QHoster Ticket ID: 915013

Registrar Namesilo reseller QHoster is providing a proxy service for registrants. Malicious activities linked to domains abusing this proxy service have been noticed on more than one occasion. One of the latest QHoster proxy-protected domains was a domain spoofing NATO. Here we see a fraudster pretending to be a NATO officer, concluding a contract for the supply of items:

Good day to you.

I wish to inform you that your mail with REF number was well received for the supply of the Pneumatic Rivet 4000000i chemical from Dr. James Owen. I have attached your contract agreement and I wish to inform you that you should study the agreement before signing the RED seal in the attached agreement.

You are advised to print out the copies of the agreement and sign page one to four any where at the bottom of each copy and in page five you are to fill in your name, address and sign the red seal. In Page four, you are to fill in your bank details in CAP letters.

After signing the contract agreement, you are to scan and send all scanned copy from page one to page five back to me, only then your contract approval letter can be sent to you along with your contract certificate,your license buyer certificate, your Power of attorney (POA) and the Chemical Company details then you can contact the chemical company for purchase of the one liter sample of the Pneumatic Rivet 4000000i chemical for approval of the 10,000 liters of the Pneumatic Rivet 4000000i chemical.

If you have any difficulties, you can always ask and I will be glad to make understanding to you.

Gen. Hollan Rodrick
Email: hollan.rodrick@natoprocurement-int.com

The headers clearly show this email originated on this domain. The associated website is blank with no content apart from an empty /en/ subdirectory.

Obviously such impersonation with the intent of defrauding is totally unacceptable, is actionable harm and illegal as defined in the ICANN RAA.

Domain natoprocurement-int.com is registered with QHoster as a proxy provider.

A check of QHoster’s web pages shows no details of this QHoster proxy service, only a brief section on Privacyprotect.com under ID Protection (WHOIS Privacy). That is a different service, and no other details pertaining to this proxy could be found. As such, the following email query was sent on 2017-10-27, also copied to upstream sponsoring registrar Namesilo:

Hello QHoster

cc NameSilo – Sponsoring Registrar

Re: Qhoster proxy services

We notice you are offering domain proxy protection services for
domains using yourself as the proxy agent. Typically these details are
shown:

> Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
> Registrant Street: 1 Mapp Str.
> Registrant City: Belize
> Registrant State/Province: BZ
> Registrant Postal Code: 00000
> Registrant Country: BZ
> Registrant Phone: +501.18774231155
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> Registrant Email: info@QHoster.com

This just became topical where we found a domain spoofing NATO with
these domain details, the domain being sourced from QHoster
with NameSilo as sponsoring Registrar.

A closer look shows this to be a common occurrence, even spoofing
banks, for example:

> Domain Name: santanderin.com
> Registry Domain ID: 2178808041_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.namesilo.com
> Registrar URL: https://www.namesilo.com/
> Updated Date: 2017-10-26
> Creation Date: 2017-10-25
> Registrar Registration Expiration Date: 2018-10-25
> Registrar: NameSilo, LLC
> Registrar IANA ID: 1479
> Registrar Abuse Contact Email: abuse@namesilo.com
> Registrar Abuse Contact Phone: +1.4805240066
> Reseller: QHOSTER.COM
> Status: clientTransferProhibited
> Registry Registrant ID:
> Registrant Name: Michael Dwen
> Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
> Registrant Street: 1 Mapp Str.
> Registrant City: Belize
> Registrant State/Province: BZ
> Registrant Postal Code: 00000
> Registrant Country: BZ
> Registrant Phone: +501.18774231155
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> Registrant Email: info@QHoster.com

We find a Santander Bank spoof here:
http://santanderin.com/en/personal.php

What is even more disconcerting, is that we uncover an extremely well
known login panel for bank spoofs massively abused by a certain party;
http://santanderin.com/en/onlinebn/login.php

Since QHoster is an official NameSilo reseller, the ICANN RAA 2013
SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS applies.
https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#privacy-proxy

This section makes it clear that this also applies to you as an
official QHoster reseller.

We closely checked your website for these terms. They could not be
found. The closest we could find was this, which does not meet these
terms:
https://www.qhoster.com/domains.html

As per sect 3 of this part:
> 3 Exemptions. Registrar is under no obligation to comply with the requirements of this specification if it can be shown that:
>
> 3.1 Registered Name Holder employed the services of a P/P Provider that is not provided by Registrar, or any of its Affiliates;
>
> 3.2 Registered Name Holder licensed a Registered Name to another party (i.e., is acting as a Proxy Service) without Registrar’s knowledge; or
>
> 3.3 Registered Name Holder has used P/P Provider contact data without subscribing to the service or accepting the P/P Provider terms and conditions.

As per the ICANN RAA 2013 definitions, the Registered Name Holder is
QHoster.

As per 3.1, QHoster is an affiliate.
As per 3.2, NameSilo is being copied on this email.
As per 3.3, Namesilo is clearly offering this service as 1309 recorded
domain names indicate.

As per the ICANN RAA definitions:
> 1.13 “Illegal Activity” means conduct involving use of a Registered Name sponsored by Registrar that is prohibited by applicable law and/or exploitation of Registrar’s domain name resolution or registration services in furtherance of conduct involving the use of a Registered Name sponsored by Registrar that is prohibited by applicable law.

Spoofing NATO, banks and the like to defraud consumers by registering
domain names to host email services and furthering these malicious
impersonation activities meets this definition.

Also note that as per SECT 3.7.7.3 of the ICANN RAA:
> Any Registered Name Holder that intends to license use of a domain
> name to a third party is nonetheless the Registered Name Holder of
> record and is responsible for providing its own full contact
> information and for providing and updating accurate technical and
> administrative contact information adequate to facilitate timely
> resolution of any problems that arise in connection with the
> Registered Name. A Registered Name Holder licensing use of a
> Registered Name according to this provision shall accept liability for
> harm caused by wrongful use of the Registered Name, unless it
> discloses the current contact information provided by the licensee and
> the identity of the licensee within seven (7) days to a party
> providing the Registered Name Holder reasonable evidence of actionable
> harm.

This begs the question: Will you disclose the licensee information?

According to our database statistics, over 60% of all malicious
419-type domains sponsored via Namesilo we recorded, originated at
QHoster.

We are noticing a trend by malicious parties that have their domains
suspended at other registrars moving to the likes of QHoster and
Namesilo. This creates a bullet-proof environment for malicious
domains. To be clear, the malicious activity starts when the domain
name is chosen to impersonate a party or match the fraud. This is not
some innocent domain where the attached hosting services are
compromised and abused.

As such we wish to know where we can find these mandated ICANN RAA
2013 SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS terms on the
QHoster website?

Also, please be as kind as to reveal the licensee details for
santanderin.com as what has been illustrated to you at URL
http://santanderin.com/en/personal.php is actionable harm.

Thank you.

An automated ticket number was generated and received, Ticket ID: 915013
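
The email above identifies proxy-held domains by the registrant contact details they share. As an added example (not part of the original report and not Artists Against 419's own tooling), this Python code parses WHOIS text and groups domains whose registrant organization, street, country and email match while the Registrant Name differs. The first sample record uses fields quoted on this page; the two `.example` records are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
# Registrant fields that stay identical across domains behind one proxy.
FIELDS = ("Registrant Organization", "Registrant Street",
          "Registrant Country", "Registrant Email")

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines (optionally '>'-quoted) into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.lstrip("> \t").partition(":")
        if sep and key.strip() not in record:
            record[key.strip()] = value.strip()
    return record

def fingerprint(record):
    """Case-insensitive tuple of the shared registrant contact fields."""
    return tuple(record.get(f, "").lower() for f in FIELDS)

def shared_registrant_clusters(records):
    """Fingerprints reused under more than one Registrant Name."""
    groups = defaultdict(lambda: defaultdict(list))
    for r in records:
        name = r.get("Registrant Name", "")
        groups[fingerprint(r)][name].append(r.get("Domain Name", "?"))
    return {fp: dict(n) for fp, n in groups.items() if len(n) > 1}

# First record: fields quoted on this page. The other two are constructed.
SAMPLES = [
"""> Domain Name: santanderin.com
> Registrant Name: Michael Dwen
> Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
> Registrant Street: 1 Mapp Str.
> Registrant Country: BZ
> Registrant Email: info@QHoster.com""",
"""Domain Name: constructed-one.example
Registrant Name: Constructed Person
Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
Registrant Street: 1 Mapp Str.
Registrant Country: BZ
Registrant Email: info@qhoster.com""",
"""Domain Name: constructed-two.example
Registrant Name: Another Person
Registrant Organization: Example Org
Registrant Street: 1 Example Rd.
Registrant Country: US
Registrant Email: admin@constructed-two.example""",
]
CLUSTERS = shared_registrant_clusters(parse_whois(s) for s in SAMPLES)
print(CLUSTERS)
```

A contact block that recurs under several different registrant names is the pattern the quoted record shows: a personal Registrant Name paired with the reseller's own organization, address and email.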

The next response was:

Subject: [Ticket ID: 915013] ICANN RAA Mandated Proxy provisions?
Date: 28 Oct 2017 11:14:17 -0400
From: QHoster.com Support <support@qhoster.com>
Reply-To: QHoster.com Support <support@qhoster.com>

QHoster.com

santanderin.com has been disabled.

Let us know the rest active abusing domains so we can check them 1 by 1.

We note that QHoster never supplied the requested details of their proxy service. Nor did they reveal the details of the party spoofing Santander, targeting consumers in 419 fraud.

A day later the following was received:

Subject: [Ticket ID: 915013] ICANN RAA Mandated Proxy provisions?
Date: 29 Oct 2017 14:03:17 -0400
From: QHoster.com Support <support@qhoster.com>
Reply-To: QHoster.com Support <support@qhoster.com>

QHoster.com

Derek Smythe,

This is a notification to let you know that we are changing the status
of your ticket #915013 to Closed as we have not received a response
from you in over 24 hours.

Subject: ICANN RAA Mandated Proxy provisions?
Department: Support
Priority: Medium
Status: Closed

If you have any further questions then please just reply to re-open
the ticket.
Regards,

*QHoster.com*

We notice QHoster never supplied any details of their proxy service, yet it is clearly being abused by malicious parties in actionable harm.

We also notice the stated willingness to investigate the abuse “1 by 1”, yet the ticket was closed within 24 hours without addressing the background issue queried.

Given QHoster’s past history of tolerating domain registrations with clearly bogus registration data, while denying responsibility for them and making them Namesilo’s problem (in conflict with provisions of the ICANN RAA), this latest proxy game being played is totally unacceptable.

It is for all these reasons QHoster’s proxy is being labeled as a Rogue Proxy.

Artists Against 419 is currently contacting the parties that were spoofed or had their content stolen by abusive domains protected by this proxy.