According to a new report issued by the mighty fine spam-fighting folks over at KnujOn, there are tons of “phantom” registrars — registrars that do not seem to exist other than to distribute URLs to providers of unwanted e-mail and malware — that have gained accreditation from ICANN.
In the report posted by KnujOn Aug. 28, the project identified 48 examples of such registrars, and the experts are willing to bet that this is just the tip of the iceberg.
For, in the case of the questionable registrars outed in this particular piece of research, all of the identified organizations can actually be traced back to one outfit, Directi Group, which controls Directi, PublicDomainsRegistry, Answerable and LogicBoxes, among other operations, and has long been associated with nefarious Web operations.
For starters, Directi itself mysteriously swapped its address from the United States to India once KnujOn started kicking its tires.
“Our attention was first brought to them when we released our report of the Ten Worst Registrars for illicit domains, spam and false registrations,” KnujOn said in its report summary. “At the time, in some records Directi’s address was listed [in Oregon]. Directi has since denied this and now [has] disclosed its address as being in Mumbai, India. This prompted us to take a closer look at all the Registrars in Internic’s (ICANN) directory affiliated with Directi and presenting themselves as being located in the United States.”
At least eight registrars affiliated with Directi continue to use the same Oregon address that the company itself had operated under until being questioned about it, according to the report. The other 40 use a New York address, though they remain listed under a California phone number and the new address still includes details related to Oregon.
And as it turns out, none of the registrars involved actually exist as licensed companies at all!
In particular, Directi is using its registrar power to support a large number of registrars backing online pharmacies. KnujOn’s investigation into such sites backed by one of Directi’s subsidiaries, PrivacyProtect.org, found 1,820 fake pharmacy domains all using the same IP address alone.
However, the IP address serving up the sites is moved around on a near-constant basis to locations around the globe, the report concludes.
Layers of phantom registrars are one of the main protections that allow such shady sites to continue to operate, the anti-spam experts said in their research.
From selling illegal drugs and steroids to distributing malware, phony pharmacy sites are notorious players in the online cyber-crime ecosystem.
“The service that shields ownership of the unlicensed pharmacies, PrivacyProtect.org, is itself a phantom with undisclosed ownership. It was revealed in a Washington Post article that the Directi Group actually owns PrivacyProtect.org, a fact they did not deny when they responded to the article,” noted KnujOn. “In summary, we have thousands of illicit domains cloaked by a company which is also anonymously owned. The domains are all sponsored by the Directi Group which is affiliated with 48 registrars that cannot be proven to be real entities. Clearly there are serious problems with oversight, due diligence and accountability. How can the consumer be protected under these conditions?”
So what’s the deal, ICANN? We realize that you can’t deploy a PI to investigate every company that applies for registrar status, but can’t you do better than this? How many other Directi Groups exist out there? How much of the Web’s criminal activity is operating under the phantom registrar model?
These are questions that all need to be answered.
Otherwise, these problems won’t ever go away.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.