
Every bulletproof network begins with the same weakness: ICANN's inability to enforce accurate WHOIS information.

ICANN.

ICANN is a nonprofit organization with headquarters in Marina del Rey, CA. The organization took over registration and accreditation responsibilities from the US government in 1998.

When you register a domain name with an accredited registrar, the registrar records the name with the registry and publishes the contact details you supplied in WHOIS. (ICANN does not hand out an IP address with the domain; IP addresses are allocated separately through the regional Internet registries, and a domain is tied to an address only by the DNS records its owner configures.) ICANN's accreditation agreement requires registrars to collect accurate WHOIS contact information from the customer. Unfortunately, ICANN hasn't been effective in enforcing its own rules.

A GAO audit in 2005 looked into this problem and found that an estimated "2.31 million domain names (5.14 percent) have been registered with patently false data (data that appeared obviously and intentionally false without verification against any reference data) in one or more of the required contact information fields" (from the GAO report "Internet Management: Prevalence of False Contact Information for Registered Domain Names," published in November 2005; see Figure 7-2).

Figure 7-2. GAO analysis of domain contact information

ICANN relies on its accredited registrars to collect accurate registration information, and the registrar is the second layer of the bulletproof network: an ICANN-accredited registrar.

The Accredited Registrar.

A person who wants to create an Internet presence for nefarious purposes needs to find an accredited registrar that won't seek to verify false registration information. This will allow her to enter a pseudonym instead of her real name, as well as false contact information (email and telephone). In the case of StopGeorgia.ru, that registrar was Naunet, a Russian Internet services company that offers domain registration and hosting services.

The Hosting Company.

In the case of StopGeorgia.ru, the registrant acquired hosting services through a small Russian company, SteadyHost.ru, which in turn was a reseller for a London company, Innovation IT Solutions Corp, which contracted with a very large data center and hosting company, SoftLayer Technologies.

SoftLayer Technologies and The Planet, both based in Texas, have proven to be attractive options for spam and phishing websites, as had Atrivo/Intercage, based in Northern California. Atrivo was finally shut down in October 2008, resulting in a temporary worldwide plunge in spam levels, according to the Washington Post's Security Fix column of October 9, 2008.

The Bulletproof Network of StopGeorgia.ru.

Figure 7-3 shows linkages between companies that support the StopGeorgia.ru forum.

StopGeorgia.ru.

As we discussed in Chapter 2, StopGeorgia.ru was a password-protected forum built with a bulletin board software application (phpBB) and launched within 24 hours after the commencement of Russia's ground, sea, and air assault on the nation of Georgia on August 8, 2008.

Cyber attacks against Georgian government websites occurred as early as July 21, 2008, but this particular forum was not active until the day after the invasion. It provided hackers of all levels with vetted target lists, links to malware to be used to attack Georgian government websites, and expert advice for novice hackers (of which there were many).

A WHOIS search on the StopGeorgia.ru domain revealed the following information:

Domain      StopGeorgia.ru
Type        CORPORATE
Nserver     ns1.gost.in
Nserver     ns2.gost.in
State       Registered, Delegated
Person      Private Person
Phone       7 908 3400066
E-mail      [email protected]
Registrar   NAUNET-REG-RIPN

Figure 7-3. The StopGeorgia.ru network.

NAUNET.RU.

NAUNET is a Russian registrar that is blacklisted by the Spamhaus Project for providing cyber crime/spam/phish domains (Spamhaus SBL advisory #SBL67369 01 Dec 2008).

The domain name StopGeorgia.ru was acquired at Naunet.ru. Part of the complaint against Naunet on file at Spamhaus is that it has knowingly accepted false registration information (specifically, invalid name server and IP address data in the WHOIS records), which is in violation of the rules of the Russian Institute for Public Networks (RIPN), the operator of the .ru registry.

In the WHOIS info for StopGeorgia.ru, the phone number 7 908 3400066 and email address [email protected] are both listed in the registration information for a variety of websites selling things such as fake passports, adult porn, and ATM skimmers.

Although the domain information for StopGeorgia.ru doesn't list a person's name, opting instead for the ubiquitous ”private person,” other domains with the same telephone number and email address have been registered under the name Andrej V Uglovatyj.

Andrej V Uglovatyj, however, is most likely a fictitious person. A search on Yandex.com returns only two unique hits for the name. Considering the amount of data being collected online about individuals today, as well as the fact that Andrej V Uglovatyj is purportedly conducting a number of businesses online, receiving so few hits strongly suggests that the name is a pseudonym used in shady domain registrations. For example, see the one shown in Figure 7-4 for fake passports at a website named Dokim.ru.

Figure 7-4. One of Andrej V Uglovatyj's shady domains selling forged documents

The tagline under Dokim.ru reads "Creation of passports and driver licenses for Russia and EU countries."
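The pivot used above, linking an anonymised "Private Person" registration to a named registrant through a shared phone number and e-mail address, is mechanical enough to script. The following Python is an added example, not code from the book or from any of the parties it describes. The WHOIS text it parses is constructed in RIPN's "key: value" layout: the first record reproduces the fields quoted for StopGeorgia.ru (with a placeholder e-mail address standing in for the one redacted on the page), and the other three domains and their contact details are invented for illustration. It normalises phone numbers so that "+7 908 3400066" and "8 (908) 340-00-66" compare equal, follows links transitively (A shares a phone with B, B shares an e-mail with C), and deliberately refuses to pivot on fields such as the registrar or name servers, which thousands of unrelated customers share.

```python
"""Pivot on shared WHOIS contact data to link anonymised domains to a named
registrant. Added example; the WHOIS records below are constructed."""
import re
from collections import defaultdict

# Constructed RIPN-style records. "stopgeorgia.ru" reproduces the fields quoted
# on the page (the e-mail is a placeholder for the redacted address); the other
# three domains and their details are invented for this example.
SAMPLE_WHOIS = {
    "stopgeorgia.ru": """\
domain:    STOPGEORGIA.RU
type:      CORPORATE
nserver:   ns1.gost.in
nserver:   ns2.gost.in
state:     REGISTERED, DELEGATED
person:    Private Person
phone:     +7 908 3400066
e-mail:    registrant@example.invalid
registrar: NAUNET-REG-RIPN
""",
    "dokim.ru": """\
domain:    DOKIM.RU
person:    Andrej V Uglovatyj
phone:     8 (908) 340-00-66
e-mail:    other@example.invalid
registrar: NAUNET-REG-RIPN
""",
    "skimmer-shop.example": """\
domain:    SKIMMER-SHOP.EXAMPLE
person:    Private Person
phone:     +1 555 0100
e-mail:    Registrant@Example.Invalid
registrar: NAUNET-REG-RIPN
""",
    "unrelated.example": """\
domain:    UNRELATED.EXAMPLE
person:    Private Person
phone:     +7 495 0000000
e-mail:    someone-else@example.invalid
registrar: RUCENTER-REG-RIPN
""",
}


def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; repeated keys such as
    nserver keep every value. Comment lines (%) and blanks are skipped."""
    rec = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        rec[key.strip().lower()].append(value.strip())
    return dict(rec)


def normalize_phone(raw):
    """Digits only, in international form: a Russian number dialled with the
    domestic 8 prefix (8 908 ...) is rewritten to its +7 form (7 908 ...)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("8"):
        digits = "7" + digits[1:]
    return digits


def normalize_email(raw):
    return raw.strip().lower()


# Only fields that identify the customer are pivot keys. 'registrar' and
# 'nserver' are shared by unrelated customers, and 'person: Private Person'
# is a privacy flag, so none of them is used for linking.
PIVOT_KEYS = {"phone": normalize_phone, "e-mail": normalize_email}


def contact_indicators(rec):
    """Set of (field, normalised value) pairs usable for pivoting."""
    return {(f, norm(v)) for f, norm in PIVOT_KEYS.items()
            for v in rec.get(f, []) if norm(v)}


def cluster_domains(whois_by_domain):
    """Group domains sharing at least one phone or e-mail, transitively."""
    parsed = {d: parse_whois(t) for d, t in whois_by_domain.items()}
    by_indicator = defaultdict(set)
    for d, rec in parsed.items():
        for ind in contact_indicators(rec):
            by_indicator[ind].add(d)
    clusters, seen = [], set()
    for start in parsed:
        if start in seen:
            continue
        component, queue = set(), [start]
        while queue:                      # breadth-first walk over shared indicators
            d = queue.pop()
            if d in component:
                continue
            component.add(d)
            for ind in contact_indicators(parsed[d]):
                queue.extend(by_indicator[ind] - component)
        seen |= component
        clusters.append(component)
    return clusters, parsed


def attribute(domain, whois_by_domain):
    """Names that appear on other domains in the same cluster as `domain`,
    i.e. the likely registrant behind a 'Private Person' record."""
    clusters, parsed = cluster_domains(whois_by_domain)
    cluster = next(c for c in clusters if domain in c)
    names = {p for d in cluster for p in parsed[d].get("person", [])
             if p.lower() != "private person"}
    return {"linked_domains": sorted(cluster - {domain}), "names": sorted(names)}


if __name__ == "__main__":
    print(attribute("stopgeorgia.ru", SAMPLE_WHOIS))
```

Run against real data, the same functions take the output of `whois` for each domain in a candidate set; the only maintenance is the list of pivot fields, since registries label them differently (RIPN uses `person`, `phone` and `e-mail`; others use `Registrant Name`, `Registrant Phone` and `Registrant Email`).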

SteadyHost.ru.

Performing a WHOIS lookup on the hosting IP address is an important step in following the money trail: someone had to pay for server space to host the PHP forum, which, ironically, used an Army-themed forum template (the ever-stylish camouflage look). The StopGeorgia.ru forum was served from the IP address 75.126.142.110, which leads back to a small Russian company called SteadyHost. The SteadyHost WHOIS record includes the following:

Nserver     ns2.steadyhoster.com
State       Registered, delegated
Person      Sergey A Deduhin
Phone       7 905 4754005
Email       [email protected]
Registrar   RUCENTER-REG-RIPN