Showing posts with label 419. Show all posts

Friday, 28 August 2015

Online fraud - the GoDaddy way

I send a lot of abuse reports to hosts and registrars, but I normally never receive any kind of response from +GoDaddy; sometimes they remove the fake site I'm reporting, sometimes they don't.

But this reply, eventually received, is nonsensical at best.

"Dear Sir/Madam,

Thank you for contacting GoDaddy's Domain Name Abuse department.

Unfortunately we cannot assist with this issue through this department.

GoDaddy does not allow illegal content on our customer's websites. However, as a Registrar/Hosting provider, it is not our place to determine if the site you have mentioned is actually engaging in illegal activities. GoDaddy suggests reporting your issue to IC3 via their File a Complaint page. The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) who accepts online Internet crime complaints filed by a person who believes they were defrauded.

GoDaddy regularly works with courts and law enforcement from the local to the international level and has a long-standing history of cooperation with these groups. Should we receive notification from these groups in regards to this issue we will be able to work with them on the matter.

Sincerely,

Domain Name Abuse
GoDaddy"

If it's not your place to determine whether sites you register and host are abusing your services in order to commit fraud, then how do you know you don't allow it?

Because GoDaddy apparently can't recognise a fake bank when they see one on their own servers.

http://frdbk.com/

Or even two, because it has a clone at http://www.meshraqbank.com/.

What makes this a fake bank? Well, let's have a closer look and see.


It claims to be a bank in the UAE, but is not registered there according to the Emirates Central Bank.

On the home page we can see that while the logo is for FRD bank, in the text on the page it refers to itself as FGD bank! Which is it? Incidentally, FGD Bank isn't registered in the UAE either.

And here's the unsecured login page, shared by both sites:

http://frdbk.com/bank/index.php

And, if that wasn't enough, should you still wish to register as a 'customer' of this fake bank (and I would most definitely advise against it), here's the form.

http://frdbk.com/bank/registration.php
Everything needed to commit ID theft, on one unsecured page...

But GoDaddy doesn't allow illegal content on their customers' websites, right?

Then how do they explain this site, registered with them and still remaining on their servers, after first being informed of its abuse of their services in April?

http://milton-laboratories.com/
Black Money chemicals brought to you courtesy of GoDaddy
Yes, it's another Black Money Chemical site registered and hosted with GoDaddy.
Offering a range of weird and wonderful chemicals, all of which are guaranteed to 'solve' your Black Money problems!

The Black Money Scam is probably the most obvious of the 419 Advance Fee Fraud sites, but GoDaddy can't see the problem with this site either.

Fake banks, Black Money Chemical sites and others. GoDaddy allows its customers to create and maintain fraudulent websites, despite its claims to the contrary.

Sunday, 10 May 2015

A fake bank with SSL - amanahsahammalayanbank.com

A previous entry also dealt with this topic, but this fake bank deserves its own entry, if only because it highlights the issues which have allowed this fraudulent bank to keep defrauding the public long after it should have been suspended.
From the whois:
Queried whois.internic.net with "dom amanahsahammalayanbank.com"...
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Sponsoring Registrar IANA ID: 925
   Whois Server: whois.softlayer.com
   Referral URL: http://www.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 18-feb-2015
   Creation Date: 16-feb-2011
   Expiration Date: 16-feb-2016
We can see that this alleged bank site has been in operation for four years, which is highly unusual for a fake bank site. In fact, at first glance this appears to be a legitimate bank site; it even has an SSL certificate on its login page, again highly unusual for a fake bank site.

However, the SSL certificate issued to this bank is not the Extended Validation Certificate a legitimate bank would have, but just a normal SSL certificate that any domain owner can obtain. That is suspicious, but not conclusive evidence of this site being fake, so let's examine this site a little bit closer.

Many fake banks impersonate or copy legitimate banks, and this site is no different in that regard. It's copying the legitimate Kumari bank in Nepal, although this site claims to be a bank in Malaysia.


However a search of the Central Bank of Malaysia's list of licensed banking institutions reveals that this bank is not licensed in Malaysia.

There is also a SWIFT code on this page which it is claimed belongs to this bank. Well, those can be checked too, and in this case, it doesn't exist.

So it's now clear that this is a fake bank site, and it should be a simple matter to inform the host and registrar of this abuse of their services.

Well, it's a little more complicated than that. If we look again at the whois record for this domain:
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM
This fake bank uses Cloudflare, a pass-through service, so while the whois appears to list Cloudflare as the hosting provider, they don't actually host the domain.
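The two whois signals used above, the four-year domain age from the Creation Date and the Cloudflare name servers that hide the real host, are the kind of thing an abuse reporter checks on every domain. The script below is an added example, not code from the blog; it parses the whois text exactly as shown in the post (copied in as constructed input) and produces triage notes. The list of pass-through name-server suffixes is an assumption limited to the one service named on this page, and the `today` date is supplied by the caller so the age calculation is reproducible.

```python
"""Triage a whois record: domain age and pass-through (reverse proxy) name servers.

Added example for the post above, not the blog author's code. The record
below is copied from the post; the PASS_THROUGH_NS list is an assumption
covering only the service named in the post.
"""
from datetime import date, datetime

# Constructed input: the whois output shown in the post.
SAMPLE_WHOIS = """\
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Sponsoring Registrar IANA ID: 925
   Whois Server: whois.softlayer.com
   Referral URL: http://www.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 18-feb-2015
   Creation Date: 16-feb-2011
   Expiration Date: 16-feb-2016
"""

# Name-server suffixes of services that answer DNS and proxy traffic for a
# site without hosting it (assumption: illustrative, not exhaustive).
PASS_THROUGH_NS = ("ns.cloudflare.com",)


def parse_whois(text):
    """Return {lower-cased field: [values]} from 'Key: value' lines.

    Repeated keys (Name Server) accumulate in order of appearance.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_whois_date(value):
    """Parse the 'dd-mon-yyyy' form used in the record (e.g. 16-feb-2011)."""
    return datetime.strptime(value.lower(), "%d-%b-%Y").date()


def triage(text, today):
    """Summarise the reporting-relevant facts in a whois record."""
    fields = parse_whois(text)
    created = parse_whois_date(fields["creation date"][0])
    age_years = (today - created).days / 365.25
    nameservers = [ns.lower() for ns in fields.get("name server", [])]
    pass_through = [ns for ns in nameservers if ns.endswith(PASS_THROUGH_NS)]

    notes = []
    if age_years < 1:
        notes.append("recently registered: typical of throwaway fraud domains")
    else:
        notes.append(f"domain is {age_years:.1f} years old: unusual for a fraud site, check carefully")
    if pass_through:
        notes.append("name servers point at a pass-through service; whois does not "
                     "reveal the real host, so report to the proxy and ask them to "
                     "relay to the origin hosting company")
    notes.append(f"registrar abuse report goes to: {fields['registrar'][0]} "
                 "(and to the reseller, if the domain was sold through one)")

    return {
        "domain": fields["domain name"][0].lower(),
        "registrar": fields["registrar"][0],
        "age_years": age_years,
        "nameservers": nameservers,
        "pass_through": bool(pass_through),
        "notes": notes,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_WHOIS, date(2015, 5, 10))  # the post's date
    for note in result["notes"]:
        print("-", note)
```

Run against the record from the post on the post's date, the triage reports a domain just over four years old, flags both name servers as pass-through, and names SoftLayer as the registrar to contact, which is exactly the situation the rest of the post describes.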

So we can inform CloudFlare, and hope that they remove their support for this fraudulent domain or at least pass the information back to the real hosting company.

When it comes to informing the registrar, again things are not as simple as they seem. While SoftLayer is listed as the Registrar according to the whois info, the domain was registered through a reseller, UKCheapest.

Here we have a clear example of a fake site using an SSL certificate to provide its victims with a false sense of reassurance that this is a legitimate bank, and using a pass-through service to hide its true location on the internet. All attempts over the past year to inform the companies responsible for allowing this site the freedom to scam have resulted in exactly nothing.

+SoftLayer, despite being the Registrar, continue to claim that as the site is not on their network they can't do anything.

UKCheapest, the reseller, at one point said they had escalated the matter, but nothing came of it.

+CloudFlare, Inc. claim that as they are not the true hosts they can't do anything.

In fact, the only companies that have taken any action, so far, have been the Certificate Authorities who have revoked their SSL Certificates after being informed of what their certificate is securing.

While the host, reseller and Registrar fail to act, the scammers behind this fake site are free to obtain yet another SSL Certificate to continue their scam.

Sunday, 26 April 2015

SSL Certificates and Fake Banks

For a long time people have been relying on SSL certificates to tell whether a bank site is genuine or not. It seems pretty straightforward: the majority of fake bank sites don't bother, mainly because it's an extra expense and hassle for a site that probably won't be around for the length of its short registration.

Due to recent events, specifically revelations over the extent of various governments' internet surveillance, efforts are under way to encrypt more and more sites to https standard, but it's important to realise the limitations of this increase in security. Https only guarantees that the connection between your computer and the site it is communicating with is encrypted, and it can be undermined in various ways, for example if your computer is infected with a virus or other malware, or if the site itself is not a legitimate site.

It is, of course, this last one that I'll be focusing on here.

So let's look at an example of a fake bank with an SSL Certificate:
http://www.wealth-dib.com/


You'll note that the homepage itself is not secured, not unusual even for legitimate banks. However, when we attempt to login to this bank, we're redirected to a different domain:
https://banking.dubai-international-bank.com/
Encryption..........
Which is secured, but choose either corporate or personal banking and the next page is:
http://banking.dubai-international-bank.com/?lg=1
...you're doing it wrong!
Your choice of personal or corporate banking is safe, but entering any credentials isn't!
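The flow just described, an https page that only offers the personal/corporate choice followed by an http page that actually asks for credentials, is easy to miss by eye because the padlock was visible one click earlier. The checker below is an added example, not the blog's code: it parses a page's HTML for forms containing password fields and reports when either the page itself or the form's submit target is not https. The three sample pages are constructed, hosted on the placeholder `banking.example.test`, and mirror the sequence in the post rather than the real site.

```python
"""Flag credential forms that are served or submitted without https.

Added example for the post above, not the blog author's code. The sample
pages are constructed to mirror the flow described in the post; the host
name banking.example.test is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and a count of password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_fields": 0}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for password forms not protected end to end.

    Two separate checks, because both failure modes occur: the page itself
    arriving over http (it can be altered in transit) and the form posting
    to an http URL (the credentials cross the network in clear).
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if form["password_fields"] == 0:
            continue  # not a credential form, nothing to flag
        target = urljoin(page_url, form["action"])  # relative action inherits page scheme
        target_scheme = urlsplit(target).scheme
        if page_scheme != "https":
            findings.append(f"password form served over {page_scheme}: {page_url}")
        if target_scheme != "https":
            findings.append(f"password form submits over {target_scheme}: {target}")
    return findings


# Constructed pages following the sequence in the post: a secured chooser
# page with no form, then an unsecured page that collects credentials.
SAMPLE_PAGES = {
    "https://banking.example.test/": (
        '<html><body><a href="/?lg=1">Personal banking</a>'
        '<a href="/?lg=2">Corporate banking</a></body></html>'
    ),
    "http://banking.example.test/?lg=1": (
        '<html><body><form action="login.php" method="post">'
        '<input name="user"><input type="password" name="pass">'
        '<input type="submit"></form></body></html>'
    ),
    # Secured page whose form posts back to plain http: also a failure.
    "https://banking.example.test/alt": (
        '<form action="http://banking.example.test/login.php" method="post">'
        '<input type="PASSWORD" name="pin"></form>'
    ),
}


def audit_flow(pages=SAMPLE_PAGES):
    """Audit every page in the flow; returns {url: [findings]}."""
    return {url: audit_login_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_flow().items():
        print(url, "->", findings or "ok")
```

The chooser page produces no findings, which is the point: the padlock there says nothing about where the credentials go next. The `?lg=1` page produces two findings, and the third constructed page shows the subtler variant where the page is https but the form's action is not.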

This site only uses the basic SSL Certificate that any site owner can get themselves, not the Extended Validation Certificate that major online sites have. That requires more than just evidence that you own the domain name; it also requires that the domain is linked to the actual business, to guarantee that you are at the correct site and not a fake site. Most browsers will differentiate between the two, so if you are unsure of being able to tell the two apart it may be time to learn: as more of the internet switches to https as standard, so too will the fake sites.

Update: Both sites have been suspended.

Friday, 24 April 2015

Staminus and a fake company continued

Today’s response from Staminus:
""I can only ask you to investigate because there are serious doubts this is a legitimate website."
Investigator : a person, persons or entity who is qualified to and tasked with investigation. e.g. Policeman or law enforcement.
Law Enforcement: a body that can investigate and gather evidence to be used in a court of law for prosecutions.

ISP : a company that provides internet services and is generally unqualified and unlicensed to conduct legal investigations or provide chain of custody for evidence necessary for a trial.
**

Therein lies the source of your problem. Now that I understand, I can probably be of some assistance to you.
Not dissimilar to grabbing a random used car salesman and putting them in charge of designing and building nuclear bombs, you have been focusing on getting the wrong group/individual(s) to do your investigation for you.
I encourage you to contact your local law enforcement office. They are qualified, licensed and certified to conduct legal investigations, collect legal evidence, track chain of custody for said evidence, and then provide said evidence to a prosecutor. If they determine that they require additional information, they will contact us directly via established channels.
By following this procedure, criminals can be investigated, charged, tried and convicted.
By following your procedure, at best, criminals would have their services briefly interrupted while they relocate to another host - possibly even within the same data center / ISP.
I'm glad we were finally able to clarify the challenge you were experiencing and get it resolved for you.
If you need the numbers to any law enforcement, FBI, Homeland security or secret service, please do not hesitate to ask. We will be happy to provide you with appropriate contact information.

Abuse Department
Staminus Communications
"
"Dear Staminus,

While I can understand your position, I do disagree with you.

I note that you still have not provided a link to, or copy of your TOS, but I guess that fraud is against your TOS. It generally is for most hosting companies.

I can only ask you to investigate, look into or at least re-examine your side of things, specifically the arrangement that your company has with your customer.

I am asking because you are in a much better position to do so than I am. I can only point to the website and raise with you the doubts over the validity of the statements and claims made on the website that are claimed to be facts. Where I can refute those I have provided sources for my information. You may not choose to recognise the sources I linked to, that is your right, just as it is my right to inform you of abuse that I believe is occurring that is utilising your resources.

In this case, as the site claims to be a company in 6 different countries, is hosted in a seventh and the registrant claims to be in an eighth, just which countries' Law Enforcement would you suggest I contact? All of them? When I have serious doubts that it would fall under any of their jurisdictions? As I said previously, I am not a victim. Or do you think Law Enforcement would be more willing to hear from yourselves, as after all, you have a financial relationship with your customer and can provide much more information and, in general, be of more assistance to them than I can as an ordinary citizen?

I am all for getting the police and courts involved in investigating these matters, but the sad fact is that unless they have victims, i.e. evidence of a crime having been committed, there is little for them to do. Who exactly is in the better position here to provide this? Myself, an ordinary citizen, or the hosting company?

Or, just perhaps, it may be better for everyone for the hosting company to step in before people are defrauded and turned into victims.

Most hosting companies have abuse teams that can recognise fraudulent sites, and suspend them. As you say, briefly interrupting their criminal activity, but it does prevent people falling victim to these fraudsters while they relocate their site.
It also sends a message to the fraudsters to stay away from that hosting company, in effect the more sites hosts suspend the fewer they will have to in future. After all, no hosting company wants to have a reputation for hosting fraudulent sites, do they?

At this point it seems only fair to inform you that I happen to maintain a blog - http://419fraudtoleranthosts.blogspot.com/ and I have posted our exchanges so far.

Kind regards
Rob"
Staminus' reply:

"but I guess that fraud is against your TOS"
You have not proven fraud. You have implied some form of deception and suggested that I obtain sufficient evidence on my own.
Will you be funding the investigation?

"I can only ask you to investigate"
You can, indeed, ask. But that is not the "only" thing you can do. You could also perform the investigation yourself and obtain proof beyond circumstantial evidence of a violation of our TOS or criminal activity.

"I am asking because you are in a much better position to do so than I am"
By what method do you arrive at that conclusion? I have the same internet access as you do. And, if you are suggesting that I access the server, drives or data, then you also have the same access to hack the server that you are suggesting I do.

"but the sad fact is that unless they have victims, ie. evidence of a crime having been committed"
That damned US Constitution gets in the way every time, doesn't it. Let's throw out the 'search and seizure' laws. Let's throw out 'innocent until proven guilty'. Let's throw out 'wire tapping' laws. While we're at it, let's just take anyone you suggest behind the barn and shoot them - unless you'd prefer hanging.
In fact, we require the same proof/evidence that law enforcement requires.
You aren't really supporting the notion that services be terminated based on suspicion, are you?
You'd be okay with having someone report a suspicion to your ISP and having them terminate your services based on that suspicion? Really? Or will you, perhaps, suggest that your ISP should spend money investigating you? Will they be looking for evidence to convict or evidence to clear you? Who will pay for that investigation? Will you be okay with them reviewing all of your emails and phone calls? Just how much of an ISP police state are you advocating?

"Who exactly is in the better position here to provide this? Myself an ordinary citizen, or the hosting company?"
None of the above. Law Enforcement is in the best position to investigate and collect information that leads to a conviction.

"Most hosting companies have abuse teams that can recognise fraudulent sites"

We are not a hosting company. We do not provide web hosting services.
We are an ISP

"At this point it seems only fair to inform you that I happen to maintain a blog"
Email communications are private and copyrighted. Publishing them is a criminal offense and can be prosecuted. You have not requested and I have not granted permission to republish my copyrighted and private communications.
Clearly you have now established that you are a criminal.
No further communication is necessary.
Have a great day.
As Staminus has asked me to stop emailing them on this issue, I will. However, this would have been my response to them.
"Dear Staminus,
In answer to your email,

"You have not proven fraud. You have implied some form of deception and suggested that I obtain sufficient evidence on my own.
Will you be funding the investigation?"
The definition of fraud:
"Fraud is a type of criminal activity, defined as:
'abuse of position, or false representation, or prejudicing someone's rights for personal gain'.
Put simply, fraud is an act of deception intended for personal gain or to cause a loss to another party.

The general criminal offence of fraud can include:

deception whereby someone knowingly makes false representation
or they fail to disclose information
or they abuse a position."
Site claims to be an international company headquartered in the UK. The contact address listed for these headquarters is another country's Embassy. No company has any office in an Embassy. They can afford their own offices.
The company is not registered with Companies House in the UK, despite claiming to be a 150 year old company.

The telephone number for the headquarters is a mobile number, would a long established company really not have a geographic number in their own offices for potential customers to call?
The email address listed for the headquarters is for a suspended domain. The email address used to register this suspended domain does not exist. A whois violation.
"By what method do you arrive at that conclusion? I have the same internet access as you do. And, if you are suggesting that I access the server, drives or data, then you also have the same access to hack the server that you are suggesting I do."
You are at the abuse desk of an ISP. You are providing services for this website, and as such, I would imagine, have better contacts with Law Enforcement and the hosting company for this website than I as an ordinary citizen would have access to. You could simply pass my email to them for them to look at and make a decision on. They may decide that it warrants investigation, although you have made it abundantly clear that you do not.

"That damned US Constitution gets in the way every time, doesn't it. Let's throw out the 'search and seizure' laws. Let's throw out 'innocent until proven guilty'. Let's throw out 'wire tapping' laws. While we're at it, let's just take anyone you suggest behind the barn and shoot them - unless you'd prefer hanging.
In fact, we require the same proof/evidence that law enforcement requires.
You aren't really supporting the notion that services be terminated based on suspicion, are you?
You'd be okay with having someone report a suspicion to your ISP and having them terminate your services based on that suspicion? Really? Or will you, perhaps, suggest that your ISP should spend money investigating you? Will they be looking for evidence to convict or evidence to clear you? Who will pay for that investigation? Will you be okay with them reviewing all of your emails and phone calls? Just how much of an ISP police state are you advocating?"
Not at all. I think you misunderstand me. I am saying please look at the website in question, look at the links I have provided and come to your own conclusion as to whether this is a website that you want your company associated with. If it is, fine. Feel free to ignore me. I am asking if what I have said has raised no doubts in your mind as to whether you would be happy to engage this company's services or not.
""Who exactly is in the better position here to provide this? Myself an ordinary citizen, or the hosting company?"None of the above. Law Enforcement is in the best position to investigate and collect information that leads to a conviction."
Again, you misunderstand me. I agree LE is in the best position to investigate, however I also believe that you would be able to provide them with better leads than I could.

""Most hosting companies have abuse teams that can recognise fraudulent sites"

We are not a hosting company. We do not provide web hosting services.
We are an ISP"
Again, you could simply pass my email to the hosting company and let them make their own decision.

""At this point it seems only fair to inform you that I happen to maintain a blog"
Email communications are private and copyrighted. Publishing them is a criminal offense and can be prosecuted. You have not requested and I have not granted permission to republish my copyrighted and private communications.
Clearly you have now established that you are a criminal."
Actually, I believe that I would be covered by fair use. You are sending emails in your capacity as a representative of Staminus, who I am conversing with over their providing services to a domain I believe to be fraudulent, I am attempting to demonstrate why and your responses to my emails, it is for those reading to make up their own minds. If you didn't want these emails made public, perhaps you should reconsider what you are saying before you send them."
Update 09/05/15: panwestafricasec.net is currently offline, hopefully for good.

Thursday, 23 April 2015

Namecheap, eNom and their strange approach to fraudulent sites

Namecheap's approach to fraudulent sites is novel to say the least. A fraudulent site that they host or register themselves is suspended quickly, for which they are to be rightly commended, but when acting as a reseller for eNom, which is how they began their business, any email reporting abuse to eNom as the listed Registrar on the domain whois, is quickly forwarded to Namecheap who will, most often, just as quickly deny any and all responsibility for the fraudulent domain, with the following email:
"Hello,

Thank you for your email regarding the domain name (insert fraudulent site name). While the domain name does have Namecheap.com as the registrar, we do not have the ability to oversee what data are being transmitted through its site. We do not own the domain name mentioned in your complaint, we are simply the registrar that the registrant purchased the domain name from.

The issue would need to be addressed through the hosting provider to see if their terms of service have been violated, and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance.

While I understand your issue, we are not in a position where we can make determination of validity of your statements. If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can."
Let's pick this reply apart.
"While the domain name does have Namecheap.com as the registrar,"
Well the domain might not, if Namecheap is acting as reseller for eNom. But Namecheap is an accredited Registrar, and this is just a form letter, so this part of the May 2013 RAA with ICANN, that both eNom and Namecheap have, applies.
"3.12 Obligations Related to Provision of Registrar Services by Third Parties. Registrar is responsible for the provision of Registrar Services for all Registered Names that Registrar sponsors being performed in compliance with this Agreement, regardless of whether the Registrar Services are provided by Registrar or a third party, including a Reseller. Registrar must enter into written agreements with all of its Resellers that enable Registrar to comply with and perform all of its obligations under this Agreement."
So when Namecheap is listed as reseller for the domain and eNom is listed as the Registrar, under the RAA eNom is still responsible, even though Namecheap is an accredited Registrar themselves.
"we do not have the ability to oversee what data are being transmitted through its site."
I understand that abuse teams are busy, but they could just take a minute to look at the site that has been reported to them as being fraudulent, couldn't they?
After all, their RAA with ICANN also includes the following:
"3.18 Registrar's Abuse Contact and Duty to Investigate Reports of Abuse.
3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse."
From the FAQs about the 2013 RAA:
"26. Section 3.18.2 provides that well-founded reports of Illegal Activity submitted to the registrar must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law. What does "well-founded" mean?

ICANN will consider this on a case-by-case basis, taking into account factors such as substantiation, demonstration, corroboration or evidence of Illegal Activity, but cannot specify in any particular circumstance what qualifies as "well-founded" as that may vary based upon the situation. If the registrar believes the request is not "well-founded," it should document the reasons for this decision."
Which seems pretty clear. Registrars have a responsibility to investigate any reports of abuse, so long as those claims can be backed up. With that in mind, let's look at an example.


Seems legit, right?

I think anyone can see the problem with this site at first glance.
The UN does not run any companies of any sort, let alone 'Express Delivery Companies'. So to say that:
"The issue would need to be addressed through the hosting provider to see if their terms of service have been violated,"
in this case is ducking responsibility. Also, while fraud is generally against most hosting companies' Terms of Service, even if some need to be gently reminded of that, that doesn't mean that Registrars and resellers get to pass the buck fully on to them. In an ideal world the hosting company would suspend the site while the Registrar places the fraudulent domain into ClientHold, to prevent the registrant simply taking his fake site to another hosting company, who may not be as responsive.
"and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged."
This is just particularly ill informed. A registrant who registers a clearly fraudulent site should not be contacted about his content; he is already fully aware of what he's doing, and that it's illegal hasn't stopped him from doing it. Why would he suddenly decide to take it down because I send him an email? There is no telling what his response would be. An attempt to scam me, spamming my email account or attempting to hack my email account: these are all possible options I'd rather avoid.
"While I understand your issue, we are not in a position where we can make determination of validity of your statements."
Again, you could actually read the email, look at the site in question, and see if the claims are valid or not, like the agreement with ICANN states.
"If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can"
As I'm not a victim, and the police tend to need victims to prove a crime took place, this is well intentioned, but also pretty useless. Also, I'm sure they have many other more pressing calls on their limited resources than investigating every fraudulent site for registrars and hosting companies, many of which will inevitably fall outside their jurisdiction, such is the nature of the internet, especially when all it often takes is a quick look.