FBI seizes Russian fake news domains
The FBI has seized 32 domain names it says were being used by Russian-government-backed interests to peddle fake news to influence the war in Ukraine and the upcoming US presidential elections.
The agency named three sanctioned Russian companies as the owners of the domains, which it said “covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election”.
The FBI called the Russian campaign, which used cybersquatted domains such as fox-news.in and washingtonpost.pm as well as original creations such as waronfakes.com and vip-news.org, “Doppelganger”.
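The cybersquatted names above are brand lookalikes moved to unfamiliar TLDs. As an added example (not code from the FBI, the registries, or the article's author), the Python below flags candidate domains that impersonate a small brand list: it normalizes the second-level label (hyphens stripped, common digit-for-letter swaps undone), then checks for an exact match across TLDs, a brand embedded in a longer label, or a near-miss typosquat. The brand list, the tiny two-label suffix set, and every candidate domain not named in the article are constructed for the demonstration; a real deployment would use the Public Suffix List instead of the hardcoded suffixes.

```python
"""Flag candidate domains that impersonate a list of protected brands.

Added example; not code from any party named in the article. The brand
list, the suffix set and the candidate domains are constructed, except for
the article's own examples (fox-news.in, washingtonpost.pm, waronfakes.com,
vip-news.org).
"""
from difflib import SequenceMatcher

# Constructed brand list: normalized label -> display name.
BRANDS = {
    "foxnews": "Fox News",
    "washingtonpost": "The Washington Post",
}

# Constructed stand-in for the Public Suffix List (assumption: real code
# would load the full list so that e.g. example.co.uk splits correctly).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Digit-for-letter substitutions a squatter commonly uses.
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_label(domain: str) -> tuple[str, str]:
    """Split 'news.fox-news.in' into ('fox-news', 'in'), honouring the
    two-label suffixes above ('foxnews.co.uk' -> ('foxnews', 'co.uk'))."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def normalize(label: str) -> str:
    """Undo hyphenation and digit swaps so 'f0x-news' compares as 'foxnews'."""
    return label.replace("-", "").translate(_DIGIT_SWAPS)


def classify(domain: str, threshold: float = 0.85):
    """Return (brand_key, reason) for a lookalike, or None when clean.

    reason is 'exact' for the brand on a different TLD or with hyphens/digit
    swaps, 'contains' when the brand sits inside a longer label, and 'near'
    when the label is within edit-similarity threshold of the brand (typosquat).
    """
    label, _tld = registrable_label(domain)
    norm = normalize(label)
    for key in BRANDS:
        if norm == key:
            return key, "exact"
        if key in norm:
            return key, "contains"
        if SequenceMatcher(None, norm, key).ratio() >= threshold:
            return key, "near"
    return None


def scan(domains: list[str]) -> dict[str, tuple[str, str]]:
    """Classify a batch of candidate domains; clean ones are omitted."""
    hits = {}
    for domain in domains:
        verdict = classify(domain)
        if verdict is not None:
            hits[domain] = verdict
    return hits


if __name__ == "__main__":
    # Constructed candidate set: the article's four names plus two typosquats.
    candidates = [
        "fox-news.in", "washingtonpost.pm", "waronfakes.com",
        "vip-news.org", "f0xnews.com", "washingtonpots.com",
    ]
    for domain, (brand, reason) in scan(candidates).items():
        print(f"{domain:22} impersonates {BRANDS[brand]} ({reason})")
```

The 'contains' rule deliberately fires after the exact check so that a hyphenated or digit-swapped exact copy is reported as such; the similarity threshold is a tuning knob, and 0.85 is only a starting point for labels of this length.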
Eight domain registrars and registries have been told by a US court to redirect the domains in question to the FBI’s name servers, where they currently serve either a seizure notice, a placeholder, or counter-propaganda presented as news.
Identity Digital was told to grab the most domains — 11 in total, across .info, .media, .ltd, .agency and .io. Verisign was told to redirect six .com and .net names. Namecheap, as registrar, had to take action on six, in .org, .press and .us.
GoDaddy was told to seize three, in .co (as registrar) and .work (as registry). Domains at NameSilo and Tucows were also affected.
In one case, the FBI went after the Palau-based registry for forward.pw, and in another it went after Finland-based Sarek, the registrar for washingtonpost.pm.
US Feds seize 33 Iranian news site domains
The US government said it has seized control of 33 domain names previously belonging to an Iranian TV news station that the US considers linked to terrorism.
The Department of Justice said the domains had been registered by the Iranian Islamic Radio and Television Union, which it said is controlled by the Islamic Revolutionary Guard Corps Quds Force, an organization the US has designated as terrorist.
Among the domains is presstv.com, used by Press TV, an Iranian state-owned station that broadcasts news in English and French.
The DoJ said the sites were “disguised as news organizations or media outlets” and “targeted the United States with disinformation campaigns and malign influence operations”.
All of the seized names reportedly use .com, .net and .tv domains, which are all operated by Verisign.
The DoJ obtained a court order to grab the names.
As an overseas registrar was used to register the names, it appears the court order instructed Verisign, based in the US, to hand them over.
The domains now direct to a US government placeholder informing visitors of the seizure. Some of the affected web sites have reportedly started using new domains.
Under US law, “Specially Designated Nationals” listed by the Office of Foreign Assets Control are forbidden from obtaining services from US companies without a special license.
The DoJ said it has seized an additional three domains owned by Kata’ib Hizballah (Kataib Hezbollah), an Iraqi militia backed by Iran.
Spam is not our problem, major domain firms say ahead of ICANN 66
Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.
In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.
That abuse comprises malware, phishing, botnets, pharming and spam.
The companies agree that these are activities which registrars and registries “must” act upon.
But the document makes clear that not all spam is their responsibility, stating:
While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.
In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.
The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.
It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.
Neither the standard Registry Agreement nor the Registrar Accreditation Agreement mentions spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.
Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.
They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.
However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.
The DAAR report for September shows that spam constituted 73% of all tracked abuse.
The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.
Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.
The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.
The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.
Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.
They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.
But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.
During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.
“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.
Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.
The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.
While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.
But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.
While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.
Some of the signatories are perhaps surprising, given their past or ongoing efforts to tackle content-based abuse in their own zones.
Nominet, notably, takes down tens of thousands of domains every year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.
The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.
Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.
PIR has previously endorsed, then unendorsed, the principle of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.
Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed to “must”, one assumes, in the sense those words carry in internet standards such as RFC 2119) suspend domains when they’re being used to distribute:
(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.
These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.
Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.
The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.
Cops say new gTLDs shouldn’t launch without a Big Brother RAA
Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.
Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.
They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.
The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.
“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”
“It’s very, very important that we are able to identify perpetrators, able to identify the originators, and it’s not enough that you just put in the email or phone,” he said.
He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.
Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.
Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.
The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.
Cops seize 36 carder domains
The FBI and UK Serious Organised Crime Agency have seized 36 domain names that were allegedly being used to sell compromised credit card information.
As well as seizing the domains and a number of computers, SOCA said it has arrested two men “suspected of making large scale purchases of compromised data” from the sites.
The sites all used what SOCA calls “automated vending cart” software to process the sale of credit card information. Judging by the video below, some of the operations were fairly professional.
One of the seized domains was cvvplaza.com. SOCA provided the following video which really has to be seen to be believed.
I wonder if the spokesmodel had any idea what she was getting into when she accepted this gig.
While the full list of domains was not released, a SOCA spokesperson said the breakdown by TLD was as follows:
.name – 2
.net – 11
.biz – 4
.us – 5
.com – 11
.org – 3
These are all TLDs whose registries are based in the United States, so I’m guessing the US authorities did the actual seizing.
Feds seize billion-dollar poker domains
Five domain names associated with online poker sites have been seized by the FBI as part of an investigation that has also seen 11 people indicted.
The principals of PokerStars, Absolute Poker and Full Tilt Poker, along with third-party “payment processors”, stand accused of engaging in a massive money laundering scheme in order to accept billions of dollars of payments from American gamblers in violation of US laws.
The charges carry possible maximum sentences of between five and 30 years in prison, along with substantial monetary fines. Two men have been arrested, a third is due to be arraigned, and the remainder are currently outside of the US, according to a press release (pdf).
The US Attorney for the Southern District of New York said five domain names have been seized by the FBI in connection with the prosecutions.
It’s not yet clear which domains have been seized.
From where I’m sitting in London, absolutepoker.com already shows an FBI warning banner, but pokerstars.com and fulltiltpoker.com both resolve normally. I may be receiving cached DNS data.
Blogger Elliot Silver, sitting behind a resolver on the other side of the pond, reports that ub.com is among the seized domains.
Unlike previous recent seizures, which were carried out by the US Immigration and Customs Enforcement agency, this time the FBI appears to be the responsible agency.
And this time, these aren’t two-bit file-sharing forums or Chinese knock-off merchandise sites; we’re talking about businesses that are perfectly legal in many jurisdictions, clearing billions in revenue.
But according to the US Attorney’s charges, the companies carried out an elaborate plan to cover up the sources of their revenue through third parties and phoney bank accounts.
The companies are even alleged to have made multi-million dollar investments in failing banks in order to get them to turn a blind eye to the illicit gambling activities.
It appears that the FBI went straight to the .com registry, VeriSign, as some of the affected domains appear to be registered through UK-based corporate registrar Com Laude.
If you’re wondering whether this is yet another confirmation that all .com domains are subject to US jurisdiction, this is your takeaway sentence, from Manhattan US Attorney Preet Bharara:
Foreign firms that choose to operate in the United States are not free to flout the laws they don’t like simply because they can’t bear to be parted from their profits.
The suits seek $3 billion in allegedly ill-gotten gains to be returned.
IP address privacy policy killed
A proposal that would have brought the equivalent of domain name proxy registrations to IP addresses in North America has been dropped after its author had a chat with the FBI.
The policy would have allowed ISPs that take their IP addresses from ARIN, the American Regional Internet Registry, to substitute their own contact information in place of their customers’ details.
Proposing the policy, Aaron Wendel of WholesaleInternet.com initially said that the requirement to publish customer lists into a Referral Whois (RWHOIS) database “runs contrary to good business practices” and allows ISPs to poach each other’s customers.
Wendel publicly withdrew his proposal an hour ago at the ARIN meeting in Toronto, shocking some attendees.
He said he was doing so after a late-night session hearing the concerns of an FBI agent who is at the meeting, as well as conversations with members of ARIN staff.
The proposed policy had also been criticized by companies including Paypal, and many security experts.
RWHOIS allows any internet user to identify the user of an IP address in much the same way as Whois allows domain name registrants to be identified.
It is regularly used by law enforcement to track down spammers and other online crooks.
Unlike Whois, RWHOIS has a carve-out protecting residential users.