2012/08/20

Heihachi - RIP, Internet Trust - RIP

Well, it is time to put the Heihachi saga, the Enom reseller that lived in a tree, to rest here. However, I hope that the ICANN community will read this, along with the security community and all those involved parties that can make a change for the better. It needs to be noted that this issue was not brought to a head by Registrar intervention. It is my contention that the situation was exacerbated by Registrar non-intervention when it was required.

http://www.spiegel.de/spiegel/print/d-87482685.html

From the Spiegel article (quoted in German in the original, translated here): One such provider was the firm Heihachi. It was operated from Austria by Dominik Sascha B.; the servers stood in Russia and later in Ukraine, and were thus far away from the German authorities. The investigations were correspondingly difficult.
So what happened to that spot in New Zealand as the domain registration claimed, that lovely spot of trees with no buildings or post boxes?
2010-02-12

Registrar: ENOM, INC.
Server: whois.enom.com
Created: 2008-09-04
Updated: 2009-01-10
Expires: 2010-09-04

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS PROTECTION ()

Fax:
233 Middleton rd
Apt 1715
Glenside, State 6037
NZ

Why was this reseller afforded privacy protection despite the numerous issues highlighted with the fraudulent class of registrants it was attracting, and why was Heihachi, with a proven fake address, allowed to offer privacy protection to others in turn?

We need to be aware that abuse letters had been streaming in to Namecheap and Enom at this stage, so they could not say they were unaware of the issues at hand!

2011-01-01
Registrar: ENOM, INC.
Server: whois.enom.com

Domain name: heihachi.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (prjcxxfb@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US

Later, when the privacy protection was revoked, we found yet another fake address:

2011-06-19
Registrar: ENOM, INC.
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov ()

Fax:
Calle 53
Marbella, PA 10000
PA

Administrative Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov (support@heihachi.net)
507.6458546
Fax: 507.6458547
Calle 53
Marbella, PA 10000
PA

Once again it was pointed out to the registrar Enom that this address was that of the World Trade Centre in Panama. The address did not meet the criteria for a domain registration and, more to the point, nobody at the World Trade Centre knew anything of Heihachi. As for the claimed number 507.6458547, it was not operational but appeared to be a failed attempt at setting up a VoIP number; this was verified by at least two parties. Once again the issue was reported.

Ironically, this domain registration with invalid details still stands today. Somewhere in this mess the address of a luckless tile shop in Austria was used.
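The three snapshots above show exactly the pattern a registrar or abuse desk could have flagged mechanically: the registrant changes country on every snapshot, and every registrant is itself a WHOIS privacy or proxy service. As an added illustration (not the post's own code, nor any registrar's tooling), the following Python parses abridged copies of the records quoted above and reports that churn; the snapshot text and the proxy marker list are constructed from those records and are assumptions of this example.

```python
import re

# Constructed, abridged copies of the three WHOIS snapshots quoted in this post.
SNAPSHOTS = {
    "2010-02-12": "Registrar: ENOM, INC.\nDomain name: heihachi.net\n\n"
                  "Registrant Contact:\nHeihachi.net\nHeihachi Ltd WHOIS PROTECTION ()\n"
                  "233 Middleton rd\nGlenside, State 6037\nNZ\n",
    "2011-01-01": "Registrar: ENOM, INC.\nDomain name: heihachi.net\n\n"
                  "Registrant Contact:\nWhois Privacy Protection Service, Inc.\nWhois Agent ()\n"
                  "PMB 368, 14150 NE 20th St - F1\nBellevue, WA 98007\nUS\n",
    "2011-06-19": "Registrar: ENOM, INC.\nDomain name: heihachi.net\n\n"
                  "Registrant Contact:\nHeihachi Ltd. WHOIS-Protection\nSergey Ershov ()\n"
                  "Calle 53\nMarbella, PA 10000\nPA\n",
}

# Phrases that mark a privacy/proxy service standing in for the real registrant
# (assumed list, built from the names seen in the records above).
PROXY_MARKERS = ("whois protection", "whois-protection", "privacy protection", "whois agent")


def parse_registrant(text):
    """Pull organisation, contact name and country out of the 'Registrant Contact:' block."""
    block = text.split("Registrant Contact:", 1)[1]
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    # Layout as quoted: organisation, then 'Name (email)', address lines, country code last.
    name = re.sub(r"\s*\(.*\)$", "", lines[1])
    return {"org": lines[0], "name": name, "country": lines[-1]}


def is_proxy(rec):
    """True when the registrant record names a WHOIS privacy/proxy service."""
    haystack = (rec["org"] + " " + rec["name"]).lower()
    return any(marker in haystack for marker in PROXY_MARKERS)


def whois_churn(snapshots):
    """Walk dated snapshots in order; report proxy registrants and registrant changes."""
    findings, prev = [], None
    for date in sorted(snapshots):
        rec = parse_registrant(snapshots[date])
        if is_proxy(rec):
            findings.append((date, f"proxy registrant: {rec['org']} / {rec['name']}"))
        if prev and (rec["org"], rec["country"]) != (prev["org"], prev["country"]):
            findings.append((date, f"registrant changed: {prev['country']} -> {rec['country']}"))
        prev = rec
    return findings


if __name__ == "__main__":
    for date, finding in whois_churn(SNAPSHOTS):
        print(date, finding)
```

Run against the three snapshots, every snapshot is flagged as a proxy registrant and both transitions (NZ to US, US to PA) are reported, which is the signal a sponsoring registrar could have acted on under its own WHOIS accuracy obligations.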

Enom and Namecheap have a lot to answer for to the public. How did we end up in this situation? What message does it send if one of America's largest Registrars allows the following to happen on its watch? Roughly half of the mentioned fake shop gang's scams went via Enom as sponsoring registrar.*

Fake shops: 190
Losses: 1.1million
Fraud cases opened: 2050

Considering the price is on average ~$11/domain, i.e. ~8.9 €/domain:

8.9 €/domain * 190 domains = 1691 €

Consider the price of hosting roughly equivalent to that per month, as the hosting was short lived; cost of hosting and domains: 1691 € * 2 = 3382 €
(https://rdns.im/review-heihachi-net-vps-server/comment-page-1 shows it to be 5 €)

We can see the hosting and domain costs were negligible in relation to the total losses to fraud. If we consider that not all the victims may have reported being scammed, the pure profit to be made in fraud is simply astronomical!

The simple fact that the DNS system can be so easily abused and to such an extent is simply mind boggling.

We also need to consider that the domains of the fake shop scams mentioned in the article accounted for a minuscule part of Heihachi's business. Heihachi was riddled with carding sites, DDoS-for-hire and other malicious web sites. In fact a Wikileaks website of unknown origin was also hosted at Heihachi. (http://news.cnet.com/8301-30685_3-20025702-264.html - "a provider run 'by criminals for criminals,'")

The news article mentions greedy people trying to obtain a bargain. However, the reality was that business was booming for the scammers in a Christmas period when money was tight. One such scam was a fake Lego site. Some parents used the little money they had to try and buy the best they could for Christmas. Santa never arrived that year, an absolutely pathetic situation.

Registrar Enom was also of no help. Abuse emails were delegated to NameCheap, and Namecheap refused to address serious WHOIS issues as pointed out above, blatant violations of the R.A.A. There was either never "enough evidence" (Enom) or they were "not in a position to judge" (Namecheap).

Only continuous web exposure eventually rendered the scams useless to the scammers (cheers to the various anti-fraud sites; an acknowledgement of good work done!)

Heihachi either jested at abuse emails or ignored them outright. The indirect response was another matter: abuse reports also resulted in numerous DDoS attacks on the various anti-abuse sites. Precursors to these DDoS attacks were taunting/threatening emails from the scam gang. Indeed, the early part of 2010 was a cyber war between Heihachi and the fake shop gang on one side and the anti-abuse groups on the other. ICANN was also made aware of the situation, as it was the belief of some that the situation affected the stability of the net. A request that ICANN SSAC advice be sought was sent to ICANN.

The situation was quite out of hand. Relief came from unexpected quarters when an independent researcher found traces of a new botnet. Key infrastructure was hosted on DirectI-sponsored domains. DirectI resolved the issue in 20 minutes.

I want to ask the readers to ask themselves what went wrong here. Enom Legal had numerous emails on the issues, spanning the fake shop gang, carding and DDoS attacks, showing Heihachi was tolerant of these activities and in fact actively supporting this business.

More importantly:  How do we avoid a situation like this ever again?

Is it not time that Enom accepts that the abuse reporting parties are not out to chase away or harass legitimate clients, but that there may actually be bad actors out there? Resellers may be big business, but they are also a big risk.

If the prescribed WHOIS policies had been enforced, how many luckless victims would have been spared? Numerous parties pointed out Heihachi's problematic WHOIS details.

Why was a party with problematic WHOIS details allowed to act as a proxy for other parties using those same problematic WHOIS details? This makes a mockery of the ICANN R.A.A., specifically clause 3.7.7.3. How can you hold an untraceable party accountable, or allow such a situation to develop, if you respect the R.A.A.?

Why was a privacy provider themselves allowed privacy when it became clear the WHOIS details were fictitious?

Maybe it is time to stop trying to surgically split domain issues from malicious activities. Many times they are two sides of the same coin.

A domain is a tool in the criminal's toolkit. He or she would not purchase it just for the sake of purchasing it; there is criminal and fraudulent intent when purchasing the domain. Anonymity in the form of fake domain registration details is just one of the traces to look for. These cannot be separated from the intent. One domain can do great damage if left unchecked. Most importantly, a malicious domain needs a sponsoring Registrar. It may be worthwhile remembering that registrars are the guardians of the internet.

The contributing factors in this saga were:
A criminal gang abusing domains for fake shops,
A reseller that should not have passed muster,
A second Registrar using another sponsoring Registrar, both not adhering to the WHOIS policies promised in the RAA.

The result was:
Fake shops: 190
Losses: 1.1million
Fraud cases opened: 2050
This was one of Germany's biggest cyber-crime cases. However, an American and a Turkish registrar were used. Surely we dare not let this lesson in sanity slip by.

* The other domains for this scam were sourced via MediaOn's in-house Registrar Alantron. MediaOn had a special web page deliberately designed to attract this type of web site. It was only after a SpamHaus blow-up and the bulk of MediaOn being null-routed that the above party moved to Heihachi.

References:

http://www.heise.de/newsticker/meldung/Internet-Betrueger-zu-vier-Jahren-Haft-verurteilt-1650121.html
http://www.heise.de/newsticker/meldung/Prozess-um-grossangelegten-Internet-Betrug-1614827.html
http://www.spiegel.de/spiegel/print/d-87482685.html
http://www.heise.de/newsticker/meldung/Urteil-gegen-mutmasslichen-Fakeshop-Betrueger-erwartet-1670109.html

Heihachi Domains:

GoogleDocs Spreadsheet