ICANN is to terminate the contract of a Chinese registrar linked to dodgy pharmaceuticals web sites and other malfeasance.
Nanjing Imperiosus Technology Co, which does business as DomainersChoice.com, has been told it will lose its registrar accreditation February 3.
ICANN said in the termination notice that the company had failed to keep records related to abuse reports, failed to validate Whois records, and failed to provide ICANN with registration records, all in breach of the Registrar Accreditation Agreement.
The breaches related to complaints filed by illegal pharmacy watchdog LegitScript last September, I believe.
DomainersChoice and its CEO Stefan Hansmann were listed in Whois as the owners of potentially hundreds of domains that were being used to sell medicines for conditions ranging from heart disease to erectile dysfunction.
The domains 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net were among those apparently owned by the registrar.
According to LegitScript, thousands of DomainersChoice domains were “rogue internet pharmacies”.
The registrar has also been linked by security researchers to mass typosquatting campaigns.
The company’s web site even has a typo generator. While one could argue such tools are also useful to brand owners, DomainersChoice’s name suggests it’s geared towards domainers, not brands.
DomainersChoice had about 27,000 domains under management at the last count, which ICANN will now migrate to another registrar.
It’s not known how many of those were self-registered domains and how many were being used nefariously, but LegitScript CEO John Horton estimated (pdf) at least 2,300 dodgy pharma sites used the registrar.
A convicted fraudster reportedly escaped from a UK prison by typosquatting.
Neil Moore was serving time on remand when he used a smuggled mobile phone to register a domain name that looked a lot like that of the UK court service, according to local media reports.
The domain, registered last March, was hmcts-gsi-gov.org.uk, a typo of the genuine hmcts.gsi.gov.uk.
Had Moore registered the name after last June, when Nominet enabled direct second-level .uk registrations, he would have been able to get a much more convincing typo.
He populated the Whois with the name of his case’s investigating officer and the address for the Royal Courts of Justice.
He then emailed the prison from his new domain with instructions for his bail.
Prison staff fell for it and he was released.
The scam went unnoticed for three days until his lawyers went to interview him. He handed himself back in to police hours later.
Moore was in prison for socially engineering over £1.8 million ($2.6 million) out of major firms by pretending to be bank staff.
He’s fessed up to several counts of fraud and one count of escape from lawful custody. He’ll be sentenced in April.
Two typosquatters have been fined £100,000 ($156,000) by the UK premium rate phone services regulator.
PhonepayPlus said today that the owners of the typos wikapedia.com and twtter.com, both Dutch companies, were issued the fines for violating its Code of Practice.
R&D Media Europe and Unavalley use the now depressingly commonplace practice of tricking visitors with the promise of iPad prizes into signing up for bogus SMS services at ridiculous fees.
They’ve both been ordered to refund disgruntled customers’ fees.
PhonepayPlus has no powers to take away domain names, of course, so both typos are still active, albeit no longer mimicking the Wikipedia or Twitter look-and-feel.
The regulator did however issue clear guidance that typosquatting is against its rules, stating:
This guidance reminds PRS [premium rate service] providers that they are responsible for all their digital promotions and, if they use marketing firms that mislead consumers through typosquatting, they will be in breach of the Code of Practice.
A Facebook attorney said last year that typos of high-traffic sites, such as facebok.com, could expect to get 250 million visits a year.
A study of typosquatted domain names has found that the practice is reaching pandemic levels for the largest brands, but that there’s surprisingly little malware distribution going on.
The security company Sophos surveyed 2,249 domains that were one letter different to the .com sites of Facebook, Google, Twitter, Apple and Microsoft, and found that two thirds resolved.
Not all of those 1,502 sites were malicious typosquats; some were legitimate sites that just happened to have similarly spelled names (such as goole.com and witter.com), Sophos noted.
Apple was the most-squatted company by this measure: the share of typos that resolved was 61% for Microsoft, 74% for Twitter, 81% for Facebook, 83% for Google and 86% for Apple.
Sophos concluded that “there is a significant typosquatting ecosystem around high-profile, often-typed domain names.”
But it did not find as much malware as it was expecting, with only one domain leading to a malware site, 0.07% of the total.
However, 2.7% of the URLs “fell into the loose category of cybercrime”, which “means they are, or have been, associated with hacking, phishing, online fraud or spamming”.
The report, which also fingers parking services from Demand Media, Sedo, Oversee and Bodis as the recipients of 37% of the typo traffic, contains much more data and is well worth a read.
Annoyingly, it appears that Sophos only surveyed .com domains, so the data doesn’t really tell us much about the impact of TLDs (such as .co) on the typosquatting problem.
Forget phishing, forget cybersquatting, forget typosquatting, high-value domain name owners may have a whole new threat to worry about – “bit-squatting”.
This appears to be the conclusion of fascinating new research to be presented by Artem Dinaburg at the Black Hat and DEF CON hacker conferences in Las Vegas next week.
Defective internet hardware, it turns out, may be enabling a whole new category of typosquatting that could prove worrying for companies already prone to domain name abuse.
According to a summary of Dinaburg’s research, RAM chips can sometimes malfunction due to heat or radiation, resulting in “flipped bits”, where a 1 turns into a 0 or vice-versa.
Because the DNS uses ASCII encoding, a query containing a single flipped bit could actually send the user to a completely different domain name to the one they intended to visit.
To test the theory, Dinaburg appears to have registered the typo domain name mic2osoft.com. While it’s not visually confusing or a likely typo, in binary it is only one bit different to microsoft.com.
The ASCII binary code for the digit 2 is 00110010, which is only one bit different to the lower-case letter r, 01110010.
The binary for the string “microsoft” is:
and the binary encoding for “mic2osoft” is (with the single changed bit highlighted):
Therefore, if that one bit were to be accidentally flipped by a dodgy chip, the user could find themselves sending data to the bit-squatter’s domain rather than Microsoft’s official home.
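The following Python is an added worked example (not code from Dinaburg's research or from this post) showing how the microsoft.com / mic2osoft.com relationship described above can be checked and how a brand owner could enumerate the full set of single-bit-flip neighbours of its own domain for monitoring or defensive registration. It assumes ASCII encoding as the post states, treats only lower-case letters, digits and hyphens as registrable characters, and skips flips of the dot itself (which would merge labels rather than yield a name in the same zone).

```python
from typing import List, Optional, Tuple

# Characters that can appear in a hostname label. Upper-case letters are
# omitted deliberately: 'r' and 'R' differ by one bit (0x20), but DNS is
# case-insensitive, so that flip does not reach a different domain.
VALID_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def to_bits(s: str) -> str:
    """Render an ASCII string as space-separated 8-bit groups."""
    return " ".join(f"{ord(c):08b}" for c in s)


def hamming_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def differing_bit(a: str, b: str) -> Optional[Tuple[int, int]]:
    """(character index, bit number) of the first differing bit, or None.

    Bit 0 is the least significant bit. Only meaningful when the strings
    differ by exactly one bit, which is the bit-squatting case.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        diff = ord(x) ^ ord(y)
        if diff:
            return i, diff.bit_length() - 1
    return None


def bitsquat_candidates(domain: str) -> List[str]:
    """Every single-bit flip of `domain` that is still a valid, distinct hostname."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue  # assumption: flipped label separators are out of scope
        for bit in range(8):  # bit 7 flips leave ASCII and are filtered out below
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped == ch or flipped not in VALID_LABEL_CHARS:
                continue
            candidate = domain[:i] + flipped + domain[i + 1:]
            labels = candidate.split(".")
            # RFC 1035-style sanity check: labels are non-empty and
            # never begin or end with a hyphen.
            if all(lab and not lab.startswith("-") and not lab.endswith("-")
                   for lab in labels):
                found.add(candidate)
    return sorted(found)


if __name__ == "__main__":
    # Constructed demonstration using the two names from the post.
    original, squat = "microsoft", "mic2osoft"
    print(original, "=", to_bits(original))
    print(squat, "   =", to_bits(squat))
    print("hamming distance:", hamming_distance(original, squat))
    print("differing (index, bit):", differing_bit(original, squat))
    for name in bitsquat_candidates("microsoft.com"):
        print(name)
```

Running the script lists every registrable one-bit neighbour of microsoft.com, with mic2osoft.com among them; a brand owner can feed the same function its own domain to get the list worth watching in passive DNS or registering pre-emptively.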
I would assume that this is statistically only a concern for very high-traffic domains, and only if the bit-flipping malfunction is quite widespread.
But Dinaburg, who works for the defense contractor Raytheon, seems to think that it’s serious enough to pay attention to. He wrote:
To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates.
I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.
His conference presentations will also discuss possible hardware and software solutions.
For large companies particularly at risk of typosquatting, the research may also present a good reason to conduct a review of their trademark enforcement strategies.
I’m not going to be in Vegas this year, but I’m looking forward to reading more about Dinaburg’s findings.
The annual Black Hat and DEF CON conferences are frequently the venues where some of the most beautifully creative DNS hacks are first revealed, usually by Dan Kaminsky.
Kaminsky is not discussing DNS this year, judging by the agendas.
The conferences were founded by Jeff Moss, aka The Dark Tangent, who joined ICANN as its chief security officer earlier this year.