09|16|2008 03:33 pm EDT
Over the last few months Brian Krebs of the Washington Post has been covering stories about domain name resellers and registrars who are tied, in one way or another, to nefarious online activities such as spamming, spyware and malware. A noticeable trend in these articles is that these scammers consistently use registrar reseller accounts and whois privacy protection to cover their tracks. Krebs’ stories are worth reading, as they highlight the issues in the domain name system, ICANN and registrars which continue to provide a means for these scammers to operate.
Privacy Protection and Bad Whois Information
One of Krebs’ earlier posts covered the story about spamming activity and how nearly three-quarters of all spam activity comes from domain names registered with a handful of domain registrars. It’s no surprise that the spammers use fake whois information or the privacy protection services available at these registrars to hide their identities. The list, compiled from over a year of research collecting spam emails, can be seen at Knujon.com. It’s important to note that ICANN made efforts back in May to combat the problem with these registrars and that the registrars aren’t directly responsible for the spamming activity itself. These registrars are, however, responsible for any false whois records, and ICANN points out that if the registrars “do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names”.
Another Krebs story covers EstDomains, a company which the Post points out is a Directi reseller and has been tied to numerous spam emails and malware downloads which hijack the user’s computer.
One function of these codecs is to install software that changes the victim’s domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers.
According to a later article one of the sites EstDomains uses to promote their malware, “Power-antivirus-2009.com, received more traffic than chrysler.com, pontiac.com or salesforce.com before it was deactivated recently.”
Krebs digs around and uncovers more about Dynamic Dolphin (a company owned by Media Breakaway). Dynamic Dolphin, which appears on the Knujon list, is also a Directi reseller and hides the majority of its domain names using the privacyprotect.org service from Directi. The domains registered by the company are reported to be used in spamming a variety of items, from knock-off purses to porn. The majority of the spam, though, promotes pharmacy services that require no prescription.
Krebs notes in this article that while some legitimate domain registrants use privacy protection on the whois, it is unclear how this fits within the ICANN registrar agreement, which mandates that the whois information be publicly available. He also points out that it’s unclear what ICANN can and will do about this, even after publishing its “concern” over these abuses.
A more recent story is about Klik Domains, which is also using a Directi reseller account and has been tricking internet users into downloading fake anti-spyware software. The company uses its status as a reseller to quickly create new sites and uses the privacy protection feature to hide its identity.
Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone.
Domain registrar Directi seems to be the hardest hit by these articles and the Knujon list, as most of the companies named in these articles were Directi resellers and/or used Directi’s whois privacy service at privacyprotect.org. In a recent post on the Directi company blog they detail the ongoing cooperation with Knujon and Hostexploit.com to combat the issues:
“Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community”
“Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit and Knujon’s continuous efforts in tracking down miscreants. HostExploit and Knujon confirm that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi’s services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.”
ICANN and domain name registrars seem to be up against the ropes on these issues, fighting a battle that will likely just shift as scammers adapt to any new policies and rules that are created. The scammers, meanwhile, go on using reseller accounts and whois privacy/protection services to continue their operations and hide their tracks. There don’t seem to be any easy answers given in these articles, but the mainstream coverage and the efforts of groups like Knujon might at least start discussions that hopefully lead to solutions.