2011/05/18

Heihachi Customers Arrested

http://www.polizei.bayern.de/lka/news/presse/aktuell/index.html/136840

So a lot of scammers have been arrested, good. But why mention it here?

Let us take a look at some of the domain names mentioned by this official German police press report:

ewe-ewe.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: ewe-ewe.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 09 Aug 2010 01:26:36
Expiration date: 09 Aug 2011 01:26:00
dress4style.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: dress4style.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 30 May 2010 17:30:10
Expiration date: 30 May 2011 17:30:00
elektro-grosshandel24.com
Registration Service Provided By: Dinghost Limited
Contact: whois@protected-ns.info

Domain name: elektro-grosshandel24.com

Registrant Contact:
Dinghost Limited
Dimitri Povak ()

Fax:
Calle 53, Marbella
Panama, PA 10000
PA

Administrative Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Technical Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 09 Feb 2010 11:23:17
Expiration date: 09 Feb 2011 11:23:00

The last domain linked to Dinghost and Heihachi is just a continuation of the pattern described on this blog after the Spamhaus attacks.

Similar domains linked to Heihachi and fraud can be found by simply using Google. You will quickly find the anti-abuse forums and victim forums are littered with these domains.

As such when the police report mentions the DDoS attacks linked to the arrested parties, it is no surprise. Heihachi has a dismal reputation of all things bad. Nothing good has yet been known to come from Heihachi, not even a mysterious . 

This further makes you wonder how a domain name system can be subverted, corrupted  and perverted as to be abused by criminals. It is also on record that Enom and their reseller Namecheap has been notified extensively of invalid whois details that Heihachi is using, also the activities of Heihachi.

If anything, the Heihachi can of worms will go down as a black mark against the credibility of the current registrar system and privacy abuse, which in itself is a danger to true accountable privacy.

Why? Let us look of all the whois issues linked to the actual Heihachi domain, where American registrars allowed the situation to continue and even acting as a proxy for them. Further Heihachi themselves were allowed to to act as a reseller and privacy proxy themselves for further criminality:

2008-09-05:
Heihachi is registered via EstDomains, EstDomains themselves closed down later after being linked to illegal activities.
Registration Service Provider: LovingDomains.com - E-Gold Domain Registration
Website: http://www.lovingdomains.com
Accept Pecunix, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Epassporte, Liberty Reserve, Fethard Finance and Capital Collect

Domain Name: HEIHACHI.NET 

Registrant:
    Heihachi Host
    Peter Schneider        (heihachi.web@gmail.com)
    Mailgasse 42
    Berlin
    Berlin,10024
    DE
    Tel. +049.5545856852

Creation Date: 05-Sep-2008  
Expiration Date: 05-Sep-2009
The red flag here is "Mailgasse 42" which cannot be found in Berlin. Postal code 10024 is also invalid. The telephone number is a geographical number linked to Hedemünden in Germany.
Conclusion: Serious whois issues exists for this domain and the details are not credible.

On or around 2008-12-04 the Heihachi.net domain is moved to the registrar Direct-I in a bulk transfer of the EstDomains domain portfolio and Estdomains is not longer an ICANN registrar.

2009-01-02:
On or around 2009-01-02 the domain's regsitration details changes:
Registrant:
    Heihachi LTD
    Heihachi.net        (support@heihachi.net)
    233 Middleton rd
    Apt 1715
    Glenside
    Wellington,6037
    NZ
    Tel. +064.48311333
Looking at where this address is on map, leads to the industry and anti-abuse group jokes referring to Heihachi as "the reseller who lives in a tree".

We can clearly see from Google maps that 233 Middleton Rd, Glenside, Wellington will not ever be big enough for a building that could ever house an "apt 1715". Looking at this street corner property, shows it to be an undeveloped piece of property with only trees and not much more.

View Larger Map

2009-01-08:
For certain reasons, most likely Direct-I's low tolerance for Internet abuse, Heihachi moves away within a week of being transferred to Directi-I to Enom, using the Enom reseller Namecheap, also using their privacy protection:


Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Administrative Contact:
   NameCheap.com
   NameCheap.com NameCheap.com (support@NameCheap.com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
However the domain registrant details is immediately changed back to the invalid address used previously:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS PROTECTION ()
   
   Fax: 
   233 Middleton rd
   Apt 1715
   Glenside, State 6037
   NZ

We also now see a bizarre  Heihachi Ltd WHOIS PROTECTION ().

At this stage, reports of invalid whois details and serious issues of criminality are being escalated to law enforcement and the Registrar Enom and reseller Namecheap. 

2010-04-11:
In reaction to continued pressure, the domain name now adopts the proxy services of Namecheap:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
 
Domain name: heihachi.net

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   
   Fax: 
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
Considering Heihachi themselves are in turn acting as a proxy for their clients that are later arrested,  we need to consider how transparent and desibrable a proxy for a proxy itself is. What message is this sending out to the global internet community? We also need to ask how this situation ever was ever allowed to develop as it make a mockery of the whois requirements in the DNS system. Naturally this decision is questioned and escalated to to Enom and reseller Namecheap. ICANN is also copied on some of the communications.

2010-05-02:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS-PROTECTION ()
   
   Fax: 
   Calle 53, Marbella
   Bella Vista
   Panama, PA 00000
   PA

Heihachi now suddenly sports a Panama address. Of note is that Heihachi, despite it's dismal record of ignoring valid whois requirements and in fact being implicated in numerous criminal issues, is now an Enom reseller!

Not unsurprisingly, the registrant address shown here does not bear closer scrutiny. The published address is that of the Panama City World Trade Centre!

It is possible that Heihachi may have an office or post box at this location and the lack of more exact details that would postal message persuant to the domain registration agreement to reach it, is just an honest oversight. Yet numerous telephone calls later to parties linked to the Panama City World Trade Centre, now indication can be found of Heihachi at this address.

Also linked to this address is telephone number +507.8321668. This is a VOIP (Voice over IP) number in Panama, indicating the number need not  be linked to Panama as such, but the recipient may find himself anywhere where the internet reaches. To date no records can be found of anybody calling this number successfully, despite repeated efforts by numerous parties.

ICANN registrar Enom is made aware of these issues.


2010-05-18:
The Heihachi domain now sports Enom's "Whois Privacy Protection Service":
Domain name: heihachi.net

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()
   
   Fax: 
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Technical Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US
The registrant details stays proxied using Enom's privacy services to date, despite Enoms being aware of serious issues linked to this domain.

Heihachi also retains it's Enom reseller status.

Furthermore domains sold via Heihachi all sport "Registration Service Provided By: Heihachi Ltd. WHOIS-Protection" and these domains are regularly linked to fraud. The domains ewe-ewe.com, dress4style.com, elektro-grosshandel24.com mentioned earlier and indicated in the police report is all evidence of this abuse.

Also, Heihachi is implicated in numerous DDoS attacks in this time.

We need to now ask ourselves how we ever got to the stage where millions of dollars/euros were defrauded from internet users? How come one of the top American registrars allows this farce to continue?

The German authorities catching some of the perpetrators is small consolation, but cannot make up for the damage done in terms of financial loss nor loss of trust in the internet, all due to fraud.

Note: The mentioned Lego scams where scamming those that could least afford it over the Christmas period, the financially challenged, and where parents were simply trying to get the best Christmas present possible for the little money they had in a recession that Christmas. Needless to say these children are will grow up to remember a certain Christmas when Santa never came. Money for their presents went to criminals and indirectly American corporates.

There will be no recovery of financial losses for the victims to the fraud, many of them which should and would not have been if Enom and Namecheap followed the rules of their accreditation agreements and had not gamed the requirements of the DNS system.

The recent USA court findings of Tucows not being responsible for abuse of their proxy services since the registrar accreditation allows no third party beneficiaries as per the , lays the foundation for much more similar abuse to the issue illustrated above. In a nutshell the ordinary user has no protection from ICANN either to ensure a healthy internet environment and ICANN can only be considered at best a mutual protection "club" for registrants, registrars and resellers. In the Heihachi saga the costs are being shifted to the authorities in Germany, while the profits are being diverted to criminals, some of who were caught, and unaccountable domains resellers and registrars who it appears chose self blinding.


At this stage I would like to say that Tucows is an excellent domain registrar and I consider them one of the best who proactively takes steps against abuse of their services. As such the Tucows court victory is a small personal consolation, but a sad day for the internet's ICANN unwashed.

Further it also flies directly against the sentiments voiced by President Obama in his document titled

In this document much is said in terms of fostering trust in the internet. We can only but hope that is a precursor to another "Heihachi" never being allowed to develop using American companies and resources to target foreign nationals, DDoS foreign and American infrastructure or any other party.

Heihachi has truly become a can of worms that could be well used by ICANN and it's SSAC as a case study of what not should be happening. We can ask what message this is sending out to the internet community and anyone contemplating using the DNS system for fraud.


It may be argued that perhaps the domain registrars and resellers were simply cooperating with the authorities. However the authorities actually set a date stamp on the initiation of the investigations:
Am 28.09.2009 meldete sich bei der Polizeiinspektion Nördlingen der Mitinhaber eines örtlichen Unternehmens. Der Grund lag in den zahlreichen Anfragen einiger Personen, die angeblich über die Internetseite „ja-kaufen.com“ (nicht mehr online)
Invalid and abuse reports to the sponsoring registrar were initiated well before this date.

No comments:

Post a Comment