Fw: Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure
Forwarded message.

Danny,

In our continuing effort to shed light on the dark corners of the Internet we have produced this report on the Directi Group, a fairly large player in the Registrar world. We have highlighted their use of the controversial service PrivacyProtect.org, their continued sponsorship of fake pharmacy domains, and their apparent ability to get Registrar accreditations for 48 Phantom Companies.

The full report with documentation, data and links to supporting articles is here:
http://www.knujon.com/news.html#directi

PDF version:
http://www.knujon.com/KnujonReport_directi_fakeRX_privacyprotect082808.pdf

********************************************

48 Phantom Registrars

KnujOn has found at least 48 ICANN-accredited Registrars that do not seem to exist. All of the Registrars in question are affiliated with the Directi Group (Directi, PublicDomainsRegistry, Answerable, LogicBoxes). Our attention was first brought to them when we released our report of the Ten Worst Registrars for illicit domains, spam, and false registrations. At the time, in some records Directi's address was listed as: "14525 SW Millikan #48732 Beaverton Oregon". Directi has since denied this and now disclosed its address as being in Mumbai, India. This prompted us to take a closer look at all the Registrars in Internic's (ICANN) directory affiliated with Directi and presenting themselves as being located in the United States.

8 Directi-affiliated Registrars list their address on the Internic Registrar Directory as:

14525 SW Millikan #48732
Beaverton Oregon

In examining the directory for the other 40 Directi-affiliated Registrars, we find an even more confusing address:

15 West 47th Street
New York, NY 10036 Oregon
United States
+1-650-331-0716

The first line is obviously ambiguous with "Oregon" on the end of a New York address. An additional layer of confusion is added by the fact that "650-331-0716" is a San Mateo, California phone number. So, where are these companies? New York, Oregon, California or Mumbai? There is nothing wrong with having multiple business locations, but this fact is not disclosed on any of their websites or at Internic.

Next, we set out to verify if any of these companies were real. Because of the confusing addresses we researched the New York, Oregon, California and India business registries. None of the Directi-affiliated companies listed in the Internic Registrar Directory are real licensed companies:

Jumbo Name, Inc.
Your Domain King, Inc.
Fenominal, Inc.
Game For Names, Inc.
Ever Ready Names, Inc.
Find Good Domains, Inc.
Go Full House, Inc.
Instinct Solutions, Inc.
Name Perfections, Inc.
Need Servers, Inc.
Network Savior, Inc.
Power Carrier, Inc.
Power Namers, Inc.
Super Name World, Inc.
Tech Tyrants, Inc.
The Registrar Service, Inc.
Trade Starter, Inc.
Unpower, Inc.
Venus Domains, Inc.
Yellow Start, Inc.
Zone Casting, Inc.
Extend Names, Inc.
Extremely Wild Key Registrar, Inc.
Magic Friday, Inc.
Name To Fame, Inc.
Net Juggler, Inc.
Unified Servers, Inc.
Names Bond, Inc.
Specific Name, Inc.
Genuine Names, Inc.
Best Site Names, Inc.
Get Real Names, Inc.
Global Names Online, Inc.
Naming Associate, Inc.
The Names Registration, Inc.
Cool Ocean, Inc.
Names Real, Inc.
Big Domain Shop, Inc.
Colossal Names, Inc.
Click Registrar, Inc.
Cotton Water, Inc.
Crystal Coal, Inc.
Curious Net, Inc.
Domain Band, Inc.
Domain Mantra, Inc.
Platinum Registrar, Inc.

There is an expression that a company can "exist only on paper", but in this case we don't even have that.

********************************************

The Fake Pharmacies

We have collected content and data for the 19,000-plus domains using the PrivacyProtect.org service that have been advertised through spam and narrowed the analysis down to 9,156 domains that are currently active. What has been found is very interesting and helps explain how a rogue Registrar can play a big role in supporting massive fake pharmacy networks.

Starting with a list of 1,820 fake pharmacy domains all using PrivacyProtect.org and all registered through Directi/PublicDomainsRegistry, we find these sites are all served from 132.206.106.15, an IP at McGill University (likely a compromised machine, maybe even that of a student). Half of the content for the sites is served from an IP in Austria, the other half from an IP in the UK. (See the full list)

We could call McGill today and get this IP closed, but it would only be a temporary obstacle for the criminals. In fact, since KnujOn collected this data the sites have already moved to 61.153.209.98, which is Donghai University in China. These networks are very nimble; the content is highly portable and deployed by scripted kits.

This is where the Registrar comes in. They have to make the sites resolve at a new location quickly. The IP addresses of the fake pharmacies change, but the Registrar and proxy registration service are constants. The nameservers for these sites are all at Directi/PublicDomainsRegistry and also shielded by PrivacyProtect.org. Their subtle misdirection provides cover. If a consumer complains to Directi/PublicDomainsRegistry about these sites, they simply direct them to the ISP host that serves the content. If and when the site content is closed by the ISP host, Directi/PublicDomainsRegistry just helps them set up at a new IP. The true owners are of course shielded by PrivacyProtect.org. It's a cycle they have adapted to, so the fake online pharmacy business continues with minimal interruptions. (Download full list of Directi/PrivacyProtect Rx domains with most recent IP)

********************************************

Secret Infrastructure

The service that shields ownership of the unlicensed pharmacies, PrivacyProtect.org, is itself a phantom with undisclosed ownership. It was revealed in a Washington Post article that the Directi Group actually owns PrivacyProtect.org, a fact they did not deny when they responded to the article.

In summary, we have thousands of illicit domains cloaked by a company which is also anonymously owned. The domains are all sponsored by the Directi Group, which is affiliated with 48 Registrars that cannot be proven to be real entities. Clearly there are serious problems with oversight, due diligence, and accountability. How can the consumer be protected under these conditions?

While Directi claims they will suspend illicit domains, KnujOn has found on many occasions Directi-sponsored domains being removed temporarily only to be restored after a brief period with the same content (See "Suspended" Pharmacy Domains Reappear at Same Registrar & Nameserver). The sheer volume of fake pharmacies at Directi is daunting, and given the fact that they can all be traced to one source, PrivacyProtect.org, would it not be time for Directi to reconsider its relationship with PrivacyProtect.org if they are serious about solving the problem? As for ICANN, how is it possible that so many companies can be granted accreditation with unverified credentials?

-Garth

-------------------------------------
Collect, analyze, enforce, repeat...
Garth Bruen
gbruen@knujon.com
http://www.knujon.com

Presenting at the NYC OWASP 09.24.08
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
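The forwarded report makes one point that is directly useful to an abuse analyst: the hosting IPs of the pharmacy domains churn, while the sponsoring registrar, the nameservers and the proxy-registration service stay fixed. The following is an added example, written for this archive page and not code from KnujOn or from any registrar, showing how a defender can pivot on those constants instead of on the IP: it groups WHOIS/DNS observations by (registrar, nameserver set, proxy service) and flags groups in which several domains changed hosting together while the constants held. All records are constructed; RegistrarX, RegistrarY, the nameserver and proxy hostnames and the *.example domains are placeholders, and the IPs are RFC 5737 documentation addresses.

```python
"""Pivot on the constants of a domain cluster: registrar, nameservers, proxy.

Added example (not from the KnujOn report or any registrar). Hosting IPs
change; the registrar, NS set and proxy-registration service do not, so
abuse tracking keys on those. Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    domain: str
    registrar: str
    nameservers: tuple  # sorted tuple of NS hostnames
    proxy: str          # WHOIS privacy/proxy service, "" if none
    ip: str             # A record observed for the domain
    seen: date          # observation date


# Placeholder constants for the constructed data set.
NS_X = ("ns1.registrarx.example", "ns2.registrarx.example")
PROXY_X = "ProxyService.example"


def rec(domain, ip, day, registrar="RegistrarX", ns=NS_X, proxy=PROXY_X):
    """Shorthand for building a constructed observation."""
    return Observation(domain, registrar, ns, proxy, ip, day)


# Constructed sample: three proxy-shielded domains at one registrar move
# host together after two weeks; an unrelated domain elsewhere stays put.
OBSERVATIONS = [
    rec("rx-a.example", "192.0.2.10", date(2008, 8, 1)),
    rec("rx-b.example", "192.0.2.10", date(2008, 8, 1)),
    rec("rx-c.example", "192.0.2.10", date(2008, 8, 1)),
    rec("rx-a.example", "198.51.100.7", date(2008, 8, 15)),
    rec("rx-b.example", "198.51.100.7", date(2008, 8, 15)),
    rec("rx-c.example", "198.51.100.7", date(2008, 8, 15)),
    rec("shop.example", "203.0.113.5", date(2008, 8, 1), "RegistrarY", ("ns1.hosty.example",), ""),
    rec("shop.example", "203.0.113.5", date(2008, 8, 15), "RegistrarY", ("ns1.hosty.example",), ""),
]


def cluster_key(obs):
    """The 'constants' of a domain: sponsoring registrar, NS set, proxy service."""
    return (obs.registrar, obs.nameservers, obs.proxy)


def build_clusters(observations):
    """Group observations as {cluster_key: {domain: [observations by date]}}."""
    clusters = defaultdict(lambda: defaultdict(list))
    for obs in observations:
        clusters[cluster_key(obs)][obs.domain].append(obs)
    for domains in clusters.values():
        for history in domains.values():
            history.sort(key=lambda o: o.seen)
    return clusters


def hosting_moves(history):
    """Return (old_ip, new_ip, date) for each change of a domain's A record."""
    moves = []
    for prev, cur in zip(history, history[1:]):
        if prev.ip != cur.ip:
            moves.append((prev.ip, cur.ip, cur.seen))
    return moves


def flag_migrating_clusters(observations, min_domains=2):
    """Report clusters of >= min_domains domains that show hosting moves.

    Result: {cluster_key: {"domains": [...], "moves": {(old, new, date): n}}}
    where n is how many domains in the cluster made that same move.
    """
    report = {}
    for key, domains in build_clusters(observations).items():
        if len(domains) < min_domains:
            continue
        move_counts = defaultdict(int)
        for history in domains.values():
            for move in hosting_moves(history):
                move_counts[move] += 1
        if move_counts:
            report[key] = {"domains": sorted(domains), "moves": dict(move_counts)}
    return report


if __name__ == "__main__":
    for (registrar, ns, proxy), info in flag_migrating_clusters(OBSERVATIONS).items():
        print(f"cluster: registrar={registrar} proxy={proxy or 'none'} ns={','.join(ns)}")
        print(f"  domains: {', '.join(info['domains'])}")
        for (old, new, when), n in info["moves"].items():
            print(f"  {n} domain(s) moved {old} -> {new} on {when}")
```

Run stand-alone, the script reports one cluster (RegistrarX, its two nameservers, the proxy service) whose three domains all moved from 192.0.2.10 to 198.51.100.7 on 2008-08-15; the single-domain RegistrarY group is ignored. The design choice is the one the report argues for: a complaint or block keyed on the IP alone expires with the next move, whereas a cluster keyed on the registrar, nameserver and proxy constants survives it and can be re-resolved at any time to find the current host.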
participants (1)
-
Danny Younger