2014/10/19

NameCheap under fire

NameCheap has come under fire from the anti-fraud community again.




From what can be gathered, NameCheap has been playing anti-abuse games again. In the past Enom has diverted all issues linked to NameCheap to them for abuse handling, despite Enom being the registrar of record and ultimately responsible. In the process deserving cases for termination due to fraudulent domain registration details and usage are ignored. Namecheap is using any excuse possible not to act on abuse reports, apart from replying with reasons why they can't do anything.

This has a ring of Heihachi and fake German shopkeeper to it. I would have really thought that these parties have learnt from lessons past, but it seems not.

A list of open issues with Enom/NameCheap has just been posted here: http://forum.aa419.org/viewtopic.php?t=69328

Grabbing a pack of peanuts and popcorn. It seems this situation has gone on too long and the anti-abuse community is gearing up ...




2012/08/20

Heihachi - RIP, Internet Trust - RIP

Well, it is time to put the Heihachi saga, the Enom reseller that lived in a tree, to rest here. However I hope that the ICANN community will read this, also the security community and all those parties involved that can make a change for the better. It needs to be noted this issue was not brought to a head by Registrar intervention. It is my contention that the situation was exacerbated by Registrar non-intervention when it was required.

http://www.spiegel.de/spiegel/print/d-87482685.html

From the Spiegel article (translated from the German):

"One such provider was the firm Heihachi. It was operated from Austria by Dominik Sascha B.; the servers were in Russia and later in Ukraine, and were thus far away from the German authorities. The investigation proved correspondingly difficult."
So what happened to that spot in New Zealand as the domain registration claimed, that lovely spot of trees with no buildings or post boxes?
2010-02-12

Registrar: ENOM, INC.
Server: whois.enom.com
Created: 2008-09-04
Updated: 2009-01-10
Expires: 2010-09-04

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS PROTECTION ()

Fax:
233 Middleton rd
Apt 1715
Glenside, State 6037
NZ


Why was this reseller afforded privacy protection despite numerous issues being highlighted with the fraudulent class of registrants it was attracting, while Heihachi had a proven fake address but was allowed to offer privacy protection in turn?

We need to be aware that abuse letters had been streaming in to Namecheap and Enom at this stage and they could not say they were not aware of the issues at hand!

2011-01-01
Registrar: ENOM, INC.
Server: whois.enom.com

Domain name: heihachi.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (prjcxxfb@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US
Later when the privacy was revoked, we found yet another fake address:

2011-06-19
Registrar: ENOM, INC.
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov ()

Fax:
Calle 53
Marbella, PA 10000
PA

Administrative Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov (support@heihachi.net)
507.6458546
Fax: 507.6458547
Calle 53
Marbella, PA 10000
PA
Once again it was pointed out to the registrar Enom that this address was that of the World Trade Centre in Panama. The address did not meet the criteria for a domain registration and, more to the point, nobody at the World Trade Centre knew anything of Heihachi. As for the claimed number 507.6458547, it was not operational but appeared to be a failed attempt at setting up some VoIP number. This was verified by at least two parties. Once again this issue was reported.

Ironically, this domain registration with invalid details still stands today. Somewhere in this mess the address of a luckless tile shop in Austria was used.

Enom and Namecheap have a lot to answer for to the public. How did we end up in this situation? What message is this sending out if one of America's largest Registrars allows the following to happen on their watch; roughly half of the mentioned fake shop gang's scams went via Enom as sponsoring registrar.*

Fake shops: 190
Losses: 1.1million
Fraud cases opened: 2050

Considering the price is on average ~$11/domain (~8.9 €/domain):

8.9 €/domain * 190 domains = 1691 €

Consider the price of hosting about equivalent to that per month, as the hosting was short lived; cost of hosting and domains: 1691 € * 2 = 3382 €
(https://rdns.im/review-heihachi-net-vps-server/comment-page-1 shows hosting to be 5 €)
 
We can see the hosting and domain costs were negligible in relation to the total losses to fraud. If we consider that not all the victims may have reported being scammed, the pure profit to be made in fraud is simply astronomical!

The simple fact that the DNS system can be so easily abused and to such an extent is simply mind boggling.

We also need to consider that the domains of the fake shop scams mentioned in the article accounted for a minuscule part of Heihachi's business. Heihachi was riddled with carding sites, DDoS for hire and other malicious web sites. In fact the one Wikileaks website of unknown origins was also hosted at Heihachi. (http://news.cnet.com/8301-30685_3-20025702-264.html - "a provider run 'by criminals for criminals,'")

The news article mentions greedy people trying to obtain a bargain. However the reality was business was booming for the scammers in a Christmas period when money was tight. One such scam was a fake Lego site. Some parents used the little money they had to try and buy the best they could for Christmas. Santa never arrived that year, an absolutely pathetic situation.

Registrar Enom was also of no help. Abuse emails were delegated to NameCheap, and Namecheap refused to address serious WHOIS issues as pointed out above, blatant violations of the R.A.A. There was either never "enough evidence" (Enom) or they were "not in a position to judge" (Namecheap).

Only continuous web exposure eventually forced the scams to be useless to the scammers (cheers to the various anti-fraud sites - an acknowledgement for good work done!)

Heihachi either jested at abuse emails or ignored them outright. The indirect response was another issue: abuse reports also resulted in numerous DDoS attacks on the various anti-abuse sites. Precursors to these DDoS attacks were taunting/threatening emails from the scam gang. Indeed the early part of 2010 was a cyber war between Heihachi and the fake shop gang versus the anti-abuse groups. ICANN was also made aware of the situation, as it was the belief of some that the situation affected the stability of the net. A request that ICANN SSAC advice be sought was sent to ICANN.

The situation was quite out of hand. Relief came from unexpected quarters when an independent researcher found traces of a new botnet. Key infrastructure was hosted on DirectI sponsored domains. They resolved the issue in 20 minutes.

I want to ask readers to ask themselves: what went wrong here? Enom Legal had numerous emails on the issues, spanning the fake shop gang, carding issues and DDoS attacks, showing Heihachi was not intolerant of these activities but in fact actively supporting this business.

More importantly:  How do we avoid a situation like this ever again?

Is it not time that Enom accepts that the abuse reporting parties are not out to chase away or harass legitimate clients, but that there may actually be bad actors out there? Resellers may be big business, but also a big risk.

If the prescribed WHOIS policies were enforced, how many luckless victims would have been spared? Numerous parties pointed out Heihachi's problematic WHOIS details.

Why was a party with problematic WHOIS details allowed to act as a proxy for other parties using those same problematic WHOIS details? This makes a mockery of the ICANN R.A.A, specifically clause 3.7.7.3. How can you hold an untraceable party accountable or allow such a situation to develop if you respect the R.A.A.?

Why was a privacy provider themselves allowed privacy when it became clear the WHOIS details were fictitious?

Maybe it is time to not try and surgically split domain issues from malicious activities. Many times they are two sides to the same coin.

A domain is a tool in the criminal's toolkit. He or she would not purchase it just for the sake of purchasing it; there is criminal and fraudulent intent when purchasing the domain. Anonymity in the form of fake domain registration details is just one of the traces to look for. These cannot be separated from the intent. One domain can do great damage if left unchecked. Most importantly, a malicious domain needs a sponsoring Registrar. It may be worthwhile remembering that registrars are the guardians of the internet.

The contributing factors in this saga were:
A criminal gang abusing domains for fake shops,
A reseller that should not have passed muster,
A second Registrar using another sponsoring Registrar, both not adhering to WHOIS policies as promised in the RAA.

The result was:
Fake shops: 190
Losses: 1.1million
Fraud cases opened: 2050
This was one of Germany's biggest cyber-crime cases. However an American and a Turkish registrar were used. Surely we dare not let this lesson in sanity slip by.

* The other domains for this scam were sourced via MediaOn's in-house Registrar Alantron. MediaOn had a special web page deliberately designed to attract this type of web site. It was only after a SpamHaus blow-up and the bulk of MediaOn being null routed that the above party moved to Heihachi.

References:

http://www.heise.de/newsticker/meldung/Internet-Betrueger-zu-vier-Jahren-Haft-verurteilt-1650121.html
http://www.heise.de/newsticker/meldung/Prozess-um-grossangelegten-Internet-Betrug-1614827.html
http://www.spiegel.de/spiegel/print/d-87482685.html
http://www.heise.de/newsticker/meldung/Urteil-gegen-mutmasslichen-Fakeshop-Betrueger-erwartet-1670109.html

Heihachi Domains:

GoogleDocs Spreadsheet

2011/05/18

Heihachi Customers Arrested

http://www.polizei.bayern.de/lka/news/presse/aktuell/index.html/136840

So a lot of scammers have been arrested, good. But why mention it here?

Let us take a look at some of the domain names mentioned by this official German police press report:

ewe-ewe.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: ewe-ewe.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 09 Aug 2010 01:26:36
Expiration date: 09 Aug 2011 01:26:00
dress4style.com
Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Contact: abuse@heihachi.net
   
Domain name: dress4style.com

Registrant Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov ()
  
   Fax:
   Calle 53
   Marbella, PA 10000
   PA

Administrative Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Technical Contact:
   Heihachi Ltd. WHOIS-Protection
   Sergey Ershov (support@heihachi.net)
   507.6458546
   Fax: 507.6458547
   Calle 53
   Marbella, PA 10000
   PA

Status: Active

Name Servers:
   ns1.heihachi.net
   ns2.heihachi.net
  
Creation date: 30 May 2010 17:30:10
Expiration date: 30 May 2011 17:30:00
elektro-grosshandel24.com
Registration Service Provided By: Dinghost Limited
Contact: whois@protected-ns.info

Domain name: elektro-grosshandel24.com

Registrant Contact:
Dinghost Limited
Dimitri Povak ()

Fax:
Calle 53, Marbella
Panama, PA 10000
PA

Administrative Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Technical Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
Calle 53, Marbella
Panama, PA 10000
PA

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 09 Feb 2010 11:23:17
Expiration date: 09 Feb 2011 11:23:00

The last domain linked to Dinghost and Heihachi is just a continuation of the pattern described on this blog after the Spamhaus attacks.

Similar domains linked to Heihachi and fraud can be found by simply using Google. You will quickly find the anti-abuse forums and victim forums are littered with these domains.
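To show how records like the three above can be compared mechanically rather than by eye, here is an added example (not code from the blog, nor from any registrar): it parses abridged copies of the four WHOIS records quoted on this page, flags the indicators the post complains about (empty registrant e-mail, a privacy/proxy service as registrant, the reseller listed as registrant for its own customer, a fax number identical to the voice number) and pivots on shared street, phone and name servers. The sample records are re-typed from the page as constructed input, and the field layout the parser expects is an assumption.

```python
# Added example (not code from the blog or any registrar): parse WHOIS records
# like those quoted above and pivot on shared contact details. SAMPLE_RECORDS
# are abridged, re-typed copies of the page's records (constructed input).
import re
from collections import defaultdict

ROLES = {"Registrant Contact": "registrant", "Administrative Contact": "admin",
         "Technical Contact": "tech"}
PROXY_WORDS = re.compile(r"whois|privacy|protect", re.I)
NS = "Name Servers:\nns1.heihachi.net\nns2.heihachi.net\n"
HEIHACHI_PROXY = """Registration Service Provided By: Heihachi Ltd. WHOIS-Protection
Domain name: {domain}
Registrant Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov ()
Calle 53
Administrative Contact:
Heihachi Ltd. WHOIS-Protection
Sergey Ershov (support@heihachi.net)
507.6458546
Fax: 507.6458547
{name_servers}"""
DINGHOST = """Registration Service Provided By: Dinghost Limited
Domain name: elektro-grosshandel24.com
Registrant Contact:
Dinghost Limited
Dimitri Povak ()
Calle 53, Marbella
Administrative Contact:
Dinghost Limited
Dimitri Povak (whois@protected-ns.info)
507.8321668
Fax: 1. 507.8321668
""" + NS
SAMPLE_RECORDS = [
    HEIHACHI_PROXY.format(domain="heihachi.net", name_servers=""),  # page shows no NS
    HEIHACHI_PROXY.format(domain="ewe-ewe.com", name_servers=NS),
    HEIHACHI_PROXY.format(domain="dress4style.com", name_servers=NS),
    DINGHOST,
]


def parse_contact(block):
    """Contact block: organisation, 'Name (email)', then phone/fax/address lines."""
    c = {"org": block[0], "email": "", "phone": "", "fax": "", "address": []}
    m = re.search(r"\(([^)]*)\)\s*$", block[1]) if len(block) > 1 else None
    c["email"] = m.group(1).lower() if m else ""
    for ln in block[2:]:
        if ln.lower().startswith("fax:"):            # keep digits only, so
            c["fax"] = re.sub(r"\D", "", ln.split(":", 1)[1])  # formatting collapses
        elif re.fullmatch(r"[+\d][\d .]*", ln):      # bare phone line
            c["phone"] = re.sub(r"\D", "", ln)
        else:
            c["address"].append(ln)
    return c


def parse_whois(text):
    """Return {'domain', 'provider', 'ns': [...], 'contacts': {role: contact}}."""
    rec = {"domain": "", "provider": "", "ns": [], "contacts": {}}
    sections, current = {}, None
    for ln in (raw.strip() for raw in text.strip().splitlines()):
        if ln.lower().startswith("domain name:"):
            rec["domain"] = ln.split(":", 1)[1].strip().lower()
        elif ln.startswith("Registration Service Provided By:"):
            rec["provider"] = ln.split(":", 1)[1].strip()
        elif ln.rstrip(":") in ROLES or ln.startswith("Name Servers"):
            current = sections.setdefault(ln.rstrip(":"), [])
        elif ln and current is not None:
            current.append(ln)
    rec["ns"] = [s.lower() for s in sections.pop("Name Servers", [])]
    rec["contacts"] = {ROLES[h]: parse_contact(b) for h, b in sections.items()}
    return rec


def red_flags(rec):
    """Indicators modelled on the issues the post raises; prompts to verify, not verdicts."""
    reg = rec["contacts"]["registrant"]
    adm = rec["contacts"].get("admin", reg)
    flags = []
    if not reg["email"]:
        flags.append("registrant has no e-mail address")
    if PROXY_WORDS.search(reg["org"]):
        flags.append("registrant is a privacy/proxy service")
    if reg["org"].lower() == rec["provider"].lower():
        flags.append("reseller is listed as registrant for its own customer")
    if adm["phone"] and adm["fax"] and (adm["fax"].endswith(adm["phone"])
                                        or adm["phone"].endswith(adm["fax"])):
        flags.append("fax number is the voice number")
    return flags


def pivot(records):
    """Group domains by shared street, admin phone and name server; keep groups of 2+."""
    groups = defaultdict(set)
    for rec in records:
        reg = rec["contacts"]["registrant"]
        adm = rec["contacts"].get("admin", reg)
        # coarse street key: "Calle 53" and "Calle 53, Marbella" collide on purpose
        street = " ".join(re.sub(r"[^a-z0-9]+", " ", reg["address"][0].lower()).split()[:2])
        keys = [("street", street), ("phone", adm["phone"])] + [("ns", n) for n in rec["ns"]]
        for key in keys:
            if key[1]:
                groups[key].add(rec["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Running `pivot([parse_whois(t) for t in SAMPLE_RECORDS])` groups all four domains on "Calle 53", the three Heihachi-proxied ones on the 507.6458546 number, and the three police-report domains on ns1/ns2.heihachi.net.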

As such, when the police report mentions the DDoS attacks linked to the arrested parties, it is no surprise. Heihachi has a dismal reputation for all things bad. Nothing good has yet been known to come from Heihachi, not even a mysterious .

This further makes you wonder how a domain name system can be subverted, corrupted and perverted so as to be abused by criminals. It is also on record that Enom and their reseller Namecheap have been notified extensively of the invalid whois details that Heihachi is using, as well as of Heihachi's activities.

If anything, the Heihachi can of worms will go down as a black mark against the credibility of the current registrar system and privacy abuse, which in itself is a danger to true accountable privacy.

Why? Let us look at all the whois issues linked to the actual Heihachi domain, where American registrars allowed the situation to continue and even acted as a proxy for them. Further, Heihachi themselves were allowed to act as a reseller and privacy proxy for further criminality:

2008-09-05:
Heihachi is registered via EstDomains, EstDomains themselves closed down later after being linked to illegal activities.
Registration Service Provider: LovingDomains.com - E-Gold Domain Registration
Website: http://www.lovingdomains.com
Accept Pecunix, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Epassporte, Liberty Reserve, Fethard Finance and Capital Collect

Domain Name: HEIHACHI.NET 

Registrant:
    Heihachi Host
    Peter Schneider        (heihachi.web@gmail.com)
    Mailgasse 42
    Berlin
    Berlin,10024
    DE
    Tel. +049.5545856852

Creation Date: 05-Sep-2008  
Expiration Date: 05-Sep-2009
The red flag here is "Mailgasse 42" which cannot be found in Berlin. Postal code 10024 is also invalid. The telephone number is a geographical number linked to Hedemünden in Germany.
Conclusion: Serious whois issues exist for this domain and the details are not credible.

On or around 2008-12-04 the Heihachi.net domain is moved to the registrar Direct-I in a bulk transfer of the EstDomains domain portfolio, and EstDomains is no longer an ICANN registrar.

2009-01-02:
On or around 2009-01-02 the domain's registration details change:
Registrant:
    Heihachi LTD
    Heihachi.net        (support@heihachi.net)
    233 Middleton rd
    Apt 1715
    Glenside
    Wellington,6037
    NZ
    Tel. +064.48311333
Looking at where this address is on a map leads to the industry and anti-abuse group jokes referring to Heihachi as "the reseller who lives in a tree".

We can clearly see from Google Maps that 233 Middleton Rd, Glenside, Wellington will never be big enough for a building that could house an "apt 1715". Looking at this street corner property shows it to be an undeveloped piece of land with only trees and not much more.


2009-01-08:
For certain reasons, most likely Direct-I's low tolerance for Internet abuse, Heihachi moves, within a week of being transferred to Direct-I, on to Enom, using the Enom reseller Namecheap and also using Namecheap's privacy protection:


Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Administrative Contact:
   NameCheap.com
   NameCheap.com NameCheap.com (support@NameCheap.com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
However the domain registrant details are immediately changed back to the invalid address used previously:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS PROTECTION ()
   
   Fax: 
   233 Middleton rd
   Apt 1715
   Glenside, State 6037
   NZ

We also now see a bizarre "Heihachi Ltd WHOIS PROTECTION ()" as registrant.

At this stage, reports of invalid whois details and serious issues of criminality are being escalated to law enforcement and the Registrar Enom and reseller Namecheap. 

2010-04-11:
In reaction to continued pressure, the domain name now adopts the proxy services of Namecheap:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
 
Domain name: heihachi.net

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   
   Fax: 
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US
Considering Heihachi themselves are in turn acting as a proxy for their clients that are later arrested, we need to consider how transparent and desirable a proxy for a proxy is. What message is this sending out to the global internet community? We also need to ask how this situation was ever allowed to develop, as it makes a mockery of the whois requirements in the DNS system. Naturally this decision is questioned and escalated to Enom and reseller Namecheap. ICANN is also copied on some of the communications.

2010-05-02:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net
 
Domain name: heihachi.net

Registrant Contact:
   Heihachi.net
   Heihachi Ltd WHOIS-PROTECTION ()
   
   Fax: 
   Calle 53, Marbella
   Bella Vista
   Panama, PA 00000
   PA

Heihachi now suddenly sports a Panama address. Of note is that Heihachi, despite its dismal record of ignoring valid whois requirements and in fact being implicated in numerous criminal issues, is now an Enom reseller!

Not surprisingly, the registrant address shown here does not bear closer scrutiny. The published address is that of the Panama City World Trade Centre!

It is possible that Heihachi may have an office or post box at this location, and that the lack of more exact details that would allow postal mail pursuant to the domain registration agreement to reach it is just an honest oversight. Yet after numerous telephone calls to parties linked to the Panama City World Trade Centre, no indication can be found of Heihachi at this address.

Also linked to this address is telephone number +507.8321668. This is a VoIP (Voice over IP) number in Panama, meaning the number need not be tied to Panama as such; the recipient may be anywhere the internet reaches. To date no records can be found of anybody calling this number successfully, despite repeated efforts by numerous parties.

ICANN registrar Enom is made aware of these issues.


2010-05-18:
The Heihachi domain now sports Enom's "Whois Privacy Protection Service":
Domain name: heihachi.net

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()
   
   Fax: 
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US

Technical Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (prjcxxfb@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O heihachi.net
   Bellevue, WA 98007
   US
The registrant details stay proxied using Enom's privacy services to date, despite Enom being aware of serious issues linked to this domain.

Heihachi also retains its Enom reseller status.

Furthermore, domains sold via Heihachi all sport "Registration Service Provided By: Heihachi Ltd. WHOIS-Protection" and these domains are regularly linked to fraud. The domains ewe-ewe.com, dress4style.com and elektro-grosshandel24.com mentioned earlier and named in the police report are all evidence of this abuse.

Also, Heihachi is implicated in numerous DDoS attacks in this time.

We need to now ask ourselves how we ever got to the stage where millions of dollars/euros were defrauded from internet users? How come one of the top American registrars allows this farce to continue?

The German authorities catching some of the perpetrators is small consolation, but cannot make up for the damage done in terms of financial loss nor loss of trust in the internet, all due to fraud.

Note: The mentioned Lego scams were scamming those who could least afford it over the Christmas period, the financially challenged, where parents were simply trying to get the best Christmas present possible for the little money they had in a recession that Christmas. Needless to say these children will grow up to remember a certain Christmas when Santa never came. Money for their presents went to criminals and indirectly to American corporates.

There will be no recovery of financial losses for the victims of the fraud, many of which should not and would not have occurred if Enom and Namecheap had followed the rules of their accreditation agreements and had not gamed the requirements of the DNS system.

The recent USA court finding that Tucows is not responsible for abuse of their proxy services, since the registrar accreditation allows no third party beneficiaries as per the , lays the foundation for much more abuse similar to the issue illustrated above. In a nutshell the ordinary user has no protection from ICANN either to ensure a healthy internet environment, and ICANN can at best be considered a mutual protection "club" for registrants, registrars and resellers. In the Heihachi saga the costs are being shifted to the authorities in Germany, while the profits are being diverted to criminals, some of whom were caught, and to unaccountable domain resellers and registrars who, it appears, chose to blind themselves.


At this stage I would like to say that Tucows is an excellent domain registrar and I consider them one of the best who proactively takes steps against abuse of their services. As such the Tucows court victory is a small personal consolation, but a sad day for the internet's ICANN unwashed.

Further it also flies directly against the sentiments voiced by President Obama in his document titled

In this document much is said in terms of fostering trust in the internet. We can only hope that it is a precursor to another "Heihachi" never being allowed to develop using American companies and resources to target foreign nationals, DDoS foreign and American infrastructure, or harm any other party.

Heihachi has truly become a can of worms that could well be used by ICANN and its SSAC as a case study of what should not be happening. We can ask what message this is sending out to the internet community and to anyone contemplating using the DNS system for fraud.


It may be argued that perhaps the domain registrars and resellers were simply cooperating with the authorities. However the authorities actually set a date stamp on the initiation of the investigations (translated from the German):

"On 28.09.2009 the co-owner of a local company contacted the Nördlingen police station. The reason was the numerous enquiries from several people who, allegedly via the website „ja-kaufen.com“ (no longer online)"

Invalid-whois and abuse reports to the sponsoring registrar were initiated well before this date.

2011/01/05

A note to AnonOps about their net provider

On a McAfee blog, "Don’t Confuse ‘Anonymous’ With a Russian Gang", Francois Paget gives a timeline of events leading up to the SpamHaus DDoS attack.

Of note he says: "I am opposed to illegal activity on or off the Internet. I want to alert all hacktivists to be careful of engaging in any virtual demonstration when they cannot verify the launching source. Not only could their actions in fact be detrimental to their causes, they could also expose people to identity theft, financial fraud, and other troubles." (this author's highlight)

Agreed Francois. This sentiment also reflects what I posted a few days ago; "Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought."

Past experience has shown that anyone who uses Heihachi is immediately under suspicion of trying to exploit normal users, a suspicion with a more than high probability of being correct, as history has shown time and again.

So of importance on the McAfee blog as Francois points out:
"As we examine this chronology, it seems to me that something is out of place:

  • The Anonymous group claims to have stopped DDoS attacks
  • The security community sends an alert about a suspicious WikiLeaks mirror site hosted on the dangerous Heihachi.net (a den of criminals)
  • Spamhaus suffers DDoS attacks but says neither LOIC nor LOIC-like tools are involved in the attacks
  • In some semiprivate forums AnonOps members deny responsibility
  • A new Anonymous communication network is created in Russia. Ten or so IRC servers are linked to the same Heihachi.net.
  • One of these IRC servers–irc.anonops.ru–drove #operationBoa (Bank of America, .." 
If we consider what cybercrime is and how it abuses the internet and anonymity to deprive ordinary users of their rights to legal recourse, this is a great injustice being done to these users, on par if not greater than anything Wikileaks may be exposing. Most victims to cybercrime are statistics if they report it, while the majority do not bother. The internet is a place of extremes, extreme good to extreme bad. Heihachi represents the extreme bad end of this spectrum.

As such it may now be argued that AnonOps, by using Heihachi, is supporting a hosting company run by unknown persons and encouraging a class of business that is extremely harmful to ordinary internet users and that has seen many people and their families defrauded. Additionally they are exposing their supporters to these same dangers.

Is this what AnonOps wants and what they support? I very much doubt it.


However it is clear that there is a bad core in AnonOps and that any sympathy the public may have with AnonOps could disappear rather rapidly. AnonOps depends on the internet to achieve its goal. Their most valuable resource is now being driven "on the dangerous Heihachi.net (a den of criminals)" (to borrow Francois's phrase, to which many a security researcher can testify).

This begs the questions:
  • Why, despite being warned about the Heihachi issues, does AnonOps insist on using this infamous provider?
  • Why did a DDoS attack follow on the above warning? (We need to consider SpamHaus protects the ordinary internet user and is not involved in anything Wikileaks related) 
  • Who in AnonOps is giving that group bad advice?
If AnonOps is not to go down in history as a case study of a civil protest that was hijacked for criminal purposes, where volunteers were led like lambs to the slaughter, they had better look into their trusted core and do some thorough introspection, expelling those that would abuse them and ordinary internet users. 

AnonOps: Heihachi has seen enough victims to crime already, please do not be part of this rotten core of the internet. Do not allow your supporters to be unknowing pawns to criminal activity. You owe at least this to your supporters.

2010/12/19

Domains found on Wikileaks.info IP address 92.241.190.202


Heihachi, AnonOps, WikiLeaks and SpamHaus

As you may or may not know, somebody has recently hosted a WikiLeaks website, wikileaks.info, on Heihachi.net. Whether the wikileaks.info mirror is under control of Wikileaks or not is debatable and I would truly hope not. However a mirror of a popular website under criminal control does pose many opportunities for a cyber criminal. We need to note that the official list of Wikileaks mirrors does not link to wikileaks.info, whereas wikileaks.info claims affiliation with the official mirrors.

Obviously this may or may not be an attempt to evade takedowns of the information Wikileaks is publishing. However, this author was horrified by the choice of hosting provider. Heihachi is all too well known as a resource for scammers and other internet miscreants who use the anonymity of the net to victimize innocent internet users. In my observations I have found a constant flow of:
  • Phishing kits
  • Infected music downloads
  • Carding forums (Carders.cc also ran to Heihachi after being hacked, though by no means unique)
  • Hacking tools
  • DDoS Tools
  • DDoS command and control servers
  • Hate websites (including one publishing a list of home addresses of police in Germany for victimization)
... and a list of other websites that any self respecting hosting provider would never allow on his servers.

Of concern are Heihachi's responses to abuse reports and communications: they condone abuse. One example response is "we allow botnets.", "Yes, sure, we allow. Give us money and we host you and we will **** the german police".

In the light of the recent Wikileaks debacle, when hosting was taken up for a Wikileaks mirror, it directly flew in the face of what Wikileaks is supposed to stand for. Here we have Wikileaks, which defends the right of normal people to know, being mirrored at a party that specializes in victimizing ordinary people and in effect assists in depriving law enforcement of methods of protecting ordinary citizens. No matter your view on this Wikileaks issue, any party supporting cyber crime should not be a business partner.

As such I could only nod in silent appreciation of SpamHaus's warning to Wikileaks. A similar warning was issued by Trend Micro.

However what followed was a bizarre and all too well known pattern of DDoS against anybody who dares mention anything negative Heihachi related. At the same time this rebuttal appeared on wikileaks.info:

Spamhaus' False Allegations Against wikileaks.info

Published 15-Dec-2010, 8:00 AM GMT

On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:

http://www.spamhaus.org/news.lasso?article=665

We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.

While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.

Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.

Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.

Wikileaks.info will always be safe and clean. Promised:

Google Safe Browsing Check for wikileaks.info

Update (15-Dec-2010 17:00 PM GMT): Spamhaus has updated their statement to say that they don't blacklist us.

The wikileaks.info Team


Nothing of this debacle was mentioned on the officially verified Wikileaks mirrors.

Also of note: the very Google Safe Browsing link wikileaks.info used in its retort only serves to confirm what Spamhaus, Trend Micro and a host of other parties know and are saying. From http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info:

What happened when Google visited this site?

Of the 13 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 3 network(s) including AS6772 (IMPNET), AS41947 (WEBALTA), AS8473 (BAHNHOF).

Very interesting, but no guarantee for the future. Let us take a closer look at what Google is telling us:
AS6772 (IMPNET): Hosted 1.82% dangerous sites.
Of the 165 site(s) we tested on this network over the past 90 days, 3 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
AS41947 (WEBALTA): Hosted 7.63% dangerous sites.
Of the 37087 site(s) we tested on this network over the past 90 days, 2829 site(s), .... served content that resulted in malicious software being downloaded and installed without user consent.
AS8473 (BAHNHOF): Hosted 1.10% dangerous sites.
Of the 1900 site(s) we tested on this network over the past 90 days, 21 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
While it is difficult to quantify those numbers, what is clear is that Webalta, the upstream provider for Heihachi, is about five times more likely to infect your PC or steal your information than the other providers of wikileaks.info. In the global scheme of badness, Webalta ranked 4th worst in the HostExploit reports. While it needs to be noted that Heihachi is only one hosting provider on the Webalta network, they have been linked to various groups on Webalta (I refrain from saying businesses, since we do not know if they really are).

In a separate post I will list the domains hosted on the same address as Wikileaks.info. Reading through those domain names belies the Wikileaks.info statement.

Now, apparently AnonOps is responsible for the ongoing DDoS. Or is this just what some nefarious party would like you to believe? SpamHaus has done some digging and has published this piece of information about the ongoing DDoS:
This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.
An IP address lookup done on 9 Dec 2010 on irc.anonops.net also gives more reason for concern:
Non-authoritative answer:
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
Of note is the IP address 92.241.190.94:
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
Did somebody give AnonOps some bad advice? On this IP address we find the following website: RESISTANCIA.ORG

It was also the IP address for the domains anonops.net, anonops.org and anonops.com, although their DNS has since been disabled.

However, the Heihachi worm gives another twist when doing a whois lookup on RESISTANCIA.ORG:
Domain ID:D159346719-LROR
Domain Name:RESISTANCIA.ORG
Created On:04-Jun-2010 20:34:17 UTC
Last Updated On:19-Dec-2010 10:00:05 UTC
Expiration Date:04-Jun-2011 20:34:17 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:917350c3ec1914e0
Registrant Name:Protected-ns.info Whois Protection
Registrant Organization:Dinghost Limited
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Panama
Registrant State/Province:PA
Registrant Postal Code:10000
Registrant Country:PA
Registrant Phone:+507.8321488
Registrant Phone Ext.:
Registrant FAX:+507.8321488
Registrant FAX Ext.:
Registrant Email:abuse@protected-ns.info
Admin ID:917350c3ec1914e0
Admin Name:Protected-ns.info Whois Protection
Admin Organization:Dinghost Limited
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:PA
Admin Postal Code:10000
Admin Country:PA
Admin Phone:+507.8321488
Admin Phone Ext.:
Admin FAX:+507.8321488
Admin FAX Ext.:
Admin Email:abuse@protected-ns.info
Tech ID:917350c3ec1914e0
Tech Name:Protected-ns.info Whois Protection
Tech Organization:Dinghost Limited
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:PA
Tech Postal Code:10000
Tech Country:PA
Tech Phone:+507.8321488
Tech Phone Ext.:
Tech FAX:+507.8321488
Tech FAX Ext.:
Tech Email:abuse@protected-ns.info
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
As the registrar Enom and a host of other providers for Heihachi have already been informed so many times, Calle 53, Marbella is the address of the World Trade Centre in Panama: an incomplete address that does not meet the requirements for whois registration data.

This address has been used all too many times by Heihachi. As an example, on 2010-05-17 the whois record for Heihachi.net reflected:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()

Fax:
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Administrative Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Technical Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (support@heihachi.net)
+507.8321668
Fax:
Calle 53, Marbella
Bella Vista
Panama, PANAMA 00000
PA

Status: Locked

Name Servers:
NS0.XNAME.ORG
NS1.XNAME.ORG
NS2.XNAME.ORG
Since then Heihachi have availed themselves of Whois Privacy Protection Service.

A search on the given telephone number +507.8321488 yields interesting results:
macbilliger.com with scam alerts
russiansubtitles.com where a Google search says a lot
hardcoremt2.com no explanation needed
It seems Heihachi is related to DingHost in some affiliation, and in turn resistancia.org used DingHost.

But a quick search on resistancia.org reveals malware issues for this domain, for example at http://support.clean-mx.de/ and likewise at http://www.threatexpert.com.

So who is behind this SpamHaus attack?

At this stage all I would risk saying is that Wikileaks is not part and parcel of the issue at hand. This does beg the question of who is, though. What is known is that resistancia.org, a domain with a prior malware record, shared the same IP address as AnonOps, and that Wikileaks.info is sharing a very dirty IP address that does not belong on any clean IP list by any stretch of the imagination.

What is clear is that SpamHaus and WikiLeaks are both victims of something that hatched on Heihachi, and whatever it was, it was not good, showing the all too familiar pattern of DDoS'ing.

A very big question mark hangs over AnonOps. We have to consider that this is a group of loosely associated individuals. Whether the party arranging the hosting and tools of AnonOps knew what was or was not happening on Heihachi's IPs is another question. It does serve as a major red flag for those who merrily follow an unknown Pied Piper in "good causes". Make sure you know who you associate with.

It is also just another example of bad, unaccountable things emanating from Heihachi or from anything touching Heihachi.

Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought.

In a separate post I will list the domains found on 92.241.190.202, the IP address used for Wikileaks.info.





2010/05/23

Cans of worms

The recent hacking of carders.cc has really opened up more than a few cans of worms for the hosting and domaining industry. The contents of their forums, thus far hidden, have conclusively linked together suspected groups of cyber crime nests. It also sheds some light on service providers all too willing to make a quiet quick buck, and to heck with the consequences and victims.

In this blog we will be publishing some of the rather incriminating posts and happenings, specifically those related to Heihachi.net, 4x2.ru, 133t-crew, Gigalinknetwork.com, Ideal Solution Ltd and their upstream, Webalta.ru.

Note that dumps of the hacked forums have been posted all over the net; as such, publishing or using the contents does not constitute a violation of Blogger's Terms of Service, specifically their Content Policy. This content is now in the public domain.

With that out of the way, let's move on ....

So, carders.cc was hacked, what now? Already this nest of cyber crime is getting ready to attack innocent victims again. Hosting has been unkindly provided by Heihachi.net. In fact the carders crew stated they would be using Heihachi:
Dear users,
As you have probably all noticed by now, Carders was the victim of a hacker attack. In my opinion a dark day for
the scene, even if many are now gloating and laughing themselves silly in the basement. Unfortunately these people do not know, or do not understand, what consequences something like this can have.
As could already be gathered from the deface text, some IPs were logged, though not intentionally but through a mistake by the (former) techmin Zagerus. At this point a big apology to
the users who were affected by the IP logging. This incident should, however, remind you that you should always be online via a VPN / Socks5 / VicSocks, whatever. All users should of course change the passwords of their e-mails, other accounts, ICQ numbers etc.! Even if the hacked database is now used to investigate us, which under German law is actually forbidden (but the real criminals are the authorities anyway), the vast majority of users have NOTHING to fear. These investigations will mostly affect the team.

After KRON0S and I talked for some time, it became clear to us that we will not let
a few pre-pubescent hacker kids spoil the mood (btw. these are the same hackers as in the 1337-crew case), and that this is not the end of Carders. No! We will come back! However, this will take a few days, since we are 1. moving to Heihachi, 2. understandably changing the board software after the hack, and 3. carrying out a great many security tests to avoid future hacks. The Jabber server may, however, be running sooner. Furthermore, after the big blunder Zagerus has been suspended until further notice, and the tech side has been handed over to a more experienced user. See you again in a few days!

THANAT0S on behalf of the administration

Indeed THANAT0S, how can anybody do what you do, never mind the hack? Shame on you!

So, what was the reception like at Heihachi?
carders.cc [92.241.190.3]
% Information related to '92.241.190.0 - 92.241.190.255'

inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse@gigalinknetwork.com
remarks: Technical and sales info: support@gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse@gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
So who is gigalinknetwork.com?
Domain name: gigalinknetwork.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 26 Feb 2010 23:04:47
Expiration date: 26 Feb 2011 23:04:00
Not much help there.... but we will get back to this later on.

Heihachi gladly accepted carders.cc and in fact even promptly gave them their own rDNS entry:
$ host 92.241.190.3
3.190.241.92.in-addr.arpa domain name pointer carders.heihachi.net
Oh, so kind of them. In fact a traceroute also clearly showed this:
7 162 162 162 194.186.158.170 cat23.moscow.gldn.net
8 319 201 204 195.239.10.202 te1-1.maxwell.msk.wahome.ru
9 164 164 162 92.241.190.3 carders.heihachi.net
At least this time Heihachi cannot claim, as they so love doing, to have no control over what their clients are doing. Here they in fact actively assisted by adding a carders entry to the reverse DNS under heihachi.net. Surely even the dumbest network admin should hear a little alarm bell at the word "carders"?

I also wonder what the reception of the Indian authorities will be upon learning that Carders have a backup domain kindly sponsored by their ccTLD, carders.in (straight from the carders.cc dumps)?
carders.in [92.241.168.154]
% Information related to '92.241.168.0 - 92.241.169.254'

inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Sattelite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
My my, WebAlta is popular!

Domain ID:D3820900-AFIN
Domain Name:CARDERS.IN
Created On:07-Oct-2009 03:25:49 UTC
Last Updated On:23-Dec-2009 23:15:29 UTC
Expiration Date:07-Oct-2010 03:25:49 UTC
Sponsoring Registrar:Online Nic (R8-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:Oln53232178
Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Ciudad de Panamá
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+7.4951476195
Registrant Phone Ext.:
Registrant FAX:+7.4951476195
Registrant FAX Ext.:
Registrant Email:abuse@carders.kz
Admin ID:Oln53232179
Admin Name:Juri Marshinov
Admin Organization:Technique Ltd.
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Ciudad de Panamá
Admin State/Province:Panama
Admin Postal Code:0000
Admin Country:PA
Admin Phone:+7.4951476195
Admin Phone Ext.:
Admin FAX:+7.4951476195
Admin FAX Ext.:
Admin Email:abuse@carders.kz
Tech ID:Oln53232180
Tech Name:Juri Marshinov
Tech Organization:Technique Ltd.
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Ciudad de Panamá
Tech State/Province:Panama
Tech Postal Code:0000
Tech Country:PA
Tech Phone:+7.4951476195
Tech Phone Ext.:
Tech FAX:+7.4951476195
Tech FAX Ext.:
Tech Email:abuse@carders.kz
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
... and following the bad rabbit:

carders.kz does not currently have a resolving A or MX record, and so has no working email or website. Why?

It seems the registrar RegTime took exception to the Carders using their services:
Domain Name............: carders.kz

Organization Using Domain Name
Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
City...................: Ciudad de Panamá
State..................: Panama
Postal Code............: 0000
Country................: PA

Administrative Contact/Agent
NIC Handle.............: CA446803-RT
Name...................: Juri Marshinov
Phone Number...........: +7.4951476195
Fax Number.............:
Email Address..........: abuse@carders.kz

Nameserver in listed order

Primary server.........: ns1.nameself.com
Primary ip address.....: 195.161.113.218

Secondary server.......: ns2.nameself.com
Secondary ip address...: 217.16.27.43

Domain created: 2009-03-04 00:51:35.0
Last modified : 2009-10-05 18:51:22.0
Domain status : clientHold -

Registar created: REGTIME
Current Registar: WEBNAMES
In the next few posts we will be linking all these bits and pieces of information together using the information available from the carders.cc database dump.
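The linking this post and the Heihachi post above do by hand (the same Calle 53, Marbella street, the same phone number, organisation and abuse e-mail turning up across resistancia.org, heihachi.net, carders.in and carders.kz, and registrant names that are really WHOIS privacy services) can be done mechanically. The following is an added Python example, not code from this blog: the record text is transcribed from the WHOIS output quoted on this page, while the label aliases and the line regex are this example's own assumptions about the two registrars' output layouts.

```python
import re
from collections import defaultdict

# Registrant fields transcribed from this page's quoted WHOIS records (constructed sample input).
RAW_RECORDS = {
    "resistancia.org": """Registrant Name:Protected-ns.info Whois Protection
Registrant Organization:Dinghost Limited
Registrant Street1:Calle 53, Marbella
Registrant Phone:+507.8321488
Registrant Email:abuse@protected-ns.info""",
    "heihachi.net": """Registrant Name:Heihachi Ltd WHOIS-PROTECTION
Registrant Street1:Calle 53, Marbella
Registrant Phone:+507.8321668""",
    "carders.in": """Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Phone:+7.4951476195
Registrant Email:abuse@carders.kz""",
    "carders.kz": """Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
Phone Number...........: +7.4951476195
Email Address..........: abuse@carders.kz""",
}

# Assumed mapping of each registrar's label onto one field name per attribute.
FIELD_ALIASES = {
    "registrant name": "name", "name": "name", "registrant email": "email",
    "registrant organization": "org", "organization name": "org",
    "registrant street1": "street", "street address": "street",
    "registrant phone": "phone", "phone number": "phone", "email address": "email",
}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9 /]+?)\.*\s*:\s*(.*?)\s*$")
PROXY_RE = re.compile(r"whois[- ]?protect|privacy protect", re.I)

def parse_record(text):
    """Parse 'Label:value' and 'Label....: value' lines into one field layout."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        key = FIELD_ALIASES.get(m.group(1).strip().lower()) if m else None
        if key and m.group(2):
            fields[key] = m.group(2)
    return fields

def normalise(field, value):
    """Canonical form for matching: digits only for phones, folded text otherwise."""
    if field == "phone":
        return re.sub(r"\D", "", value)
    return " ".join(value.lower().split())

def is_proxy_registered(fields):
    """True when the registrant name is a WHOIS privacy/proxy service, not a person."""
    return bool(PROXY_RE.search(fields.get("name", "")))

def pivot(raw_records, on=("phone", "street", "org", "email")):
    """Group domains by a shared registrant attribute; keep groups of two or more."""
    groups = defaultdict(set)
    for domain, text in raw_records.items():
        fields = parse_record(text)
        for field in on:
            if field in fields:
                groups[(field, normalise(field, fields[field]))].add(domain)
    return {key: sorted(domains) for key, domains in groups.items() if len(domains) > 1}
```

Running pivot(RAW_RECORDS) groups all four domains on the street, and carders.in with carders.kz on phone, organisation and e-mail; the two +507 phone numbers differ and so produce no group.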