Artists Against 419 News & Events Sun, 15 Sep 2019 18:41:21 +0000 en-US hourly 1 BEC, a Metamorphosis of Advance Fee Fraud Sun, 15 Sep 2019 04:11:38 +0000 Read More Read More

BEC (Business Email Compromise) has gained more and more attention lately. Most recent statistics show $26 billion in losses the past three years. The sad reality is that BEC could have been avoidable if Advance Fee Fraud (AFF) had been recognized earlier as the threat it is and dealt with appropriately. Inaction on basic levels, despite alerts for the past 16 years from Artists Against 419, allowed these actors to escalate to unknown heights. BEC is the end product of AFF.  Domain name abuse in BEC was merely the trendy evolution of what AFF fraudsters had been using for years to target consumers.

Recent Numbers and Cases

Obinwanne Okeke, a young Nigerian billionaire known as Invictus Obi, was arrested in August 2019 for over $11 million BEC fraud.

A few days later, 80 individuals, mostly Nigerians suspected to be part of a massive BEC and romance scam network, were also indicted.

On Sept 10 2019,  the FBI released details of Operation reWired resulting in 281 arrests. Of these, 167 arrests were in Nigeria, 74  in the US, 18 in Turkey and 15 in Ghana. Fraudsters associated with the operation were also arrested in France, Italy, Japan, Kenya, Malaysia, and the UK.

The ‘Behind the “From” Lines: Email Fraud on a Global Scale‘,  ‘Scarlet Widow‘ and ‘Scattered Canary‘ studies done by Agari clarified a reality we tried to expose for a long time: BEC would never become possible without an entire infrastructure of advance fee fraud elements used against consumers and ending with them turned into money mules. Other similar studies mention the AFF-BEC connections, even though some not as clearly as others.

In other words, the consumer was the training ground for BEC. Consumer fraud is the arena where the fraudsters crafted their fraud and saw what was the most effective way of upping their game to the next level. This was done through email correspondence, fraudulent domain names abusing the DNS infrastructure, VOIP phone numbers and also impersonation of real people or entities having no connection with the fraud.

Social media was a main vector, allowing the fraudsters to study their victims and adjust the “game” to what triggers the victims. There are also never-ending breaches, exposing consumer details or companies internal structure, allowing for a rich source of information to refine their social engineering.  After testing it on average people, the fraud recipe was improved and used to target people with financial responsibilities in various companies. These victims were lured into making payments to fraudsters in the belief that they were paying a regular business partner, or that they were fulfilling an urgent financial need for their company’s boss.

Social media admits that killing the fake profiles used in fraud doesn’t help much when, for each suspended account, the fraudsters will create more. Each one in turn will only be reported after someone else becomes a target. Anything free that can be abused, will be abused.

High level breaches shows that anyone can become a victim of a breach. We see more and more data dumps sold to cyber-criminals, in turn fueling more targeting of consumers and businesses.

So far the phone providers are unable to deal with clients abusing their services to commit fraud, be it SIM-swap, spam calls or AFF fraudsters. Free online telephone verification services to “protect consumer privacy” adds another layer of complexity undermining methods used to ensure services aren’t abused, ending up causing greater harm than the harm they’re meant to protect against.

DNS abuse is also massive and no one seems to care enough to change anything in the AFF arena. For each suspended domain, others are registered daily, sometimes spoofing the same entities.

Recognition of Advance Fee Fraud as a Threat

Reporting DNS abuse is easy when it involves phishing, botnets, spam or malware. Advance Fee Fraud doesn’t get the same recognition and is disavowed as DNS abuse.

Any further mention of domains in this post will refer to domains registered explicitly to be used for AFF activities and not compromised domains or hosting content.

The Anti Phishing Working Group defines phishing as:

Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

AFF might look like phishing in some cases, but it’s not the same thing. While AFF uses social engineering and technical subterfuge, the goal is not to steal personal identity data and financial account credentials.

Any such theft is incidental. There are cases where AFF victims details were used for further fraud in identity theft, but this  is merely a crime of convenience, the end result of successful AFF rather than phishing.

Pretending to be a bank isn’t phishing when a fake site is used to confirm the financial status of a fake character used in a romance scam. Such a bank might not even impersonate a real bank, but be a totally fictitious bank. Typically a fake identity used in a Romance Scam will show an equally fake bank account to a target as a token of trust, ultimately showing that he is good for the money he is asking for.

Pretending to be a company while using a domain name slightly similar to a real one, or perhaps totally bogus, to defraud small businesses is also not phishing. Yet these scams accounts millions of dollars in losses annually, easily causing small businesses to close their doors forever and the staff to lose their jobs.

Impersonating the FBI or Homeland Security, asking an AFF victim to send his / her bank account where the recovery money needs to be paid into, is also not phishing. Likewise impersonating the authorities, extorting victims who purchased items in AFF fraud, is not phishing. No website is even needed. It’s not content issues. Yet these result in massive consumer losses annually.

A fake courier pretending to deliver goods, asking for upfront fees, is also not phishing. Yet this is where the fake authorities, previously mentioned, will suddenly impose their customs fees, fines etc in fake parcel scams. This tactic alone has resulted in over 17,000 victims being targeted by one small Nigerian syndicate in Malaysia over a three year period. Real companies may or equally might not be impersonated. But even if it was the case, this is not a copyright or trademark issue, this is a fraud issue. This is reason why UDRPs massively fail to resolve these problems while the infringing domain owners never respond.

A fake lawyer offering help with an Inheritance or Romance Scam, asking for fees to be paid upfront to obtain bogus court papers and certificates, is also not phishing. Spoofing and a stolen website is incidental and not even required to succeed, it’s merely a crime of convenience. Spoofing or not, neither makes it less of a crime.

A bespoke company, or one impersonating a real entity, offering jobs and asking fees for a non-existent job is not phishing either. Yet it is fraud, Advance Fee Fraud and it’s a crime.

A bogus lottery or alleged legal department offering non-existent prizes or grants, that you need to pay for before receiving, is not phishing and it isn’t legal either – it’s AFF.

All the above examples and a myriad of other fake instances used in AFF are using fraudulent domain names, abusing the DNS system as well. In our experience, over 80 percent of AFF scam-spam emails end up with malicious domains being uncovered. Some of these domains get reported by victims after the fraud, or attempted fraud, occurred. Logically, known fake entities should be mitigated. Not doing so creates perpetual consumer traps defrauding more and more victims as time goes by. Much of the internet reputational systems rely on the domain name’s age.

The Minefield of AFF Mitigation

Things should be easy when reporting Advance Fee Fraud. Not so!

To register a domain name, the person registering the domain name (registrant) needs to provide his name, location, email address and phone number. These details must be accurate and verifiable. They are part of what is known as the domain WHOIS. Each company involved in giving access to the online space has a TOS (Terms of Service) and AUP (Acceptable Usage Policy), mentioning what type of activities are not allowed on a domain name registered / hosted with them. These mention fraud and other illegal activities as a major “No!”

If AFF activities are committed using a malicious domain name, a factual report sent to the registrar abuse team should result in them investigating the report and taking the appropriate measures.  A valid report should result in the domain name being suspended. Likewise, deliberately supplying invalid domain registration details are grounds for an immediate domain suspension.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization governing (among others) the Internet’s global Domain Name System (DNS). They also publish and monitor compliance with policies. These policies are based upon community, government and business input.

The current Registrar Accreditation Agreement (RAA) dates back to 2013 and governs the requirements for domain registration and surrounding policies. The same year also saw the GAC Beijing Communiqué published. Both mention registering a domain for fraud as a reason for suspending such a domain name. Both also mention the importance of accurate WHOIS details, free access to those details and the retention of those details.

Free access to WHOIS was revoked May 25 2018. From that date on, ICANN’s interpretation of the new European General Data Protection Regulation (GDPR) was implemented. The GDPR was adopted in 2016 and became European law two years later. Despite knowing about it and given time to develop policies to implement and meet the new GDPR rules, ICANN had done nothing until the last minute. Their solution was predictable; a big mess and free access to WHOIS disappeared.

The end result solved a long standing issue for some registrars. By hiding the WHOIS details these Registrars would no longer be flooded with reports of invalid registration details. We can only question if this is a lesson they learnt from their abusive clients who started using proxy services to hide invalid registration details. How can you report what you cannot see? The self serving ICANN privacy won and the consumers were thrown to the wolves. No general consumer can check who owns a domain name if protected by this WHOIS GDPR mask and thus cannot report abuse. Advance Fee Fraudsters were quick to adopt addresses in the EU, despite clear indications they are Nigerian based, ditto parties in the Cameroon.

The irony was that the GDPR only protected the privacy of natural persons in the EU, yet large swathes of WHOIS went dark, for domains belonging to businesses and individuals alike internationally. The consumer had no way of checking if the bank/lawyer/business website he was looking at was real or a spoof, an AFF scam or phishing. The consumer was further insulted by “experts” claiming the casual user never really used WHOIS. Other “experts” justified the disappearance as most of it was fake anyway and having no value. The real experts were ignored.

Essentially this GDPR-WHOIS made registrars the custodians of trust on the net, a responsibility they disavow. It was still the consumers problem to find other ways to protect themselves. Likewise all abuse issues was the responsibility of law enforcement, even where they had no jurisdiction. In a nutshell, the least qualified party became the key holder of trust on the net – much like a taxi driver without a driver’s license.

Moving forward, as shown above, spoofing is not always phishing. Nor is all AFF spoofs. While many Registrars will accept, for example, reports of a fake spoofing bank only as phishing, it leaves the entire plethora of other fraudulent domain names that aren’t spoofing, like bespoke fake banks or couriers, hanging without a solution for mitigation.

Surely anybody selling forged passports, visas and currency in Canada would be doing something illegal? Common sense is an oxymoron in registrar land and lacking. Consider numerous domains found doing so, belonging to the same party at the same registrar. More worrying is the bogus German registration details used and pointed out. This was reported to the registrar just as this registrar chose to implement blanket GDPR protection on all domains in their portfolio, also the identified forger’s domains. The registrar chose to do nothing about the abuse, simply pointing out all the potential (other) venues for relief, some appropriate, some not. In the process they made themselves off as merely a registrar; “Essentially, we are an administrative body and do not judge or adjudicate issues of dispute.” The fact of clearly illegal activities and accompanying fake registration data was of no concern to them. Perhaps they should have considered sections 1.13, 3.18 and of the ICANN RAA. This is the same holding company that challenged ICANN in the European arena “to protect consumers”. Yet this registrar was happy to devolve responsibility to a European jurisdiction based upon the fake registration, allowing consumers to be extorted in clearly illegal activities and a resultant loss of privacy, while the bad actor was clearly engaging in AFF commonplace in the arsenal of Cameroonian fraud. In case anybody thinks BEC only originates from Nigeria, Cameroonian actors equally engage in it. This is a latent threat hardly recognized so far, much like 419 fraud was. Advance Fee Fraud constitutes many sub-fraud types, some known about, some ignored.

Proper research done on fraudulent domain names can establish patterns of the same actor creating an entire nest of domain names used in Advance Fee Fraud. It doesn’t matter if the WHOIS details are real of fake, they can establish the context and intent. Still, some Registrars will never accept a report involving more that one domain name at a time (nor will ICANN), even if they belong to the same party. The reporter is forced to report domains individually. In this way the context of the linked fraudulent activity gets lost. It also results in cherry-picking only some of the domain names for suspension, mostly those impersonating banks, while leaving the rest of the malicious domains active and defrauding consumers until the domain expires. This also places disproportionate work on the abuse reporter, resulting in frustrating anti-abuse efforts.

Is there any Accountability ?

According to the ICANN RAA 2013:

3.18.2 Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office. Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law.

3.18.3 Registrar shall publish on its website a description of its procedures for the receipt, handling, and tracking of abuse reports. Registrar shall document its receipt of and response to all such reports. Registrar shall maintain the records related to such reports for the shorter of two (2) years or the longest period permitted by applicable law, and during such period, shall provide such records to ICANN upon reasonable notice.

Advance Fee Fraud is illegal activity in all jurisdictions. Theoretically it should be easy to report it if it can be proven. This last part created another issue; based on the area where they have located their main offices, some Registrars will deny any responsibility for consumer protection, asking for a court order to do anything. This ignores the reality that victims are in a different geographic area and might also be already penniless after being defrauded, unable to pay a lawyer for obtaining a court order. Typically law enforcement will also not do take downs for the bulk of malicious domains. Some countries don’t even have a mature cyber anti-abuse strategy. Where there is mature enforcement, the authorities are overwhelmed with cyber crime mitigation.  This leaves more than 99 percent of malicious AFF domains at some Registrars free to defraud.  What might seem to be a reasonable registrar response to the unenlightened, is suddenly grossly unfair in terms of human rights. Yet nobody knows this better than the registrars and ICANN.

In 2015 ICANN published the article “ICANN Is Not the Internet Content Police”. Essentially ICANN tried distancing themselves from any illegal abuse on the Internet. While there may be some merit to some of the content, such as the types of complaints ICANN tried making these issues out to be, they failed to acknowledge that much of the more serious illegal abuse was fueled by the DNS infrastructure. More so, many of the abusive domains were registered with invalid registration details in what was clearly a violation of their own policies. This blog was published by the head of Compliance that did not even realize that ICANN also had duties as per the Affirmation of Commitments. The result was rather interesting and saw people resign, new posts being filled. Not that it helped much, as nothing stopped the growing DNS abuse and consequent AFF and BEC abusing the DNS system. It would appear by not formally allowing AFF and BEC to be given a name, it was hoped it could be swept under the carpet. ICANN continued ignoring what was being demonstrated to them. Formal ICANN Complaints processes were abused to frustrate reporters, even closed as resolved where the abuse was ongoing and in violation of their own policies.

Other Registrars deal with abuse reports by blindly forwarding them to their downstream reseller, despite requests this not be done. Many of these resellers are hosting providers. Some of these hosting providers specialize in facilitating AFF (and consequently domain abuse) as a business, some being the very party that designed the fraudulent websites. Many such resellers have been caught over the years with their hands in the cookie jar. This makes out an insider threat to the DNS system. What is labelled as transparency, suddenly becomes a lesson to criminals on what not to do next time, what got their fraud exposed. In turn they refine their technique to defraud better.

Certain Registrars don’t use anti-abuse email address for reporting abuse anymore. Reports sent to the registrar anti-abuse email address will either get ignored, result in a request to use a web-based form, or result in an auto-responder reply to use such a form. Many of these forms limit abuse to pre-defined abuse types. Only one domain can be reported at a time. We’ve already mentioned how many registrars and ICANN community does not recognize AFF as DNS abuse. This results in shoe-horning malicious domains one by one into incorrect nearest categories, shoe-horning a bit more to get the message across what is being reported.  To add insult to injury, some registrars don’t even acknowledge such reports, leaving the reporter with no evidence of what was reported. Yet ICANN requires proof if any party wishes to point out a registrar not taking action as mandated in the ICANN RAA. This is a mechanism being abused for plausible deniability. This mechanism also fails to recognize that more than one party might have interest in an abusive domain. Also, very suddenly, all those forms might be collecting user IP addresses and details, perhaps even sent to the abusive party as in the previous paragraph. There is no recognition for the privacy, even security, of the abuse reporter or the threats this may expose him to, while the abuser has all the protection at the registrar.

Even if a malicious domain is suspended, the same Registrar that agreed it has to be suspended, will silently remove the suspension and allow it to jump back to life. It’s extremely counter-productive to have to re-mitigate a malicious domain, openly spoofing a well known bank, or where a public alert exists on the likes of the Solicitors Regulation Authority. Even more so, if a consumer reports being defrauded with such a domain after it jumped back to life.

Another infamous game to frustrate the WHOIS accuracy specifications, is the Registrar insisting the reporter sends a scanned copy of a returned envelope, to prove the street address is indeed inaccurate. This response blatantly ignore established geography at times. Consider;

Registrant Name: Morgan Lorga
Registrant Organization: Anonymouse Host
Registrant Street: Down street Rus
Registrant Street:
Registrant Street:
Registrant City: welmshi
Registrant State/Province: North West
Registrant Postal Code: 101000
Registrant Country: RU
Registrant Phone: +7.675552377
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registrant Application Purpose: P1
Registrant Nexus Category: C11

There is no Welmshi to be found in Russia,  there is no North West Province in Russia, the postal code is for Moscow.  The blatant self-blinding does not end here. Telephone number +7675552377 is not valid either. Let’s also not ignore the significance of P1/C11 indicating this is a US business and belonging to a US resident. Russia was never part of the USA, need more be said?

The Registry for this domain ccTLD has some very specific requirements for any domain in their Registry. This was also escalated to them. Surely this would have upset them as they market themselves as the compliance experts? Not so, this farce was allowed to continue to drive their sales. The consumer was the party paying the real price for this lack-lustre policy enforcement and self blinding. Yet one of largest economies had entrusted them to manage their national country TLD. Marketing trumped reality.  It’s no surprise that the fraud that’s being perpetuated with these domain names reached such pandemic levels, that the Better Business Bureau initiated a research project, culminating in the publishing of an international study. Even today this abuse is ongoing and constant alerts are being put out to the public. For the informed, we can connect these very same parties to other issues affecting this country and numerous other alerts, where even this country’s cancer sufferers are being targeted and extorted in drug scams.

To some Registrars consumer protection has zero meaning. The only party they will consider abuse reports from, are the actual victims. Of course this would only be after somebody has been defrauded. There is no recognition that much of the ongoing fraud can be prevented. Others insist on reporting such fraud to the likes of IC3, Action Fraud, ACORN or law enforcement, then distance themselves from any further responsibility. Yet these parties will hardly ever investigate individual complaints. There will be no removal of the fraudulent content or a request for a domain suspension. As such the online trap continues and the result is treated with no forethought for protection. The victims become statistics.

The term “protection by proxy also exists”, referring to situations were an ICANN process called a UDRP can be used if, and only if, it can be proven that “(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and (2) Respondent has no rights or legitimate interests in respect of the domain name; and (3) the domain name has been registered and is being used in bad faith.” The assumption exists that if such a brand owner mitigates the abuse (at a cost of about $1500 to $2500) the consumer will be protected. This fallacy falls far short of reality. Invariably in AFF, the Respondent will not challenge the action, the bulk of these UDRP actions names the abuse as phishing (which it is not). Even before the UDRP succeeds, the AFF actor has already registered his replacement domain in his portfolio of malicious domains. There is no penalty for him and the mitigation of a single domain does not really affect his malfeasance in any real way. A UDRP is not protection against AFF, it’s the wrong tool for the job and merely penalizes the legitimate rights holder with costs and with no real relief, also no sanction for a registrar continuously sponsoring such domain names.

Recently DomainTools discovered a set of malicious domain names. The same actor had setup a nest of defrauding websites used in Romance Scams. One of the domain names the registrant registered and abused was, which resulted in a successful UDRP. Even so, the same actor registered domains and afterwards at the same registrar. How many more thousands of dollars will it take the real Exxon to mitigate this threat? Will Chevron even try where they face the same problem? Even so, the sponsoring Registrar and Registry are allowing the same registration details (which are fake and proven to be equivalent to another party), to blatantly continue his AFF abuse registering new domains, equally spoofing other real banks and companies simultaneously. This is as close to facilitation as can be without being directly involved. Yet they will never be held accountable for their gross negligence. It’s no coincidence the shown typo-domains are equally popular in BEC. In fact we can’t be sure it’s not being used for BEC as well.

Just for fun, the United Nations had a bank as well – managed by the above malicious actor:

Another method by which malfeasance is shielded is via proxy abuse. Here a Registrar or affiliate with allow their details to be substituted for the real user’s details. The theory is that this will protect the user from abuse such as spam. As per the ICANN RAA, the proxy owner becomes the domain holder and will accept all responsibility for the domain. The protected user will be the licensee. Theoretically as per policies, the proxy owner will reveal the licensee details when asked for such details and clear abuse of the domain name is shown. Failing to do so, he’ll accept liability for the harm.  Even so, despite the clear language, many proxy owners insist on court orders in specific jurisdictions to reveal these details, or simply refuse to divulge these details, that could be used to protect the consumer. Although outside the scope of this post, we’ve seen what constitutes as licensee details for some of these proxies and the resulting abuse. Anything from spam to child pornography is hidden behind one Registrar’s free affiliated proxy service. Yet many Proxy Providers openly publish on their websites, or reply via email, that they are not the domain owner, contrary to ICANN published policies.

Another method of buck-passing it to make any abuse the responsibility of the hosting provider as content issues. We have already discussed who some of these hosters are, the very parties facilitating the fraud. This approach disavows the DNS abuse nature of AFF.  Some of these hosters have multiple hosting accounts in various locations. An abuse report to them will see such a domain have it’s DNS changed to another hosting account and within a day, the malicious domain is resolving to the re-published fraudulent content in what is called “host-hopping”. One such fake lawyer website host-hopped 27 times between different networks, resulting in a strongly worded abuse report to the sponsoring Registrar. While a hosting provider abuse report might work with phishing, mis-identifying the threat may cause even worse problems. One domain spoofing the Bank of America disappeared and was suspended for a day as per it’s index page. Yet the MX (mail server) record was changed to point to a professional email provider the next day, from where the rather unique email address on the bespoke domain was resolving again. This approach also disavows the reality that sub-domains can be pointing to different hosting providers. Yet this is what AFF is, DNS abuse.  It’s also no small irony that certain AFF actors were quick to adopt plausible deniability with hidden content on a seemingly innocent website. Certain Registrars taught them well. The same practices can also be seen in BEC where the MX is pointing elsewhere.

Even currently a “Repossessed Domain” is still merrily spoofing a major financial institution. Where the domain should have been suspended, non-standard practices where deployed and merely took care of online content issues. There are reasons for best practices, such as suspending the domain with the appropriate locks. It will disable all the various ways a domain can be abused in AFF and BEC.

Setup for failure

A consistent solution for mitigating AFF abusing the DNS system has never existed.  Though we theoretically have strong policies and procedures that should be applied against any abuse of the DNS system, these policies are gamed and never properly applied, sometimes much watered down for the financial benefit of self-interests and substituting for real action. While the general outcry of businesses getting defrauded grows as BEC grows, we need to remember this abusive growth was at the cost of thousands of consumers getting defrauded annually. These victim’s complaints were not properly mitigated, some simply just ignored. BEC is only the most recent evolution of AFF.  Without a clear policy of mitigating AFF abusing the DNS system, we are setting ourselves  and the internet up for failure. Previously the price of this failure was borne by the casual consumers. Now businesses are equally joining the victim arena. How many lives need to be destroyed and how much more money needs to be lost, before we start to really solve this systemic abuse? No provider of any service on the net can any longer pretend “it’s not my problem”: it’s everybody’s problem.

No Registrar can any longer afford to say “We are only a registrar”, not when only is wrapped in a myriad of obligations.  Only has bolted the stable.  The slow growing “joker” AFF problem we’ve been recording since at least 2003 is now a full blown threat to the world economy in your domain of responsibility and it has a name; Business Email Compromise, or BEC. What more will it take? Some class action lawsuits to the risk averse registrars that bury their heads in the sand? A de-registration as per section of the RAA?

2019 is your wake up call back to reality.

This is a joint blog post by Scam Survivors and Artists Against 419.
Tick Tock – time is up. Exposing ICANN Policy … Mon, 22 Jul 2019 23:23:24 +0000 Read More Read More

For the past few years Artists Against 419 has seen mass abuse of domains, with blatant fake registration details, being ignored by ICANN and certain contracted parties.

The domains of concern are domains being abused in Advance Fee Fraud to defraud consumers, yet this isn’t important to ICANN. In the mean time we’re in contact with victims and law enforcement, we see annual losses escalating at shocking rates.

Some registrars and registries care, they try their best to mitigate abuse that is practically impossible to stop. The current domain model is a rush to the bottom at ICANN. Ease of registration and low domain costs has not left much margin for fighting against domain abuse. Yet even so, some do. In turn such gallant attempts see the malicious actors run in droves to registrars that don’t care about their RAA 2013 obligations. ICANN actively protects these registrars when a complaint as per “ICANN’s bottom up” processes is submitted.

We currently have two cases at ICANN Complaints Office, lodged more than a year ago. Despite queries, these issues have not been addressed. This allows registrars to ignore their contractual obligations with impunity.

To any sane party, this should be of concern. Ignoring malicious domains registered with registration fraud undermines the internet, it undermines intellectual property and trademark rights, it disrespects consumers who ultimately end up becoming victims to Advance Fee Fraud. It’s easy for ICANN and certain contracted parties to distance themselves from harm caused by these domains, for ICANN to publish a blog like ICANN is not the Internet Content Police regarding non-fraud issues. Yet when bogus registration details for a serial abuser is tolerated even though proven, made off as content issues, there is clearly something amiss in the trade union Lalaland.

Artists Against 419 will be publishing the full reports of two such complaints. Here is a taster of the reception an abuse report got:

Subject: Abuse alert: fake WHOIS – registrant email address

Dear NameSilo abuse team,

We identified a party abusing your services to commit online fraud while
using fake details to register the domain names he operates.

Back in 2016, when he was reported for the first time in our database
with he was:

Registrant Name: derelen john
Registrant Street: 443 s caroline
Registrant City: ridgeland
Registrant State/Province: Mississippi
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4042376473
Registrant Email:

Two years later, with, he was:

Registrant Name: fred zanak
Registrant Street: 455 s wheatly
Registrant City: ridgeland
Registrant State/Province: MS
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4046750766
Registrant Email:

This year, with , he was:

Registrant Name: dennis john
Registrant Street: 301 Wheatly Suite 2
Registrant City: Ridgeland
Registrant State/Province: MS
Registrant Postal Code: 39157
Registrant Country: US
Registrant Phone: +1.4123766971
Registrant Email:

This party had domain names registered with another Registrar, PDR. When
one of his domain names gets suspended there, he registers with your
company another domain name impersonating the same entity.

For example, after his domain name was suspended on
PDR in April, a month later he registered with your company – spoofing the same company,

In at least one case, one of the domain names belong to this party and
registered with another Registrar, having only SMTP usage usage, seems
to be used in Business Email Compromise.

Resolving host name ““…
Connecting to host address “”…
Got: ESMTP Exim 4.92 #2 Sun, 21 Jul 2019
04:20:27 +0400
Got: 220-We do not authorize the use of this system to transport
Got: 220 and/or bulk e-mail.

Send: HELO xxx
Got: 250 Hello xxx

Send: MAIL FROM: <xxx>
Got: 250 OK

Send: RCPT TO: <>
Got: 250 Accepted

Send: DATA
Got: 354 Enter message, ending with “.” on a line by itself

This host states that the address is valid. is a valid deliverable e-mail box address.

In this case the targeted company is

A list of the fraudulent domain names belonging to this party we managed
to identify so far can be seen here:

1. – fake law office
2. – fake courier
3. – fake law office
4. – fake financial institution offering for sale bank
5. – fake law office
6. – fake courier
7. – SMTP ussage only, used in job scams with the email
8. – SMTP usage only, spoofing
9. – fake financial institution
10. – spoofing
11. – SMTP usage only spoofing, potentially in Show biz scams, see
12. – SMTP usage only, spoofing
13. – SMTP usage only, spoofing; the domain
name was also used with the email address to
register (PDR – hold) and
(NameSilo – hold).
14. – spoofing
15. – spoofing
16. – fake courier
17. – spoofing
18. – SMTP usage only, spoofing with the email
20. – spoofing
21. – spoofing

Your company previously suspended, belonging to the same

There are also few other domains belonging to this party and registered
with your company, not mentioned in the above list.

Please investigate and suspend the domain names belonging to this
registrant abusing your services to commit fraud.

Please also feel free to revert if you have any queries.

Thank you.

Clearly something is very wrong, this should have been of concern to any self respecting registrar? After all, we are talking about registrar obligations to investigate such reports? Nope!


we are only the domain name registrar and cannot validate or remove the content posted on the site.

This can be done by the hosting company of the website, which you can look up on this website:

Once you know the hosting provider, please look up their company information and contact them with the case.

You can also use the following pages to report the website:


Scam and Fraud:

You may also discuss the case with your local law enforcement officer to seek help.

NameSilo Abuse Team

At this stage this registrar just violated the ICANN RAA WHOIS ACCURACY PROGRAM SPECIFICATION.

4) If Registrar has any information suggesting that the contact information specified in Section 1(a) through 1(f) above is incorrect (such as Registrar receiving a bounced email notification or non-delivery notification message in connection with compliance with ICANN‘s Whois Data Reminder Policy or otherwise) for any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar must verify or re-verify, as applicable, the email address(es) as described in Section 1.f (for example by requiring an affirmative response to a Whois Data Reminder Policy notice). If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the customer paying for the Registered Name, if applicable, providing the required verification, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

5) Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.


No content was reported and deliberately not; this registrar loves making all issues off as content issues beyond their remit. We have to assume they got confused, now also considering “WHOIS details content” as content. 

Perhaps we should consider what the ICANN Governmental Advisory Committee considers domain abuse, now that we’ve played out this registrar and ICANN’s game. The following is advice that the GAC gave to ICANN in the ICANN46 Beijing Communique. Although it pertains to registries in the new gTLDs, it shows rational thinking leading to sound advice:

The GAC Advises that the following six safeguards should apply to all new gTLDs and be subject to contractual oversight.

  1. WHOIS verification and checks – Registry operators will conduct checks on a statistically significant basis to identify registrations in its gTLD with deliberately false, inaccurate or incomplete WHOIS data at least twice a year. Registry operators will weight the sample towards registrars with the highest percentages of deliberately false, inaccurate or incomplete records in the previous checks. Registry operators will notify the relevant registrar of any inaccurate or incomplete records identified during the checks, triggering the registrar’s obligation to solicit accurate and complete information from the registrant.

  2. Mitigating abusive activity – Registry operators will ensure that terms of use for registrants include prohibitions against the distribution of malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.

  3. Security checks – While respecting privacy and confidentiality, Registry operators will periodically conduct a technical analysis to assess whether domains in its gTLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. If Registry operator identifies security risks that pose an actual risk of harm, Registry operator will notify the relevant registrar and, if the registrar does not take immediate action, suspend the domain name until the matter is resolved.

  4. Documentation – Registry operators will maintain statistical reports that provide the number of inaccurate WHOIS records or security threats identified and actions taken as a result of its periodic WHOIS and security checks. Registry operators will maintain these reports for the agreed contracted period and provide them to ICANN upon request in connection with contractual obligations.

  5. Making and Handling Complaints – Registry operators will ensure that there is a mechanism for making complaints to the registry operator that the WHOIS information is inaccurate or that the domain name registration is being used to facilitate or promote malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.

  6. Consequences – Consistent with applicable law and any related procedures, registry operators shall ensure that there are real and immediate consequences for the demonstrated provision of false WHOIS information and violations of the requirement that the domain name should not be used in breach of applicable law; these consequences should include suspension of the domain name.

This advice is in stark contrast to this registrar’s statement:  “we are only the domain name registrar”. While ICANN annually spends millions on conferences, certain contracted parties are playing loose and fast with the rulebook and the spirit of the rulebook. ICANN is the supposed party to make sure this does not happen. The image being projected is not what happens behind the scenes. The seminars are just pomp and show.

Here we see the registrar trying to pawn off responsibility for registration process checks on already much overwhelmed law enforcement. Yet this is in direct contradiction to what ICANN’s own Governmental Advisory Comittee conveyed to them.

In the next 48 hours we will be publishing the full details of two complaints pending in the ICANN doldrums for more than a year in the bottom up processes. While we would not have wished to publish these reports as they contain numerous of our techniques in identifying bad actors, at this stage ICANN’s unwillingness to address registration abuse has seen malfeasance now hiding behind the new GDPR implementation in WHOIS. This is in stark constrast to promises made in the initial GDPR discussions that the ICANN RAA has a requirement for reliable registration details. To keep quiet will cause greater harm than revealing methodologies. The small litle nest we show here pales into insignificance in what we’ll expose.

Known domains for at NameSilo Volgavod Shipping Services Samsung Raeden Courier Signature Bank Citibank London Kinetic Worldwide Ltd Inventors Groups Fulton Management Facebook US Duzhao Capital International Dubai First Online Drill Core Australia Diamond International Courier Brawley Aldwin & Solicitors Bank Instruments Armen KHarenkoa Attorneys Akt Courier Serice Neil Adelman & Solicitors Royal Bank of Canada UkrSibbank


Note: The fake lawyers above are not a new phenonema, however they have become a massive cyber crime problem:

This cyber crime incident does not end at what is described in the article either. We also see banks spoofed and all types of malfeasance unleashed on unwitting consumers.


Here is the gaming with stated policy that fuels the untrusted net. Read and understand how the joker prince became one of the biggest threats equally to business and casual consumer. Anybody for a little AFF, 419, phishing, BEC?

ICANN Compliance complaint UNY-783-11184 : Namesilo Standards Compliance

ICANN Compliance complaint XTO-568-35273: QHoster Proxy


Advance Fee Fraud, Advanced Fee Fraud … or 419 Scams, or simply Scams? Sun, 21 Jul 2019 16:05:43 +0000 Read More Read More

Is it Advance Fee Fraud or Advanced Fee Fraud? Or 419 Scams, or simply Scams?

Of late the meanings of these phrases are getting lost and causing confusion.

419 Scam was originally intended to refer to fraud originating from Nigerian actors violating section 419 of the Nigerian Criminal Code. These are also commonly called Nigerian Scams or 419 Fraud.

Advance Fee Fraud is a type of fraud in which businesses or individuals are required to pay a fee before receiving some promised offer or advantage. The general definition pre-dates 419 scams/fraud and is generally non-geographic: says:

Advance fee fraud has existed in various forms since at least the 18th century, though the modern concept dates to the 1920s. In the 1980s, advance fee fraud became closely associated with African-based criminal groups, Nigerian criminal enterprises in particular. It was sometimes called 419 fraud, after the relevant section of the Nigerian criminal code. The 419 fraud scheme was a variation of the confidence swindle, which preys on peoples’ greed and naïveté.

Scam has many meanings. In common usage it can mean anything from paying too much for an item, receiving an inferior item, or being defrauded. An interesting attempt at minimizing consumer losses vs bank’s responsibilities was seen in the UK banking industry, leading to private joke: “Scam a bank and it’s fraud. Defraud a consumer and it’s a scam”.  

Wikipedia’s Talk:Advance-fee scam shows the total chaos in the consumer mind, attempts at political correctness and how it creates general confusion:

Advanced Fee Fraud is pretty much a mish-mash to refer to 419 Fraud. Early sightings:, along with the term Nigerian 419.

Nigerian Scam is a later attempt at separating scam types and to define 419 Fraud from general Advance Fee Fraud. Even a bit later the confusion is once again solidified by considering Nigerian Scam, 419 Fraud and Advance Fee Fraud to be synonyms. Since all cats are animals, it does not mean all animals are cats. 419 Fraud is but one form of Advance Fee Fraud.

419 Scam vs 419 Fraud are used interchangeably. It refers to the Nigerian form of consumer facing cybercrime and derivatives. Artists Against 419 has standardized on 419 Fraud as to distance it from scam which may or may not be illegal. The word scam is somewhat hijacked and a weak term to describe something that’s both fraud and illegal internationally.

Sakawa normally signifies a special zealot type form of Advance Fee Fraud typically associated with black magic and blessing to defraud a good victim. It’s closely related to 419 Fraud and originates from it. However a mere Ghanaian IP address is not enough to define it as either Sakawa or not. Many of the 419 Fraud from Ghana originates from Nigerian citizens in the country. This does not mean all attribution will be Nigerian either as many Ghanaian nationals do partake in 419 Fraud on steroids, Sakawa. Ivory Coast sees the same challenges, likewise many West African countries all the way through to Mororcco. Since we are unable to definitively distinguish in general, we refer to 419 Fraud to be 419-type scams emanating from West Africa.

Benin deserves a special mention. We have been monitoring rather unique EU targeting consumer loan scams emanating from Benin. Typically these scams are primarily in French, with translations available for other languages via Google translate. Canada is a secondary target.

Another major area of confusion is spoofing, as we find in 419 Fraud, which is seen as phishing. We explain the difference in our post Phishing Sites vs Fake 419 Banks.

Yet these concepts and are important if we are to get it right. To stop abuse, we need to understand what we’re talking about and how to protect against it..

Advance Fee Fraud
Advance Fee Fraud vs fraud types

Artists Against 419 uses the term Advanced Fee Fraud as originally defined, although in a cyber fraud environment, to signify internationally illegal fraud requiring some form of fee in advance.

DNS Abuse Dominoes Thu, 11 Jul 2019 15:12:22 +0000 Read More Read More

While ICANN, the regulators and the various interest groups are debating the definitions of DNS abuse, what constitutes a security threat and is within their responsibility (or rather not), what’s wrong in this area, fraudsters don’t care about these shenanigans. They’re exploiting DNS to their own advantage in well defined illegal activities.

The rules made when the Internet was young, seems unable to keep the steps with current realities. The divide between the ideal Internet in the regulators’ model and the one we’re dealing with daily, is widening as ever increasing numbers of fraud actors learn how to abuse and hijack anything they can in their efforts to steal unwary consumers’ money.

While there are no definitions of Advance Fee Fraud everyone can agree on, there are also no standard ways of dealing with the abuse of the online space the bad actors base their frauds on. There might be rules, but those rules are inconsistently applied at each Registrar / hoster, with each having their own interpretation of rules. This has educated the fraudsters well.

One of the main elements used in blaming the victims of online fraud is a basic question: Why didn’t they check before being defrauded? This is easy to say, yet increasing harder to do lately.

The Internet is crowded with crawlers and spiders reposting content in what looks almost like a general click-bait contest. No one seems to care how legitimate the original source is. Fake businesses using fraudulent websites (and sometimes smart SEO campaigns) shows up in various places online. In all that noise, it becomes almost impossible for an untrained person to guess what is real and what is fake.

We don’t have courses in schools to teach us, for example, the difference between a simple search key in Google and the same search key in quotes. In the real world, you need a license to prove you’re qualified to drive a car. The Internet has no license. One can chose to have a car or not, but no such liberty exists when it’s about  the Internet with everything forcing us to use online resources. We end up having our entire life online – finance, work, education, social interactions.

The average Internet user assumes that someone is checking before allowing a website online, yet the reality is that the processes are mostly automated.  The checks we see happens usually only after someone gets defrauded and complains about it, if at all.

One might imagine that a Registrar or a hoster will never register / host a domain name impersonating a registered company name. They might refuse to register the obvious ones, but many are well aware that the bad actor will turn to another Registrar / hoster more “flexible” in that regard. At the end of the day it’s all about business and we even find the term “bullet proof hoster”. Yet these “bullet proof hosters” also sell domains.

Before the GDPR, identifying a bad actor creating a fake website used in Advance Fee Fraud was easy, based on a WHOIS check. That option is now gone for the average user, with even the privacy protection provided by the Registrar now sometimes hidden behind the GDPR privacy blanket:

Redcated Proxy

While regulators, law enforcement or financial institutions have jurisdictional problems they try to solve mitigating abuse and fraud, fraudsters have no such problems. When they don’t steal from one another, these bad actors can happily share the same infrastructure and develop their other part of the business independently. The case illustrated here is a perfect example of how the DNS abuse happens and nobody seems to notice or wishes to acknowledge it.

Domino effect – the case study

In this study we have a total of 295 domains impersonating banks and associated websites used to impersonate oil companies, pharma and other romance scam related websites. Then we uncover another 153 domains impersonating couriers. We managed to identify and analyze 336 of these fraudulent domain names. The entire list can be seen here:

Different fraud syndicates share the same resources abusing these domain names. In some cases they use the services of the same faker maker. In other cases they only share hosting accounts or SSL certificates.

The idea for a case study started with a dying widow scam as shown at

Scam spam
Scam spam

We’ve found that over 80% of such scam spams leads to malicious domains and websites. This was no different. A fake lawyer followed and after that a bank:

Website reveal
Website reveal

The bank was impersonating a real bank (as it can be seen in last line of the message shown above). There was no content on the fraudulent domain name – the fraudsters were using it only for the email address. During the interaction with the fraudster, another domain name was sent to the potential victim on the forth bank email, with the same sender email address being used.

But there was no bank, no problem. Another email followed, and another and another using the same domains. The fourth time we find a slight variation in the domain name. Domain becomes

Fourth Bank email
Fourth Bank email

To the casual internet user, it might have appeared that there was no content on, only a parking page.

Parking Page
Parking Page

Yet the fraudster was sending the direct link for were the “bank” was really hidden:

Hidden 419 Spoof
Hidden 419 Spoof

As it happened, in this case the registrant details wasn’t hidden:


There’s a second bank registered with another email address on to the same domain name:


Once again the index page would appear to be a parking page:

Parking Page
Parking Page

Once again the actual content is hidden in a sub-directory as before:

Hidden spoof HSBC
Hidden spoof HSBC

Apparently these “banks” were registered by another bank,, with a maintenance page on it’s website:


Yet, hidden in a sub-directory, we find another 419 spoof of a bank:

Hidden WoodForest spoof
Hidden WoodForest spoof

So who does belong to?


So this domain is registered with another email address claiming to belong to yet another bank. We continue like this, uncovering fraudulent bank spoofs registered with the address of yet other bank spoofs. The domino effect?

Scam syndicates connected

The first identified group of fraudulent websites are operated from Ghana. The domain name, impersonating Leads Guaranty Bank, is registered in Ghana by a Nigerian hoster.


A second one is centered around the email address During previous abuse way back in 2014 he claimed to be:

Details in 2014
Details in 2014

Currently this party claims to be:

Details in 2019
Details in 2019 Royal Bank of Scotland Royal Bank of Canada Central Bank of Nigeria Citi Bank China Citi Bank China Commerzbank Switzerland Wells Fargo Dongguan Bank China (expired) ZOCS Worldwide GSC – Global SC Eagle Express Cargo & Security Services Chase Bank Online (expired) China Merchants Bank (expired) Asia Springlite Group Elite Travels (expired) China Citic Bank (expired) China Citic Bank (expired) China Citic Bank (expired) China Citic Bank


With spoofing First Gulf Bank, we find another syndicate from Ghana crossing paths: Wells Fargo Bank Laurence Law Firm Holy Trinity Orphanage Ghana Global Remittance Bank G4S International Logistics First Bank of Ohio Diamonds Logistics Ltd Cargo Shipping Company Bridge Bank Group Ivory Coast (BBG CI) Agricultural Development Bank of Ghana (ADB) First Gulf Bank (expired) Universal Courier and Logistics Company


Who remembers ‘Have a Coke and a scam‘? The same scammer now has, impersonating Comerica Bank which leads to a South African “branch“ of his identity. When the registrant email address was first reported back in 2013, he was:

Frank in USA
Frank in USA

A year later until last time when we checked, while being busy with Coca-Cola lotteries scams, he was:

Frank in ZA
Frank in ZA

But where did Frank and his Coke scams originate from? Nine days before first observing Frank, we had a previous Coca Cola spoof:

Before Frank
Before Frank

To understand why these syndicates have become so powerful, we only have to look at domain Despite many reports with evidence of blatantly deliberate inaccurate registration details, this domain abused for a fake courier was devolved to host mitigation time and again, “it was not DNS abuse” as per the wise anti-abuse sages.

Domain WHOIS
Domain WHOIS

This resulted in the inevitable host hopping and victims:

Host Mitigation Result
Host Mitigation Result

So far there are 31 fraudulent domain names that he registered and we managed to identify. Investec Comerica Bank (expired) Yorkshire Bank (expired) Thomas Philip (expired) Coca-Cola (expired) Standard Bank (expired) Coca-Cola (expired) Coca-Cola (expired) Coca-Cola (expired) Global Financial Solution (expired) Patrick Pelischek Industrail & Machinery Supplier (expired) Thomas Philip Advocates & Solicitors (expired) Peter Home of Antiques (expired) Coca-Cola (expired) Yorkshire Bank (expired) Coca-Cola (expired) Global Financial Solution (expired) Global Financial Solution Ltd (expired) Coca-Cola (expired) Coca-Cola Promo (expired) Coca-Cola Promo (expired) Coca-Cola South Africa (expired) Coca-Cola South Africa (expired) Coca-Cola (expired) GLFS Group (expired) Coca-Cola (expired) Global Financial Solution (expired) Coca-Cola (expired) Samsung (expired) Standard Bank (expired) Coca-Cola Promo

We’ll skip historic fights with registrars about this blatant abuse of domains which led to aliases and, proven to be the same party as, that led us to now.

Linked to the above mess, we find another Nigerian actor operating a bank and a courier scam from the domain name It’s pretending to be both Logis Cargo Ltd. as well as Finance Bank. Two years ago he was actively doing romance scams using stolen pictures of a Focus Hawaii Agency model.

With, pretending to be Europ-Express France, we stumble upon a Benin loan scam syndicate:

With pretending to be a courier named BorderWay Express Logistics, we enter the Cameroonian Fraud arena – Pracia Naturals Kush Base 420 Horizon Logistics / Trans Logistics Delta Motor Pty Ltd / Rotakuwa General Trading Ltd BL Group Spolka BorderWay Express Logistics

Domain used to host a matching fraudulent delivery company, leads to yet another Cameroonian fraud syndicate: Vision Express Delivery USES Postal Service / USES-PS Logistic Services Thai Global Logistics Company LTD Royal Blue Pitbull Mega Travel Agency Express Line Delivery

The registrant details of spoofs of Santander, CapitalOne and RainForest banks, leads us to the fake pharma supplier arena, with the orginal pharma domain being registered using a proxy provider: Santander Bank Capital One Bank Rainforest Capital Bank Richard Pharamceuticals Ltd (PDL)

A spoof of the SYZ Bank is showing a host suspension page, yet it’s email was similarly used for registrant email addresses, initially starting with a proxy protected domain. In this example we also show how different registrars are used: First Texas Bank Namecheap, Inc. Citi Bank Namecheap, Inc. SYZ Bank Ownregistrar, Inc.

Despite the supposed host suspension, the email address is still active at the same host:

Email Active
Email Active

Domain used for spoofs such as Standard Chartered Bank, Bank of America ( and the Federal Reserve (,  was abused in a similar way, also registered via proxy protection: UDSS Express Logistics Limited Polar Freight Global Services SunTrust Bank United Overseas Bank Malaysia (UOB) Frost Home Delivery Services Limited Standard Chartered Citi Bank SunTrust Bank Citi Bank

Domain is now parked – long live Rinse and repeat:

The index page is the one seen before.


A fake bank is also an oil company simultaneously, with a divorced CEO, searching for love online and depriving his victims from all the money he can get. Domain is FinTrustFinancial Bank on it’s main website, but then also Arbitoil Engineering as per the domain’s one sub-domain.

A fake orphanage in Ghana is also used in romance scams. Their only American volunteer uses stolen pictures of a known doctor, a photo reported many times over the years by victims defrauded by these scammers.

Fake Dr Fernando Gator
Fake Dr Fernando Gator

A set associated couriers follows the same recipe. Virginia Farmer Matt Lohr, named NRCS Chief in 2018, will be surprised to learn that he was promoted to a diplomat, also has a new name. At least this is what an image of his says on a lot of the fake couriers, associated with these fraudulent websites. Meet “Senior Diplomat John Mathieu”!

Analyzing the associated fake couriers, we find the same design elements used repeatedly. The association is clear. For example, we see addresses such as “6 River Hill Duharm“, sometimes in the UK, sometimes in Turkey, sometimes in the USA.

Let‘s look at those fake sites from another perspective. There are four domains impersonating Barclays Bank, 14 impersonating HSBC, 5 impersonating the Dubai Islamic Bank, 7 impersonating Citi Bank and 24 pretending to be FirstFlight Courier.

The examples can go on forever. Behind all the statistics and posturing surrounding the procedures at ICANN, we also find the reality of Advance Fee Fraud. Bad actors are working together for the common goal, on one side, to defraud consumers and small businesses.  All the pomp and procedure at ICANN has long since become disjointed from realities the fraudsters understand and exploit. In the middle are the consumers, the victims defrauded every day. This fraud uses the DNS system caring little about definitions. The policy regulators of the Internet are debating theoretical concepts while fraudsters are busy abusing the system and destroying lives.


This is a joint project by Scam Survivors and Artists Against 419.
Should we be honoring clientHolds for certain Registrars? Mon, 29 Apr 2019 16:22:55 +0000 Read More Read More

We’ve become aware that the domain suspension system is being gamed. Once we become aware that a malicious domain is targeting consumers, we list it in our database.

We also have some free sub-domains and free URLs to content, but this discussion doesn’t include them.

Up until now, we’ll submit reports to certain registrars who would suspend them. Likewise certain Registries monitor our database and upon a listing by us would investigate and suspend these domains. These Registrars and Registries are invaluable allies in the fight against fraud.

However, many Registrars insist upon individual reports using web forms etc. Some insist that anti-phishing reporting mechanisms be used (we’re not dealing with phishing incidents, we’re dealing with advance fee fraud).  Some Registrars insist the hosting provider or reseller be contacted. Many parties report these incidents using these mechanisms and methods, yet this is where the games begin.

History is gold! We constantly find bad actors abusing the DNS system, registering domains with fake registration details, re-hosting domains once an abuse report has been sent. Most recently we again uncovered one such party going back to 2006. In all the whack-a-mole host hopping, we also noticed patterns where certain facilities were always used. As our investigative techniques evolved, we eventually became aware of large scale facilitation. The very parties some registrars expect us to report to are the ones making a living out of designing malicious websites.  They’re registering domains for these and then hosting them for their clients, the Faker Makers. Some are official resellers of certain registrars. This is big business in West Africa. While a large portion of the ICANN community wishes to deny the existence of DNS abuse in advance fee fraud, the ICANN contracted parties reseller channel is contaminated and deliberate facilitation for advance fee fraud exists.

We’ve not even delved into the reseller channel being gamed for the more common bullet proof hosting. Here the domain reseller will allow their facilities to be abused for the registration of malicious domains, turning a blind eye to the abuse that follows.

We’ll reveal how we manage entries in our database. But let’s first show what is publicly visible:

An entry in our database has either active or expired status, matching the domain status. An expired entry will show (expired) after the URL.

Expired Entries
Expired Entries

If an entry isn’t marked expired, the public view will show as either active, dead or hold statuses.

  • Hold is the only real way that we can guarantee that the malicious domain owner can’t abuse the domain. This is where a domain shows in the Registry to be either a ClientHold or ServerHold status ,  indicating either the registry or registrar suspended this domain. This means the domain won’t resolve and can’t be abused for email or hosting purposes.
  • Dead is a status we assign where some other method exists that may indicate the domain is disabled. However this isn’t foolproof and this system is open to manipulation. Traditionally we accepted the word of a registrar or a hoster in good faith. Yet these methods haven’t stood the test of time. Supposedly dead domains were suddenly found to have active content on sub-domains. We’d receive a victim report showing how the domain was involved in email communications. The problem was  there’s no transparency in how the abuse is mitigated and our good faith belief was abused to the detriment of the consumer. This eventually led to a policy decision of drop-dead, i.e. we won’t assign such a status on good faith. There has to be a measurable metric for us to consider an entry dead. One exception we make is for a registrar to change the domain’s DNS to a well known suspension DNS entry (a shadow database suspension status). This status can be evaluated as a known status. However no published policies or rules exists on how the registrar expects such entries to be evaluated and is open to gaming. In this class we also put numerous ccTLDs that may show suspension statuses. The bigger issue here is that, unlike gTLDs, these domains have been observed to jump back to life again. Despite policies, West African and Cameroonian syndicates do play in these registries and we see constant abuse.
  • Active is where the domain doesn’t meet the previous two criteria for not being able to be abused. This has led to critique that this doesn’t acknowledge the positive role a hoster might play in abuse mitigation. However, unlike a hacked website, we’re discussing malicious domains under the control of malicious actors. It’s trivially easy for the domain owner to re-host content elsewhere. One fake lawyer website changed hosting providers 27 times!


How do we manage all this data for active entries?

Where we submit known malicious domains for evaluation to a registrar, we have tools to evaluate the sent list and our database is updated accordingly.

We also have automated processes that check each non-expired entry at least once per week (more on this later). Using Whois, DNS and other defined triggers, we first check the Active entries:

  • Any Active domain that’s gone onto a ClientHold or ServerHold is updated to Hold.
  • Active entries that have Expired are set to Expired and are no longer maintained.  We also filter for non-existent (AGP drops) domains in this step, or domains that may have expired we may have otherwise missed. The entry shows the (expired) status.
  • Active domains whose name servers change to pre-defined name servers are set to Dead.
  • Active domains not resolving at MX and A record levels are flagged for investigation. This is a manual process and may lead to a Dead status.

Domains that were set to Hold are similarly scanned.

  • The Expired process mentioned is again followed.
  • We also monitor for changes from a hold back to active.

This event may be found in UDRP procedures where a successful UDRP will lead to an Expired status.

We also see this change of status where a domain goes into the reseller market, typically after expiry.

But here we also clearly see other games being played. Once we’ve flagged such a domain as Hold, the clientHold is silently removed despite the usage being incriminating and malicious.  One registrar where we see this even asked us “who are you?”, but apparently their reseller clients clearly understands the answer to that. Ignorance is bliss where the registrar chooses to distance themselves from the abuse as “content issues only”. It’s no irony that this registrar is consistently in the top-five most abused Registrars list.

Dead domains are also monitored. This mechanism depends on WHOIS, DNS checks and also sleuth checks (we won’t discuss these as this might make them moot).

  • Any expired domain is marked as expired.
  • Dead domains that change DNS servers from predefined name servers to others, are flagged for manual investigation.
  • Any other pre-defined triggers also flags the domain for manual investigation.

Any change or registry date also triggers investigation. Despite well published ICANN policies, we do observe policy deviations.

Having clear, consistent and standardized methods to disable domain abuse is vital. Without this we head into a Babylon of misunderstanding and gaming of any system. DNS abuse is not merely hosting abuse or content issues. Advance Fee Fraud isn’t hacking and phishing. There seems to be an unwillingness in certain quarters to game reality for profit, allowing abuse. This is the beast that fuels not only Advance Fee Fraud, but also Romance Scams and BEC. We understand the nature of the abuse, the methods used by malicious actors and what will or won’t work. We understand why regular reports published by government law enforcement departments shows shocking increases in consumer facing fraud losses. This is to be expected and predictable where abuse of a crucial layer of the internet, DNS, is allowed to be gamed for profit, even excuses made for it.

Artists Against 419 has developed a system that monitors as per published DNS standards, also against a gaming of the standards.

Ultimately we’re trying to protect the consumer and small business against fraud. If a Registrar willy-nilly flicks abusive domains onto hold and removes it again despite clear evidence of harm, this is putting the consumer at risk. The same happens where any Registrar allows this to happen in their reseller channel. We rate limit our registry queries to meet best practices at the insistence of the Registry community. Yet the same community allows abuse of their Registry by certain Registrars. We can’t check each domain daily as this would be seen as abusive. Yet where does the abuse start and who can end it?

Should we be honoring ClientHolds for certain Registrars, or rather start publishing a list of Registrars where we don’t honor such holds?



What Protection Does ICANN Offer The Consumer? Mon, 04 Feb 2019 22:24:28 +0000 Read More Read More

On the 20th of Jan 2018 we sent an email to Tucows and the reseller SmarterASP on domains used for websites selling both legitimate and forged passports, visas, drivers licenses etc. They also claimed to sell forged currency. The reality is this is a well known scam used by Cameroonian fraudsters. Invariably these lead to later extortion where the fraudsters impersonate the authorities and fees/fines are payable.


Naturally such activities are illegal globally. Even if you don’t understand how the fraud plays out, at least any mature responsible person should know that you can’t simply buy a passport, visa or like government issued documents off the web, it is illegal.

Jan 20, 18:05 EST

Dear Tucow and SmarterASP.NET

Re: (website error) (currently inactive)

Could you please be as kind as to suspend these domains as being
abused to facilitate illegal activities.

All these domains belong to the same owner with email and a German address. While this is now hidden,
domain MIGRATIONDOCUMENTS.COM had the following registration details
which are incomplete and most likely fake.

> Registrant Name: Migration Documents
> Registrant Organization: CreativSoft Pvt Ltd
> Registrant Street: Brandenburg Brandenburg
> Registrant City: Berlin
> Registrant State/Province: Br
> Registrant Postal Code: 28359
> Registrant Country: DE
> Registrant Phone: +1.2687362645
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> Registrant Email:

These are Cameroonian scams where the scammer targets the victim,
typically found via spamming, social media abuse, or classifieds with
fake offers, only accepts payment via anonymous payment methods where
no charge-back can be done and then does not deliver. Essentially this
is money laundering. In a follow up scam, impersonating the
authorities, the scammer will claim the victim ordered illegal goods
and a fine is payable, thus extorting the victim. This modus operandi
is common in Cameroonian scams.

Typically these websites target desperate people in the Middle East
and are associated with job seekers. While these may seem ridiculous
scams, the level of ignorance pertaining to the illegalities of these
are extremely high. One such victim tried reporting it and was told
he’d be arrested if he continues bothering the authorities in Egypt.

More details below:


While the index page shows a deceptive temporary holding page, real
content is hidden.

This domain is abused to perpetuate a fake currency scam at URL:

Obviously selling fake currency is illegal internationally.
Here we see the owner claims to be selling “real and fake” passports,
even going as far as to calim to be able to “erase all the previous
information” regarding seized passports under “My passport has been
seized, Can you erase my previous information and produce me a new one
with same info?”

On this same page the owner also claims their passports can be used in
lieu of governmental passports under “Can I use your Real documents
instead of the ones from the authorities ?”
Here we see the owner claiming to sell IELTS certificates. The IELTS
certificates testing and issuing are controlled by the British
Council, IELTS Australia Pty Ltd and Cambridge Assessment English
based upon examination and can’t be bought off a website.

Likewise birth certificates, marriage certificates, driver’s licenses
etc are being sold.

Obviously there is much fraudulent misrepresentation on this website
and the choice of domain name shows intent to defraud.

Once again the content for this domain is hidden. It can be found here:

The actual website content is very similar to the previous domain’s
web content and indicates illegal activities.

While not hidden, the content is once again various forms of forgeries
as previously. Also SSN number, birth certificates and death
certificates are being sold. Even bank statements and resident permits.

Essentially this is another forged document scam as seen previously.

While this website is currently failing due to an error, we did
capture snapshots of the website in December 2018:

This snapshot can also be verified via Bing:

While this domain currently has no DNS, it’s essentially another
forged document scam as seen previously.

The hosted content can be found in Bing:



While a hosting suspension could offer short term relief, this would
be fruitless if the domain owner can simply re-point DNS elsewhere and
re-host the websites. As such a domain suspension would be preferable
and also not unreasonable to request, given the nature of the domain

Thank you.

We notice the not so beautiful (actually fake) registration details pointed out for these domains.

Having supplied the registrar and reseller these details, what would a reasonable party do? After all, has the Registrar group not said in ICANN policy discussions they generally would not ignore such complaints? As per the ICANN RAA, a response is due in 24 hours. However, the failure to respond in this time frame, if at all,  has become a common occurrence at many registrars.

Having not heard back on this issue apart from an automated ticket ‘Your request (327630) has been received and is being reviewed by our support staff.’,  a prompt was sent again on this issue on the 3rd Feb 2018. We received the following reply:

Feb 4, 08:49 EST


Whois information no longer shows up at due to GDPR regulations. You can read more about our position here:

Tucows/OpenSRS has no control or ownership over this domain. We are just the Registrar.
We do not host any content or provide bandwidth.

If you wish to launch a concern about abuse, you can try contacting the Internet Service Provider (ISP) or the upstream provider. They may have Rules governing the use of their service. You can also try contacting the actual domain owners by using contact information found on the website.

If this is an issue of trademark, then you may want to review the documentation on how to lodge a formal dispute through the UDRP ( or a court of competent jurisdiction. 

Essentially, we are an administrative body and do not judge or adjudicate issues of dispute.
If the domain does go to arbitration, please send any legal documentation (court filed or filed with an ICANN recognized arbitrator) by email to,  by post to Tucows, Inc, 96 Mowat Ave, Toronto, Ontario, Canada M6K 3M1.

Please let me know if you have any other questions 

Let’s put this response into perspective:

First is the ridiculous response: ‘You can also try contacting the actual domain owners by using contact information found on the website.‘ That sounds like an excellent Lalaland idea (not) to offer some relief, this section is simply mind boggling! Why haven’t we thought of this before? Let’s ask all criminals to stop committing crime, governments can save fortunes annually. Naturally this suggestion receives the contempt it deserves.

We pointed out the domain registration details were problematic before being hidden. The European GDPR was intended to protect the privacy of natural persons residing in the European Union. While nobody denies th need for privacy, Tucows is now using it as a blanket get-out-of-jail-free card to not meet it’s WHOIS obligations. Ironically this was predicted before the ICANN GDPR talks began in earnest. It was stated that Registrars and other ICANN contracted parties would abuse the GDPR to hide the mess that is WHOIS, but one that was used to protect governmental, commercial and consumer interests. It seems we may be correct. In turn this European privacy initiative was hijacked to now hide registrations for companies as well, some of them not even real as in this case. Bogus registration details for a fraudulent company is not a natural person. It’s not even a legal person! This mess was predictable, was predicted and now we are starting to see it’s fruits.

The irony is that in these talks, great fanfare was made about the requirement of the RAA to ensure that Registrars are obligated to collect accurate WHOIS details. This statement was made while we ourselves knew this to be patently untrue! In fact ICANN knew this as well. We had an ICANN Compliance Complaint later escalated to the ICANN Complaints office. ICANN’s own WHOIS accuracy reports in the past testified to this fact. Throughout the history of ICANN accurate WHOIS always has been a problematic issue and much abused to undermine consumers’ rights. Records of this can be found in the ICANN archives.

The irony is the GDPR is now being used by an ICANN Registrar to absolve themselves from any further need for action, dooming consumers who believe they can actually buy both “fake and real documents” off the net, to identity theft, fraud and extortion. The GDPR is now a tool to be used to shield themselves at registrars at the cost of the ordinary consumer.

In the ICANN/ Registrar world, government and commercial rights are acknowledged. We find mechanisms such as court orders, UDRPS and the URS (depending on TLD). At best ordinary consumers find some protection of rights in the ICANN RAA clause The Registered Name Holder shall represent that, to the best of the Registered Name Holder’s knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party.

Claiming to be selling real and fake/forged documents to unwitting consumers in an elaborate fraudulent scheme is a blatant breach of this promise.

Registering a domain with fake registration details would be a further breach of the RAA/Registrant agreement, except this is now hidden. We had to use historic WHOIS data to show this problem, DNS abuse. Yet the registrar is now ignoring it, the perfect excuse to devolve the bigger problem to a “content only” problem. The GDPR is now a shield for plausible deniability and self-blinding.

Where we see the ICANN DAAR initiated to highlight problem trends, the Registry Stake Holders Group (RySG) was quick to attack this initiative: Ironically the GDPR is mentioned as one of the reasons in criticism of DAAR. Yet this is an initiative to highlight abuse that also undermines consumers by the very parties who would most likely be allowing abuse, including abuse of the GDPR. Is the problem the issue, or rather shining light on the problem? Apparently it seems the latter.

During much of the GDPR talks, much was said about government interest in WHOIS data. Likewise commercial interests. There was no real acknowledgement for the common consumer who might wish to look at domain registration data to see if the party he is dealing with is credible. Contrary to what many parties would wish to be true, consumers actually did use WHOIS data to see if there is any credibility to the domain registration data before deciding to deal with a party. Any consumer that saw domain registration details on a domain such as the below, would avoid dealing with the associated website:

Registrant Name: Migration Documents
Registrant Organization: CreativSoft Pvt Ltd
Registrant Street: Brandenburg Brandenburg
Registrant City: Berlin
Registrant State/Province: Br
Registrant Postal Code: 28359
Registrant Country: DE
Registrant Phone: +1.2687362645
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:

Now the consumer has to rely on a registrar, perhaps in a foreign country, delivering a service to somebody unknown, blindly hoping and trusting said registrar did in fact take the time verify registration details as is required in the RAA, mentioned by ICANN in the RAA talks and agreed to by registrars. All the consumer now sees is:

Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY 
Registrant State/Province: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
Registrant Phone Ext: 
Registrant Fax Ext: 

Meanwhile the registrar is aware of a serious problem, yet hiding behind the GDPR to do nothing. Too bad for the victims of fraud, ‘We are just the Registrar‘.

However the GDPR does have an accuracy requirement, something that falls by the wayside in all these Lalaland discussions where criminals are now abusing the GDPR to either commit fraud, where we find ICANN contracted parties shield themselves from having to deal with pesky fake WHOIS admin issues well known to exist.

Perhaps the ICANN contracted parties should take the precious time they have now saved, at the cost of the ordinary consumer, to actually read a most insightful article by Fabricio Vayra on CircleID: WHOIS Inaccuracy Could Mean Noncompliance with GDPR

It would be highly amusing to see how this issue would play out if a European citizen was defrauded by one of the reported domains, if the European authorities follow the much bandied about “due process”, to only uncover the garbage registration details. More so if they are aware of the type of responses as shown above on this issue. It should trump all the ICANN / Tucows court cases on the subject of privacy to date.  The following article makes for quite an interesting read and we quote from this CircleID article by Michele Neylon:

ICANN vs EPAG/Tucows: Tucows Releases Statement on What They’re Doing and Why

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

We leave it to the reader to ponder this statement, weighed against the reply received. We are more than sure that ‘Migration Documents’ at ‘Brandenburg, Brandenburg in Bremen, Germany‘ will not be held accountable, no more than Yogi Bear in Yellowstone Park (buried in the annals of ICANN). We are sure the authorities also won’t be grateful for this great domain registration record, once due process has been followed and the waste of their precious resources.

So much song and dance about five domains? Surely not? All the time and money spent, would have been better spent in understanding the nature of Cameroonian fruad. The Brandenburg registrant is most likely a bit south on another continent in another country. The very problem and parties that were allowed to destroy the legitimate pet trade online, as highlighted by a US BBB report, is also responsible for these types of frauds. We only have to search for “undetectable counterfeit money” on Google to see over 200,000 results, many linked to bespoke domains. Enter registrar responsibility. This problem is just as pervasive as pet scams. Ditto “fake/real” passports and other government issued documents. Likewise other forms of abuse that have the authorities reeling from dya to day, overwhelmed by cyber crime complaints and reported losses ever increasing annually.

Newflash: Apparently certain Registrars and contracted parties don’t read the news. Law enforcement is overwhelmed with all the cyber fraud and can impossibly attend to all the fraud on the net. Yet this attitude allows even more DNS abuse to happen, worsening the problem. Allowing invalid registration data into the system, then hiding it in the name of the GDPR for a fake business,  even less so.

Certain ICANN contracted parties are quick to absolve themselves from responsibility. They do not want their cash cows to seek refuge at a competitor. Law enforcement is made the scapegoat and given the responsibility to clean up all this abuse on the net and for failing to. The consumer count mounts daily, victims that will never see justice or restitution.

Why are registrars absolved from responsibility for the problem. Making law enforcement responsible for consumer protection in DNS abuse is inappropriate. At best law enforcement is mitigation after the fact of harm done. Law enforcement is bound by jurisdiction, law enforcement needs a victim report, law enforcement has to measure loss vs potential for success, cost of prosecution etc, all belying  the self-serving ICANN logic.

Why all the bottoms-up processes if they are not implemented in reality and can be gamed? Why ask for community involvement to develop processes, but to then allow violation of such? Is ICANN looking for disciples, or true balanced input and a balanced result?

Currently turds are being gold-plated, wrapped up in gift wrap and worshiped. But once we remove the wrappings, it still remains a turd. Why wrap clearly malicious domains in pomp and due process? It serves nobody except a select few in self blinding or profiteering by nefarious actors and a rush-to-the-bottom self-destructive model for the internet to the detriment of consumers. This undermines the very credibility of the internet.

What protection does ICANN and it’s contracted parties offer the common consumer, the natural person?
Advance Fee Fraud: Content Issues or DNS Abuse? Tue, 22 Jan 2019 18:34:57 +0000 Read More Read More

All to often we see people that should know better, claiming that Advance Fee Fraud (AFF) is purely content issues. A while back a senior person at a company offering security services, which includes email filtering, expressed his surprise that AFF uses bespoke domains to defraud.

More recently a community member of ICANN denied that domains and DNS abuse is seen in consumer facing threats. When he was shown such, he was surprised.

What is DNS?

DNS is an abbreviation for Domain Name System. A domain name is a name that is registered and is used to link to various resources on the internet such as a website or an email server. If a user sends an email to somebody at a domain name, let’s say, your email system will look up the internet address for the email server for and then forward your email to this address, commonly called an IP address. Likewise if you go to, your system will look up the IP address of, then fetch the content from this address using this domain name. We can also have a sub-domain. If you go to our database, you will type in Sub-domain can be at the same address as or a different address.

To partake in this system, called the DNS system, you have to obtain a domain name through a registration process. While certain providers may give you such a domain name for free, typically these names are not as wanted as they have less desirable domain name endings, called Top Level Domains (TLDs) due to abuse and credibility. Other domain names in TLDs such as .com, .org, .info and the more popular ones typically have to be formally registered on an per annual basis. This registration is via Registrars and controlled through ICANN (Internet Corporation for Assigned Names and Numbers) who sets the policies and procedures for such registrations which the Registrars have to abide by. These policies are found in a documents called the Registrar Accreditation Agreement (RAA). This policy includes supplying valid and complete registration details. There is also a clause which states that the person registering a domain name shall not use it directly or indirectly in a manner which infringes on the legal rights of any third party.

Protection Mechanisms

There is an acknowledgement that a domain name may infringe of the rights of a brand name in trademark issues. The mechanisms to deal with these can either be court processes (extremely expensive), or a process within ICANN called the Uniform Domain-Name Dispute-Resolution Policy (UDRP).

Various dispute providers are listed and, if the complaint of a rights holder in a dispute is found to be valid, the domain name will be transferred to the complainant. The cost, although faster and cheaper than a formal court procedures, is not free.

For domain names registered in some of the newer top level domains, a newer equivalent procedure exists that is cheaper, called the Uniform Rapid Suspension (URS).

These two mechanisms essentially address commercial issues which companies may face. These are not directly aimed at protecting consumers.

Consumer Protection

While much has been said about consumer protection in the domain name system, ICANN considers any form of consumer protection to be beyond their remit. This view is made extremely clear on ICANN’s page under an article titled ICANN Is Not the Internet Content Police. Much as this article may make sound sense to the unenlightened who has never had to deal with internet fraud, it still does not address where DNS abuse starts and what is not merely content issues.

Many innocents consider illegality on the internet to purely be in the gambit of law enforcement and the courts. ICANN follows this same logic. Due process is a word commonly used (abused?) with little understanding of the constraints of such processes. The ICANN article mentions issues of illegality that may not be illegal in another country. We are not talking about those types of activities when we look at AFF. We are not trying to stop free speech.

Advance Fee Fraud is illegal internationally. Yet unlike spam, phishing and botnets, there is no recognition for AFF at ICANN. Yet AFF is a global plague on the internet and the forerunner of Business Email Compromise (BEC), sometimes going hand in hand with it, with the same groups being involved in many cases. This has created a separate industry where domains are part and parcel of the offerings of the parties facilitating AFF. These parties are both downstream hosting providers and domain name resellers.

Advance Fee Fraud is not Phishing!

Many ignorant parties conflate phishing and AFF. It’s not uncommon to even see UDRP decisions being won where a domain name was abused for AFF, yet the complainant claims the defendant (who normally never defends the case) was imposing on their brand to target their clients in phishing attacks! Not true!

While it would be easy mitigating fake bank domains being used in AFF and spoofing a bank as phishing, it would be unethical. We recently again saw a news article “Man who targeted Colorado women in ‘Nigerian romance scam’ arrested” stating:

“He convinced two women in El Paso County to send him money in excess of $78,000 between April 2017 and February 2018, and he used fake bank websites to convince them he had the means to pay them back,” the sheriff’s office said in a statement.

Such a fake bank may not even spoof a real bank, but may be a totally fictitious bank. While a spoof may be mitigated by the real bank owners using UDRP or URS processes, acting as a proxy for consumer protection, this rarely happens, whereas it does not allow for more fake banks impersonating other brands such a party may impersonate. With a totally fake bank there is no such protection for consumers in ICANN processes currently.

In a recent incident, more than 250 associated domains were found belonging to one party. Using the ‘phishing mantra’ would not have worked and would never assist in understanding what was uncovered. While a single domain spoofed the Bank of America, the exact same content was used with another domain and the fake bank name and logo was changed to create a new fake brand. This could not be seen as phishing. Further we saw fake couriers, that are hardly phishing, being used. These fake tracking systems to complete the illusion of being a real company. Bogus couriers have become extremely insidious in AFF. We only have to look at the phenomena of the infamous Parcel Scam. This type of fraud has also been responsible for enormous losses leaving victims destitute, especially in the Far East:

Victims of the parcel scam, he said, were usually women who were single or single mothers.

It would also be difficult explaining fake oil company websites on bespoke domains and even fake veterinarians as “phishing”. Yet they are all deliberately created to complete the illusion, a stolen photograph placed on the director or staff page, the very supposed person the victim is talking to. This is not phishing, yet it is malicious. Fake attorney websites were equally found in this scam nest. Many were stolen websites, copied from lawyers in the Mediterranean, given a new name, posted on a bespoke domain, then abused to further the illusion. This is not phishing either. Yet all these domains had patently fake registration details. The domain names were all carefully and deliberately selected to complete the illusion in a role play to defraud consumer victims. More to the point, the content was designed by the same party, a hosting provider who was also a domain name reseller.

Domain Names Solely for Fraud

Let’s consider a malicious party registering a domain name with the sole purpose of defrauding consumers with such a domain name. The domain name is carefully chosen based upon the type of fraud he wishes to commit. During the registration process, this party registers the domain with inaccurate or fake registration details. Once registered, he hosts malicious content on a hosting account using this domain name. He may even go as far as to use sub-domains to hide the content from casual scrutiny, yet supply the hidden sub-domain name and associated content to victims. Likewise he can set up an email server with email accounts linked to this domain. Having access to the DNS of the domain name, the malicious party can further undermine trust mechanisms intended to avoid abuse in email messages, using mechanisms such as SPF and DKIM, meaning there is less chances that the mechanisms designed to protect users from abuse will be triggered. The malicious party can now even abuse DNS based SSL authentication mechanisms (the little green padlock) to further exploit the confusion that exists between trustworthy and secure.

If the hosting provider suspends the hosting account associated with this domain, the malicious party has thousands of hosting providers he can chose from and where he can change the address to. Likewise he can alter the DNS records to change the destination for all emails.

What are these domain names used in this way but abusive? All the promises made during the registration process are deliberately violated, these domain names have no legitimate purpose and are intended to undermine the rights of consumers in fraud. How can this not be DNS abuse?

These are the types of domains Artists Against 419 has been listing and reporting since 2003. The usage is illegal globally and they have zero rights of existence in a healthy DNS ecosystem. While abusive content may associated with these domain names, the abuse is drivenfrom the DNS level. If a domain can survive 27 host suspensions to re-appear again on yet another host, how is this not DNS abuse? If a Bank of America spoof can be host suspended, the associated web page disappears and the DNS records rapidly changed to a professional email provider to facilitate further fraud with bespoke email addresses, how is this not DNS abuse? If a vehicle escrow fraud domain can continuously hop around to be re-hidden 19 times on different sub-domains with zero content on the index page, how is this not DNS abuse? How do we stop email fraud if the SPF record is set to ‘+any‘? If fraudsters have free reign at DNS level, the enemy is within the DNS gates.

We have long surpassed the old “content issues” definition here. It should be laid to rest when it comes to Advance Fee Fraud. BEC, at the hands of the very same parties, has long since proven this defense well past the point of self blinding.

]]> – Slizzy Slimzy: Why Your Motorcycle Will Not Arrive Sun, 04 Nov 2018 21:54:17 +0000 Read More Read More

Would you trust a Nigerian rapper to successfully run a diverse US and Indian located portfolio of businesses that sells electronic devices and motorcycles, as well as several logistics companies and banks? If your answer to this question is a resounding “no”, then you may have potentially just saved thousands of dollars.

By typing the email address into a search engine, to the untrained eye it is possible to see evidence of a “young, talented Afro hip hop artist” Slizzy Slimzy (as described in his social media profiles).

What is also clear is the fact that the hip-hop artist is not as “hard working” as he claims to be and is in fact dipping his toes into a more insidious past-time, advance-fee fraud facilitation. A clear first indicator of this is the sheer number of ScamWarners posts that lists the email address as being registered to a plethora of fake websites that are claiming to sell a variety of products, as well as several shipping companies that will ensure the “products” reach customers in a timely manner (or not at all).

To examine the full extent of the abuse, it is a simple process of pasting an email address into a few free online tools that can indicate the domains he has registered.
Now it is possible to categorise the domains Slizzy Slimzy has registered:

Motorcycle stores:

Tech stores:

Fake couriers:

Fake banks:

It is important to note that Slizzy Slimzy has not activated all of the websites yet, these are simply registrations. AA419 has enthusiastically catalogued and ensured that each active website has been swiftly brought offline. For the list of websites that Slizzy has actively used, it is a simple matter of checking here:
We have been adding to this list almost daily.

Now that the domains themselves have been identified, it is possible to establish how the Slizzy Slimzy syndicate is defrauding consumers in the USA and India – where these so-called “online stores” are claiming to be located. The scam begins with an unsuspecting victim innocently placing an order, paying for the product in advance of course. The scammer will, in-turn, graciously accept the payment and in an effort to exploit a further fee will provide a “suggestion” for a shipping company. The victim will consequently be required to pay the shipping and insurance fee for the product. Of course the product will never arrive and the scammer has hit pay dirt, with victims having potentially lost thousands of dollars.

AA419 seeks to catalogue and remove fraudulent websites at the first opportunity. In the case of Slizzy Slimzy, we have had the opportunity to work almost daily on this ongoing project due to the frequency of abuse. It is unclear whether the Slizzy Slimzy syndicate will stop in the effort to defraud consumers, but we will remain vigilant and with the patience to catalogue every new website that is active.

Avast highlights the failing in consumer protection Mon, 13 Aug 2018 17:45:34 +0000 Read More Read More

Sometimes we can learn a lot from what experts in their field of operation publish. Ironically we saw this yesterday again when Avast, a large anti-virus vendor, quoted an article by John Wasik on Forbes:

All online scams have one thing in common: They want to tap your greed to get at personal information they can steal. These “phishing” ruses are happening 24/7.

A typical banking scam will ask for information so the scammer can access anything from your credit cards to your checking account. Never reply to these emails.

What we learn here is how anti-virus vendors are failing consumers, using non-authoritative sources to blindly drive campaigns. We can understand why Advance Fee Fraud (AFF) is at an all time high. We can understand why BEC has grown to one of the top business facing threats. But does opportunity arise from this ill thought out post?

Avast Facebook post
Avast Facebook post

Let us first understand what was said an why the assumptions made are patently wrong.

All online scams have one thing in common: They want to tap your greed to get at personal information they can steal.

There are many online scams. Which person using the internet to shop, hunt for a bargain, has not come up against a fake shop or business? This shop will offer various goods, typically high value goods, at a slightly lower price than average market value, or scarce items hard to come by. Verification, in a due diligence attempt by the consumer, may well fail since business impersonation is rife on the web. It’s not uncommon to find the brand name of a known company reused, their address reused,  sometimes even their company and tax numbers. As any real security expert will know, the SSL certificate is commonly abused to establish trust. A perfect consumer trap. Where would the greed be in purchasing from a shop like this,  perhaps even resulting in the consumer getting his credit card details stolen? Artists Against 419 has been dealing with this issue for the longest of time.  The Japan Cybercrime Control Center (JC3) and the Anti-Phishing Working Group (APWG) most recently also released a report on a vicious form of this type of fraud. This report also states:

Given this situation, JC3 has been providing APWG with the URLs of “Fake Stores”, however, only some APWG member companies adopt the URLs to display an alert on users’ PCs, because the “Fake Stores” don’t meet the APWG’s core phishing website criteria.

Therefore, in the near future, it is expected that APWG should establish a new definition of “Fake Store” as a harmful threat for users. It is also expected that more APWG member companies leverage the URLs of “Fake Stores” that JC3 has been providing to APWG, in order to use in their alerting systems to protect users from the threat of “Fake Stores”.

Why was it necessary for this to become a crisis if we have known about this risk since at least 2003? Why has this not been protected against at any AV vendor’s package claiming to be protecting the consumer? As the report states: ‘because the “Fake Stores” don’t meet the APWG’s core phishing website criteria’.

Another salient point the report makes is domain abuse:

Infrastructures including IP address and domains used for “Fake Stores” are characterized by the following points.

  • Common IP addresses and email accounts are used for many domains used for “Fake Stores”.
  • While criminal groups seem to get hundreds of domains at the same day, these domains are used for a month or a couple of weeks at shortest.

Ironically domain abuse has been one of the most devastating threats to consumers and to date, largely ignored. Domain abuse is acknowledged in other areas, but not in consumer facing fraud. Most recently all domain registrations became subject to GDPR provisions, hiding domain registration details. Consumers have to rely on other parties (who are failing them) to do proper checks on at least some basic level in terms of domain registration details supplied. Such is mandated in policies and published. Yet we find it’s not being done! These are not isolated cases either.

Taking this one step further at showing why greed is not a factor: one of the most dangerous consumer facing threats is the common fake courier and variations thereof, also the fake escrow. These fake sites may either be bespoke fake companies or impersonating real companies. They are most definitely not phishing either. While phishing normally uses spoofing as a tool for stealing details such as bank credentials etc, not all malicious spoofing is necessarily phishing (simply put: all cats are animals, all animals are not cats). They are not necessarily out to steal your personal details, rather your money. The clues have been around for the longest of time, which some the experts chose to not understand in an unforgivable lack and betrayal of consumer trust. Let us consider a spoof of DPD Couriers. DPD Couriers has for the longest time used mechanisms such as UDPRs to mitigate spoofs of themselves. Yet their name is now once again abused in vehicle escrow fraud as extremely well documented by Scam Survivors after a consumer was targeted.  This posting most certainly shows the usage of malicious non-phishing websites many security experts will not even recognize, that of a fake dentist (previously Wikipedia was spoofed for this purpose). Any consumer trying to research this will be faced with a domain registered with Namecheap’s WhoisGuard proxy protection. A verification of an official business as suggested by the Berlin Group (emphasis in red that of the author) does not always hold true:

“7. Commercial data which may be disclosed must not include personal data.
While recognizing that commercial entities have less or no protection under data protection law than individuals, we recommend that ICANN acknowledges that commercial data may also include personal data. In its WHOIS-policies, ICANN should take into account that contact data from small business, sole contractors, home businesses and start-ups may be personal data. Secondly, ICANN should develop a procedure to distinguish between public contact data from companies and personal data from individual employees working for companies. The IWGDPT notes that businesses engaged in electronic commerce are likely to be regulated by national or regional law, in which case it is often mandatory for them to publish contact data on their website. This is not a role for ICANN or the WHOIS.

This discounts business owners not having to list certain details on all websites internationally, nor brand owners like banks and other companies not retaining the main brand affinity, rather using product domains as marketing. A real company may register a domain for each of their products, market the product from distinct websites. This creates the ideal environment for fraudsters to add another (fake) domain and website. Studies have been done by the likes of ICANN SSAC showing how malicious domains preferred proxy protection. This was ignored to the detriment of the consumer.

Yet the Berlin Working group advice was also held out as an unofficial measure for the GDPR implementation in the ICANN Whois discussions with the European Article 29 Working Group. The adoptions of this into ICANN policy was a failure at many levels undermining consumer rights and privacy in the AFF field. Not once does the Berlin Working Group acknowledge the massive DNS abuse of AFF. Not once does one of the corporations/protection rights groups say anything regarding DNS abuse in AFF targeting consumers, unless mentioning consumer protection and phishing in terms of their own interests. The GDPR meant to protect the privacy of ordinary consumers has now been turned against ordinary consumers in AFF and we’re seeing this more regularly. ICANN is not willing to take up the AFF challenge this far and recognize this type of DNS abuse. Certain registrars have most certainly been long term mitigators, likewise some registries. Other registrars and registries chose to pass this off as outside their mandate and rather focus on business at all costs, even if it is with malicious registrants.  Bullet proof DNS provision is a reality in AFF.

This is the background as to why a consumer is left with the impression they are dealing with a legitimate courier providing an escrow service to purchase a vehicle. A check on official government websites will show DPD Courier exists. Depending how users access the website, they may even encounter the little green padlock in SSL abuse. Surely it must be legitimate?  It even passes the anti-virus package browser check. Yet this is not, they are dealing with yet another escrow fraud domain shielded by registrar Namecheap (extremely well known for allowing these types of abuses).  Most anti-virus packages will gladly pass the consumer to this website, be happy that there is no consumer threat at this URL.

This type of escrow fraud has nothing to do with greed either (unless at scammer, and registrar and registry level for some). Nor phishing, it’s not the goal of the fraudster,  any abused consumer details is incidental. Buying and selling is a normal part of commerce on the web. As such we need to ask, is it fair to go into a victim blaming exercises here, more specifically by a company claiming to be “Protecting your digital life”? It most certainly is not.

Such an escrow/courier may not spoof a real company either. Where does this leave the “advance fee fraud phishing” confused experts? Let’s consider another vehicle escrow scam template extremely prevalent and using Namecheap registered domains with their free blanket WhoisGuard protection they offer, currently also called trdcorporationvehicles[.]com:

This scam is extremely distinctive. Any party caring about consumers would have long since flagged it. It’s implementation leaves a fingermark as wide as a mile. Any advanced threat protection mechanism could block it. We note the fake symbols of trust and affiliation. Yet it massively targets consumers in Canada and we regularly list it, example (mass DNS abuse with sub-domains). So much for promised consumer protection.

We need to ask what threat value a (non-spoofing) fake courier has in fraud? Does it rely on greed to succeed? Last year Delta Airlines  launched a John Doe lawsuit against pet scammers impersonating them.  It took the likes of the US BBB and Mr Steve Baker to expose how prevalent pet scams were. Even so, the security community selling consumer protection products is fast asleep.  Verifiable evidence is available to those caring to look, to discover how the same parties spoofing Delta Airlines, are using other non-spoofing couriers as well, once again in a thumb print a mile wide.  Is it any shock to discover these same parties also target consumers in drug scams? Before adopting the druggie victim blaming tangent, consider laws exist under which certain substances may be purchased for good reason. This is how cancer patients are regularly targeted, then end up facing extortion. There is a reason the FDA and the DEA published alerts on spoofing and extortion. The incumbent registrar Namecheap chose to distance themselves from this fraud as only being a registrar.  Their reseller in India closes tickets without responding. We have even recorded spoofs of the DEA trivially used in extortion! Most anti-virus protection packages are happy to accept these as safe in a false negative.  Is any party going to the trouble of obtaining a legal medial certificate to purchase marijuana for legitimate purposes, that of seeking relief from the symptoms of cancer, now greedy? How is this phishing? This is not! Yet uninformed opinions abound and ignorance is bliss.

Fake DEA Alert
Fake DEA Alert

Another usage of the fake courier is sending packages used in the infamous romance scam linked “gift scam”. Victims to fictitious partners on places like Facebook are groomed and led to believe they are in a relationship with a real person. All types of problems arise, many of these ruses are using fake websites on bespoke domains our traditional security vendors do not even recognize; an energy/construction/avionics company, a fake petroleum company with a bespoke login panel where accounts are pre-populated with fake contractors with a million or two outstanding to them, no phishing involved. Likewise fictitious banks that may or may not impersonate a real bank’s brand, some using stolen bank websites with logos and names changed.  Others are bespoke. Accounts are once again pre-populated with fictitious names and amounts, typically millions. Even the US Army is similarly spoofed, registered and hosted in Russia at a bulletproof registrar. The victim is shown these fake websites when the fictitious scamming partner needs to borrow a few thousand dollars as not being able to transact himself for some reason, or showing the monies outstanding to him yet to be paid. The scam relies on the goodwill and illusion he has spun in the mock relationship; he uses these instruments of fraud to convince the victim it’s okay to borrow money as he is good for it. In the process promises are made of marriage and other like romantic proposals. The fraudster sends a parcel to the victim via the fake courier – except we find there is a problem; custom fees, penalties and a myriad of other types of fraud. Where is the phishing in this? There is none. Where is the greed in this? There is none. We only see misplaced trust and caring, the very elements that makes us human. Is this worthy of victim blaming and shaming?

Media reports have been largely sensationalist on the this phenomena. Reporters want victims to tell their version of a story, but only if it fits into their pre-written script as related to them by parties which are not subject experts. Who makes better victims? The elderly as the media would like us believe? Or people in their twenties as others would have it? While they quote romance scams and military scams being at an all time high, the detailed underlying mechanisms of the fraud are not mentioned, it’s just another story to sell. Only on deeper investigation by real serious experts do we find how this all links to BEC and other similar AFF.

Such was a report earlier this year by serious players in the field, Agari, who did not follow the popular mantra of knowing it all, repeating myths of ill understood advice, rather researching: Behind the “From” Lines: Email Fraud on a Global Scale.

This report clearly mentions the link between AFF and BEC numerous times and is well worth the read, example:

Examination of the attackers’ activity shows that BEC scammers are involved in a whole host of other scams. Historically, these organized crime groups have engaged in romance scams, but more recently BEC attacks have emerged as a more lucrative and successful approach.

Even as these criminals have taken on more sophisticated attacks, they have continued romance scams. We believe there are two reasons for this. First, they provide steady cash flow to fund the criminal enterprise while it goes after larger prey. Second, they allow the gang to generate a continuous supply of new money mules who they depend on to retrieve their funds.

After an Australian citizen  ended up being victim to a romance scam and an unwitting drug courier, she is now facing the death penalty. While Artists Against 419 most definitely does not condone drug trafficking, our sympathy goes out to this victim. There is little understanding at senior (and supposedly knowledgeable) levels as to the full nature of romance scams, how everything around such a victim is twisted and perverted on the net:

Exposto had said she went to Shanghai to meet a U.S. serviceman with whom she had an online romance, and had been asked to carry a bag full of clothes. She said she was unaware that the bag also contained drugs.

Another serious piece of research linking these human rights abuses and organized criminality, is a paper published by Crowdstrike. It mentions:

Black Axe gangs are involved in a multitude of organized crime ventures such as running prostitution rings, human trafficking, narcotics trafficking, grand theft, money laundering, and email fraud/cybercrime. These activities primarily take place in Nigeria, and they also are conducted by Black Axe members (known as Axemen) in Europe and North America.

Exposto was not phished. She was turned into an unwitting drug mule. Most likely victim blaming will be in abundance by the ignorant, some even being IT security experts. We have no doubt she even had an anti-virus package on whatever medium she used to communicate. Can we then really blame the Millions of older Aussies missing out over ‘fear’ of the internet? Who are the players to blame for these failures? Law enforcement? No, they are the garbage can we throw the victims to after they become victims, it’s easier making it somebody else problem while holding yourself blameless. At best law enforcement mitigates where failures in earlier protections occurred. How is this consumer protection?

Is it coincidental that BEC is now targeting consumers? Not really, understanding that BEC originates with AFF and these bad actors are forever expanding their net, sometimes returning to the target group where they obtained their training wheels.

It’s also no surprise to see Malaysia mentioned in the arrest report. One facilitating party in AFF who we will mention by name, Henry O Njemanze, massively facilitated romance scams in Malaysia. Using about a 100 websites, this party and the syndicate targeted about 15,000 (fifteen thousand) people at about a 60% success rate, the victims predominantly being in the Far East, young single mothers. Their sin was not greed or being victims to phishing. They were merely trying to use the internet to learn more about different cultures and make friends. However they were set upon by fraudsters like a pack of hyenas with fake profiles, then targeted.  Well defined fake courier websites were used in systematic DNS abuse that started at domain reseller level for bespoke courier-like domains, to be published using reseller hosting facilities. In an audit, Henry’s domain account was found to be hundred percent fraudulent domains, apart from his company’s own domains, OBJAC International and Data Host. The incumbent upstream registrar took a dim view of this abuse and immediately terminated his facilities after substantiating the facts. Henry tried making two more comebacks at this registrar, but unsuccessfully. Henry then ran to Namecheap where he found registrar sanctuary. He is still welcome at his traditional hosting provider in Europe.


Despite many efforts at outreach via numerous channels, the Malaysian authorities have remained silent on this issue. Yet the existence of the Faker Makers was first documented, proven and immortalized in materials used for law enforcement training as far back as 2007, an issue Artists Against 419 and other groups easily discovered in 2003 and why Artists Against 419 exists today. Empires have been built upon this trade in fraud facilitation and it continues. Why? The diagram used in our article on this role player in advance fee fraud is essentially the same one created for the original materials at the time in 2007. Most recently the Crowdstrike report reiterated the cybercrime syndicate structure in an independent study:

These zones typically have a commander or crime boss referred to as an “Oga”.

In terms of eCrime, the Oga directs the scams and provides direction to his team. These teams are composed of spammers, catchers, and freelancers. Spammers acquire email lists and operate advanced mail systems. The catchers monitor the responses to the spam campaigns and make first contact with victims (known as a “magas”) in order to advance the scam. Freelancers perform additional duties such as assisting with romance scams, acquiring and developing infrastructure, and creating fake documents.

This tallies with the syndicate structure we described as far back as 2007, except the Faker Maker becomes the contractor in their description, but Crowdstrike’s description is not inaccurate either. In the past year, parties in India have been uncovered facilitating the propagation of fraudulent AFF websites and registration/hosting activities, both in the 419 and Cameroonian fraud spheres. What was at first thought to be a party from West Africa abusing a fake identity in the more traditional role, was later identified. This proved AFF was evolving and growing. These facilitators are an insider threat in domain reseller channel and at hosting providers, undermining the net. They make out not too shabby clients, supplementing registrar profits and account for much domain churn. Likewise in the hosting channel. It’s not uncommon to find vast infrastructures of fraudulent websites migrate between hosting accounts. It is understood why these actors are offered protection in plausible deniability excuses from the relevant providers. Money talks.

Palo Alto Networks Unit 42 also incidentally points of this hosting and domain abuse issue in their SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE report. While this report focuses in the incidence of malware in BEC threats, we have already seen other consumer facing threats making out part of this landscape and is also mentioned in this most worthy report. In their study they mention:

Among the list of actors are those who pursue cybercrime as a full-time activity; those who provide enabling activities, such as web hosting or domain resale; and those who own a mix of legitimate and fraudulent domains. With the latter, we assess that many such  actors view cybercrime as a means to supplement their legitimate income, as they most often maintain employment with organizations in the technology, education, media or music industries.

These observations tallies with our own, although in a different sphere of 419 operation. Any serious cyber security expert wishing to fast track on AFF and malware needs to read this report as well. It bears testimony to the fallacy dumb Nigerian Princes and dumb victims, where a supposed expert has collected a few scam emails, then deciding victim blaming is appropriate.

Europe has become the target of a growing number of loan scammers from Benin, West Africa. Even now we are mitigating a known bad actor once again. Increasingly we find victims to romance scams, or scammed businesses, having their private details leaked on AFF websites.  In a period when the GDPR has has the predictable unintended consequences of being abused in AFF, cyber-criminals are forming coalitions.  Yet the EU Foreign Affairs Council rejected attempts from Interpol in a consolidated approach at cybecrime:

The UN’s Group of Governmental Experts (UN GGE) tried mightily to convince governments that cooperation was the key to successful cyber-defense. However, that effort was rejected by the  EU Foreign Affairs Council, which took issue with how national sovereignty applies in cyberspace, how aggressive a country can be in its cyber-defense strategy, and whether or not international humanitarian law applies to cyber-operations.

At this stage we’ll just leave it at how many human rights there are and the rights of one party may not be to the detriment of other parties, a foundation principle of humans rights norms. This ill fated decision and lack of real consumer voices at a time when it was most needed, is a massive failure in terms of protecting human rights.

Meanwhile general consumers are facing threats emanating from Nigeria which is largely unchecked (as has been confirmed by three parties the past few months, the last time last week) where Artists Against 419 deals with authorities and like.  Despite continuous promises to clean up the mess from Nigeria, such efforts rapidly disappear into oblivion. Punishment is for the perpetrators without friends in high places or who don’t bribe officers. It no surprise to read this in the previously quoted SILVERTERRIER report:

For example, these actors take little to no care to remain anonymous. The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google®, Facebook®, MySpace®, Instagram®, and various dating and blogging sites. Despite the passage of laws prohibiting fraud, scams and other illicit activity, the culture in Nigeria remains permissive of cybercrime, and widespread enforcement of the laws has yet to be observed.

Yet the grandstanding abounds.  Most recently researchers discounted the value of WHOIS details prior to trying to implement sanity into the GDPR-WHOIS discussions. Is it no coincidence that AFF and hard drugs keep on cropping up emanating from the same circles, or that victims are used as drug mules, just as we see in BEC and AFF mules. To these predators, the victim is no more than a commodity item to be used and abused and pimped out for personal profit. Who is protecting the consumer? Where are the human rights in this? Yet the experts in privacy chose to ignore this, further undermining basic human rights even as this was written.  It’s grossly unfair to embark on victim shaming against this background, more so if perpetuated by a company claiming to protect the consumer.

What Advance Fee Fraud is not, phishing!

A tip straight from the trenches: any party mentioning Artists Against 419 fighting phishing, or confusing phishing and AFF, is no expert. Leave and do something more constructive. Your time can be better spent feeding ducks while sipping a beer or a cup of coffee. Phishing and advance fee fraud are two separate threats. We escalate phishing to other parties that are experts in their fields. While a member or two may be involved in some other activities in the phishing sphere, having mitigated and assisted in those fields, the focus of Artists Against 419 is Advance Fee Fraud, not phishing. Ironically we find numerous supposedly authoritative peer reviewed studies describing us fighting phishing. Once such was found using this misguided understanding of the threats to criticize why it’s dangerous doing what we do, fighting phishing the way we do. Peace sister …

Generally phishing is impersonating a party to obtain credentials or other details the victim has, to then abuse it further, typically impersonating them. The idea is stealing information for abuse under false pretenses. We might see this where malicious actors send victims an email, pretending to be from the victim’s bank. They may further lure the victim to a website where the victim finds a copy of his bank. The victims enters his details and his credentials are stolen. This is a massive problem for banks where these criminals empty the victims account, leading to much distrust. Huge campaigns and efforts take place on various levels to protect against this. We only need to think of the APWG, NetCraft, Phishcops etc.

But what if a bank is spoofed, where a bespoke crude accounting system is bolted on, loaded with accounts and fictitious amounts? This is called flashing in 419 spheres. No credentials are asked of the victim. Instead the victim is given the credentials, or that of a fictitious partner (as mentioned earlier). In essence this spoof is not a phish, although still a spoof.  This bank may equally be a bank with content stolen from a real bank, but with name and logo changed. It may even be a totally bespoke bank. Likewise a bespoke synthetic fake bank template may suddenly be called Bank of America.  While the name of a real bank is used and perhaps commercial rights are abused, this is secondary to the primary 419 goal where consumers are the primary target and not the brand abused. This has been described in an article called Phishing sites vs Fake 419 Banks we published in an educational attempt. Much research matter exists to back that up. It’s not uncommon though, to see exposed 419 domains that have outlived the usefulness, abused in BEC-like phishing attacks, but that is not their main purpose. Consider yourself using a key to open up a box – the key is merely a tool that can be used for the purpose, although it has a different primary purpose.

Typically phishing happens on a compromised website, unlike the AFF domains and websites we list. AFF happens where the malicious actor registers the domain, populates it with content, having full control of this domain at all levels and can trivially abuse it, making any host based mitigation moot. A typical cure for phishing would be contacting the website owner or hosting provider, a vulnerability is fixed and the threat is cured. Phishing domains are also sometimes registered domains. Likewise a compromised website may be used for AFF, although this is extremely rare. Artists Against 419 does not list breached hosting accounts which are abused for AFF, we rather follow phishing mitigation techniques. The only exception was one breached website where the owner did not have time to fix the issue as was continuously promised for more than two years. At this stage we decided the owner clearly did not care and was no longer a victim to this fraud, rather perpetuating AFF through inaction. The website was listed and the upstream registrar and hoster was contacted with a long and full report on the events. The domain was suspended. Each rule has exceptions and a full understanding and situational awareness is required to evaluate what is being seen. Much fallacy exists in the AFF field.

Just as with a fake bank, any sector of the commerce can be spoofed or imitated. Conventional cures exists for copyright and trademark breaches, yet these are incidental in AFF. The fictitious bank is as dangerous as any other AFF website. We have discussed fake couriers. What about a fake lawyer website? Who needs a (fake) lawyer to look at his best worst interests? Consider the fake lawyer website Al Fatah Law Firm mitigated at hosting level, while the abuse starts off at DNS level: Yet conventional wisdom blindly subscribed to, would have this to be content issues as dictated by experts that never made a study of AFF. Such wisdom saw this website rehosted 27 times. Surely a website active for 4 years must be legitimate? Knowledge based intervention saw this domain being correctly reported and suspended. This was never was a hosting issue to start of with.

Ironically, many AFF websites are accidentally listed as phishing – accidental consumer protection under the phishing banner. While it’s tempting to use an easy phishing excuse to mitigate certain threats, it undermines understanding of the real threat and other associated threats and risks associated with AFF.

Mitigating at hosting level for traditional AFF is akin to putting a bucket under a leaky roof. Rather fix the roof or be doomed to be forever emptying the bucket, while the surrounding roof trusses silently rot. The consumer’s roof trusses are silently rotting, along with his security. So do we blame the victim when conventional wisdom is not knowledge based and quite frankly lazy, an exercise in passing the buck? “Make it somebody else’s problem, not mine” is all too easy. Do we want to chase shiny things like profit, selling to consumers claiming to be protecting their privacy, but not really protecting them, or taking time to understand their distinct threat landscape? Is this aimed at certain anti-virus vendors? Or perhaps certain registrars?  It’s all to easy hiring an actor and scriptwriter to publish articles on security and make a total mess, as we saw a while back at a certain registrar. Just act it out. It would have been comical if it was not such a serious issue.

Once again we will explain the threat landscape the common consumer faces.

Governments spend billions annually in cyber protection. They hire/poach the brightest minds. Law enforcement is there to protect breaches of the laws. They have the legal system on their side. Yet they fail from time to time and we read about those in sensationalist news articles. Yes, sometimes they are stupid in the things they do in hindsight. But then again bashing any party failing at cyber security has also become extremely popular in both the media and at the hands of other security actors.

Commerce has even a greater set of threats and protection. Equally large budgets running into billions of dollars are available to this sector, budgeted for and spent. Once again top security sector actors are employed. Brilliant legal minds are hired to protect them. The security sector is also at their beck and call for a slice of the action in a self fueling market.  Yet they fail. Once again the media and the other security actors are around to laugh, use it as an excuse to peddle more of their wares and services.

Meanwhile back at the ranch, Average Joe or Plain Jane who is the average family member each of us has, simply wants to watch a movie on Youtube, or perhaps spend some time with a Facebook friend or even check up on their bank balance. His or her protection? An anti-virus package. In many parts of the world they can hardly afford the bandwidth associated with the regular updates. The results are quite predictable. What chance does the average consumer have of staying safe where government and corporate networks fail, potentially facing the same malicious actors and threats?

Well done to those kicking this party, the consumer, the least protected and the most vulnerable player on the net. Your right of existence disappears if he disappears. But let’s bully, blame and shame them. There – job done, now you feel clever and self important, you’ve shown up stupidity and greed.

To each and every one involved in this sick syndrome, let’s hope your physician does not adopt the same attitude in your time of need when you may inadvertently skip a traffic sign or somebody else does. Did you not see it coming? Is it your stupidity and need to be in a rush that will be used to write you off?

A sad fact from the trenches: Many victims to AFF are people in the health care profession, slightly disproportionately high enough as to be noticeable. Their real sin is that they could not believe that any party could be as malicious as the one they met, could be allowed to flourish on the net by those responsible for due care in business. In turn the very care givers, who may have wanted to assist a stranger, got defrauded. A such this example is extremely appropriate.

The reality check:

The common user may see commercial threats, targeting his bank account or like – phishing. Anti-virus packages may protect him from this threat. This is the threat where commerce and consumer have overlapping interests, creating much awareness and subsidizing a secondary industry in consumer protection and education.

The average consumer faces threats where parties spoof the likes of the government in tax scams. Government engages, alrts goes out via government agencies and anti-virus packages blacklist. People are arrested.

How many antivirus vendors will blacklist pmkpaperline[.]com selling paper?  Or  petspom[.]us? How many security experts even know they are part of the same set of scams? How many know or have heard of the Cameroonian threat and scams, or the difference between them and 419 scams?  Anything from fictitious pets to combine harvesters are sold (even a refurbished manufacturing plant once), accompanied by massive SEO and social media abuse. Another specialty they have is their ability to spoof real company registrations in forged documents. As such the Berlin Group’s advice was ill timed. They also love imitating other successful online scams with twists.

Let’s just look at the scale of the operations of the owner of petspom[.]us:


1015 domains!? With registration details like

Registrant Name: Morgan Lorga
Registrant Organization: Anonymouse Host
Registrant Street: Down street Rus
Registrant Street:
Registrant Street:
Registrant City: welmshi
Registrant State/Province: North West
Registrant Postal Code: 101000
Registrant Country: RU
Registrant Phone: +7.675552377
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: al.mamarirashidsulaiyam(at)
Registrant Application Purpose: P1

Registrant Nexus Category: C11

Compliance experts Neustar do not care to listen and learn, yet they are experts running this registry for the NTIA. In a previous incident they took three months to investigate a similar party, ended up allowing it despite the non-compliant category and nexus as well as fake details. They were made aware of the above registrant, also that this issue was prevalent  at this registrar. Why is the incumbent registrar given free reign to profit accepting any junk into the registry, undermining and defrauding US consumers? This is not a commercial threat and all is good, or is it? Will an anti-virus package says pass? Are consumers stupid and greedy if they wish to buy a dog?

Another irony is that so many fraudulent domains were allowed into the .US registry, that it has become impossible to monitor the status of all the threats in this registry. Artists Against 419 does a distributed weekly check on each domain abused in fraud during it’s entire life cycle until it finally expires, with a pause between each check, to avoid being seen as abusive in terms of resource hogging. Yet we regularly are seen by Neustar as abusive and denied access with too many lookups. Considering this registry is a thick registry, there is no way to see if the domain is in a clienthold, serverhold, redemption period or pendingdelete status, without obtaining all the data. We are most certainly not trying to steal data and Neustar has no other mechanisms available that allows for safe verifiable access (as was queried).  A special process had to be created to recheck all the failures at Neustar.  Surely any serious player in this field would accept there is such a thing as domain abuse, not self blind to a span of P1/C11 domain registrations (violating policy) from the Cameroon and Russia all abused in the well documented pet scams mentioned before that was demonstrated in the US BBB report. Whose security is Neustar protecting? Miscreants abroad with ever changing fake registrations details, or their fellow US citizens that are the target to these frauds?  It’s not as if ICANN SSAC has not mentioned the problem in SSAC101 of overzealous limiting. So this is a known problem affecting security. While it has to be verified, it appears that too many checks on .US domains also see checks on .BIZ domains impacted. We are recording failures on the odd unpopular .BIZ domains after encountering .US lookup failures. We have requested that our access issue and the inordinate number of non-compliant .US domains be looked at by Neustar Legal. Downstream registrar Namecheap was not willing to do so. No response was ever received. This economic interest overrides consumer interest and rights.

What about evergreenfedbnk[.]us?

Evergreen Federal Bank
Evergreen Federal Bank

Who said “Hold on, but that is phishing”? Wrong – it’s not, it’s 419 fraud. However many anti-virus vendors will use incorrect classifications to protect consumers by accident, further led astray by expert classifications. Of note is the registration details?

Registrant Name: Rae D. Garcia
Registrant Organization: Elek-Tek
Registrant Street: 22 Trehafod Road
Registrant City: BUCKFASTLEIGH
Registrant State/Province: London
Registrant Postal Code: TQ11 1WU
Registrant Country: GB
Registrant Phone: +47.0785640
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email:
Registrant Application Purpose: P1
Registrant Nexus Category: C11

Luckily dhxcourier[.]us is safe for consumers says the experts … except it’s not. The .US registry allows us to see what passed for registration details at certain registrars. These experts are not keeping consumers safe. Domain edexexpresscourier[.]com may have a familiar name – perhaps missing an F – active and scamming since 2015 and host hopping. The logo may also ring a bell for some, even if not quite for others … yes, it’s an adapted USPS Logo:

Stolen USPS Logo

Is this now suddenly a copyright issue and that alone, or part of a bigger threat? Likewise the domain name dhxcourier[.]us may sound somewhat familiar. Anybody noticing patterns? Will it be an invasion of privacy looking at (fake) registration details? If this does bother you (as the privacy experts are now telling consumers and not allowing themselves to protect themselves using WHOIS and actively not allowing it in many TLDs), it’s the same party all along. WHOIS failing, failing the consumer?

More importantly, which anti-virus package is protecting consumers from these? The NTIA appointed experts and some of their downstream registrars most certainly did not. We are now in a blind spot for most commercial protection packages. The consumer is on his own as there is no overlapping governmental or commercial threat interest. He cannot claim any protections in terms of domain policy.

We can illustrate the protection landscape as three overlapping circles, the darkness of the red indicating the threat protection. The private consumer’s protection is mostly by accident in threat identification, rather than by design, in the non-overlapping areas.

Cyber Threats
Cyber Threats

The irony is a lesser know products is. At the risk of sounding like marketing, which we aren’t, it’s worth mentioning the name of a long term acquaintance in the AFF war arena.

Users are free to install the Web Of Trust (MyWOT) browser plugin as 140,000,000 other users did, which will block such known websites.
MyWoT became friends in the 2010 Heihachi/Fake Shopkeeper gang wars which even saw the likes of SpamHaus attacked via DDoS. Just as Artists Against 419 was. This was never an issue to the domain experts which gave these criminals sanctuary. These were criminals that were tried and convicted, as such we can call them criminals. Yet never an eyelid was batted in the registrar community that gave to one of the biggest consumer facing frauds at the time the tools to commit their fraud. This only became an issue when the attacks shifted from consumer to PostBank. MyWoT led the initiative in flagging malicious domains during that time. A shout out to them.

It’s sad that JWSpamSpy is no longer available. Joe is one of the real experts in the AFF war, still posting at and silently doing his thing.

How can any provider claim to be protecting consumers if they are protecting against phishing and malware, but not other threats? Any such provider has supplied the consumer with an umbrella where half the panels missing in the midst of an electrical thunder shower, giving them a false sense of security.

Considering all the research that has already been done in the field of AFF, there is no reason to adopt a blindness to this threat. Artificial Intelligence can be implemented. Other legal methods exist of threat identification and mitigation. We are not adverse to sharing our work, knowledge or advice if it will lead to consumer protection. We regularly partner not only with other consumer protection facing partners, but also other brand protection agencies. Does that sound wrong? Not really upon considering our select set of fraudsters we deal with, regularly impersonate brands to confuse and deceive consumers. We were the ones to alert a certain bank in France, just as they launched a UDRP for the second time in as many years to mitigate a party spoofing them, that he had just registered a third spoof. Once again traditional wisdom and policy had failed at many levels and the result was predictable based on open source intelligence gained.  It’s not uncommon to see phishing excuses used by WIPO approved lawyers in pure AFF threats, thereby winning the right for their clients to take over a malicious domain; the right results for all the wrong reasons. It’s not uncommon to see phishing style take-downs on malicious domains, to only have them change to email-only threats (keep your enemy in sight). Similarly we see content hidden on sub-domains or on sub-directories where targets are given URLs. This is also an open invitation to any provable rights holder or their agents to obtain a report from us on anything we list, be it to mitigate or litigate: we have records of serial abuse and fraud attempts on many of these malicious actors, even if not always their (real) names.  One party has over 1600 records in our database and going strong.

An example of the details for a report is shown below with details redacted for obvious purposes.

Report Page
Record Page

The report includes snapshots with metadata embedded showing the date and URL address when it was made, also shown at the top of each snap.


Detailed first snap:

Exmaple Snapshot
Example Snapshot


The eagle eyed may have noticed we switch between AFF (Advance Fee Fraud) and 419. AFF is a vast set of consumer threats. We specifically focus on vehicle and mule scams emanating from Eastern Europe, 419 scams from West Africa and Cameroonian Scams. Each of these three sets makes up a further family of complex threats the average consumer is ill equipped to deal with and no proactive protection is available. While generic advice is given in the broadest sense of references in the media, the reports do not indicate the real danger flags. Commercial and like threats shown make up many of the warnings the consumer is hounded with, desensitizing them to lesser known yet equally serious threats rarely reported on in a knowledge driven way. The consumer needs and deserves our understanding and protection.  We can show the expectation of basic checks done at registry level is not met despite promises and marketing, yet something a consumer expects is done in any sane world where a registry is mentioned.  Disparate laws further undermines the consumer rights. While it may be problematic understanding the madness that is consumer supplied information,  rather gear up develop systems that can be used to create an early alert system in a feedback loop that also protects consumers while also protecting self interests in a fair win-win situation.  Do not make the consumer a mere product to be profited from. These are the real people. We are willing to assist in our relevant field of expertise. We are not even asking formal recognition. But let us rather work together to give the average consumer a better deal.

Subscription fee: An honest desire to protect consumers, people who may be your sister, brother, friend, daughter,  granny … the small mom and pop shop … perhaps a bit too naive, trusting marketing experts and opinions, not IT security experts. People getting a raw deal. These are the people driving the real internet. We promised them a better deal in the 90’s, let’s deliver on it.

Apply here

Thank you to the parties that already use our data!

Since posting this, other parties have responded, sharing news articles. They are well worth reading, proving exactly the consumer dilemma and dangers mentioned above. Most do not mention the associated domains and websites used, although this is a well known fact.

“All these people sit back in some form of judgement, instead of actually thinking, ‘My God, that could be my mother, it could be my sister, it could be my daughter, my uncle, my brother, my father, my grandfather, my best friend’,” she said.

“There are people out there whose sole intent in turning up to work every day is to extort someone in some way, be it emotionally, be it financially, be it by making them an unwitting drug mule. But [trolls] are not focusing on that; they’re blaming the ‘dumb, stupid’ victims.”

The FBI and Secret Service say they don’t have the resources to investigate all of the reports.

Or imagine if your partner was approached with an investment opportunity. They do their research, do “due diligence”, and it seems to check out. There are glossy brochures, a website of testimonials, and an array of staff to whom they speak on a regular basis.

So they invest thousands of dollars and are able to log in to an account to track the progress of their investment. But one day the website disappears – along with all of your combined savings.

The men are accused of making fake websites of various companies to cheat people through online shopping, providing customers with fake license and documents of the product.


Global drug trafficking operation run out of Villawood detention centre, phone taps reveal

Global drug trafficking operation run out of Villawood detention centre, phone taps reveal

This article does some real deep diving into the phenomenon of online fraud linked to romance scams with the victims being turned into money and drug mules. Currently no anti-virus will protect you from these scams.

See if you can spot the black money scam abused. That is the ‘SSD Solution’, ‘Red Mercury’, ‘Vectrol Paste’ etc, commonly seen in scam websites that does not exist, but a search engine will make you believe does.



The GDPR and blanket privacy: Hold on – who watches the guardians ICANN? Mon, 06 Aug 2018 16:55:44 +0000 Read More Read More

ICANN had two complaints they closed, escalated back to them last week. One was a Registrar Standards complaint, one was regarding a rogue reseller proxy at the registrar which is the subject of the first complaint. Why?

What happens where we have a registrar that serially accepts and has been accepting weak unverified registration details, for at least the past four years into the registries, in violation of the ICANN RAA and this leads to mass abuse?

What happens if this is pointed out to ICANN via existing mechanisms,  then  it’s made out by the registrar as content issues and blindly accepted by ICANN as such, despite the last* Registrar Standards complaint being an analysis of WHOIS details showing unverifiable non-existent telephone numbers, registrant details being nothing more than non existent made up registration details stuffing? Example: “Bar Clay” (for a Barclays spoof) and then used again and again? Ditto “Inno Cent”? Sure, when hell freezes over. Even if it convinces the registrar and ICANN, it doesn’t convince us. Why? This malicious actor is making a mockery of the domain registry system, yet ICANN accepted the registrar’s response that these are mere content issues.

/Update 2018/09/11: These Complaints can now be found on ICANN’s website at as Complaint Numbers 00006097 and 00006198.

It’s for this reason Artists Against 419 escalated the handling of it’s latest two complaint’s and closure within ICANN back to them, also making the ICANN President Mr Marby aware of this most serious issue.

* Last: This was the second complaint about the same issue and the same registrar in as many years. This violation was previously devolved to a mere WHOIS issue about a single domain, then resolved and closed by ICANN with the domain they devolved it to,  still resolving with clearly fake registration details and spoofing the Reserve Bank of India. This was after a similar closure of a report regarding another Registrar with similar attitude, that saw the complaint devolved to an issue about an American bank spoof with fake registration details, that eventually became an escalation to the ICANN Ombudsman, to be never heard of again.

Who are the guardians of the RAA Whois Accuracy Program Specification and upholds Registrar Standards if ICANN does not accept this role for GTLDs where they oversee policy development and standards? It makes any such policies moot and nothing more than window dressing if such policy is not enforced.

What happens when we end up with abused proxies when the above mentioned registrar’s main reseller responsible for greater than 60% of domains targeting consumer in fraud, is running a proxy not in line with the RAA Specification on Privacy and Proxy Registrations? On said proxy we see banks and commerce being spoofed, phishing attacks, all carefully hiding the perpetrators? A proxy with no polices and a perfect shield to ensure accountability. In some cases we even end up with proxies behind proxies, where the downstream proxy and reseller registers domains for their clients based upon usage (the author had an interesting chat with the downstream proxy/reseller who thought he was one of the regulars. This reseller does jurisdiction/Registrar shopping. Registrars in Russia, China and the USA are fair and willing game).

ICANN’s view on closing the complaint was :

Upon request by ICANN, the registrar took corrective actions and is now in compliance with the relevant provisions of the Specification on Privacy and Proxy Registrations of the 2013 Registrar Accreditation Agreement (RAA).

Which was later changed to:

To clarify this matter, the registrar of record confirmed with ICANN that the domain names referenced in your complaint (domain names redacted), and those registered with similar information, are registered to a third party or reseller and not a proxy service. Under the 2013 Registrar Accreditation Agreement (RAA), resellers may be registrants for domain names.

This was the reply, despite said reseller have their own complete domain registration panel etc, separate from sponsoring Registrars system (we are unsure what back-end integration there may be), also the RAA saying under the proxy provisions:

1.4 “P/P Provider” or “Service Provider” is the provider of Privacy/Proxy Services, including Registrar and its Affiliates, as applicable.

2 Obligations of Registrar. For any Proxy Service or Privacy Service offered by the Registrar or its Affiliates, including any of Registrar’s or its Affiliates’ P/P services distributed through Resellers, and used in connection with Registered Names Sponsored by the Registrar, the Registrar and its Affiliates must require all P/P Providers to follow the requirements described in this Specification and to abide by the terms and procedures published pursuant to this Specification.

What is an affiliate?

Electronic commerce: Firm which sells other merchants’ products at its own website. Visitors to the firm’s website may order merchandise from there, but the sale is transacted actually at the principal’s site who passes on a commission to the website from where the order originated.


… unless we are to believe the reply to ICANN and it’s the reseller spoofing banks like The Bank of England, Cater Allen Private Bank, stealing content from lawyers like Edwin Coe LLP to create a fake lawyer (see below), or even spoofing NATO procurement (where we have an email with headers)? Which, if it were true, surely said reseller has no place in the domain channel and it could be suggested some time rather  sepentin jail, not excused and silently absolved as affiliates of the accredited registrar?  We see massive gaming of the DNS system at everybody else’s expense:

We are now seeing some strange language other than common logical English emanating as an excuse. The sponsoring Registrar was aware of this proxy as was demonstrated. There is a logical departure from reality here in ICANN’s reply regarding this proxy. It is for this reason this response was also escalated within ICANN along with the first.

Taking this a step further: what acknowledgement is there for a polluted reseller channel where the hoster and domain reseller via an affiliate program is the very one receiving abuse reports? There is plenty evidence of this.

To briefly illustrate the problem, we will oust a facilitator, VBHostNet. Naturally all evidence has been captured. If you can’t say it; “shush”. If you have evidence, you can shout it out. Domains below were mitigated rapidly at the respective registrars and are for illustration purposes. Initially the reseller/hoster was playing abuse games on AceNet, disabling spoofs and scams upon abuse report receipt, then to sneak them back hiding content:

Email address provider is an open to anybody, disposable email address at FakemailGenerator , also serving email addresses ending in,,,,,,, and

Looking at the email address used for registering the Danske Bank spoof, we find another identity with another address using the same email address:

 . . .
Updated Date: 2017-05-02T17:44:38Z
Creation Date: 2017-05-02T17:44:37Z
 . . .
Registrant Name: Stephen B. Pier
Registrant Organization:
Registrant Street: 2867 Black Stallion Road
Registrant City: Cincinnati
Registrant State/Province:
Registrant Postal Code: 45214
Registrant Country: US
Registrant Phone: +1.8594954405
Registrant Email:
 . . .
Updated Date: 2017-04-13T16:25:05Z
Creation Date: 2017-04-13T16:25:05Z
 . . .
Registrant Name: Kyle N. Deleon
Registrant Organization:
Registrant Street: 502 Fleming Way
Registrant City: Richmond
Registrant State/Province:
Registrant Postal Code: 23219
Registrant Country: US
Registrant Phone: +1.8047830943
Registrant Email:

We see the registrant name, address and telephone number changing for email

(We show domains to illustrate a scam nest):


DomaindbURLSite Name
stancharteredb.com Chartered
nat-oilcompany.com Oil
baylinelaw.com Solicitors
shullyblogistics.com B Logistics
teaboconline.com East Asia Bank of China
esquirebonline.com Bank
cargofr-china.com From China
globalwiledsafe.com Safe Security & Shipping Company
devonenergy-corporations.com Energy
integrityfinanceloans.com Finance and Loan
dcecourierservices.org Courier Express
wheatlandb.com Bank
jpcorpllc.com Construction LLC
cts-freight.com TS Freight
creditsmutuel.com Mutuel
chelsharbour.com Chelsea Harbour Hotel
unihospae.com Hospitals
saugerhosp.com German Hospitals Group
saugerhos.com German Hospital Dubai
capfcu.com Federal Credit Union
vtbconline.com Group
intlmonetaryfund.com Monetary Fund
speed-cs.com Couriers Service
unicef-online.com United Nations Children's Fund
candidhelp.com Help
fadeeslogistics.com Logistics
landforexfx.com Prime Ltd / LandFX Ltd
danskebonline.com Bank
santatravelsae.com Travels & Tours LLC
capunityonline.com Unity Bank
elite-courieronline.com Logistics
elite-logisticsonline.com Logistics
VBHostNet Facilitated Advance Fee Fraud

This is big business in certain parts of the world where the very party designing fraudulent websites, registering domains for criminal enterprise and publishing them for criminal syndicates, is also the party that has reseller privileges, apart from hosting reseller accounts etc. Sometimes this party operates purely email only domains portfolios. This type of pollution is well hidden and an insider threat to the ICANN system, but regularly encountered upon closer inspection. The one report ICANN has in their possession shows something similar, but a magnitude of size greater, also previously reported in a compliant. This has led to two years of profuse consumer harm while undermining the legal rights of banks, lawyers, governments  etc.

What acknowledgement is there for the dangerous nature of consumer harm that can be done with domains? What about the consumer rights? That consumer may be a bank or an ordinary man/woman/even child in some remote jurisdiction where law enforcement is not that mature? It may be a government. If we go onto the net, we are consumers of the DNS system. Each and every user clicking on a link on the the web, or email, or even typing a website name into an address bar, is consuming DNS to resolve that website to an IP address. It’s that DNS that’s being poisoned with malicious entries.  The consumer is not only a privileged group called registrants, a special club, as has been implied before at some ICANN events. Even if it were, the legal rights of “club registrant” is being undermined by malicious actors in the DNS system.

The GDPR was meant to protect the privacy of natural persons. What acknowledgement is there in spirit for the GDPR if “anything goes” into the registry via certain registrars who feel themselves absolved to not to uphold the RAA or any form of consumer protection?  How much of this mess is currently being hidden by proxies and of late, the GDPR?  Speaking wider than the above mentioned registrar, certain disposable email addresses have online pages actually publishing such email communications. We see credit card fraud charge-backs, spam complaints, phishing complaints and even CP feedback from certain registrars on these disposable emails as reasons for termination and suspension. Where is the consumer protection? Yet many of these domains survive if these small obstacles are bypassed. Disposable (fake) registration details and disposable emails go hand in hand with abuse.  There is very little acknowledgement for the rights of ordinary consumers except to consider them a third party with no rights in any of these agreements. The registrar holds the registrant liable for any issues and the RAA and Registrar/Registrant agreement requires the registrant will not use the domain to directly or indirectly infringe third party rights. What if the malicious actor uses that domain to point to fraudulent content, perhaps even stolen content, as to defraud? Perhaps even causally spoofing? Or perhaps uses the domain to spoof in email only attacks, for example to impersonate the FBI etc? The Registered Name Holder shall represent that, to the best of the Registered Name Holder’s knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party. The Registered Name Holder shall indemnify and hold harmless the Registry Operator and its directors, officers, employees, and agents from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable legal fees and expenses) arising out of or related to the Registered Name Holder’s domain name registration.

But what happens to if that registrant is a bogus entity and the registrar knows it? Can the registrar still be held harmless on the basis of the RAA? Indeed, what about ICANN, if they know about such an issue and and do nothing about it?

What if the registrar or it’s affiliate provides proxy protection to a malicious client instead? Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.

Ironically this is being massively gamed. To date no registrar or the affiliate proxy provider has been held accountable, yet some operate proxies with reckless abandon, ignoring these provisions. Will that change when we illustrate a pattern of deliberate self blinding? At one registrar providing blanket protection, we get some insight into what qualifies as acceptable, much hidden behind proxies (although via indirect methods).

We do have a small acknowledgement for commercial rights in the RAA in terms of UDRP mechanisms (or URS – depending on the TLD). But if we see a bank like Société Générale lodge UDRP proceedings for a second time to protect their rights, and the same respondent that does not reply use the same weak unverified details to register a third spoof even while the second UDRP is taking place, does the $10 domain the malicious actor pays not trump the rights of the ~$2500 the bank pays, turning the party using ICANN’s own UDRP sanctioned system into a victim at the hands of non-caring reckless registrars? Where does the responsibility lay for this abuse – merely the registrant? Or can the registrar be held accountable? Indeed, what about ICANN, once they are aware of this and do not remedy the situation?

How will the ordinary consumer in country XYZ defend their rights if their authorities does not wish to engage? This is extremely topical: The UK has been more transparent than most countries in this regard. Only 1% of reports leads to an arrest. About 10% gets investigated. Official stats says only 10% of victims report (this figure is being revised, it’s way too high).  So less than 0.1% of cyber crime victims  ever get restitution of see justice. What happens to the other people, the other victims, and their rights? They are doomed to become statistics simply because a malicious actor payed a “I can’t care a hoot” Registrar using ICANN accreditation as marketing material for $10? Do the victims have rights? Human rights? Privacy is one right – but in a poisoned DNS system where not much can really be verified, risk increases. Business identity theft is rife: just because a website gives details of itself does not mean those details belongs to it. This is not something the Berlin Group anticipated. Even the authorities are being spoofed with impunity. How do you stop a consumer entering his details on a spoof domain or like, to end up on a sucker list forever more, unless he totally stops using the net and anything electronic? Even then it may not be enough. Once the damage is done, it’s extremely difficult undoing such damage – much like trying to un-spill water.

How do you stop a domain being used for abuse where there is no content and a proxy protection? This is as one senior IT security staff member in the EU found out recently after being defrauded with a Standard Chartered Bank spoof, loosing his livelihood. This was just after a certain large registrar blanked their registry details even before the GDPR mandated it, blindly applying blocks on large tracts of IP addresses, protecting club registrant at the cost of the rest of the world with no checks and balances in place. We also were subject to a block and were told via ICANN that Artists Against 419 was harvesting registrant details (hogwash – we never did), but it was blindly accepted. It seems this was a common excuse at the time. Apparently even ICANN abused the system as it was blocked at a stage. This was looked at by an ICANN SSAC member.  This largest registrar was invited to do an audit on our systems. Yet it was easier casting aspersions on one of  the most anti-abusive, altruistic and non-commercial causes which we uphold, protecting consumers.  Artists Against 419 was one of those that saw retaliation, unbeknownst to Mr Brian Winterfeldt, but which he predicted.  The ICANN RAA was flouted and we ended up with the tail wagging the dog. Does commercial interest trump consumer rights? Every bad decision on the net has victims, many ordinary consumers.

Certain registrars tend to make law enforcement and/or EC3 their garbage disposal abuse agents after abuse takes place with domains they sponsor. Or insist on a court order. Or insist the complainant has no rights to complain about a spoof. Yet the very consumer is the target when it comes to predatory domain abusers. Many a time spoofing is a crime of convenience in fraud. Ditto stealing content. Law enforcement are overwhelmed and simply cannot do all the mitigation, that is why they ask consumers to report fraud. They try and address the worst of the worst. But geographical boundaries dictate where a party may report it. We wish anybody in most of the Far East, South America or Africa  trying to report serial fraud to their local authorities if they are not a victim. They have much less chance if that fraud is targeting the European Union. Europe only accept reports from their own citizens or law enforcement via certain channels. Suddenly we find a disjuncture between registrar theory of operation and reality. Is this deliberate? A simple reality check – and Google/Bing/Yandex/… search shows online fraud is at an all time high. Even from China we find this interesting article:

Technology giant Tencent Holdings detected 96.8 million malicious websites, tagged 29.7 million phone numbers used for fraud, and blocked 18.3 million fraudulent messages in the first six months of 2018, according to the report jointly released by Tencent Research Center and the Data Center of China Internet.

The most common fraudulent messages included those on illegal loans, virus software, malicious websites, fake job positions offering high salaries, and online shopping.

While the breakdown of the numbers will cause a few smiles or giggles in certain jurisdictions, the bottom line is Tencent says there are 56.9% pornographic websites and 34.4% gambling websites in those 96.8 million malicious websites. That leaves  8.7% malicious websites, assuming the gambling websites are real (Tencent points out the upsurge in these with the 2018 FIFA world cup in Russia and we know from history many would be fraudulent and on bespoke domains). 8.7% x 96.8 million is approximately 842,000 malicious websites. Even if we discount political websites and like, as they are most probably included, we also need to accept they probably also overlooked unrecognized threats, so we still have an astronomical number of  malicious websites living right next to you and me on the net. Many of these will be using domains registered with fake registration details and each of us are the target. The simple reality is nobody really knows the extent of the global malicious domain problem. Only of late have commercial sector cyber security actors started looking at traditional 419-type fraud. They recognized the “contractor“, a party well described in Artists Against 419 training materials as far back as 2007 as the “faker maker“. The world has moved on. Even now that picture has changed and malicious domain provisioning is taking root in a new way for advance fee fraud syndicates. The parties selling SEO, retweets and followers on Twitter, Facebook etc are now also selling domains, hosting and content to the cybercrime syndicates.

But that aside, is law enforcement consumer protection? No, it’s mitigation of damage after the fact, when the consumer already became a statistic and the harm is already done.

So how does the ICANN environment measure up to consumer privacy protection the GDPR is meant to create while citing human rights? Is ICANN and all registrars really living up to the spirit of the GDPR, or is it simply an opportunity to sweep a big can of worms under the rug, undermining the GDPR, creating a situation where the GDPR becomes a tool to undermine not only privacy but also other human rights? We need to remember that, regardless of which version of human rights you subscribe to, there is a balance between rights and one party’s rights (or abuse thereof) should not be condoned if it undermines the rights of others. Balance of rights is key.

Are the bottoms up processes commonly held out to be followed merely a placebo, while registrars are free to sponsor criminality on the net using domains with fake registration details or proxy protection for $10 a shot as many times as they can do it, simply because they are “not an arbiter of the legality of content hosted on web sites”? Any sane, mature person will know heroin, cocaine etc drugs  are illegal in the USA. Or at least you should if you are a business in the USA. Apparently that excludes certain registrars.  Did the abuse process not start before the content is active online, spoofing the United Nations/Reserve Bank of India or pretending to be Joe Blogg Drugs targeting consumers internationally? Did the abuse not start during the domain registration process when the registrant deliberately supplied inaccurate registration details? This was most certainly recognized in 2003 in an ICANN advisory. But it seems the system has now dumbed down 15 years later – or is it self blinding for the sake of profit?

Does the GDPR not place an expectation on ICANN and registrars to verify registration details? Does the GDPR not even go as far as allowing the sharing of data for anti-fraud purposes? Is there not an expectation within the GDPR which is overlooked and not taking place in ICANN circles, to take due care and try and keep fraud out of the system? Surely by the 10th time a registrant crops up spoofing “A B C” with a new domain and every changing details, or using a domain to defraud consumers, private people or commercial, we have a pattern? Likewise if a party serially registers fictitious drug selling domains fro later websites?

If somebody with serial abuse history claims to be selling Nembutal in the USA, surely  there should be a red flag?

This is in reference to a particularly nasty type of fraud leading to extortion which the DEA and FDA warns about.  We even have a spoof of the DEA recorded in our database showing the victims being extorted! This type of fraud specifically targets cancer sufferers  and like,  first with other fake medication offers while also stealing their credit card details. When the victims give up all hope, the Nembutal drug scam targets them again (remember – sucker lists). Let’s look at Greenlight Pharmacy:

Ironically this domain was put onto hold, but is now resolving again. How innocent! A redeemed fraudster now offering health advice? Did said registrar now not use content issues to decide on DNS abuse?

Meanwhile elsewhere in the real world, the domain’s email  is being used to sell cocaine, LSD, opium … so is this a content issue? Or an excuse?

Remember, while this party has access to the domain’s DNS, he can set the SPF/DKIM to whatever he likes. We now have a dangerous domain able to send verified email from anywhere and receive it whereever the fraudster desires. Our fraudster has now undermined SPF and DKIM mechanisms. Does it help that we say that, despite this party’s proxy protection, we know full well who he is? Hello “Apteka HealthCare”. Does it help to say that this registrar welcome this fraudster with open arms, even offering him sanctuary and defending him when honorable Registrar Joker booted him for similar drug scams and abuse of their proxy services?  Does it help saying he is also a John Doe party in the Delta Airways vs John Does case: The close link between pervasive pet scams and drugs scams are well established. Who would have ever expected the Asian Arowana sales were extortion – they are CITES protected species. Our fictitious DEA/FDA agents are also fictitious US Fish and Wildlife officials out to get the gullible who believed the fraudster advertising on the net and buying from him, with fake promises of permits for non-existent Arowana, then using non-existent couriers (leaking privacy like a sieve) to complete the consumer trap as “These fish may not be imported for commercial or personal pet purposes.” Pay up!

Likewise which is spoofing the New York Federal Bank and had content hidden at and the domain was suspended.  The content was removed and the domain un-suspended. Once again we see what the registrar claims vs what they do, does not tally. Was the content removed, or merely moved? Well, the New York Fed is now being spoofed from – is that us. a clue to DNS abuse or not? While a simple example, there is a myriad number of ways that a malicious registrant can mitigate host based take downs. The Bank of America incidentally mitigated a spoof of themselves at hosting level ala anti-phishing style for a domain registered at this registrar. Result? The domain was promptly transferred to a professional email hosting provider. The content was gone, the fraud continued. The domain was not phishing, it was being used for advance fee fraud (419-fraud). Email abuse in the DNS system is pervasive, why not in advance fee fraud? Is this so difficult to understand or unexpected?

At another registrar we saw a fake lawyer website, with content stolen from the real lawyer, mitigated and jumping between hosting providers no less than 27 times before the registrar finally intervened and placed the domain on hold.  As any realistic hosting provider will tell anybody caring to listen, mitigating at hosting level while the malicious registrant still has access to the domain’s DNS is an exercise in futility. And what if the hoster is one of those protected sanctuaries for criminality, incidentally also the downstream domain reseller?

Back to the registrar of the topic: Ironically one of the issues mentioned in the report was said registrar not responding to complaints. KnuJon encountered a similar issue and reported on it publicly last year,, describing how:

the site became “hidden” from certain IP addresses. As of today domain is still selling Fentanyl.

We see a report of similar tardiness to address illegality and abuse in a CSIP / LegitScript report in June 2018, The State of Opioid Sales on the Dark Web (comment in bold that of the author for the sake of clarity after redaction):

website lists opioids for sale, including fentanyl, morphine, and codeine. We were unable to verify whether products are actually
shipped …

… but the company (the registrar) has been slow to respond, sometimes taking months to process complaints that often result in no action.

While KnuJon  and LegitScript are trying to address an illegal drug sales problem, Artists Against 419 is trying to address an Advance Fee Fraud issue. Apparently both are equally at home at said registrar. Ironically is in the fraud category, also targeting the desperate with Nembutal and not surprisingly most probably linked to the previously mentioned Greenlight Pharmacy above. Recorded 2017/06/18:

This is what happens when self blinding to obvious issues for the sake of ease and profit occurs, criminals find a foothold from where to launch attacks against the most vulnerable of the vulnerable. What has become of the hope and promise of the Internet?

Advance fee fraud is DNS abuse when the fraudster has a bespoke domain for all the stated reasons and with zero legitimate purpose. Anything further abuse related that follows, is a product of this abuse of the DNS system. While it’s trivially easy abusing a registrar, it becomes unforgivable when a registrar self blinds to the obvious and becomes a knowing facilitator, even if indirectly. Likewise any system that allows it.

Most registrants are honest upstanding people/companies. But then again they will only ever own one or a few domains. A few more brand protection agencies or domain speculators will have vast portfolios. Yet advance fee fraudsters also massively register domains, abusing privacy mechanisms or fake registration details, for one single purpose – to defraud. One party is sitting at far over 1,600 domains. When registrars get wise and boot him, he simply uses another one. Rinse and repeat the domain abuse. Let consider … the privacy purists  – please relax,  it’s a synthetic identity showing why we need WHOIS access to protect consumers:

Ouch!!! An old acquaintance in compliance at Tucows; will remember him as Bola Olorunlogbon – yes, he’s still at it abusing the DNS system more than 10 years later! Thanks for the many times you mitigated him!

Aliases,,,, … the list goes on an on!

Another malicious party targeted ~15,000 victims with just under a 100 domains, leading to loss of victim privacy and defrauding >60% of these victims, many left destitute; mostly single young mothers and even children. Law enforcement never engaged despite outreach via the appropriate channels. He retried abusing said registrar two more times and got booted both times (all honor to the registrar and relevant registry – thanks to friend). He was welcomed at a certain large US registrar offering blanket proxy protection with an extremely bad reputation in IT Security circles. He promptly spoofed numerous legitimate couriers to perpetuate his gift scam again (how did we know how many victims were targeted? read on). Some registrars self-blind to the obvious. The bullet proof registrar has become a reality in the USA.

This article explains the gift scam:  While this is not part of the previous scam nest, South Africa is known to be the location of a reseller massively targeting consumers and business in orchestrated fraud, using the registrar at hand. This reseller also targets business in a variation of a procurement scam called a tender scam, spoofing government and having a devastating effect on small business, destroying many.  Who would have ever thought the humble courier is probably one of the biggest consumer threats today? There is a reason why DPD Couriers has had to defend their good name with with UDRPs (not cheap). While some registrars who are quick on the draw when they see a bank spoof (ooh, a phish …), many hardly care about fake couriers. These trivially leak private consumer information (yes, that’s how we knew how many target victims there were earlier). Some offer credit card facilities to pay, claiming the card was rejected, using this as a reason to demand a Western Union or other unaccountable payment method. Is it not money laundering this leads to? Regardless of paying or not after this, or smelling a rat, victims have their credit cards abused if they tried using them. Let’s Encrypt certificates are trivially abused to complete the illusion. The courier is probably the most abused scam type. The Eicra Courier Template is probably the most abused and virtually a guaranteed danger sign. The owners of the Eicra template decided not to defend their design and is probably now useless. This does not mean harm did not follow. Many consumers probably silently regret ever seeing it. Despite this continuous abuse, there is little recognition and acknowledgement for the danger of fake couriers.

Mainstream IT security are extremely busy mitigating commercial and governmental threats. There is little recognition for pure consumer facing threats and as such little understanding of the latent threats. It was against this background that BEC evolved from consumer to commercial threat. Even now the puppy scam actors targeting the USA is a massive problem in Far East and lurking in shadows in Europe. The same fictitious couriers used to transport fictitious pets in the USA are being used to transport a few tons of fictitious lobster tail/scrap/paper in the Far East, also Europe of late. Incidentally also the drugs mentioned above.  Since a few syndicate members find themselves in Europe, this is no surprise.  Yet these are not our Nigerian Princes that have evolved, we need to look a bit South East to where we have unrest, the Cameroon. These parties have syndicated in a threat that’s equal to, if not greater than, their Nigerian counterparts. Even now we are seeing European companies spoofed, vehicle scams that are near indistinguishable from the traditional vehicle scams, fake European commodity scams with stolen European business registrations displayed as their own. Earlier this year a certain Spanish company bought seafood that never arrived.  The commodity scam has taken hold in Europe and destroys businesses, the small mom and pop shops are extremely vulnerable.  Of late the same drugs scams targeting the USA have been seen targeting Europe and Canada. We only need to read Steve Baker’s  Better Business Bureau report on pet scams and arrests in the USA to get a peek of this hidden threat. Fake passports? Forged Euros? IETLS/TOEFL certificates? Visas? No problem. These parties massively abuse domains as the report shows.  More so, social media and online classifieds are also abused. Once the fraud is established, online content is secondary. A working email that can’t be mitigated is vital – welcome email-only domain abuse.

What is ironical is how this group uses the one tolerant US registrar for their pet scams and vehicle scams, the other tolerant US registrar referred to in this report for their hard core drug scams and like. Couriers are distributed across the two. It’s no coincidence these correspond to the first and second highest fraud sponsoring registrars for long lived advance fee fraud domains recorded in 2017. ICANN is sitting on a time bomb.

No matter which way we spin these issues, this is systematic DNS abuse as these type of domains have no legitimate purpose in a legitimate DNS system. They only have one sole purpose, defrauding unwary consumers.  Typically this fraud is illegal internationally, from (enter your favorite jurisdiction), to (enter your most hated jurisdiction).  This begs the question: why this is tolerated? This fraud is also accompanied by all types of other human rights abuses. Law enforcement will not always engage for various reasons such as financial loss size, law enforcement goals, jurisdictional issues, local unrest (Cameroon?), under-reporting in law enforcement statistics, even political reasons etc. Many victims are left destitute and cannot afford a lawyer abroad. But then again, to what effect? To uncover garbage registration details the registrar will never be held accountable for while the miscreants abusing the DNS system get a fee pass?

Right now the GDPR has ironically also become a shield for bad actors abusing the DNS system claiming to be based in Europe. Some registrars do not tolerate these games and immediately stop such abuse. Well done to you, you know who you are. Likewise some savvy Registries have followed this route – kudos to you!

But then again other registrars are quite content accepting stolen money for more domains, quite willing to allow abuse of their proxies or even the GDPR for registrants rapidly changing names, continents and even gender multiple times per month. These registrars are sponsoring a part of hidden time bomb in ICANN; what will the European regulators do when they learn that their citizens are being defrauded and having their private details trivially leaked and distributed, while certain registrars self-blinded to this? What will they do when they see the details ICANN chose to ignore that is in conflict with publicly stated polices, the RAA verification claims even used in the public ICANN discussions on the GDPR? The current spirit of the GDPR does not live in the current policy enforcement at many registrars. Even some European registrars. A quick $10 is enough to sacrifice consumer rights. Yet consumers cannot enforce agreements between ICANN and registrars, but ultimately we can cry, and cry “foul” very loudly, when ICANN does not hold it’s accredited registrars accountable as per stated policies and consumer harm follows. That harm is affecting government, commerce and us mere mortals alike. Right now ICANN is sitting with a report showing how the Reserve Bank of India was spoofed countless times with impunity, using fake registration details for the past four years at least, while the one accredited registrar self blinded, something complained about twice. Other banks like RBS, Citi  etc are spoofed. Perhaps Société Générale would not have wasted the time and money for another fruitless UDRP if somebody listened. Perhaps US lawyers, banks and companies would not have had their websites trivially stolen and republished behind bogus hiding pages to be sent to target victims, perhaps innocent US lawyers would not have had their faces plastered on these instruments of fraud propagated with abusive DNS records not worth a spit, perhaps there would have been a lot less victims in remote jurisdictions who thought they were dealing with a real company when applying for a job, or defrauded companies participating in a tender process. Indeed, in the one complaint we described how we literally saw an attack develop just after the domain was registered, changing from a spoof of a Canadian bank to phishing. This is the breeding ground for BEC.  “Mike” was no surprise to us. Our data was used and mined in the lead up to the “Mike” investigations by savvy law enforcement.

While we reported the one registrar to ICANN again, also reporting the affiliated downstream reseller proxy at the same registrar, others exist. In the malicious domain data-set example used, the malicious actor registers his domains at two registrars. Did we also not report this second registrar’s lacking standards? Yes we did. Was this complaint not also similarly closed in 2016, with an American bank still being spoofed with equally fake registration details as now again? Why is the registrar now allowing malicious registrants to lie consistently about their identity when caught out spoofing banks with fake registration details? The owner of this registrar was quick to point out this is what ICANN told him to do. What can we say?

We chose the registrar in last weeks escalation, as they had the second highest incidence of advance fee fraud they decided to self blind to. One registrar chose to turn the .US registry into a trash can for scammers with the Registry idly standing by, allowing US consumers to be targeted in relatively low value fraud. They had a higher total fraud incidence. Yet the registrar described at the start allows the most dangerous domains into the DNS system. A fraud targeting a cancer victim in a drug scam followed by extortion, and finally leaving him destitute with his last cash stolen in a suicide drug scam, is and will always be the worst of the worst in human rights violations and despicable type of fraud. These victims will not come forward and silently slip into the night, giving up the fight.  As such we attacked the most dangerous problem. But then the problem became even bigger when ICANN chose to overlook the obvious along with their own policies. Likewise other similar issues were swept under the carpet in the past. This madness has to stop.

To each and everyone discussing and deciding what to do with the event of the GDPR in the ICANN policy space:

Do not let theory of operation in your small sphere of the world dictate that you make bad decisions that will have massive ramifications in a distant part of the world, where human rights protection is not a priority, or be abused as an excuse to allow consumer harming practices. Unfortunately there is no security in the DNS without a way for independent parties to measure the effectiveness of a policy enforcement. There are poisoned apples in the DNS system and many upstream sponsors simply pass issues downstream if not ignoring them. Without accountability, everything becomes moot in Lala Land discussions with no real meaning.

This is also why we consider it vital for a full study be made of Advance Fee Fraud abuse in the DNS system by perhaps experts like ICANN SSAC. There is most certainly more than enough material available in DNS records. Government expert input should also be sought. Media reports are typically dramatic, never analyzing the problem from a DNS perspective. There is a consumer expectation that a bespoke domain name is a sign of trust; surely somebody checked. ICANN does require registrars do checks? Or not? The truth is many DNS custodian Registrars do not care – please pay $10 – perhaps as low as 79c discounted. Domain control is key at the SSL providers to obtaining SSL certificates and the green padlock lost all meaning, only perhaps meaning you may be defrauded securely. Let’s Encrypt considers Google Safe Browsing and Microsoft to be an indicator of a domains suitability for a SSL certificate to avoid phishing attacks and malware domains.  Yet this mechanism does not acknowledge domain based advance fee fraud.  Perhaps if a bank is spoofed, it will incorrectly get flagged as phishing (AFF is not phishing). If the fraudster has a bespoke bank or other fraudulent domain and website – the criminal is  good to defraud securely, it’s not phishing as no brand is being impersonated. Anti-virus vendors have adopted this same distinct blindness for the mess that is advance fee fraud in the DNS system, this while advance fee fraud has steadily grown to a multi-billion dollar industry. This madness of annually increasing victim fraud statistics has to stop.  Currently ICANN has a role to play if they accept realities – they need look no further than two reports and complaints which were escalated back to them, also making Mr Marby aware of the obvious problem. Don’t simply reject those as a matter of policy with weak excuses, read them – they have many clues and the exercise that was done is repeatable. Pass them on to the real experts if in doubt, not the nay-sayer excuse makers. There is a reason why the authorities took a good look at those details, took additional legal steps, but had to stand down – victim jurisdiction. It also shows why law enforcement makes for weak custodians of ICANN policies.

However that can be changed if the parties trivially having their content stolen choose to pursue the matter. Currently as many parties have a dog in this fight as the victims, at one with the common consumer, without them even knowing it. Government, commercial and casual user rights meet massively in this issue. It affects and undermines a healthy trusted internet for each and every person that has touched or will touch a keyboard or use some internet device to communicate. It affects everybody.