A Superlative Scam and Spam Site Registrar

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.

Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.

Pick almost any spammy term that comes to mind and you will find dozens of sites with those terms currently registered at EstDomains and using their name servers. Below are just a few of the terms I picked, and beside each is the number of times the terms appeared in a domain name from the list of 10,000 (a longer list is available here):

pharm: 100
viagra: 42
casino: 62
pill: 82
soft (software): 164
rx: 57
drug: 68
meds: 66
jewelry: 46
porn: 301
teen: 120

Snowshoe Domains: Spreading the Love

Security experts at anti-spam group Spamhaus.org say EstDomains is a pioneer in setting up domains and domain name servers to accommodate a practice known as "snowshoe spamming." Spamhaus explains:

Like a snowshoe spreads the load of a traveler across a wide area of snow, some spammers use many frequently-changing IP addresses and domains to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Conversely, legitimate mailers try hard to build their brand reputation based on a known domain and a small permanent range of sending IPs. Snowshoers also use anonymized or unidentifiable WHOIS records, whereas legitimate senders are proud to provide their real identity.

A stellar example of an operation primed for snowshoe spamming can be seen in the network set up by an entity called extendedhost.com. That domain name is merely a placeholder: extendedhost.com doesn't actually have an official Web site, and all of its domain names are registered at EstDomains.

Could EXTendedhost be the same company as ESTdomains (which also owns a hosting service called ESThost)? The registration records for Extendedhost.com aren't much help, placing the company variously in Canada, Panama, and the Ukraine. But a domain name server history search on extendedhost.com shows it most recently used the DNS servers of a company called Bakler.com. Bakler is a domain auction service owned by Rove Digital, an entity that claims ownership of EstDomains (I'll have more on Rove Digital in a follow-up blog post).

All 500 numeric Internet addresses assigned to extendedhost.com are blacklisted by Spamhaus for sending spam. But look a bit deeper into the entity's operations, and you'll notice that each spam domain has its own distinct name server.

Why bother assigning a unique domain name server to resolve each unique spam Web site name? For starters, anti-spam groups can blacklist thousands of spam sites in one fell swoop just by listing the handful of domain name servers that all of the sites have in common. But when each spam site has its own name server, it creates far more work for anti-spam groups.
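The two measurements this post relies on, the term tally above and the one-name-server-per-domain pattern just described, can be scripted over a registrar sample. The block below is an added example, not code from the original post; it runs on a constructed CSV of invented domain/name server pairs, and approximates each host's registered domain as its last two labels.

```python
"""Added example, not from the original article: tally spammy terms in a
registrar sample and measure how many domains run dedicated name servers,
the per-domain NS pattern described above. All domains are invented."""
import csv
import io
from collections import defaultdict

# Constructed sample: one row per (domain, authoritative name server).
SAMPLE_CSV = """domain,nameserver
cheap-pharm-store.example,ns1.cheap-pharm-store.example
cheap-pharm-store.example,ns2.cheap-pharm-store.example
best-viagra-deal.example,ns1.best-viagra-deal.example
casino-jackpot-now.example,ns1.casino-jackpot-now.example
acme-corp.example,ns1.sharedhost.example
acme-corp.example,ns2.sharedhost.example
family-bakery.example,ns1.sharedhost.example
"""
# A subset of the terms the article counted, matched as substrings.
SPAM_TERMS = ["pharm", "viagra", "casino", "pill", "rx", "drug", "meds", "porn", "teen"]

def parse_sample(text):
    """Return {domain: set of name servers} from CSV text."""
    by_domain = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_domain[row["domain"].strip().lower()].add(row["nameserver"].strip().lower())
    return dict(by_domain)

def term_counts(domains, terms=SPAM_TERMS):
    """Number of domains containing each term, like the article's tally."""
    return {t: sum(1 for d in domains if t in d) for t in terms}

def registered_zone(hostname):
    """Approximate a host's registered domain as its last two labels."""
    return ".".join(hostname.split(".")[-2:])

def self_hosted(domain, nameservers):
    """True when every NS for the domain lives under the domain itself."""
    return all(registered_zone(ns) == domain for ns in nameservers)

def self_hosted_ratio(by_domain):
    """Share of domains with dedicated NS; near 1.0 is the snowshoe signature."""
    return sum(self_hosted(d, n) for d, n in by_domain.items()) / len(by_domain)

def flagged(by_domain, terms=SPAM_TERMS):
    """Domains that both carry a spam term and run their own name servers."""
    return sorted(d for d, n in by_domain.items()
                  if self_hosted(d, n) and any(t in d for t in terms))
```

A high self-hosted ratio on its own is not proof of abuse (some hosting providers delegate that way), but combined with the term tally it singles out the clusters a blacklist operator would want to examine first.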

"I call it 'horizontal scaling,'" said Suresh Ramasubramanian, head of anti-spam operations at Hong Kong based Outblaze.com. "You can pump up [spam] volume one of two ways: tons more from one or two sources, or spread the load across several sources, like a snowshoe spreads the weight of your feet across the snow."

Porn, Scareware, and Search Traffic Hijacking

Fake anti-virus and fake anti-spyware Web sites comprise the most persistent nuisance and source of illegal activity emanating from EstDomains today. Chief among these fake security products is the infamous XPAntivirus family of scareware, as exemplified by the still-active antivirus2008xp.com, pictured at right.

Typically, hackers are paid to compromise legitimate Web sites and silently redirect any visitors to these fake security software sites. Those sites in turn download malicious software that bombards the victim with incessant, bogus messages warning that his or her computer is infected with multiple privacy and security threats. Spy-partners.com, registered through EstDomains, is just one example of a company that pays affiliates to redirect traffic to its stable of scareware sites.

Experts say EstDomains also is the single largest source of domains affiliated with fake "codec" scam sites. These are mainly adult Web sites (or hacked, legitimate sites seeded with pornography) that tell visitors they need to install a special video codec in order to view the featured movies. The malware served by these fake codec sites also is fed by affiliate programs, such as cashcodec.com, ruler-cash.com, and vcstats.com (bonus points if you already figured out that each of these domains is active and registered through EstDomains).

One function of these codecs is to install software that changes the victim's domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers. The criminals in control of machines infected with these codecs can trivially hijack any victim traffic destined for online banking and other e-commerce Web sites.

At the end of my post last week on Atrivo/Intercage, I mentioned that I planned to take a hard look at EstDomains. A number of readers took that as an invitation to post in the comments section lists of sites registered at EstDomains that were serving up fake codecs and bogus security software.

Konstantin Poltev, the registry liaison for EstDomains, responded to each of those posts individually, saying he had suspended them all. However, I found a couple hundred more, detailed at this list here. It's worth noting again that I found these domains in a sample of 10,000 domains registered through EstDomains, which is roughly 3.5 percent of EstDomains' total domain portfolio.

Poltev said his company responds to abuse complaints within 24 hours. "However, sometimes making any decision is nearly impossible as there is an obvious lack of evidence, which prove the reported domain name's involvement in the infringement of the registration agreement," Poltev said in an e-mail to Security Fix. "In general, such complicated cases are brought into court, and it must be mentioned that we are strictly bound by our policy to discharge our obligations before court decisions."

"There are some cases that force court, federal agency, police or any other authority to make an official request for providing them with all the information available for the disputed domain name or its owner," Poltev said. As to criticisms that EstDomains welcomes cyber criminal activity on its network: "I am at a loss and cannot understand why someone should confer our company the rank of cyber space criminals."

The Role of Directi

No single security company has tracked the fake anti-malware and porn codec epidemic emanating from EstDomains more thoroughly than Clearwater, Fla., based Sunbelt Software. Patrick Jordan, a senior spyware researcher for Sunbelt, maintains a massive database that charts the connections between thousands of criminal Web sites as they've come and gone over the years.

Jordan's database illustrates what he calls the "Blackweb Network," an alliance of sites erected to push fake anti-virus and anti-spyware products and porn, and to hire affiliates who get paid to spread this junk.

Jordan said that most of the sites in his database were registered either at EstDomains or at Directi, a domain registrar based in India that does business as Public Domain Registry. As it happens, EstDomains is a reseller of Directi's registration services. Among the services Directi offers is privacyprotect.org, which allows domain name registrants to obscure their contact details from the public.

"Most of the fake anti-malware and DNS changer guys are all registered through EstDomains using privacyprotect.org," Jordan said.

In June, Security Fix covered an analysis from anti-spam outfit Knujon that indicated some 15,000 Web site names advertised in junk e-mail were registered using Directi's privacyprotect.org service. Last week, Knujon released another report detailing what it called 48 "phantom domain name registrars" that cater exclusively to spammers and virus writers and trace back to Directi.

Knujon's report coincided with a separate report from security researchers at Hostexploit.com that tied Directi to cyber crime operations.

Chris Barton, lead scientist at McAfee Avert Labs, joined the chorus of criticism against Directi, with a strongly worded blog post that asked Directi's founders: "When will you completely stop supporting the illegal acts of EST[domains] and other very obvious darkside entities and kick the bad apples out?"

Directi vehemently denied turning a blind eye to abuses by EstDomains, and said it had stopped offering the registrar the use of privacyprotect.org services. Directi chief executive Bhavin Turakhia said the company considered dropping EstDomains as a customer entirely, but decided against it. "We are forced to reconsider ONLY for the sake of the several hundred thousand innocent domain registrants that happened to have registered their domain through EST. Pulling the plug on them can lead to the potential destabilization of several thousand innocent websites."

For its part, EstDomains appears to have already found a way to obscure the registrant information for new spam and scam domains, launching its own anonymity service called protectdetails.com. For example, sh0pp0rtal.net, an EstDomains-registered Web Fraud 2.0 service that Security Fix previewed this month (it lets cyber crooks verify the credit limits on stolen credit and debit cards), now shields its registrants' data using protectdetails.com.

On Sunday, Directi, Hostexploit.com and Knujon declared a truce after a week's worth of squabbling in media coverage about the reports. In a post to its corporate blog Sunday, Directi said it had suspended a list of domains provided by Hostexploit and Knujon, including loads.cc, a Web Fraud 2.0 featured site that has long been a place where scam artists can go to rent botnets, or large groupings of compromised PCs.

That post from Directi's blog concludes with these promising words:

"HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. Directi, HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency the community can contact either Directi or / and HostExploit to ensure action is taken."

Security Fix would like to thank Jart Armin, Nicholas Bourbaki, Matt Jonkman and James McQuaid for contributing to this story.