Domain seized

Located in General Domain Discussion started by boker, Dec 27, 2018.

Replies:
67
Views:
3,477

  1. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers were ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
    SC-C.SINKHOLE.SHADOWSERVER.ORG
    Looks like the domain was used in some kind of cyber attack and they have seized around 800,000 domains. Nobody has told me anything about it and I still have access to everything in the control panel, the only issue is that the control panel doesn't have control over everything. A couple of months ago everything was fine, so it looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800,000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
    I will wait and see if I can do something about this transfer to epik.
     
  2. Bob Hawkes

    Bob Hawkes formerly MetBob NameTalent VIP

    Posts:
    2,270
    Likes Received:
    4,501
    Thanks for letting us know. So I see that the alleged use was well prior to your hand registration. It seems to me that a hand registration should not have been allowed and your money should be returned. I am concerned that it can be done without the owner being informed - so I take it you would be allowed to build a website on it, just can't transfer it?
     
  3. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    No, they have changed the nameservers as well, even though in the control panel it shows undeveloped nameservers. As far as I know until a few months ago the domain was resolving fine, to undeveloped, so it's something recent.
     
  4. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    Discussing this case with @boker.

    The domain was a hand-registration in 2018. The ShadowServer sting operation referenced here was in December 2016. Apparently long after that they were able to update the registrant's DNS without notification for a domain that was no longer owned by the same organization as was the apparent registrant in 2016.

    The domain is locked against his will at the current registrar, Registrar.IT, where he holds 30 domains. This domain had its DNS changed without notification to the registrant. It appears as follows now:

    Domain Name: OREUX.COM
    Registry Domain ID: 2211579716_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.register.it
    Registrar URL: http://we.register.it
    Updated Date: 2018-07-28T00:00:00Z
    Creation Date: 2018-01-11T00:00:00Z
    Registrar Registration Expiration Date: 2019-01-11T00:00:00Z
    Registrar: REGISTER.IT S.P.A.
    Registrar IANA ID: 168
    Registrar Abuse Contact Email: [email protected]
    Registrar Abuse Contact Phone: +39.5520021555
    Reseller:
    Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
    Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
    Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited

    Name Server: SC-D.SINKHOLE.SHADOWSERVER.ORG
    Name Server: SC-A.SINKHOLE.SHADOWSERVER.ORG
    Name Server: SC-B.SINKHOLE.SHADOWSERVER.ORG
    Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG

    For those unaware, ShadowServer is the group that is aligned and funds Registrar of Last Resort, who Epik has called out for running the "Gitmo" of domains. More here:

    https://twitter.com/EpikDotCom/status/1073638817373061120

    It seems pretty clear that we have a case where a registrant was not given due process before their DNS was disabled and the domain was quarantined at the existing registrar -- the registrant cannot move or use the domain presently.

    Finally, since we are talking about 800,000 domains included in the December 2016 sting operation, it is entirely possible that this was some clerical error that re-seized a domain from that list. Nevertheless, the registrant is still owed disclosure and due process and therein lies a major problem.
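    The two symptoms described in this thread (a control panel that still shows the registrant's own nameservers and an unlocked domain, while the public WHOIS record carries server*Prohibited statuses and sinkhole nameservers) can be checked mechanically. The following Python is an added example, not code from the thread, NamePros, Epik or any registrar: it parses the WHOIS record quoted in the post above and compares it with the nameservers the registrant expects (ns1.undeveloped.com, from the opening post). The function names, the list of registry-side lock codes and the "sinkhole" label heuristic are the example's own assumptions; the WHOIS text is taken from the thread.

```python
"""Audit a WHOIS record for registry-level locks and sinkhole delegation.

Added example (not the thread's or any registrar's code). It shows why
checking the registrar control panel alone is not enough: server* status
codes and the registry's delegation only appear in the public WHOIS record.
"""

# WHOIS record as quoted in the thread above (abuse contact omitted).
SAMPLE_WHOIS = """\
Domain Name: OREUX.COM
Registry Domain ID: 2211579716_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.register.it
Registrar URL: http://we.register.it
Updated Date: 2018-07-28T00:00:00Z
Creation Date: 2018-01-11T00:00:00Z
Registrar Registration Expiration Date: 2019-01-11T00:00:00Z
Registrar: REGISTER.IT S.P.A.
Registrar IANA ID: 168
Reseller:
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: SC-D.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-A.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-B.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG
"""

# EPP status codes only the registry can set or clear (assumed list for this
# example): a registrant or registrar cannot remove them from the control panel.
REGISTRY_LOCKS = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverHold",
}

# Heuristic (an assumption of this example): sinkhole operators tend to put
# the word "sinkhole" in the nameserver hostname, as in the record above.
SINKHOLE_MARKERS = ("sinkhole",)


def parse_whois(text):
    """Parse 'Key: Value' WHOIS output into the fields the audit needs."""
    rec = {"domain": None, "statuses": set(), "nameservers": [], "updated": None}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; dates contain colons
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec["domain"] = value.lower()
        elif key == "domain status":
            rec["statuses"].add(value.split()[0])  # drop the trailing EPP URL
        elif key == "name server" and value:
            rec["nameservers"].append(value.lower().rstrip("."))
        elif key == "updated date":
            rec["updated"] = value
    return rec


def audit(record, expected_ns):
    """Compare the public WHOIS record with what the control panel claims.

    Returns a list of human-readable findings; an empty list means the public
    record agrees with the registrant's view of the domain.
    """
    findings = []

    locks = sorted(record["statuses"] & REGISTRY_LOCKS)
    if locks:
        findings.append(
            "registry-level lock(s) present, registrant cannot clear them: "
            + ", ".join(locks)
        )

    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    actual = set(record["nameservers"])
    if actual != expected:
        findings.append(
            f"delegation differs from control panel: registry={sorted(actual)} "
            f"panel={sorted(expected)}"
        )

    sink = [ns for ns in record["nameservers"]
            if any(marker in ns for marker in SINKHOLE_MARKERS)]
    if sink:
        findings.append(f"domain delegated to sinkhole nameservers: {sorted(sink)}")

    return findings


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    # ns1.undeveloped.com is what the opening post says the control panel showed.
    for finding in audit(record, ["ns1.undeveloped.com"]):
        print(f"[{record['domain']}] {finding}")
```

Run it against a fresh `whois` dump rather than the embedded sample to check your own portfolio; the "Updated Date" field the parser keeps is the first thing to compare against your own change history when a delegation mismatch is reported.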
     
  5. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    The main thing is it's not about the domain name, because it was a hand reg, so I will not lose big, but what about the ones who paid big money for a domain which was seized? 800k domains to seize is a big number and it could affect the new owners who don't have anything to do with it. @Rob Monster from epik will check it out, so if something can be done, for sure he will be able to do it.
     
  6. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    The issue is a "Due Process" issue. Anyone here that is on the ICANN Registrar Stakeholder Group knows that I have taken a strong stance on this issue. If domains are subject to wild west justice, they can never be viable investment assets because their value can be arbitrarily impaired. That is one of the main reasons that I have been dogmatic about due process. Gab.com was much higher profile but it was the same issue -- unlawful impairment of a domain name without due process. This case here is for a parked domain but it actually is more egregious because the registrant was apparently not notified of the impairment action. I have written to the Registrar Stakeholder Group now to see if someone familiar with Registrar.IT or ShadowServer can explain what happened and expedite a resolution.
     
  7. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    I don't think that register.it knows anything about it, because at registrar level everything shows fine, my contact info, I have access to dns settings, auth code and everything else, so it looks like it's a perfectly viable domain, but when you want to use it, then you notice that something is fishy. I will have to wait for a response from register.it, but sometimes it takes days for them to respond, so you can't count on them.
     
  8. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    That would be even more concerning - a .com that was centrally updated without notifying the registrar. I have not heard of such a thing so I would be very surprised to discover it here. There is a "Trusted Notifier" program being adopted by some registries. That said, stealth updates of domains would be something new as far as I know. Let's see what comes back from the ICANN Registrar Stakeholder Group or Registrar.It.
     
  9. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
  10. CJ6

    CJ6 This BlTCH is hooked on NP. Gotta have it. VIP

    Posts:
    2,487
    Likes Received:
    2,758
    I wonder how many of HugeDomains' domains were seized.
     
  11. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    I wonder more how valuable the seized domains were. Mine was a 5L.com but I can bet there were more valuable domains seized out of the 800k. Looks like it's very easy to seize a domain, without even notifying the owner, so that he can defend himself.
     
  12. Bob Hawkes

    Bob Hawkes formerly MetBob NameTalent VIP

    Posts:
    2,270
    Likes Received:
    4,501
    Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

    How do we operate?
    Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.
     
  13. Internet.Domains

    Internet.Domains Active Member VIP

    Posts:
    999
    Likes Received:
    2,451
    "Future malicious names"....That sounds very troubling.

    How can anyone, or any bot, know what a "future malicious name" is?

    Are they cross checking databases and going after other domains owned by a portfolio holder?
     
  14. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    No reply yet from ShadowServer.

    As for the description, it does sound like a page out of Minority Report, i.e. registering and holding tons of domains that could be malicious in the future. This entails a cost. Who pays it?

    I get why services like this exist as there are malware distributors and phishers. Where it gets complicated is when these same services become apparatus for arbitrary takedowns and quarantine without due process.

    In light of the rise of arbitrary censorship, we are all getting a crash course in the function and mandate of services like ShadowServer and Registrar of Last Resort as their roles seem to be evolving.
     
    Last edited: Dec 28, 2018
  15. maksimfa

    maksimfa Active Member VIP Trusted Contest Holder

    Posts:
    1,024
    Likes Received:
    936
    The lack of due process is severely disturbing... akin to the "no fly" lists out there.
     
  16. Internet.Domains

    Internet.Domains Active Member VIP

    Posts:
    999
    Likes Received:
    2,451
    Questions for clarification @Rob Monster

    Is the registrar notified when there is a quarantine?

    If so, is there any responsibility for the registrar to inform the registrant?

    Or, are these questions that need to be addressed in the "due process" guidelines which you so rightly advocate?
     
  17. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
  18. Internet.Domains

    Internet.Domains Active Member VIP

    Posts:
    999
    Likes Received:
    2,451
    To add further confusion I found this from ShadowServer:


    Shadowserver does not create, maintain, or distribute any blacklists. It does not make such lists available for this purpose in any format. What Shadowserver does is to assemble reports and data sets that provide information on any activity detected on an IP that was involved or referenced in a malicious act. Providing this scope of data pertaining to malicious activity means that absolutely innocent IP's could potentially be reported. This is understood, and must be processed accordingly by the consumers of our reports. There are many different reasons why this can occur. Some of the ways we see this are as follows:

    1. Spam messages referring to a real URL to help show legitimacy of the message
    2. URL forwarding to a sinkhole location
    3. Referenced URL in a communication between malicious actors

    Of course, there are many ways that people may believe themselves innocent while being infected. The purposes of our reports are to illuminate a possible problem. The consumers of these reports are the ones that need to decide an appropriate action from those reports. Several of our consumers create black or block lists from our data. Any issues pertaining to this blocking activity needs to be addressed directly with them. We do not suggest any specific action except investigation and possible remediation.


    So who are the "consumer(s)" that seizes the reported domains? ICANN? Registries?

    Source:
    https://www.shadowserver.org/wiki/pmwiki.php/Involve/BlacklistsAndBlocking
     
    Last edited: Dec 28, 2018
  19. Internet.Domains

    Internet.Domains Active Member VIP

    Posts:
    999
    Likes Received:
    2,451
    In the name of security, "low level bad domains" can be quarantined. Basically any domain can be identified and quarantined accordingly.

     
    Last edited: Dec 28, 2018
  20. Internet.Domains

    Internet.Domains Active Member VIP

    Posts:
    999
    Likes Received:
    2,451
    Try to stay with me on this.

    "[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. "

    Knowing that, here is a tweet from Shadowserver:

    "Shadowserver @Shadowserver Replying
    Sinkhole and ASN resolution is separate. Sinkhole is run by MalwareTech who feeds us the data, we then do ASN matching to IP's "

    So MalwareTech runs the sinkhole, according to Shadowserver. Right?

    So who is MalwareTech?

    According to Wikipedia:

    "MalwareTech, is a British computer security researcher known for temporarily stopping the WannaCry ransomware attack.[1][2] He is employed by cybersecurity firm Kryptos Logic.[3][4] In August 2017, Hutchins was arrested in Las Vegas (where he was attending the DEF CON conference) after being indicted on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin. Prosecutors allege that Hutchins assisted in the creation and spread of a piece of banking malware known as Kronos in 2014 and 2015. The charges are not related to WannaCry,[5][6] but included the allegations that he created the Kronos malware in 2014, and sold it in 2015 via the AlphaBay forums.[7][8] Hutchins denied any wrongdoing and pleaded not guilty to the charges against him on August 2017.[9] He is out on bail pending trial and remains in Los Angeles.[10] In early June 2018, the U.S. government added four more charges to his indictment.[11]"

    It should also be noted that MalwareTech found a temporary "kill switch" for WannaCry ransomware by sinkholing a domain.

    Does anyone else see a problem with all of this?
     
    Last edited: Dec 28, 2018
  21. boker

    boker Active Member VIP

    Posts:
    7,598
    Likes Received:
    1,273
    I've just received the court order. It was given on 26 November 2018, almost one year after registration, looks like the registrar found out 4 days later, at that time it was already seized. The order is saying something that they have the authority to seize any domains from the bunch of 800k, from that action two years prior. They have the authority to do whatever they want to. It's not good to give this kind of authority to just a couple of guys. What will happen if they don't like ngtlds, .info or any other tld related to icann, they could seize everything. This is a court order from a US judge, I can bet it will be ten times more difficult to do that for cctlds in Europe, you can't give a court order like this without giving the owners the right to defend.
     
  22. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    The case is being heavily discussed in the ICANN registrar stakeholder group. Several Chinese registrars have seen this issue and it is common that the registrars cannot delete the sinkholed domains and they keep renewing at the registrar's expense.

    As for getting the domain unrestricted, I sent the phone number for the responsible court. You should call them and find out the procedure. Alternatively you can authorize me to do it as your agent and I will try to get in touch there and document the whitelisting procedure.

    For anyone not familiar with Registrar of Last Resort, it is time to learn about them because registrars are apparently now going to be asked to register these unusable domains at their expense and then transfer the domains to RoLR. See screen shot of the complaint.

    [screenshot of the complaint: upload_2018-12-28_4-46-47.png]

    In other words, as of 11/26/18, Sinkholing is the new Gulag. Orwell would be impressed.
     
  23. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    Just talked to the Western PA District Court Clerk's office. There are no law clerks in their office until next Wednesday. They will call me back. They did acknowledge the civil action as being theirs but had no documented process for getting removed. The individual domain gets reviewed by a clerk in the court, and it happens on their timing. So, will pursue this and see where it nets out.

    In parallel, a few folks including James Bladel from Godaddy are thoughtfully engaged in the conversation in the registrar stakeholder group. I have summarized the issue as being these:

    1. How registrars and registrants get notified about a takedown action.

    2. How registrants appeal to be removed from a takedown action and restored to a working state.

    3. Who pays for domains that are subject to takedown while the domain is in a sinkhole.

    I am quite sure that this is some nasty unaccountable stuff with large scope for abuse. I also find it troubling that Pittsburgh, PA has become ground zero for global takedowns of domains.

    I don't doubt that ShadowServer started in 2004 with benevolent intentions by this guy:

    https://www.linkedin.com/in/adimino/

    However, now it is a nameless and faceless organization complicit in massive takedown operations through the PA court system without due process. That is very troubling.

    If anyone has recent experience with ShadowServer or Registrar of Last Resort, or knows the current management personally, please contact me via Direct Message.
     
  24. Rob Monster

    Rob Monster CEO, Epik Epik.com Staff PRO Gold Account VIP

    Posts:
    321
    Likes Received:
    1,107
    Friendly registrars .... "Co-conspirators". Fixed it for you.
     
  25. carob

    carob Active Member VIP

    Posts:
    3,027
    Likes Received:
    3,602
    To me the term "investment" goes beyond just aftermarket domains with high price tags for domainers or endusers. Investment in a name can also be choosing, branding, printing, development, SEO linking, and use for email. If you build on a reg fee domain name and base your email on it then have it taken away, you are screwed - plus whoever takes it can set up a catchall email and capture all your email and possibly also related accounts.

    And your domain could be grabbed after someone else hijacked it and abused it without your knowledge or consent, or it could be grabbed for actions carried out by someone renting the domain or buying it on installments. Or for actions of a previous registrant.
     
    Last edited: Dec 28, 2018
