Domain seized

NamecheapNamecheap
Namecheap AuctionsNamecheap Auctions
SpaceshipSpaceship
Watch

boker

Top Member
Impact
4,328
Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers where ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
SC-C.SINKHOLE.SHADOWSERVER.ORG
Looks like the domain was used in some kind of cyber attack and they have seized around 800.000 domains. Nobody has told me anything about it and I still have access to everything in the control panel, the only issue is that control panel doesn't have control over everything. Couple of months ago everything was fine, so looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800.000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
I will wait and see if I can do something about this transfer to epik.
 
15
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Unstoppable Domains — AI StorefrontUnstoppable Domains — AI Storefront
Try to stay with me on this.

"[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. "

Knowing that, here is a tweet form Shadowserver:

"Shadowserver @Shadowserver Replying
Sinkhole and ASN resolution is separate. Sinkhole is run by MalwareTech who feeds us the data, we then do ASN matching to IP's "

So MalwareTech runs the sinkhole, according to Shadowserver. Right?

So who is MalwareTech?

According to Wikipedia:

"MalwareTech, is a British computer securityresearcher known for temporarily stopping the WannaCry ransomware attack.[1][2] He is employed by cybersecurity firm Kryptos Logic.[3][4] In August 2017, Hutchins was arrested in Las Vegas (where he was attending the DEF CONconference) after being indicted on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin. Prosecutors allege that Hutchins assisted in the creation and spread of a piece of banking malware known as Kronos in 2014 and 2015. The charges are not related to WannaCry,[5][6] but included the allegations that he created the Kronos malware in 2014, and sold it in 2015 via the AlphaBayforums.[7][8] Hutchins denied any wrongdoing and pleaded not guilty to the charges against him on August 2017.[9] He is out on bailpending trial and remains in Los Angeles.[10]In early June 2018, the U.S. government added four more charges to his indictment.[11 "

It should also be noted that MalwareTech found a temporary "kill switch" for WannaCry ransomware by sinkholing a domain.

Does anyone else see a problem with all of this?
I've just received the court order. It was given on 26 november 2018, almost one year after registration , looks like the registrar found out 4 days later, at that time it was already seized. The order is saying something that they have the authority to seize any domains from the bunch of 800k, from that action two years prior. They have the authority to do whatever they want to. It's not good to give this kind of authority to just couple of guys. What will happen is they don't like ngtlds, .info or any other tld related to icann, they could seize everything. This is a court order from a US judge, I can bet it will be ten times more difficult to do that for cctlds in Europe, you can'd give a court order like this without giving the owners the right to defend.
 
5
•••
I've just received the court order. It was given on 26 november 2018, almost one year after registration , looks like the registrar found out 4 days later, at that time it was already seized. The order is saying something that they have the authority to seize any domains from the bunch of 800k, from that action two years prior. They have the authority to do whatever they want to. It's not good to give this kind of authority to just couple of guys. What will happen is they don't like ngtlds, .info or any other tld related to icann, they could seize everything. This is a court order from a US judge, I can bet it will be ten times more difficult to do that for cctlds in Europe, you can'd give a court order like this without giving the owners the right to defend.

The case is being heavily discussed in the ICANN registrar stakeholder group. Several Chinese registrars have seen this issue and it is common that the registrars cannot delete the sinkholes domains and they keep renewing at the registrar's expense.

As for getting the domain unrestricted, I sent the phone number for the responsible court. You should call them and find out the procedure. Alternatively you can authorize me to do it as your agent and will try to get in touch there and document the whitelisting procedure.

For anyone not familiar with Registrar of Last Resort, it is time to learn about them because registrars are apparently now going to be asked to register these unusable domains at that their expense and then transfer the domains to RoLR. See screen shot of the complaint.

upload_2018-12-28_4-46-47.png


In other words, as of 11/26/18, Sinkholing is the new Gulag. Orwell would be impressed.
 
9
•••
Just talked to the Western PA District Court Clerk's office. There are no law clerks in their office until next Wednesday. They will call me back. They did acknowledge the civil action as being theirs but had no documented process for getting removed. The individual domain gets reviewed by a clerk in the court, and it happens on their timing. So, will pursue this and see where it nets out.

In parallel, a few folks including James Bladel from Godaddy are thoughtfully engaged in the conversation in the registrar stakeholder group. I have summarized the issue as being these:

1. How registrars and registrants get notified about a takedown action.

2. How registrants appeal to be removed from a takedown action and restored to a working state.

3. Who pays for domains that are subject to takedown while the domain is in a sinkhole.

I am quite sure that this is some nasty unaccountable stuff with large scope for abuse. I also find it troubling that Pittsburgh, PA has become ground zero for global takedowns of domains.

I don't doubt that ShadowServer started in 2004 with benevolent intentions by this guy:

https://www.linkedin.com/in/adimino/

However, now it is a nameless and faceless organization complicit in massive takedown operations through the PA court system without due process. That is very troubling.

If anyone has recent experience with ShadowServer or Registrar of Last Resort, or knows the current management personally, please contact me via Direct Message.
 
9
•••
Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

How do we operate?
Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking up coming infections such as Srizbi and Conficker/Downadup.

Friendly registrars .... "Co-conspirators". Fixed it for you.
 
3
•••
If domains are subject to wild west justice, they can never be viable investment assets because their value can be arbitrarily impaired.

To me the term "investment" goes beyond just aftermarket domains with high price tags for domainers or endusers. Investment in a name can also be choosing, branding, printing, development, SEO linking, and use for email. If you build on a reg fee domain name and base your email on it then have it taken away, you are screwed - plus whoever takes it can set up a catchall email and capture all your email and possibly also related accounts.

And your domain could be grabbed after someone else hijacked it and abused it without your knowledge or consent, or it could be grabbed for actions carried out by someone renting the domain or buying it on installments. Or for actions of a previous registrant.
 
Last edited:
5
•••
Update here. Talked to Western District Court Clerk. They could not clarify the appeal process but said to contact the responsible attorneys. I went online and used the PACER database to find the case.

Here are the responsible attorneys:

upload_2018-12-28_8-8-47.png


This is a US Federal District court.

As Pittsburgh is clearly driving this operation, I reached out to Colin Callahan via voicemail and email with cc to the registrant. We'll see how they reply on clarifying the criteria used and the appeal process for removal from this list without onerous or tedious legal action.
 
6
•••
was this more likely to happen this way cause its a european registrar...or things would still happen if say it was on godaddy..epik..etc
 
1
•••
was this more likely to happen this way cause its a european registrar...or things would still happen if say it was on godaddy..epik..etc

Interpol is in the mix here so I doubt it mattered -- the registries are global and the "judicial" (and extrajudicial) machinery are similarly global.

The lead attorney on this case is Jesuit-trained Colin Callahan from GeorgeTown Law. Georgetown is also where ShadowServer was founded. Those with eyes to see can connect the dots.
 
4
•••
1. MalwareTech creates lists of the domains under diguise of ShadowServer.
2. ShadowServer sells list to ISP's.
3. ISP's inform law enforcement.
4. From here it gets cloudy
 
0
•••
1. MalwareTech creates lists of the domains under diguise of ShadowServer.
2. ShadowServer sells list to ISP's.
3. ISP's inform law enforcement.
4. From here it gets cloudy

Do you have incontrovertible proof of this allegation?
 
0
•••
Do you have incontrovertible proof of this allegation?
All of this was found using social media, news interviews, cybersecurity blogs and their own websites, etc.

Is it proof, or enough proof? I would let the lawyers argue that, but it definitely appears to be enough for further investigation.
 
1
•••
All of this was found using social media, news interviews, cybersecurity blogs and their own websites, etc.

Is it proof, or enough proof? I would let the lawyers argue that, but it definitely appears to be enough for further investigation.

Right, I believe it. If you have a reasonably authoritative source I think useful to understand. The folks at RoLR an ShadowServer are very quiet. See on Twitter:

https://twitter.com/Shadowserver

I believe that your conclusion is plausible but a more evidenced summary would be helpful if you can produce one soon.
 
3
•••
So for us beginners—and l am a beginner despite all the stars next to my name, as l took a sabbatical from domaining soon after taking up the undertaking (perhaps the wrong choice of words) and just returned three months ago—is there anyway to protect our domains from such blatant skullduggery?

Thanking any responders in advance....

Lew Riley
 
1
•••
So for us beginners—and l am a beginner despite all the stars next to my name, as l took a sabbatical from domaining soon after taking up the undertaking (perhaps the wrong choice of words) and just returned three months ago—is there anyway to protect our domains from such blatant skullduggery?

Thanking any responders in advance....

Lew Riley

Yes, there is.

First and foremost it is through the existing governance frameworks and through exposing acts of malfeasance and non due process as they occur. I am doing that as are others. There is no joy in it since you make enemies that are not averse to dirty tricks like this one:

https://www.huffingtonpost.com/entr...9e4b05d7e5d846f72?ncid=tweetlnkushpmg00000067

The other thing that the industry can do is design counter-measures that render domains useful independent of ICANN. You could call it seceding from the union but really only as a matter of last resort. I describe it here:

https://gab.com/epik/posts/44196461

My hope is that cooler heads prevail and that industry stakeholders show backbone to protect sovereignty of intellectual property. In particular, Verisign and Godaddy need to show backbone, but otherwise it will come down to the small fry.
 
1
•••
Hello NP's,
IMO the main feasibility of the above mentioned processing is fully argumented and documented proceeding from those all regulators. For example database of logs of any illegal activity on domain(s) owned by private registrars that are by the way obligated with Registry Terms to abide legal and fair usage practice and avoid any misuse especially in terms of malicious IT involvement. Furthermore there are very different developing directions in that regards, for example some advantageous registries are introducing add-on service as a Domain Lock service, while on the other side, in the area of some cCTLD registrars those aside from globally integrated planning - there are periodically occurrences of the major hacks at top NIC registry tables infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat domainers are having a legal responsibility(Terms of Registration) for keeping their registered intellectual property in a good standing(as with many property in realty) particularly from malware broadly affecting internet space system and third parties property as well.
Regards
 
Last edited:
0
•••
Hello NP's,
IMO the main feasibility of the above mentioned processing is fully argumented and documented proceeding from those all regulators. For example database of logs of any illegal activity on domain(s) owned by private registrars that are by the way obligated with Registry Terms to abide legal and fair usage practice and avoid any misuse especially in terms of malicious IT involvement. Furthermore there are very different developing directions in that regards, for example some advantageous registries are introducing add-on service as a Domain Lock service, while on the other side, in the area of some cCTLD registrars those aside from globally integrated planning - there are periodically occurrences of the major hacks at top NIC registry tables infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat domainers are having a legal responsibility(Terms of Registration) for keeping their registered intellectual property in a good standing(as with many property in realty) particularly from malware broadly affecting internet space system and third parties property as well.
Regards
There is no possible way domain owners can currently protect their domain from malware, especially WannaCry, under the current system (that may change). If you feel it is the domain owners legal responsibility, please contribute what could be done by the domain owner.
 
1
•••
Hi, well I'm not much introduced into registry sys networking, but as announced for last year infections the spread through networks was switched off by registration of domain name used for sending endless request intrusions. So, for already present records in registry that should not be a problem but rather the problems are bad practices of non resolving domains left at registrar company default servers that later went changed or so, making significant amount of domain names globally non functioning and thus hazard for other server abuses and spreading malware other ways than mentioned for above specific one. So the best precaution is to set any page than leaving domain reside non configured after registration or transfer and ensure host directories permission protections, to repeat, even for the blank web site / default domain landing page. Regards
 
Last edited:
0
•••
Hello NP's,
IMO the main feasibility of the above mentioned processing is fully argumented and documented proceeding from those all regulators. For example database of logs of any illegal activity on domain(s) owned by private registrars that are by the way obligated with Registry Terms to abide legal and fair usage practice and avoid any misuse especially in terms of malicious IT involvement. Furthermore there are very different developing directions in that regards, for example some advantageous registries are introducing add-on service as a Domain Lock service, while on the other side, in the area of some cCTLD registrars those aside from globally integrated planning - there are periodically occurrences of the major hacks at top NIC registry tables infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat domainers are having a legal responsibility(Terms of Registration) for keeping their registered intellectual property in a good standing(as with many property in realty) particularly from malware broadly affecting internet space system and third parties property as well.
Regards
So, according to you its, let's put the blame on the owner of the stolen car, for the bank robbery?
 
0
•••
Well, I didn't intend to play with you here as a smart a#@.. Still you probably know what is worth about regulations, where all parties obey rules. So in this practical example it should be both registrants and host/registrar responsibility to isolate access to domains configuration, but as with most web companies they are directing advanced services to full service customers as VPS hosters etc. So basic domains accounts without hosting/content are on their own(settings panel) without services known as ddos mitigation, ip filtering etc. At the end to add info on a couple new trends as Domain Lock(speciality of DirectNic), PremiumDNS(NameCheap, ClouDns), and CloudFlare - that in the cases of malicious traffic influx would protect at some degree domains alone without before mentioned website firewall protection mods, and prevent blacklisting at Net security agencies.
 
0
•••
So, according to you its, let's put the blame on the owner of the stolen car, for the bank robbery?
By my knowledge you are certainly obligated to report stolen car as with rules for car registration, insurance etc. that could with now days technics resolve other collateral risks.
 
Last edited:
0
•••
Appraise.net

We're social

Escrow.com
Spaceship
Domain Recover
CryptoExchange.com
Catchy
DomDB
NameFit
  • The sidebar remains visible by scrolling at a speed relative to the page’s height.
Back