2011/05/18

Heihachi Customers Arrested

http://www.polizei.bayern.de/lka/news/presse/aktuell/index.html/136840

So a lot of scammers have been arrested, good. But why mention it here?

Let us take a look at some of the domain names mentioned by this official German police press report:

ewe-ewe.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: ewe-ewe.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 09 Aug 2010 01:26:36
Expiration date: 09 Aug 2011 01:26:00

dress4style.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: dress4style.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 30 May 2010 17:30:10
Expiration date: 30 May 2011 17:30:00

elektro-grosshandel24.com
Registration Service Provided By: Dinghost Limited
Contact: whois@protected-ns.info

Domain name: elektro-grosshandel24.com

Registrant Contact:
Dinghost Limited
Dimitri Povak ()

Fax:
Calle 53, Marbella
Panama, PA 10000
PA

Administrative Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Technical Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 09 Feb 2010 11:23:17
Expiration date: 09 Feb 2011 11:23:00

The last domain linked to Dinghost and Heihachi is just a continuation of the pattern described on this blog after the Spamhaus attacks.
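The three records above share one layout, and an abuse desk can mechanise the first pass over records like them. The checker below is an added example, not code from this blog or from any registrar; it parses a constructed record in that layout and flags the details the post objects to: a privacy service in the registrant slot, an empty e-mail in the "Name ()" field, no telephone number, a placeholder postal code, and name servers under a watch-listed provider (the watch list here holds only the provider named in the post).

```python
import re

# Constructed WHOIS text in the layout the post reproduces (a sample, not a live lookup).
SAMPLE_RECORD = """\
Domain name: example.com
Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()

   Fax:
   Calle 53
   Marbella, PA 00000

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
"""
# Name-server domains kept on a watch list; the one entry here is taken from the post.
WATCHED_NS_SUFFIXES = ("heihachi.net",)
HEADER = re.compile(r"^\w[\w ]*(contact|servers):$", re.I)  # "Registrant Contact:", "Name Servers:"
PROXY_WORDS = re.compile(r"whois[- ]?protect|whoisguard|privacy", re.I)
EMPTY_EMAIL = re.compile(r"\(\s*\)\s*$")                     # "Sergey Ershov ()" has no address
PHONE = re.compile(r"^\+?\d[\d.\s-]{6,}$")                   # "507.6458546", "+1.4252740657"
PLACEHOLDER_ZIP = re.compile(r"\b(\d)\1{3,}\b")             # 00000, 11111, ...

def parse_sections(text):
    """Map each section header to its stripped lines; top-level lines go under 'header'."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the blank slot where a phone number should be carries no data
        if HEADER.match(line):
            current = line[:-1].lower()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def whois_red_flags(text):
    """Return the red flags found in one record, in the order the checks run."""
    sections = parse_sections(text)
    reg = sections.get("registrant contact", [])
    servers = [line.lower() for line in sections.get("name servers", [])]
    checks = [
        ("registrant is a privacy/proxy service, not a person or company",
         any(PROXY_WORDS.search(line) for line in reg[:2])),
        ("registrant e-mail address is empty", any(EMPTY_EMAIL.search(line) for line in reg)),
        ("registrant has no telephone number", not any(PHONE.match(line) for line in reg)),
        ("registrant postal code is a placeholder", any(PLACEHOLDER_ZIP.search(line) for line in reg)),
        ("name servers belong to a watch-listed provider",
         any(ns.endswith(WATCHED_NS_SUFFIXES) for ns in servers)),
    ]
    return [flag for flag, hit in checks if hit]
```

The heuristics only catch what is visible in the record text; the street and postal-code checks the post makes against real maps and directories still need an outside data source.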

Similar domains linked to Heihachi and fraud can be found by simply using Google. You will quickly find the anti-abuse forums and victim forums are littered with these domains.

As such, when the police report mentions the DDoS attacks linked to the arrested parties, it is no surprise. Heihachi has a dismal reputation for all things bad. Nothing good has yet been known to come from Heihachi, not even a mysterious .

This further makes you wonder how a domain name system can be subverted, corrupted and perverted so as to be abused by criminals. It is also on record that Enom and their reseller Namecheap have been notified extensively of the invalid whois details that Heihachi is using, and of the activities of Heihachi.

If anything, the Heihachi can of worms will go down as a black mark against the credibility of the current registrar system and privacy abuse, which in itself is a danger to true accountable privacy.

Why? Let us look at all the whois issues linked to the actual Heihachi domain, where American registrars allowed the situation to continue and even acted as a proxy for them. Further, Heihachi themselves were allowed to act as a reseller and privacy proxy for further criminality:

2008-09-05:
Heihachi is registered via EstDomains; EstDomains themselves closed down later after being linked to illegal activities.
Registration Service Provider: LovingDomains.com - E-Gold Domain Registration
Website: http://www.lovingdomains.com
Accept Pecunix, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Epassporte, Liberty Reserve, Fethard Finance and Capital Collect

Domain Name: HEIHACHI.NET 

Registrant:
    Heihachi Host
    Peter Schneider        (heihachi.web@gmail.com)
    Mailgasse 42
    Berlin
    Berlin,10024
    DE
    Tel. +049.5545856852

Creation Date: 05-Sep-2008  
Expiration Date: 05-Sep-2009
The red flag here is "Mailgasse 42", which cannot be found in Berlin. Postal code 10024 is also invalid. The telephone number is a geographic number linked to Hedemünden in Germany.
Conclusion: Serious whois issues exist for this domain and the details are not credible.

On or around 2008-12-04 the Heihachi.net domain is moved to the registrar Direct-I in a bulk transfer of the EstDomains domain portfolio, and EstDomains is no longer an ICANN registrar.

2009-01-02:
On or around 2009-01-02 the domain's registration details change:
Registrant:
    Heihachi LTD
    Heihachi.net        (support@heihachi.net)
    233 Middleton rd
    Apt 1715
    Glenside
    Wellington,6037
    NZ
    Tel. +064.48311333
Looking at where this address is on a map leads to the industry and anti-abuse group jokes referring to Heihachi as "the reseller who lives in a tree".

We can clearly see from Google Maps that 233 Middleton Rd, Glenside, Wellington will never be big enough for a building that could house an "apt 1715". Looking at this street corner property shows it to be an undeveloped piece of land with only trees and not much more.


2009-01-08:
For certain reasons, most likely Direct-I's low tolerance for Internet abuse, Heihachi moves away within a week of being transferred to Direct-I, to Enom, using the Enom reseller Namecheap and also using their privacy protection:


Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Administrative Contact:
   NameCheap.com
   NameCheap.com NameCheap.com (support@NameCheap.com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
However, the domain registrant details are immediately changed back to the invalid address used previously:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS PROTECTION ()
   
   Fax: 
   233 Middleton rd
   Apt 1715
   Glenside, State 6037
   NZ

We also now see a bizarre registrant "Heihachi Ltd WHOIS PROTECTION ()".

At this stage, reports of invalid whois details and serious issues of criminality are being escalated to law enforcement and to the registrar Enom and reseller Namecheap.

2010-04-11:
In reaction to continued pressure, the domain name now adopts the proxy services of Namecheap:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
 
Domain name: heihachi.net

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   
   Fax: 
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
Considering Heihachi themselves are in turn acting as a proxy for their clients, who are later arrested, we need to consider how transparent and desirable a proxy for a proxy is. What message is this sending out to the global internet community? We also need to ask how this situation was ever allowed to develop, as it makes a mockery of the whois requirements in the DNS system. Naturally this decision is questioned and escalated to Enom and reseller Namecheap. ICANN is also copied on some of the communications.

2010-05-02:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS-PROTECTION ()
   
   Fax: 
   Calle 53, Marbella
   Bella Vista
   Panama, PA 00000
   PA

Heihachi now suddenly sports a Panama address. Of note is that Heihachi, despite its dismal record of ignoring valid whois requirements and in fact being implicated in numerous criminal issues, is now an Enom reseller!

Unsurprisingly, the registrant address shown here does not bear closer scrutiny. The published address is that of the Panama City World Trade Centre!

It is possible that Heihachi may have an office or post box at this location, and that the lack of more exact details that would allow postal mail pursuant to the domain registration agreement to reach it is just an honest oversight. Yet numerous telephone calls later to parties linked to the Panama City World Trade Centre, no indication can be found of Heihachi at this address.

Also linked to this address is telephone number +507.8321668. This is a VOIP (Voice over IP) number in Panama, indicating the number need not be linked to Panama as such; the recipient may be anywhere the internet reaches. To date no records can be found of anybody calling this number successfully, despite repeated efforts by numerous parties.

ICANN registrar Enom is made aware of these issues.


2010-05-18:
The Heihachi domain now sports Enom's "Whois Privacy Protection Service":
Domain name: heihachi.net

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()
   
   Fax: 
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Technical Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US
The registrant details stay proxied using Enom's privacy services to date, despite Enom being aware of serious issues linked to this domain.

Heihachi also retains its Enom reseller status.

Furthermore, domains sold via Heihachi all sport "Registration Service Provided By: Heihachi Ltd. WHOIS-Protection" and these domains are regularly linked to fraud. The domains ewe-ewe.com, dress4style.com and elektro-grosshandel24.com mentioned earlier and named in the police report are all evidence of this abuse.

Heihachi is also implicated in numerous DDoS attacks during this time.

We now need to ask ourselves how we ever got to the stage where millions of dollars/euros were defrauded from internet users. How come one of the top American registrars allows this farce to continue?

The German authorities catching some of the perpetrators is small consolation, but cannot make up for the damage done in terms of financial loss nor loss of trust in the internet, all due to fraud.

Note: The mentioned Lego scams were scamming those who could least afford it over the Christmas period, the financially challenged, where parents were simply trying to get the best Christmas present possible for the little money they had in a recession that Christmas. Needless to say, these children will grow up to remember a certain Christmas when Santa never came. Money for their presents went to criminals and, indirectly, American corporates.

There will be no recovery of financial losses for the victims of the fraud, many of whom would not have been victims if Enom and Namecheap had followed the rules of their accreditation agreements and had not gamed the requirements of the DNS system.

The recent USA court findings that Tucows is not responsible for abuse of their proxy services, since the registrar accreditation allows no third party beneficiaries as per the , lay the foundation for much more abuse similar to the issue illustrated above. In a nutshell, the ordinary user has no protection from ICANN either to ensure a healthy internet environment, and ICANN can only be considered at best a mutual protection "club" for registrants, registrars and resellers. In the Heihachi saga the costs are being shifted to the authorities in Germany, while the profits are being diverted to criminals, some of whom were caught, and to unaccountable domain resellers and registrars who, it appears, chose self-blinding.


At this stage I would like to say that Tucows is an excellent domain registrar, and I consider them one of the best, who proactively take steps against abuse of their services. As such the Tucows court victory is a small personal consolation, but a sad day for the internet's ICANN unwashed.

Further it also flies directly against the sentiments voiced by President Obama in his document titled

In this document much is said in terms of fostering trust in the internet. We can only hope that it is a precursor to another "Heihachi" never being allowed to develop using American companies and resources to target foreign nationals, to DDoS foreign and American infrastructure, or to harm any other party.

Heihachi has truly become a can of worms that could well be used by ICANN and its SSAC as a case study of what should not be happening. We can ask what message this is sending out to the internet community and to anyone contemplating using the DNS system for fraud.


It may be argued that perhaps the domain registrars and resellers were simply cooperating with the authorities. However, the authorities actually put a date stamp on the initiation of the investigations:
On 28.09.2009 the co-owner of a local company contacted the Nördlingen police station. The reason lay in the numerous enquiries from several persons who allegedly, via the website „ja-kaufen.com" (no longer online)
Invalid-whois and abuse reports to the sponsoring registrar were initiated well before this date.

2011/01/05

A note to AnonOps about their net provider

On a McAfee blog, "Don’t Confuse ‘Anonymous’ With a Russian Gang", Francois Paget gives a timeline of events leading up to the SpamHaus DDoS attack.

Of note he says: "I am opposed to illegal activity on or off the Internet. I want to alert all hacktivists to be careful of engaging in any virtual demonstration when they cannot verify the launching source. Not only could their actions in fact be detrimental to their causes, they could also expose people to identity theft, financial fraud, and other troubles." (this author's highlight)

Agreed Francois. This sentiment also reflects what I posted a few days ago; "Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought."

Past experience has shown that anyone who uses Heihachi is immediately under suspicion of trying to exploit normal users, a suspicion with a more than high probability of being correct, as history has shown time and again.

Also of importance on the McAfee blog, as Francois points out:
"As we examine this chronology, it seems to me that something is out of place:

  • The Anonymous group claims to have stopped DDoS attacks
  • The security community sends an alert about a suspicious WikiLeaks mirror site hosted on the dangerous Heihachi.net (a den of criminals)
  • Spamhaus suffers DDoS attacks but says neither LOIC nor LOIC-like tools are involved in the attacks
  • In some semiprivate forums AnonOps members deny responsibility
  • A new Anonymous communication network is created in Russia. Ten or so IRC servers are linked to the same Heihachi.net.
  • One of these IRC servers–irc.anonops.ru–drove #operationBoa (Bank of America, .." 
If we consider what cybercrime is and how it abuses the internet and anonymity to deprive ordinary users of their rights to legal recourse, this is a great injustice being done to these users, on a par with if not greater than anything Wikileaks may be exposing. Most victims of cybercrime are statistics if they report it, while the majority do not bother. The internet is a place of extremes, from extreme good to extreme bad. Heihachi represents the extreme bad end of this spectrum.

As such it may now be argued that AnonOps, by using Heihachi, is supporting a hosting company run by unknown persons and encouraging a class of business that is extremely harmful to ordinary internet users and that has seen many people and their families defrauded. Additionally, they are exposing their supporters to these same dangers.

Is this what AnonOps wants and what they support? I very much doubt it.


However, it is clear that there is a bad core in AnonOps and that any sympathy the public may have with AnonOps could disappear rather rapidly. AnonOps depends on the internet to achieve its goal. Their most valuable resource is now being driven "on the dangerous Heihachi.net (a den of criminals)" (to borrow Francois's phrase, which many a security researcher can testify to).

This begs the questions:
  • Why, despite being warned about the Heihachi issues, does AnonOps insist on using this infamous provider?
  • Why did a DDoS attack follow on the above warning? (We need to consider SpamHaus protects the ordinary internet user and is not involved in anything Wikileaks related) 
  • Who in AnonOps is giving that group bad advice?
If AnonOps is not to go down in history as a case study of a civil protest that was hijacked for criminal purposes, where volunteers were led like lambs to the slaughter, they had better look into their trusted core and do some thorough introspection, expelling those who would abuse them and ordinary internet users.

AnonOps: Heihachi has seen enough victims of crime already; please do not be part of this rotten core of the internet. Do not allow your supporters to be unknowing pawns of criminal activity. You owe at least this to your supporters.