Tick Tock – time is up. Exposing ICANN Policy …

For the past few years Artists Against 419 has seen mass abuse of domains registered with blatantly fake registration details being ignored by ICANN and certain contracted parties.

The domains of concern are being abused in Advance Fee Fraud to defraud consumers, yet this isn’t important to ICANN. In the meantime we are in contact with victims and law enforcement, and we see annual losses escalating at shocking rates.

Some registrars and registries care and try their best to mitigate abuse that is practically impossible to stop. The current domain model at ICANN is a race to the bottom: ease of registration and low domain costs have not left much margin for fighting domain abuse. Yet even so, some do fight it. In turn, such gallant attempts see the malicious actors run in droves to registrars that don’t care about their RAA 2013 obligations, and ICANN actively protects those registrars when a complaint is submitted through “ICANN’s bottom-up” processes.

We currently have two cases at ICANN Complaints Office, lodged more than a year ago. Despite queries, these issues have not been addressed. This allows registrars to ignore their contractual obligations with impunity.

To any sane party this should be of concern. Ignoring malicious domains obtained through registration fraud undermines the internet, undermines intellectual property and trademark rights, and disrespects the consumers who ultimately end up as victims of Advance Fee Fraud. It’s easy for ICANN and certain contracted parties to distance themselves from the harm caused by these domains, and for ICANN to publish a blog post like “ICANN is not the Internet Content Police” regarding non-fraud issues. Yet when bogus registration details for a serial abuser are tolerated even after being proven, and passed off as content issues, there is clearly something amiss in the trade union Lalaland.

Artists Against 419 will be publishing the full reports of two such complaints. Here is a taster of the reception an abuse report got:

Subject: Abuse alert: fake WHOIS – registrant email address fsmart1@yandex.com

Dear NameSilo abuse team,

We identified a party abusing your services to commit online fraud while
using fake details to register the domain names he operates.

Back in 2016, when he was reported for the first time in our database
with omsanfingroup.com he was:

Registrant Name: derelen john
Registrant Street: 443 s caroline
Registrant City: ridgeland
Registrant State/Province: Mississippi
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4042376473
Registrant Email: deneailor3@mail.com

Two years later, with onlinefdx.com, he was:

Registrant Name: fred zanak
Registrant Street: 455 s wheatly
Registrant City: ridgeland
Registrant State/Province: MS
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4046750766
Registrant Email: deneailor3@mail.com

This year, with ukrsibb.com , he was:

Registrant Name: dennis john
Registrant Street: 301 Wheatly Suite 2
Registrant City: Ridgeland
Registrant State/Province: MS
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4123766971
Registrant Email: deneailor3@mail.com

This party had domain names registered with another Registrar, PDR. When
one of his domain names gets suspended there, he registers with your
company another domain name impersonating the same entity.

For example, after his domain name volgavodshipping.com was suspended on
PDR in April, a month later he registered with your company
volgavodshonline.com – spoofing the same company, volgaflot.com.

In at least one case, one of the domain names belonging to this party and
registered with another Registrar, having only SMTP usage, seems
to be used in Business Email Compromise.

Resolving host name “torindrivientl.com“…
Connecting to host address “198.27.115.53”…
Connected.
Got: 220-server.direct11.com ESMTP Exim 4.92 #2 Sun, 21 Jul 2019 04:20:27 +0400
Got: 220-We do not authorize the use of this system to transport unsolicited,
Got: 220 and/or bulk e-mail.

Send: HELO xxx
Got: 250 server.direct11.com Hello xxx

Send: MAIL FROM: <xxx>
Got: 250 OK

Send: RCPT TO: <ceo@torindrivientl.com>
Got: 250 Accepted

Send: DATA
Got: 354 Enter message, ending with “.” on a line by itself
Disconnected.

This host states that the address is valid.

ceo@torindrivientl.com is a valid deliverable e-mail box address.

In this case the targeted company is torindriveintl.com.

A list of the fraudulent domain names belonging to this party we managed
to identify so far can be seen here: 
https://db.aa419.org/fakebankslist.php?psearch=deneailor3%40mail.com+&Submit=GO&psearchtype=:

1. adelmanllp.com – fake law office
2. aktcservice.com – fake courier
3. armenkharenkoattorneys.com – fake law office
4. binstronline.com – fake financial institution offering for sale bank
instruments
5. brawleyaldwin.com – fake law office
6. diamondintcourier.com – fake courier
7. drillcore-au.com – SMTP usage only, used in job scams with the email
address careers@drillcore-au.com
8. dubaifirstonline.com – SMTP usage only, spoofing
online.dubaifirst.com
9. duzhaocapitals.com – fake financial institution
10. facebookus.net – spoofing facebook.com
11. fulton-managernent.com – SMTP usage only spoofing
fultonmanagement.com, potentially in Show biz scams, see
https://www.fbi.gov/contact-us/field-offices/sandiego/news/press-releases/fbi-seeking-victims-in-indonesia-showbiz-scam-investigation/layout_view
12. inventorsgrp.com – SMTP usage only, spoofing inventleader.org
13. kinetcww.com – SMTP usage only, spoofing kineticww.com; the domain
name was also used with the email address erisondanielj@kinetcww.com to
register citifinancialunion.com (PDR – hold) and citiibanco.com
(NameSilo – hold).
14. onlinectlondon.com – spoofing citibank.co.uk
15. onlinesignaturebn.com – spoofing signatureny.com
16. raedenconline.com – fake courier
17. rbofcan.com – spoofing rbcroyalbank.com
18. smasunq.com – SMTP usage only, spoofing samsung.com with the email
address sales@smasunq.com
20. ukrsibb.com – spoofing my.ukrsibbank.com
21. volgavodshonline.com – spoofing volgaflot.com.

Your company previously suspended jfiugov-hk.com, belonging to the same
party.

There are also few other domains belonging to this party and registered
with your company, not mentioned in the above list.

Please investigate and suspend the domain names belonging to this
registrant abusing your services to commit fraud.

Please also feel free to revert if you have any queries.

Thank you.
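The RCPT TO probe shown in the report’s SMTP transcript, as an added example (not code from the original post or from Artists Against 419): it drives the same HELO / MAIL FROM / RCPT TO exchange, reads multi-line replies such as the Exim greeting, and then stops with RSET and QUIT instead of sending DATA, so nothing is ever offered to the remote host. The transport is injected: FakeSmtpServer is a constructed stand-in that replays the shape of the responses seen in the transcript so the example runs offline (a live run would pass any object with the same readline()/sendline() pair over a TCP socket). The second, random-address probe is an added check for catch-all domains, which accept every RCPT TO and make a single “250 Accepted” meaningless. The helo name probe.example.invalid is an assumed placeholder.

```python
import re
import secrets

# Constructed greeting with the shape of the Exim banner in the report:
# continuation lines use "220-", the last line "220 " (RFC 5321 section 4.2.1).
EXIM_BANNER = [
    "220-server.direct11.com ESMTP Exim 4.92 #2 Sun, 21 Jul 2019 04:20:27 +0400",
    "220-We do not authorize the use of this system to transport unsolicited,",
    "220 and/or bulk e-mail.",
]
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


class FakeSmtpServer:
    """Constructed stand-in for the remote MTA so the probe runs offline. A live
    run would use any object with the same readline()/sendline() pair over TCP.
    `mailboxes` lists existing local parts; catch_all=True accepts every RCPT TO."""

    def __init__(self, banner, mailboxes, catch_all=False):
        self.mailboxes, self.catch_all = set(mailboxes), catch_all
        self.outbound = list(banner)   # replies queued for the client
        self.commands = []             # everything the client sent

    def readline(self):
        return self.outbound.pop(0)

    def sendline(self, line):
        self.commands.append(line)
        verb, _, arg = line.partition(" ")
        if verb.upper() == "RCPT":
            local = arg.split(":", 1)[1].strip("<> ").split("@")[0]
            ok = self.catch_all or local in self.mailboxes
            reply = "250 Accepted" if ok else "550 Unrouteable address"
        else:
            reply = {"HELO": f"250 server.direct11.com Hello {arg}", "MAIL": "250 OK",
                     "RSET": "250 Reset OK", "QUIT": "221 closing connection",
                     }.get(verb.upper(), "502 Command not implemented")
        self.outbound.append(reply)


def read_reply(conn):
    """Collect one reply, joining continuation lines; returns (code, text)."""
    parts = []
    while True:
        m = REPLY_RE.match(conn.readline())
        if not m:
            raise ValueError("malformed SMTP reply")
        parts.append(m.group(3))
        if m.group(2) == " ":
            return int(m.group(1)), " ".join(parts)


def classify(code):
    """250/251 = accepted; 5xx = rejected; anything else (4xx greylisting,
    252 'cannot verify but will try') proves nothing either way."""
    if code in (250, 251):
        return "deliverable"
    return "rejected" if 500 <= code <= 599 else "indeterminate"


def probe_mailbox(conn, address, helo="probe.example.invalid", sender=""):
    """HELO / MAIL FROM / RCPT TO, then RSET and QUIT. DATA is never sent, so
    unlike the transcript in the report no message is offered to the host."""
    code, text = read_reply(conn)
    if code != 220:
        return {"status": "indeterminate", "code": code, "reply": text}
    conn.sendline(f"HELO {helo}")
    read_reply(conn)
    conn.sendline(f"MAIL FROM:<{sender}>")
    read_reply(conn)
    conn.sendline(f"RCPT TO:<{address}>")
    code, text = read_reply(conn)
    for cmd in ("RSET", "QUIT"):
        conn.sendline(cmd)
        read_reply(conn)
    return {"status": classify(code), "code": code, "reply": text}


def probe_with_catchall_check(connect, address):
    """connect() opens a fresh connection. A second probe for a random local
    part tells a real mailbox apart from a domain that accepts anything."""
    first = probe_mailbox(connect(), address)
    if first["status"] != "deliverable":
        return first
    decoy = f"{secrets.token_hex(8)}@{address.rsplit('@', 1)[1]}"
    if probe_mailbox(connect(), decoy)["status"] == "deliverable":
        return {**first, "status": "catch-all"}
    return first


if __name__ == "__main__":
    server = lambda: FakeSmtpServer(EXIM_BANNER, {"ceo"})   # constructed host
    print(probe_with_catchall_check(server, "ceo@torindrivientl.com"))
    print(probe_with_catchall_check(server, "nobody@torindrivientl.com"))
```

A 250 on RCPT TO is only evidence that the host accepts the address at that moment; greylisting (4xx), a 252 “cannot verify” reply, and catch-all configurations all leave the question open, which is why the result carries a status rather than a yes/no.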

Clearly something is very wrong; this should have been of concern to any self-respecting registrar. After all, we are talking about registrar obligations to investigate such reports. Nope!

Hi,

We are only the domain name registrar and cannot validate or remove the content posted on the site.

This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/

Once you know the hosting provider, please look up their company information and contact them with the case.

You can also use the following pages to report the website:

Malware: https://safebrowsing.google.com/safebrowsing/report_badware/

Scam and Fraud: https://secure.nclforms.org/nficweb/OnlineComplaintForm.aspx

You may also discuss the case with your local law enforcement officer to seek help.

NameSilo Abuse Team

At this stage the registrar has just violated the ICANN RAA WHOIS ACCURACY PROGRAM SPECIFICATION:

4) If Registrar has any information suggesting that the contact information specified in Section 1(a) through 1(f) above is incorrect (such as Registrar receiving a bounced email notification or non-delivery notification message in connection with compliance with ICANN’s Whois Data Reminder Policy or otherwise) for any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar must verify or re-verify, as applicable, the email address(es) as described in Section 1.f (for example by requiring an affirmative response to a Whois Data Reminder Policy notice). If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the customer paying for the Registered Name, if applicable, providing the required verification, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

5) Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.

No content was reported, and deliberately so; this registrar loves passing off all issues as content issues beyond its remit. We have to assume it got confused and now also regards “WHOIS details content” as content.

Perhaps we should consider what the ICANN Governmental Advisory Committee considers domain abuse, now that we’ve played out this registrar and ICANN’s game. The following is advice that the GAC gave to ICANN in the ICANN46 Beijing Communique. Although it pertains to registries in the new gTLDs, it shows rational thinking leading to sound advice:

The GAC Advises that the following six safeguards should apply to all new gTLDs and be subject to contractual oversight.

  1. WHOIS verification and checks – Registry operators will conduct checks on a statistically significant basis to identify registrations in its gTLD with deliberately false, inaccurate or incomplete WHOIS data at least twice a year. Registry operators will weight the sample towards registrars with the highest percentages of deliberately false, inaccurate or incomplete records in the previous checks. Registry operators will notify the relevant registrar of any inaccurate or incomplete records identified during the checks, triggering the registrar’s obligation to solicit accurate and complete information from the registrant.

  2. Mitigating abusive activity – Registry operators will ensure that terms of use for registrants include prohibitions against the distribution of malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.

  3. Security checks – While respecting privacy and confidentiality, Registry operators will periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. If Registry operator identifies security risks that pose an actual risk of harm, Registry operator will notify the relevant registrar and, if the registrar does not take immediate action, suspend the domain name until the matter is resolved.

  4. Documentation – Registry operators will maintain statistical reports that provide the number of inaccurate WHOIS records or security threats identified and actions taken as a result of its periodic WHOIS and security checks. Registry operators will maintain these reports for the agreed contracted period and provide them to ICANN upon request in connection with contractual obligations.

  5. Making and Handling Complaints – Registry operators will ensure that there is a mechanism for making complaints to the registry operator that the WHOIS information is inaccurate or that the domain name registration is being used to facilitate or promote malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.

  6. Consequences – Consistent with applicable law and any related procedures, registry operators shall ensure that there are real and immediate consequences for the demonstrated provision of false WHOIS information and violations of the requirement that the domain name should not be used in breach of applicable law; these consequences should include suspension of the domain name.

This advice is in stark contrast to the registrar’s statement: “we are only the domain name registrar”. While ICANN annually spends millions on conferences, certain contracted parties are playing fast and loose with the rulebook and the spirit of the rulebook. ICANN is supposed to be the party that makes sure this does not happen. The image being projected is not what happens behind the scenes; the seminars are just pomp and show.

Here we see the registrar trying to palm off responsibility for registration-process checks onto already overwhelmed law enforcement, in direct contradiction to what ICANN’s own Governmental Advisory Committee conveyed to it.

In the next 48 hours we will be publishing the full details of two complaints that have been pending in the ICANN doldrums for more than a year in the bottom-up processes. We would not have wished to publish these reports, as they contain numerous of our techniques for identifying bad actors, but at this stage ICANN’s unwillingness to address registration abuse has seen malfeasance hiding behind the new GDPR implementation in WHOIS. This is in stark contrast to the promises made in the initial GDPR discussions that the ICANN RAA requires reliable registration details. Keeping quiet will cause greater harm than revealing methodologies. The small nest we show here pales into insignificance compared with what we will expose.

Known domains for deneailor3@mail.com at NameSilo

volgavodshonline.com Volgavod Shipping Services https://db.aa419.org/fakebanksview.php?key=139031
smasunq.com Samsung https://db.aa419.org/fakebanksview.php?key=139029
raedenconline.com Raeden Courier https://db.aa419.org/fakebanksview.php?key=139028
onlinesignaturebn.com Signature Bank https://db.aa419.org/fakebanksview.php?key=139027
onlinectlondon.com Citibank London https://db.aa419.org/fakebanksview.php?key=139026
kinetcww.com Kinetic Worldwide Ltd https://db.aa419.org/fakebanksview.php?key=139022
inventorsgrp.com Inventors Groups https://db.aa419.org/fakebanksview.php?key=139021
fulton-managernent.com Fulton Management https://db.aa419.org/fakebanksview.php?key=139020
facebookus.net Facebook US https://db.aa419.org/fakebanksview.php?key=139019
duzhaocapitals.com Duzhao Capital International https://db.aa419.org/fakebanksview.php?key=139015
dubaifirstonline.com Dubai First Online https://db.aa419.org/fakebanksview.php?key=139014
drillcore-au.com Drill Core Australia https://db.aa419.org/fakebanksview.php?key=139013
diamondintcourier.com Diamond International Courier https://db.aa419.org/fakebanksview.php?key=139012
brawleyaldwin.com Brawley Aldwin & Solicitors https://db.aa419.org/fakebanksview.php?key=139009
binstronline.com Bank Instruments https://db.aa419.org/fakebanksview.php?key=139006
armenkharenkoattorneys.com Armen KHarenkoa Attorneys https://db.aa419.org/fakebanksview.php?key=139005
aktcservice.com Akt Courier Serice https://db.aa419.org/fakebanksview.php?key=137668
adelmanllp.com Neil Adelman & Solicitors https://db.aa419.org/fakebanksview.php?key=136993
rbofcan.com Royal Bank of Canada https://db.aa419.org/fakebanksview.php?key=136992
ukrsibb.com UkrSibbank https://db.aa419.org/fakebanksview.php?key=136991

Note: The fake lawyers above are not a new phenomenon, but they have become a massive cyber crime problem: https://www.legalfutures.co.uk/latest-news/crime-agency-adds-online-lawyer-impersonation-to-hit-list

Nor does this cyber crime incident end with what is described in the article. We also see banks spoofed and all types of malfeasance unleashed on unwitting consumers.

Update:

Here is the gaming of stated policy that fuels the untrusted net. Read and understand how the joker prince became one of the biggest threats to business and casual consumers alike. Anybody for a little AFF, 419, phishing, BEC?

ICANN Compliance complaint UNY-783-11184 : Namesilo Standards Compliance

ICANN Compliance complaint XTO-568-35273: QHoster Proxy
