[SecurityRatty] tag: registrar-level

Kentucky Gambling Domains Case Stayed by Court of Appeals

Mon, 17 Nov 2008 04:08:40 +0000

As reported on Poker News, the Kentucky Court of Appeals has granted a stay of a lower court's order to seize 141 gambling-related domain names. That order was made in a case brought by the state under its "gambling devices" statute, a law intended for things like slot machines. The motion to stay came from the Interactive Media Entertainment & Gaming Association, which is affiliated with the domains playersonly.com, sportsbook.com, sportsinteraction.com, mysportsbook.com and linesmaker.com. Several other outside groups have joined the battle, including the Interactive Gaming Council, the Poker Players Alliance, the Electronic Frontier Foundation, the Center for Democracy and Technology, domain registrar Network Solutions, and the Kentucky office of the American Civil Liberties Union. Hat tip to Domain Name News.

A Less Tasteful Internet

Fri, 14 Nov 2008 04:59:47 +0000

It may take awhile, but ICANN can change things for the good. The public comment period is still open on the formal policy on AGP DELETEs, but the stopgap budget measure in place seems to be very effective. ICANN announced that AGP DELETEs declined "... from approximately 17.6M in June 2008 to 2.8M in July 2008." 2.6M of the 2.8M were subject to the fee, so it would seem that even those would continue to decline as the people paying them realize they're wasting their money. AGP DELETEs are the mechanism used by "domain tasters" who register a domain, throw PPC ads up on it and DELETE the registration before five days are up for a full refund of all fees. Under the new budget policy, registrars who exceed a certain threshold of DELETEs as a percentage of total registrations can no longer refund the 20 cent ICANN fee. This alone has led to the massive decline in DELETEs, showing how little margin is involved in each domain. Let's hope that ICANN keeps the policy at least as restrictive as this. Domain tasting may no longer be a problem. ICANN has placed the EstDomains registrar back on death row. Read about it here.

Dissecting the Latest Koobface Facebook Campaign

Thu, 13 Nov 2008 05:08:12 +0000

The latest Koobface malware campaign at Facebook, is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (79.132.211.51)
off34 .com/go/fb.php (79.132.211.51)
youtube-spyvideo .com/youtube_file.html (58.241.255.37)
ahdirz .com/movie1.php?id=638&n=teen (208.85.181.69)
top100clipz .com/m6/movie1.php?id=638&n=teen (208.85.181.67)
hq-vidz .com/movie1.php?id=638&n=teen (208.85.181.68)

The dropper then phones back home to : f071108 .com/fb/first.php (79.132.211.50) with the binaries hosted at a legitimate site that's been compromised :

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake Youtube domains participating :
catshof .com (79.132.211.51)
youtube-spy .info (94.102.60.119)
youtubehof .net (218.93.205.30)
youtube-spyvideo .com (58.241.255.37)
yyyaaaahhhhoooo.ocom .pl (67.15.104.83)
youtube-x-files .com (94.102.60.119)

The development of cybercrime platforms utilizing legitimate infrastructure only, has always been in the works. With spamming systems relying exclusively on the automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Summarizing Zero Day's Posts for October

Tue, 04 Nov 2008 05:28:07 +0000

Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts

New Phishing Hits Domain Owners Accounts At eNom, NetworkSolutions

Thu, 30 Oct 2008 08:17:30 +0000

Sophos have reported a new kind of phishing campaign yesterday. Instead of the regular bank phish, or the more recent university/webmail email account phish, this new campaign targets domain registrar accounts, as per the email below: The email fakes the From address (purports to come from tech@enom.com) and ask the user to update their account due [...]

Spammers Domain Registrar EstDomains Receives ICANN Deactivation Notice

Wed, 29 Oct 2008 21:27:19 +0000

EstDomains, a domain name registrar that worked closely with cyber criminals, suffered another blow after the organization that oversees the net’s address system said it would revoke the company’s right to sell domain names because of a recent fraud conviction of its president in Estonia. EstDomains has been criticized by many security experts for registering [...]

ICANN delays shutting down spammy Estonian registrar

Wed, 29 Oct 2008 21:00:00 +0000

The overseer of the Internet's addressing system said on Wednesday it will delay shutting down a dodgy Estonian domain registrar pending a review.

Public Comment Open On ICANN AGP Limits

Tue, 21 Oct 2008 12:55:38 +0000

ICANN has formulated a new policy for limits on the use of domain DELETEs in the AGP (Add Grace Period). The DELETE was originally intended to allow a registrar to undo a mistake and provide refunds of fees, but it has given rise to the phenomenon of domain tasting in which speculators buy domains and test them out for PPC (pay per click) revenue for several days, and then delete them for refunds. Some then re-register the domains and serially taste them, a practice known as domain kiting. Under the new policy, during any given month, a gTLD operator may not refund to any ICANN-accredited registrar in excess of 10% of that registrar's net new registrations for the month or 50, whichever is higher. Since many registrars far exceed this threshold, with some in excess of 90% DELETEs, the new policy should put a huge dent in the problem. There are also stringent reporting requirements for the gTLD. There is also an "extraordinary circumstances" loophole, but this should be difficult to abuse. At the same time, a public comment period on the new policy has been opened. You may submit comments until November 29, at which point final deliberations on the policy will begin.

Gambling Domains Seized by Kentucky

Sun, 28 Sep 2008 03:32:49 +0000

From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It appears that the seizure order (click here for a copy of the initial order) was signed by a circuit judge, but later reports indicate that the judge is holding further hearings and seeking further arguments. A hearing will be held Oct. 7, according to TheDomains. See page 4 of the seizure order for a complete list of the 141 domains. Here are some of them:

123bingo.com
777dragon.com
indiancasino.com
jackpotcity.com
powerbet.com
crazypoker.com
vegaslucky.com

That sort of thing. According to DomainNameNews, several of the domains are for popular sites, including PokerStars.com, FullTiltPoker.com, BodogLife.com, GoldenPalace.com, Bet21.com, DoylesRoom.com and IndianCasino.com. It also reports that at least one registrar (Enom) has transferred domains pursuant to the order, including one whose registrant died of a heart attack this summer. The seizure order says that the domains are to be transferred by any registrar to a plaintiff's account at that registrar (the plaintiff being the Commonwealth of Kentucky), but that the domain names' configuration will be otherwise unchanged. This means that any gambling sites run on those domains or, for that matter, anything else on those domains, such as PPC ads, would remain functional. All things considered, this seems like simple-minded grandstanding without any good law behind it. The Constitution vests Congress with power to regulate interstate commerce, which the domain name market clearly is. In fact, these businesses are truly international. And it's a safe bet that none of the gambling companies or registrars operates in Kentucky, perhaps not even any of the domain name holders. That the state argues that residents of Kentucky engage in illegal gambling doesn't give the state jurisdiction. The Internet Commerce Association, a domainer lobby, has weighed in on the matter in opposition to the state's move.

Enhanced Domain Protection Services Emerge

Wed, 24 Sep 2008 04:23:16 +0000

Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name Wire revealed that GoDaddy has filed for a patent for "Domain Name Hijack Protection." The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative. This application may be related to GoDaddy's Protected Registration service, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings. GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or some other such reason the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you. And thanks to DomainNameNews for reporting that Moniker, a registrar aimed at higher-volume domain name owners, has launched their DomainMaxLock service. DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:

Provide a government I.D. number for verification of your identity.
Set up custom security questions and answers, further safeguarding your domain assets.
Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.
When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!

It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99. These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.