Three vehicle scams, a warning in a GDPR WHOIS future

The world's leading and biggest registrar, GoDaddy, has adopted the attitude that the registrant name, phone number and email address are private information, much in line with the proposed ICANN WHOIS changes to meet the requirements of the GDPR, which comes into force at the end of this month (May 2018).

These changes by GoDaddy have left various commercial and governmental players dissatisfied, leading to a complaint to ICANN via Mr Brian Winterfeldt (Winterfeldt IP Group, PLLC):
https://www.icann.org/en/system/files/correspondence/winterfeldt-to-chalaby-et-al-10mar18-en.pdf

ICANN is still stalling on this issue:
https://www.icann.org/en/system/files/correspondence/icann-to-winterfeldt-05apr18-en.pdf

Privacy experts have regarded this as a win in the ongoing GDPR discussions, in the face of the “evil IP constituency”.

This post has nothing to do with governmental or commercial interests. This post has everything to do with consumer issues and consumer protection, issues documented on this blog and, to date, still unresolved. Artists Against 419 requested automated WHOIS access from GoDaddy, narrowly scoped to protecting consumers against fraud and to be used only against domains already identified as malicious. In turn GoDaddy tried to impose terms and conditions beyond those in the supposedly mandated ICANN RAA. This resulted in an ICANN Compliance complaint that is still outstanding, last responded to on 25 April 2018 with “Please note that ICANN is still following up with the registrar to address your complaint and will provide you an update with its findings.”
https://blog.aa419.org/2017/09/08/an-open-letter-to-godaddy-whois-service/

We cannot but believe ICANN is playing for time, and that GoDaddy has taken exactly the vindictive approach Mr Winterfeldt alluded to with “or because they fear retaliation from GoDaddy”. To this day, GoDaddy has a blanket block on Artists Against 419 IP addresses, as a quick lookup shows:

$ whois -h whois.godaddy.com nigeriacarmart.com
Domain Name: NIGERIACARMART.COM
Registrar URL: http://www.godaddy.com
Registrant Name: ******** ******** (see Notes section below on how to view unmasked data)
Registrant Organization:
Name Server: NS55.DOMAINCONTROL.COM
Name Server: NS56.DOMAINCONTROL.COM
DNSSEC: unsigned

For complete domain details go to:
http://who.godaddy.com/whoischeck.aspx?domain=NIGERIACARMART.COM

The data contained in GoDaddy.com, LLC’s WhoIs database,
while believed by the company to be reliable, is provided “as is”
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the “registrant” section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.

Whereas for the average consumer the WHOIS details currently appear as:

Domain Name: NIGERIACARMART.COM
Registry Domain ID: 1584585814_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-02-12T15:45:40Z
Creation Date: 2010-02-07T06:58:06Z
Registrar Registration Expiration Date: 2019-02-07T06:58:06Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: ******** ******** (see Notes section below on how to view unmasked data)
Registrant Organization:
Registrant Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Registrant Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Registrant City: Surulere
Registrant State/Province: Lagos
Registrant Postal Code: 050031
Registrant Country: NG
Registrant Phone: +**.***********
Registrant Phone Ext:
Registrant Fax: +86.18615750085
Registrant Fax Ext:
Registrant Email: ********@*****.***
Registry Admin ID: Not Available From Registry
Admin Name: ******** ******** (see Notes section below on how to view unmasked data)
Admin Organization:
Admin Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Admin Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Admin City: Surulere
Admin State/Province: Lagos
Admin Postal Code: 050031
Admin Country: NG
Admin Phone: +**.***********
Admin Phone Ext:
Admin Fax: +86.18615750085
Admin Fax Ext:
Admin Email: ********@*****.***
Registry Tech ID: Not Available From Registry
Tech Name: ******** ******** (see Notes section below on how to view unmasked data)
Tech Organization:
Tech Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Tech Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Tech City: Surulere
Tech State/Province: Lagos
Tech Postal Code: 050031
Tech Country: NG
Tech Phone: +**.***********
Tech Phone Ext:
Tech Fax: +86.18615750085
Tech Fax Ext:
Tech Email: ********@*****.***
Name Server: NS55.DOMAINCONTROL.COM
Name Server: NS56.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-06T14:00:00Z <<<

For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

Notes:
WHOIS consumers who are now receiving masked data can visit:
https://whois.godaddy.com to look up the unmasked data. You can also
get whitelisted, to get unmasked data via Port 43. Find instructions
on how to apply for whitelisting here:
https://www.godaddy.com/help/masking-contact-information-shared-via-whois-automated-access-points-27421
The data contained in GoDaddy.com, LLC’s WhoIs database,
while believed by the company to be reliable, is provided “as is”
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the “registrant” section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.

Great, privacy mission accomplished. Or is it? A Google Maps check on the published address shows a residential property with a small stall in front selling groceries like Power Oil (a cooking oil): not a company, and hardly the address of somebody involved in the international car trade. This domain is used for an online trading portal claiming to sell vehicles:

http://www.nigeriacarmart.com/

Users are asked to register with their personal details:

NigeriaCarMart Registration

But, hang on. We said “somebody involved in the international car trade”. On the http://www.nigeriacarmart.com/ website, we find links to USEDCARSHONGKONG.COM and USEDCARSOUTHAFRICA.COM.

Let's look at what GoDaddy has chosen to hide to protect “their registrant's privacy”:

NIGERIACARMART.COM WHOIS

USEDCARSHONGKONG.COM WHOIS

But wait, hang on. The same email address supposedly belonged to somebody else, in Nigeria? And it does not stop there…

USEDCARSOUTHAFRICA.COM WHOIS

Once again, of note in the last two are the totally incomplete and even bogus registration details. Penglai in Hong Kong? Cape Town, Cape Town, with fake postal code 636000?
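The checks made by hand above (masked fields, contact details that do not fit the stated country, the same contact value turning up across several domains) can be run over raw port-43 WHOIS text. The Python below is an added example, not aa419's own tooling: record A reproduces the visible fields of the NIGERIACARMART.COM record quoted earlier, record B (its domain name included) is constructed for illustration, and the dialling-prefix check is this example's own addition rather than something the post states.

```python
"""Consistency checks over port-43 WHOIS text (added example, not aa419 code)."""
import re
from collections import defaultdict

# Dialling prefix -> ISO country code, limited to the countries named in the post.
DIAL_PREFIX = {"234": "NG", "86": "CN", "852": "HK", "27": "ZA"}

# Record A: the visible fields of the NIGERIACARMART.COM record quoted above.
RECORD_A = """\
Domain Name: NIGERIACARMART.COM
Registrant Name: ******** ******** (see Notes section below on how to view unmasked data)
Registrant Street: 10 Wole Cole Street, Ijeshatedo, Surulere
Registrant Country: NG
Registrant Phone: +**.***********
Registrant Fax: +86.18615750085
Registrant Email: ********@*****.***
>>> Last update of WHOIS database: 2018-05-06T14:00:00Z <<<
"""
# Record B: entirely constructed (domain name included) to show the cross-domain pivot.
RECORD_B = """\
Domain Name: CONSTRUCTED-EXAMPLE.COM
Registrant Name: ******** ********
Registrant City: Penglai
Registrant Country: HK
Registrant Phone: +**.***********
Registrant Fax: +86.18615750085
Registrant Email: ********@*****.***
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$")

def parse_whois(text):
    """Map 'Key: value' lines to a dict; the >>> footer and free text are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # the record block ends at the first blank line after data
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())  # keep first occurrence
    return fields

def check_record(fields):
    """Return the problems a reviewer would flag for one record."""
    problems = []
    masked = sorted(k for k, v in fields.items() if "*" in v)  # GoDaddy masks with asterisks
    if masked:
        problems.append("masked: " + ", ".join(masked))
    country = fields.get("Registrant Country", "")
    for key in ("Registrant Phone", "Registrant Fax"):
        m = re.match(r"\+(\d+)\.", fields.get(key, ""))  # masked numbers never match
        expected = DIAL_PREFIX.get(m.group(1)) if m else None  # unknown prefixes are not judged
        if expected and country and expected != country:
            problems.append(f"{key} prefix +{m.group(1)} does not match Registrant Country {country}")
    return problems

def pivot(records, keys=("Registrant Email", "Registrant Fax")):
    """Group domain names that share an unmasked contact value."""
    shared = defaultdict(set)
    for r in records:
        for k in keys:
            v = r.get(k, "")
            if v and "*" not in v:
                shared[(k, v)].add(r["Domain Name"])
    return {kv: sorted(names) for kv, names in shared.items() if len(names) > 1}
```

check_record(parse_whois(RECORD_A)) flags the three masked fields and the +86 fax on an NG registrant; pivot() over both parsed records joins them on the shared fax number.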

Oh well, let's humor the privacy experts and their theoretical concept of consumer protection. No doubt this registrant values his privacy. And if there is any fraud, we dump that on the authorities; it's their job. There, all the nice arguments shrink-wrapped and a clear conscience for all around.

But wait, what is this? A “Nigeria Customs Auction Service – NCS” Facebook page? With a link to NIGERIACARMART.COM?

Nigeria Customs Auction Service - NCS

Surely such blatant spoofing should have repercussions? Well, we do find this alert from five years ago: https://www.customs.gov.ng/Publications/getPublication.php?id=204

CUSTOMS’ SCAMMERS EXPOSED!

Job done. So why, five years later, if the authorities did their job, do we still see this fake website and its two partner websites asking consumers to enter their private data? That is the argument the privacy experts and registrars use, after all. Did it work?

Defining the problem

On the net there are three groups of users: Government, Commerce and Consumer. These groups may intersect, but each also faces unique threats. Mitigating an internet threat requires finances and an understanding of that threat. Sadly, the ordinary internet consumer does not have the voice, does not have the media's ear, nor the finances to create awareness campaigns. As such, purely consumer threats remain largely unknown unless they step on the toes of commerce or government. We can illustrate it something like this:

Cyber Threats

The darker the red, the better the protection against such threats. This has been seen time and again: report a bank spoof to certain registrars and they suspend it immediately, no questions asked. Report a totally fictitious bank to a registrar and they turn a blind eye, or will even argue the point that a bank is not being spoofed (denying the rights of consumers, who are a third party as per the ICANN RAA). Many security experts are not even aware that malicious domains abound and are being abused to defraud consumers outside their commercial sphere. While the authorities report an all-time high in romance scam fraud, not much is said about the fake couriers typically associated with such scams. News reports are mostly sensationalist.

This is the environment ordinary consumers find themselves in, and from the end of the month they will have to figure out how to look after themselves with no usable domain registration details. The corporate and government ignorance we have traditionally seen on consumer fraud issues will now be legitimized by the GDPR. Sometimes this ignorance turns to arrogance when challenged, as we saw in the comments that followed when @InfoSecSherpa posted “Stop calling end users the weakest link in security.” on Skype. Yet the very party the GDPR was meant to protect, the consumer (and their privacy), has now seen domain registration details (WHOIS) twisted to their detriment. Consumers do know about WHOIS details and how to protect themselves by verifying the details given in WHOIS. Or, if they don't, they have a friend who knows how to check. Most security companies and commerce argue that they also protect consumers in the fight over legitimate WHOIS usage. While this may be true to an extent, it holds only in the small portion where commerce and consumer interests overlap. For the rest, the bulk of advance fee fraud threats, the consumer is on his own in any effort at protection. Should the scammer spoof a bank, the bank will intervene. But steal a bank website, slap on a fictitious logo and name, and it is no longer a threat for that bank. The consumer threat, however, remains. This is what we see regularly. The bank may equally be any other supposed commercial domain and associated website.

Research abounds that confuses phishing with advance fee fraud. For the sake of these misinformed, well-quoted, peer-reviewed individuals, we will refrain from naming them. Yet phishing and advance fee fraud are two extremely different creatures and require different mitigation tactics. The topic of fake banks vs phishing has been documented. What becomes abundantly clear is that most security researchers still see advance fee fraud as the mischievous prince wishing to share his billions via Yahoo, and they never cared to look further. The simple reality is that BEC (Business Email Compromise) is nothing more than the distinct, growing threats consumers have been facing for the past 15 to 20 years. Yet BEC became a popular ITSec buzzword when companies were attacked over the past five years, with losses accumulating. Even now there are other business threats where consumers are the training ground, yet which are distinctly different from 419 fraud and BEC, for example Cameroonian fraud. These bad actors abound, targeting consumers and businesses (also in the EU) with impunity. Some of these bad actors even live in the EU. Due to a lack of awareness, they succeed. Where they succeed, apart from the financial loss, this also leads to loss of privacy for the victims, consumer and business alike. These parties simply could not care about the GDPR, apart from the god-sent advantage it will now afford them in terms of GDPR-mandated privacy protection.

After the end of the month, the ordinary consumer's right not to be defrauded, and their privacy, will be denied. The authorities and registrars will now become the custodians of that protection, a role registrars typically distance themselves from. Consumers will be expected to sign a blank check each time they do business with a company on the web. We find the chief counsel of one German registrar extremely vocal on CircleID:

At least it does in civilized countries like Italy, the United Kingdom, France, the EU, and other countries that redact whois data by default. None of these TLDs are grave security threats or havens of scum and villainy.

Private information must be protected to protect the data subjects from abuse. And guess what, there will still be access for those that have a right to access such data, like LEAs or rights holders. It will be less immediate access, but heck, that is just adopting the way this works in most other industries, offline or online.

Really? The utter arrogance willing to toss the rest of the world’s consumers under the bus with such flippant remarks?

Perhaps it's time for a sacrificial lamb. Domain BUNITEDNS.EU has fake registration details and is controlled from Nigeria by a well-known facilitator who serially registers domains used in advance fee fraud and uses domain BUNITEDNS.EU for DNS services. The role of the Faker Maker has long been understood by Artists Against 419. This is an insider threat for the registry industry: a party with access to domain registration tools, manipulating malicious domains to the detriment of the victims in an effort to perpetuate frauds successfully. While Europol laments the difficulty in dealing with romance scams, the EU is being used as a staging point for name-serving domains used in these very consumer attacks. In the Europol 2017 ‘INTERNET ORGANISED CRIME THREAT ASSESSMENT’ report, we find:

Almost half of the EU Member States highlighted Africa as the source of specific cyber threats. The most commonly reported threats were social engineering attacks and cyber-facilitated frauds. This largely referred to romance scams and phishing, but also IT support scams, CEO fraud and the sexual extortion of minors. Several countries also reported Africa as the source of various attacks on their critical infrastructure. Lastly, CNP fraud using compromised EU cards was also reported by several Member States.

Yet this is exactly where BUNITEDNS.EU fits in and why we left it as a watering hole to trace malicious domains. For the sake of education we will now expose it, a sacrificial lamb.

Perhaps the chief counsel of said registrar should have been reading reports from his own authorities before making ill-informed comments on CircleID. From what is written, we have to wonder whether for some the agenda is not a trans-Atlantic match of egos, as certainly appears to be the case based upon attacks like those on IBM, etc.

We'll be turning the world outside the EU (and perhaps inside it) into a war zone for consumers, yet everything is dandy and fine? If consumers outside the EU are defrauded, will the EU also protect such consumers if their authorities are not quite reactive to fraud and malicious domain issues? Of course not. We cannot expect that of them. Doing so would be a violation of international jurisdiction. Yet the laws applying to a group of countries that makes up 8% of the world population will now apply globally? While the new WHOIS provisions in .com and the other general (global) top level domains will reflect a GDPR approach, the relevant protections for consumers may not, and do not, exist globally. Rights holders and attorneys will have access, governments will have access, but only after applying for such access in a model yet to be determined, and only if they qualify. Consumers are not entitled to such information. And if a consumer is defrauded, will it be resolved by blaming such victims? This is most certainly what a court in Malta did. Considering the GDPR describes the attempt to instill a privacy regime as one of the basic human rights, should we not look at the other human rights before applying this to a registry that is of vital importance in defending those other human rights? Does Article 30 not say:

Nothing in this Declaration may be interpreted as implying for any State, group or person any right to engage in any activity or to perform any act aimed at the destruction of any of the rights and freedoms set forth herein.

Is applying the GDPR in WHOIS not doing exactly this? We need to ask how the Internet and the domain name system feature in cyber fraud. A quick Google search will reveal the answer to that. We need to ask how fraud undermines basic human rights while the authorities are already in an impossible situation to find restitution for all victims. Many victim statements in courts will give clarity on this issue: the devastating and degrading effect it has had on the very humanity of the victims, some committing suicide. Against this background, we need to ask why the champions of privacy have decided to cherry-pick privacy in the domain WHOIS system, while totally ignoring the other detrimental effects this may and will have on consumers. All the issues, and the interplay between them, should be considered.

Do we not find this also mentioned in the Charter of Human Rights?

In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.

A domain registration is, after all, a mechanism to interact with others on the web. The domain registration forms part of the ICANN requirements and is part of a bigger social contract underpinning the very security of the internet. Yet this very security for the normal consumer is now under attack for the sake of a few, in the name of human rights!

Consumers are in the best position to protect themselves from being defrauded and from inadvertently entering private details on a website like NIGERIACARMART.COM, if they are given a chance. They are now to be denied access to WHOIS, an essential tool to protect themselves, in what will be a devastating failure in the theory of privacy, ignoring the consumer security aspect. We can safely say consumers will have no protection unless a fraudster inadvertently registers a domain that overlaps or targets government or commercial interests.

Protect implies taking action before something happens. The authorities do not investigate before there are numerous reports of fraud, or unless you are a well-known private person or the like. Normally it's enforcement by the numbers: number of victims, amount of currency. A pittance to a company is a livelihood to a consumer, yet the formula dictates that commercial issues will trump human rights.

So are we to expect that registrars and registries will take up this challenge? We already have much history at our disposal to show this will not happen. Much as claims were made of checking registration details in the ICANN GDPR talks, this was very much posturing, as can be substantiated by ICANN complaints where registrars are willing to turn a blind eye to the very policies which allow them to operate. Where such was reported, the relevant domains may or may not be cancelled, and it is business as usual with fake registration details, with the only cure being a lengthy rinse-and-repeat ICANN compliance process while the harm is ongoing. We will be looking at this in future articles.

The best advice for consumers at this stage is to look at WHOIS details. Does the party wishing to do business with you have hidden elements in the WHOIS details of their domain registration? They have the option to do a full WHOIS disclosure. Why will they ask the public to trust them if they can’t trust the public? You have the right to due diligence. If you cannot establish who they are – run! You may well be supplying your personal details to a NIGERIACARMART.COM / USEDCARSHONGKONG.COM / USEDCARSOUTHAFRICA.COM by another name.

The naysayers deny the above realities and throw up straw man arguments with no real experience in these issues. There is a reason why consumer losses to fraud are at an all-time high. Ask yourself: if an iron is red hot, will it burn you? It does not matter how much we debate this issue or wish it not to be so, it will burn you! While privacy may be great and appropriate at a place like Facebook or your hospital, even your games provider, it does not belong at the very core of the internet fabric.

In the next post we will take a look at how one registrar operates and how the relevant registry distances itself from any abuse in it. This should be an eye opener to all the naysayers who believe all will be fine and dandy after the end of the month and that articles such as this are just scare mongering, despite ample evidence to the contrary.
