
09|16|2008 03:33 pm EDT

Washington Post Coverage on Nefarious Domain Name Activities

by Adam Strong in Categories: News

Over the last few months Brian Krebs of the Washington Post has been covering stories about domain name resellers and registrars who are in one way or another tied to nefarious online activities such as spamming, spyware and malware. A noticeable trend in these articles is that the scammers consistently use registrar reseller accounts and whois privacy protection to cover their tracks. Krebs’ stories are worth reading, as they highlight the issues in the domain name system, at ICANN and at registrars which continue to provide a means for these scammers to operate.

Privacy Protection and Bad Whois Information
One of Krebs’ earlier posts covered spamming activity and how nearly 3/4 of all spam comes from domain names registered with a handful of domain registrars. It’s no surprise that the spammers use fake whois information or the privacy protection services available at these registrars to hide their identities. The list, compiled from over a year of research collecting spam emails, can be seen at Knujon.com. It’s important to note that ICANN made efforts back in May to combat the problem with these registrars and that these registrars aren’t directly responsible for the activity. These registrars are, however, responsible for any false whois records, and ICANN points out that if the registrars “do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names”.
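The two abuse signals this section describes, registrants hiding behind a privacy service and registrants supplying false whois data, are exactly what a registrar abuse desk or a researcher like Knujon has to sort through at scale. The following is an added example (not code from the article, from Knujon or from any registrar) of a small triage pass over whois records: it parses the usual "Key: value" layout, flags records whose registrant fields point at a proxy service, and applies cheap plausibility checks for placeholder values. privacyprotect.org is named in the article; the other proxy markers, the placeholder list and the three sample records are constructed assumptions.

```python
"""Whois triage for an abuse desk: flag privacy-proxied and obviously
inaccurate registrant data.  Added example; the sample records below are
constructed and do not describe any real registrant."""
import re

# Markers of whois privacy/proxy services.  privacyprotect.org is named in
# the article; the rest are generic wording found in proxy contact records
# (assumption, not a vetted list).
PROXY_MARKERS = ("privacyprotect.org", "privacy protect", "whois privacy",
                 "domains by proxy", "proxy")

# Values that are placeholders rather than contact data (constructed list).
PLACEHOLDER_VALUES = {"", "n/a", "na", "none", "xxx", "unknown", "-"}

CONTACT_FIELDS = ("registrant name", "registrant organization",
                  "registrant street", "registrant city", "registrant country")


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines of a whois response into a dict.
    Keys are lower-cased; a repeated key keeps its first value."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), value.strip())
    return record


def is_proxied(record: dict) -> bool:
    """True if any registrant field points at a privacy/proxy service."""
    haystack = " ".join(v.lower() for k, v in record.items()
                        if k.startswith("registrant"))
    return any(marker in haystack for marker in PROXY_MARKERS)


def inaccuracy_flags(record: dict) -> list:
    """Plausibility checks on registrant contact fields; each hit is a reason
    to escalate the record for a whois-accuracy inquiry."""
    flags = []
    for field in CONTACT_FIELDS:
        if record.get(field, "").strip().lower() in PLACEHOLDER_VALUES:
            flags.append(f"missing/placeholder {field}")
    digits = re.sub(r"\D", "", record.get("registrant phone", ""))
    if not digits or set(digits) <= {"0"} or len(digits) < 7:
        flags.append("implausible phone")
    email = record.get("registrant email", "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", email, re.I):
        flags.append("malformed email")
    return flags


def triage(text: str) -> dict:
    """Summarise one whois response for an analyst queue."""
    record = parse_whois(text)
    return {"domain": record.get("domain name", "?").lower(),
            "proxied": is_proxied(record),
            "inaccuracy": inaccuracy_flags(record)}


# Constructed sample records (not real whois output).
SAMPLES = [
"""% constructed sample 1: registrant hidden behind a proxy service
Domain Name: HIDDEN-PHARMA-DEALS.EXAMPLE
Registrant Name: PrivacyProtect.org
Registrant Organization: Domain Admin
Registrant Street: PO Box 1
Registrant City: Somewhere
Registrant Country: US
Registrant Phone: +1.5550100
Registrant Email: contact@privacyprotect.org
""",
"""% constructed sample 2: bogus contact data
Domain Name: cheap-meds-now.example
Registrant Name: xxx
Registrant Organization: N/A
Registrant Street: 123 nowhere
Registrant City: none
Registrant Country: US
Registrant Phone: +0.000000000
Registrant Email: nobody@localhost
""",
"""% constructed sample 3: ordinary-looking record
Domain Name: example.org
Registrant Name: Jane Doe
Registrant Organization: Example Co
Registrant Street: 1 Main St
Registrant City: Springfield
Registrant Country: US
Registrant Phone: +1.5550100
Registrant Email: jane@example.org
""",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A proxied record is not itself evidence of abuse (the article notes that legitimate registrants use these services too), so the two signals are kept separate: "proxied" decides whom to ask for the underlying contact, while "inaccuracy" is what supports an escalation under the accuracy obligations ICANN cites.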

ESTDomains
Another Krebs story covers EstDomains, a company which the Post points out is a Directi reseller and has been tied to numerous spam emails and malware downloads which hijack the user’s computer.

One function of these codecs is to install software that changes the victim’s domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers.

According to a later article one of the sites EstDomains uses to promote their malware, “Power-antivirus-2009.com, received more traffic than chrysler.com, pontiac.com or salesforce.com before it was deactivated recently.”
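The quoted passage describes the payload’s mechanism: the fake codec rewrites the victim’s DNS settings so that lookups go to resolvers the attackers control. On the defender’s side the corresponding check is simply to compare the resolvers a host is actually configured with against the ones it is supposed to use. The following is an added example, not code from the article or from any of the companies named in it, that does this for resolv.conf-style configuration; the expected-resolver list and the sample file are constructed assumptions for a hypothetical network.

```python
"""Detect resolver settings that differ from what a host should be using.
Added example; EXPECTED_RESOLVERS and the sample file are constructed."""
import ipaddress
from pathlib import Path

# Resolvers this host is supposed to use (constructed allowlist for a
# hypothetical corporate network).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text,
    ignoring comments and entries that are not valid IP addresses."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, not a resolver
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS) -> list:
    """Configured resolvers that are not on the allowlist.  Any entry here
    means DNS for this host is answered by something it should not trust."""
    return [s for s in servers if s not in expected]


def check_host(path="/etc/resolv.conf"):
    """Run the check against a real file; None if the file is absent."""
    p = Path(path)
    if not p.exists():
        return None
    return unexpected_resolvers(parse_resolv_conf(p.read_text()))


# Constructed sample: one expected resolver, one foreign one (203.0.113.0/24
# is a documentation range), and one malformed line.
SAMPLE_RESOLV_CONF = """# constructed sample, not from a real host
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7   # not on the allowlist: investigate
nameserver not-an-ip
"""

if __name__ == "__main__":
    found = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured:", found)
    print("unexpected:", unexpected_resolvers(found))
```

The same comparison belongs in endpoint monitoring: alert when the resolver set changes at all, not only when it changes to a known-bad address, because the attackers’ resolvers in these campaigns were ordinary public addresses with no prior reputation.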

DynamicDolphin
Krebs digs around and uncovers more about Dynamic Dolphin (a company owned by Media Breakaway). Dynamic Dolphin, which was listed in the Knujon list, is also a Directi reseller and hides a majority of its domain names using the privacyprotect.org service from Directi. The domains registered by the company are reported to be used in spamming a variety of items from knock-off purses to porn. The majority of the spam, though, is promoting pharmacy services that require no prescription.

Krebs notes in this article that while some legitimate domain registrants use privacy protection on the whois, it’s very unclear how this fits within the ICANN registrar agreement, which mandates that the whois information be publicly available. He also points out that it’s unclear what ICANN can and will do about this even after publishing its “concern” over these abuses.

KlikDomains
A more recent story is about Klik Domains, which is also using a Directi reseller account and has been tricking internet users into downloading fake anti-spyware software. The company uses its status as a reseller to quickly create new sites and uses the privacy protection feature to hide its identity.

Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone.

Directi.com
Domain registrar Directi seems to be the hardest hit by these articles and the Knujon list, as most of the companies named in these articles were Directi resellers and/or used Directi’s whois privacy service at privacyprotect.org. In a recent post on the Directi company blog they detail the ongoing cooperation with Knujon and Hostexploit.com to combat the issues:

“Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community”

“Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit and Knujon’s continuous efforts in tracking down miscreants. HostExploit and Knujon confirm that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi’s services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.”

ICANN and domain name registrars seem to be up against the ropes on these issues, fighting a battle that will likely just shift as scammers adapt to any new policies and rules that are created. The scammers meanwhile go on using reseller accounts and whois privacy/protection services to continue their operations and hide their tracks. There don’t seem to be any easy answers given in these articles, but the mainstream coverage and the efforts of groups like Knujon might lead to some discussions, and hopefully that leads to solutions.


  • http://www.domainsalesmachine.com Mickie Kennedy

    I wonder sometimes if the domain industry will mature to the need for: title insurance and confirmed ownership. Few domainers are aware of the risk of buying stolen property (sorry for the sidetrack). Let’s say you buy domainX.com for a company and pay $25,000 for it. You have a website and it’s doing well, bringing in $10,000 a month. Lots of great SEO and sweat equity. Turns out that in the life of ownership, the third previous owner still thinks he owns it and has it registered for eight years. It’s five years into that eight year term and you now have it. How did that happen? Could be as simple as letting a yahoo or hotmail email address lapse years ago and a bad person assumed control of it, selling it at a forum or online. That new owner then sold it to you. Guess what. You can now lose that domain. You can even be charged for receiving stolen property. Where’s your business? Where’s that $10,000 a month to go? The $25,000 you paid. All gone.
