befuddled in terms of where to go with this.

      I supposedly had a callback this morning from Friday (re: my note above) to resolve my issues, at 10 a.m., but that never happened either. I had to reinitiate to have it corrected. But what left me dumbfounded was the simplicity of the correction, and yet that it was not rendered earlier on in the process with the other resolutions that were sent out in a semi-timely manner.

      Either way, doesn’t sound as if they’re losing much business over this, and it’s all probably chump-change anyway. My recommendation would be to make whatever business decisions you feel comfortable with.

      The gamut of emotions in me right now has left me drained as of this morning upon having received a call from a very relevant party that had told me that none of their e-mails had been getting through to me, including those that were replied to off of mine. Makes me wonder what others tried to contact me that I’ll never hear from again.

      Their senior staff has been gracious, but the amount of work that this will have caused me not to mention the continued SNAFUs has left me scratching my head. Not to mention the abjectly inadequate first measures that were sent out. They’ve certainly made it difficult to endorse at this time.

      I quite honestly do not know what to make of this other than that it’s probably just a few “squeaky wheels” here and in a few other forums that are heavily impacted.

      Much of my morning was spent online and on phone. Anyone ever used Bluehost before for e-mail or domain hosting? … or other services? Thoughts? Their initial phone consult was encouraging.

      All I know is that I’m tired of doing the work of companies that I pay to provide services and even more tired of work that gets created for me by the negligence of other companies. As if I don’t have enough to do to run my businesses.

      I really didn’t need this.

  23. Elsa

    Over 1 hour calls on hold x 5 in the past week to ever reach a human. Today, finally connected, and tech support says “can you hear me” – yes, I say; he can’t hear me; disconnect. I am not a techie but guessed hacking early on because once I got into my email accounts and changed passwords, I noticed lots of junk email in 4 accounts (400+ in each). Service worsens by the week; we customers simply don’t have the time to wait while Newtek figures this out. Maybe the problems are insurmountable after the fact.

  24. Mark

    OK, I just got off the phone, cell to cell, having spoken with Barry Sloane at length regarding both the current ongoing issue as well as potential future issues. I asked for direct and forthright answers and I believe that’s what he gave me. I grilled him pretty hard. I’ll have to post this in several places, but the bottom line seems to be that things are under control and that they simply have to deal with the aftermath, which clearly is no small task.

    Exactly what happened isn’t clear; I’m not even sure that they know entirely, again, exactly, based upon what he told me. He assured me that all the e-mail servers were fully secure at this point in time, with absolutely no security issues as such in sight. The issue to begin with only involved e-mail servers/service, no site hosting servers.

    He described much of what is going around on the internet regarding this as conjecture on Krebs’ end and then the associated spinoff conjecture of course. As with all media these days, there’s typically always an element of embellishment and guessing as is probably the case here as well.

    Having said that, he in no way attempted to mitigate the severity of the original issue, but again, did assure me that there were no security issues at the present time and that any issues as such have been fully resolved.

    The impression, strongly, that I got following that conversation was that everything is in fact under control but that they realize that they have a sizeable mess to “clean up” as it were. He understands that this is one of those “20 year ‘events’/100-year flood” kinda things and let me know that much of their 450-person staff has been working OT and then some to deal with all of the related issues.

    So for those that have been customers and have been happy with Newtek, such as myself having been there since the late ’90s with Crystal Tech before it was bought out by Newtek, before you jump ship it may be worth waiting a week or two before doing so.

    It sounds as if they’ll sift through the issue with a huge lesson-learned as it were, and then be stronger for it after it comes out the ass-end finally. That’s my take and given the history I’ve had with them, nearly 20 years, I’m willing to wait at least another couple of weeks to see where things stand at that point.

    I will say this, and this is what encourages me, that given that this is under control albeit still an enormous inconvenience for customers, including myself, that haven’t been able to get thru to customer service otherwise for whatever reasons, that typically when a company goes thru something like this they double if not triple-down on future security protections so that it or anything close does not happen again. Clearly a recurrence of anything similar would send business packing in droves and could be cataclysmic for the company and likely raise terminal trust issues.

    So, while I cannot tell anyone else what to do, based upon my conversation with him, I’m content to wait at least a few weeks to see where they stand before transferring domains, site hostings, and other services to other companies that I have no history with.

    If in another month I continue to have trouble getting in touch with customer service over routine things, then I will also too likely move my services.

    And no, I didn’t receive anything for free, I’m not an attorney (I hate attorneys), nor am I otherwise being compensated for posting this. I simply don’t have the time to deal with moving everything for my small business, but would if in fact I felt that there was any imminent threat to my sites, e-mails, info/site security, etc. In fact I wouldn’t be writing this right now if I still surmised at this point that that were the case, I’d be on the phone moving everything.

    Most sincerely

  25. David Miers

    My name is David Miers, the Chief Operating Officer at Newtek Technology Solutions. I would like to invite any of our clients reading this post to contact me directly – whether you’re still experiencing any issues, or if you’d like to discuss any of your concerns. You can email me at dmiers@newtekone.com. I can also be reached by calling my office at 602-241-4374 or my cell 602-614-5050 . I will return every call as soon as I can if you reach my voicemail.

  26. Floyd M.

    A friend of mine was affected by this outage and I helped him migrate to a new host. Here’s what we did:

    Contacted his Domain Registrar (which was tricky because his email at his domain name was the email used to retrieve his much-needed login info)

    We moved him to a new more reliable host, then we mapped the DNS and uploaded files etc.

    He’s now back up and running and not only is his website on a better environment but he’s happy that he’s paying substantially less. (We’re thinking as much as 60% less long term.)

    If anyone needs help in migrating away from this solution, call or email me.

    702-850-5405

    1. Michael Radulescu

      Frankly, your message looks like a pitch for another host. It is quite transparent. Obviously you need help on how to be subtle when you write such a pitch.
      I wonder if any of the savvy Newtek customers would believe your pitch.

  27. Michael Radulescu

    In 2004, looking for a host, I called several companies. I did it a few days in a row, usually at evening hours, to test them. The ONLY one whose reps picked up the phone every time was CrystalTech; anybody remember Tim Uzzanti? (They hosted about 40,000 sites then.) So I’ve been a customer ever since and recommended them time and again.

    I still find the same customer service engagement and quality today as I’ve always cherished. I know different customers have different needs and some of you people are [perhaps] degrees of magnitude over me, but I believe the same philosophy still stands; I was worried when Tim sold and he was blasted by the ‘oldies’, but things turned out ok with Newtek.

    Agree, Newtek should have been more open with us. Frankly, all of you who posted here are pros and I bet you all knew precisely what was going on despite their ‘shyness’ to tell us; hopefully they learned a severe PR lesson, but let’s cut them some slack once more, although we’ve already done that with some DOS attacks…

    After having read so many of the postings I’d like to comment on all, but y’all hate the length of my postings, so in a nutshell: I see some people talking about “moving to a more reliable host” – What does that mean; what is reliable? How do you quantify that reliability? Nothing is fully reliable and the pros around here know that well. Wishing all my ‘colleagues’ on Newtek a contiguous unencumbered flow of bits and bytes.

    1. Mark

      Have you called them recently Michael?

      Try it and let me know how quickly you get thru. It’s been an enormous problem for me, quite possibly costing me business over the last several weeks.

    2. Mark

      Have you tried calling them recently Michael?

      Try and let us know how long it takes you to get thru. I’ve spent several hours on hold, once for nearly an hour, once with a call-back request whereby I “wouldn’t lose my place in line,” that was a week-and-a-half ago and I have yet to receive a call-back. Haven’t been able to get thru since.

      What, you work for Newtek?

  28. Mike

    This has really been disheartening – I’ve been with this company as a customer since around 2003 when it was Crystal Tech. Their customer service was, until recently, absolutely outstanding – their tech support people knew exactly how to resolve any issues that I had – and this was via the online chat. The tech guy that I talked with a day ago was great – but the problem is that the online chat seems to be really limited now, and that was the easiest way to get quick support.

    I have two domains hosted and my son (one is his) wanted to add another one but we were told by tech support that it would be a minimum of two weeks before they could set up hosting. In the past it was done within minutes to an hour.

    My son needed his website to go live very quickly so out of desperation he went to GoDaddy and within a couple of hours he was up and running. This is NOT an ad for them – my point was that Newtek will be losing customers if they keep sitting dead in the water.

    There are still links that aren’t working – when I went to the control panel to look at getting a new site (click on “Customer” then “order new site”), it takes you to http://webservices.thesba.com/ which is a dead link.

    Anyway – we’re keeping our current two domains with Newtek for now but I’m really worried about where things are going – something is not right.
