[At-Large] Privacy and domain abuse vs the IP constituency

Derek Smythe derek at aa419.org
Fri May 6 22:41:53 UTC 2011


Hi Folks

Here is a more than excellent example of why domain abuse issues
belong at the registrar and why true privacy will not be possible
until abusers are taken care of.

It all started off with a report of a phishing site. Doing a reverse
lookup on the IP the domain was hosted on, we get the list included below.

Spending a bit of time on the search engines quickly shows numerous
frauds related to the relevant domains. Digging a bit deeper keeps on
leading to a specific "hosting provider" with a track record of this
type of domain and even SSL certificate abuse.

Now, looking a bit closer at them in terms of whois details, we find
gross privacy abuse for the domains used in fraud and fraud attempts.

For those that know how, looking very closely at them leads to victims
of this fraud and details showing them all to be of the same origin as
regards certain design elements.

Now, considering the background of the hosting provider, he
specializes in these.

How do we counter the IP constituency if they throw these examples
at us?

How do we deal with this form of domain abuse? The authorities have
been in the know for more than a while now. The SSL certificate
providers are in the know as well. The domain registrars are in the know.

Doing a bit of backtracking leads to this post:
http://www.jaguarpc.com/forums/showthread.php?t=24529

Now here is the sad part:
Since that post, the hosting was terminated and simply moved to
another IP at the same hoster; later we have two more victims in
Australia after this move.

http://www.rbol-uk.com/INT-UK/ (as I said, those that know how ...)

In fact the Nigerian hosting provider is simply moving hosting once
caught out. In the meantime the "free one year privacy" is abused for
anonymity and to make tracking more difficult. Without finding,
stopping and disabling these domains, the misery they create at the
hands of the abusers continues.

As you will see, there is no easy way to do a 1-to-1 mapping of domain
name against the spoofed domain, so more TLDs will just compound the
issue.

It also does not help if we claim that domain names have no special
meaning; in the eyes of the "ordinary user", how can
http://www.barclaysonlineservice.com not be part of Barclays Bank PLC?


Just one such IP - 209.217.237.134:
adamscolechambers.com
airfrcdcuk.com
Download your scam kit at https://airfrcdcuk.com/images/intcourier.zip
... or use the online pages:
https://airfrcdcuk.com/intcourier/contactus.htm

If you search a bit on the contact details, you will see it's a
continuation of
http://www.complaintsboard.com/?search=Air%20Freight%20Courier%20Delivery%20Service

albmb-my.com (http://www.albmb-my.com/INT-BANKING/ - initial report)

Note the impunity with which even the FBI, IRS and United Nations are
being impersonated, never mind Yahoo, Hotmail and the rest. And this
party has been doing it for years now.

Now ask yourself: what number of legitimate domain owners are targeted
by lack of domain privacy vs what number of the public are victimized
by domain "anonymity"? Which is the lesser of the two evils?

Just some real world food for thought.

Derek Smythe
Artists Against 419
http://www.aa419.org
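The pivot described in the post (group names that a reverse-IP lookup places on one host, then ask which brand each name imitates) is shown below as an added example; it is not code from the post or from aa419. The hosting IP and three host names are taken from the message above, `example-shop.org` and its address are constructed, and the brand and filler word lists are assumptions. It also illustrates the post's point that only names spelling out a brand in full can be matched mechanically; abbreviated ones are left for manual review.

```python
from collections import defaultdict

# Constructed reverse-IP result set: (domain, hosting IP). The first three
# pairs are from the post; the last is a made-up benign neighbour.
REVERSE_IP = [
    ("barclaysonlineservice.com", "209.217.237.134"),
    ("airfrcdcuk.com", "209.217.237.134"),
    ("albmb-my.com", "209.217.237.134"),
    ("example-shop.org", "198.51.100.7"),
]

# Assumed brand tokens a defender screens for, as spelled out in full.
BRANDS = ["barclays", "airfreight", "fbi", "irs", "dhl", "yahoo", "hotmail"]

# Assumed filler words that phishing names wrap around a brand; longest
# first so "services" is stripped before "service" would be.
FILLERS = sorted(["services", "official", "service", "online", "direct",
                  "home", "plc", "uk", "my"], key=len, reverse=True)


def group_by_ip(records):
    """Cluster domains that share a hosting address (the reverse-IP pivot)."""
    groups = defaultdict(list)
    for domain, ip in records:
        groups[ip].append(domain)
    return dict(groups)


def core_label(domain):
    """Lower-case the registrable label, drop hyphens, strip filler words."""
    label = domain.lower().split(".")[0].replace("-", "")
    for filler in FILLERS:
        label = label.replace(filler, "")
    return label


def classify(domain):
    """('brand', token) when a brand is spelled out; else ('review', residual)."""
    residual = core_label(domain)
    for brand in BRANDS:
        if brand in residual:
            return ("brand", brand)
    return ("review", residual)


def screen(records):
    """Per hosting IP, map each domain to its classification."""
    return {ip: {d: classify(d) for d in domains}
            for ip, domains in group_by_ip(records).items()}
```

Every name that does not spell out a brand lands in "review", so the residual ("airfrcdc", "albmb") is the abbreviation a human still has to recognise.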



