KnujOn (nûj-ôn)

Tech Security Feeds:
cnn| fox| msnbc| zdnet| bbc| gcn| reuters| theregister|
KnujOn Press| techworld| computerworld| securityblog.itproportal| castlecops| apwg| wp securityfix| spamhaus|
first| mcafee avert labs| bankinfosecurity| dhs| cnet| contrarisk| ddanchev.blogspot| ben edelman| jonathan zdziarski|
Knujon Archives: 2007| 2006| 2005|

News - 2008 Archive

Archived 2008 News, for current news click here

Scareware Mongers Fined

December 31, 2008

A federal judge has fined a Belize-based company $8,000 for each day it continues to flout his order to halt a major internet operation alleged to have duped more than 1 million computer users into buying bogus malware protection. US District Judge Richard D. Bennett wrote in a ruling late last week that Innovative Marketing is in civil contempt for failing to comply with a temporary restraining order to stop its scareware campaign and turn over financial records. The judge imposed the fines after Sam Jain, the company's chief executive, and four other defendants failed to appear at a hearing. (

CastleCops shuts up shop

December 30, 2008

For six years CastleCops campaigned against internet fraud by running malware and phishing scam investigations and take-downs. CastleCops also ran volunteer training programs, as well as maintaining other services including computer virus clean-up assistance to ordinary punters. (

CastleCops Shuts Down

December 29, 2008

In a blow to anti-phishing efforts, the famed CastleCops organization dedicated to fighting spam and phishing quietly shuttered its site last week. The all-volunteer organization investigated phishing and malware scams, and was credited with successfully derailing many of these attacks and phishing sites. CastleCops itself was also a constant target of distributed denial-of-service attacks and other scams. (

'Boom year' for hi-tech criminals

December 28, 2008

If 2007 was witness to the rise of the professional hi-tech criminal, then 2008 was the year they got down to work. "The underground economy is flourishing," said Dan Hubbard, chief technology officer at security company Websense. "They are not just more organised," said Mr Hubbard, "they are co-operating more and showing more business savvy in how they monetise what they do." Statistics gathered by firms combating the rising tide of computer crime reveal just how busy professional cyber thieves have been over the last twelve months. Sophos said it was now seeing more than 20,000 new malicious programs every day. 2008 was also the year in which Symantec revealed that its anti (

US to ICANN: plan to sell new gTLDs is a real stinker

December 27, 2008

The United States government has issued its own response and evaluation of ICANN's impending plan to open between 200-800 gTLDs for sale at $185,000 per domain and $60,000 per year. Many of the government's concerns (the report contains statements from both Merideth Baker, Acting Assistant Secretary for Communications and Information and Deborah A. Garza, Acting Assistant Attorney General) mirror those we raised last week. (

Nine in ten emails now spam

December 26, 2008

Nine in ten emails are now spam with an estimated 200bn junk mail messages a day clogging up the internet, according to a new report by networking and security giant Cisco. Drive-by download attacks - planting redirection scripts on legitimate sites that lead onto hacker controlled websites full of exploits - have become a popular method for spreading all forms of malware, including botnet clients that turn PCs into spam-churning zombies. The US is the single biggest source of spam, accounting for 17.2 per cent of junk mail. Other big offenders include Turkey (9.2 per cent), Russia (8 per cent), Canada (4.7 per cent), Brazil (4.1 per cent), India (3.5 per cent), South Korea (3.3 per cent), Germany and the UK (2.9 per cent each).

Prolific penis-pill pusher gets slap on the wrist

December 25, 2008

A New Zealand man said to be at the helm of one of the world's most prolific spam enterprises has agreed to pay fines totalling $92,715 (about US $63,400) after admitting his role in an operation that spewed billions of junk messages in recent years. Lance Atkinson, 26, paid the paltry amount "because of his co-operation and candour with authorities at an early stage" according to The Sydney Morning Herald. He could have been forced to pay double that amount. (

So Long CastleCops, and Thanks

December 24, 2008

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created. (

USB storage devices containing malicious software

December 23, 2008

Commonwealth Security and Risk Management staff have been reviewing multiple reports of newly purchased Universal Serial Bus (USB) storage devices containing malicious software. Our recommendations are included below as some of the vulnerabilities may have significant impact for the Commonwealth Information Security community. USB storage devices are being contaminated with malicious software prior to delivery to the customer (i.e.. Somewhere during the time period of manufacturing through distribution). The types of USB storage devices containing malicious software include USB flash/thumb drives, USB portable hard drives, USB digital photo frames, USB flash based MP3 players, and USB memory cards. The malicious software installed on the USB storage device could be virus or Trojan applications that may allow a malicious individual to steal information from the computer or expose the computer to additional malicious software. Please be particularly careful during this holiday season due to the high volume of USB storage devices purchased during this time. (

Google Users Request KnujOn Forwarding Function

December 22, 2008

" several people have already asked for an app that will let you forward your spam folder to Knujon, SpamCop and the like and there is still nothing to seriously handle spam. Google has a great filter, but filters are an ineffective way of stopping spam (90%+ of all email is spam). The only way to really stop spam is to attack it upstream. I am going to ask for this until a solution arrives." (

Spammers – Best wishes for 2009!

December 21, 2008

" While many bloggers and mainstream tech pundits are pulling together their legitimate “Best of 2008” column or “Trends for 2009” predictions, I thought I’d take a different approach this holiday season. I’d like to send best holiday wishes to those tireless workers (and their army of 24/7 zombie computers) who craft the spam that fills up our in-boxes.
10) (And last but seriously) Kudos to the folks at Knujon for doing a great job of reducing spam for all of us!

Illicit e-pharmacy bolstered by ISPs?

December 19, 2008

"Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of $150 million per year."
-Patrick Peterson, vice president of technology at IronPort

IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers' personal computers, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and web-based exploits. Further investigation revealed that spam templates, "spamvertized" URLs, website designs, credit card processing, product fulfillment and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm.

Online pharmacy. What is it? How to buy? And how to protect yourself against it?

December 18, 2008

In most cases pharmacies offering drugs without a prescription or a doctor’s review are fraudulent and illegal and which is more they may have nothing to do with the medicine industry at all and represent spam or malware agents. (

Security Flaw In IE Allows Criminals To Take Control Of Computer

December 17, 2008

Until Microsoft finds a fix for a security flaw in Internet Explorer that could allow criminals to take control of computers and steal passwords experts are warning people to use a different browser. Microsoft said at least seven versions of its popular Internet Explorer web browser, which is used by most of the world's computers, are vulnerable to this security flaw. About 10,000 websites have been compromised so far as Microsoft races to find a security patch. (

Microsoft: Big Security Hole in All IE Versions (

2009 Predictions - Bank on More Attacks

December 16, 2008

The big picture, according to [ScanSafe], is that we'll see more of the same, in particular greater volumes of Web-borne malware, over the next year -- with much of the more finitely-targeted varieties expected to arrive, specifically campaigns aimed at companies handling real money, such as banks and credit card processors. ScanSafe predicted that customized threats targeted at publicly-held companies will likely continue to rise in '09, though it said that many of those attacks will actually be aimed at stealing valuable intellectual property, versus personal data. A full range of threats including everything from rootkits to password stealers will be enlisted to that end, the researchers said. Overall, users will likely be exposed to a rising rate of 6 percent more Web-based attacks per month across 2009, the experts said. That equates to a 16 percent increase in attacks over the course of the entire twelve months. (

Major International Child Porn Bust

December 15, 2008

Attorney General Michael Mukasey said the long-running and far-reaching case began with a single lead from Australian police in what became known as Operation Koala in Europe and Operation Joint Hammer in the United States. "From that initial horrible discovery, the investigation grew to reveal connections in nearly 30 countries around the world," Mukasey said.

19 arrested over 'worst ever' internet child porn bust (
23 Australians caught in global child porn ring bust (

McColo Corp. offline situation caused the retail fraud decrease

December 14, 2008

It was observed that one month after McColo went offline, spam volumes were nearly back to the levels seen prior to the company’s take down by its upstream Internet providers. However, as one fraud expert noted spam wasn’t the only issue held by McColo Corp. More evidence proved that retail fraud dropped significantly on the same day start to appear. In fact Ori Eisen, founder of 41st Parameter observed that about a quarter of a million dollars worth of fraudulent charges the company faced everyday came to a halt. (

Thieves Winning Online War, Maybe in Your PC

December 13, 2008

Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught. (

Massive Ice Storm Knocks Out

December 12, 2008

Power has been shutdown to by an ice storm. may be down for the weekend. Junk samples can still be uploaded to

Spam and the Sex Trade

December 8, 2008

Anyone who has actually taken the time to look at their junk email may notice many spams in Russian or other Cyrillic alphabet languages. The non-Russian speaking spam victim probably wonders what they are looking for. Well, in many cases they are recruiting spammers to advertise the human traffic trade. wants to hire affiliates to push, paying them for the numeber of clicks they deliver. offers “virtual sex”, but directs visitors to which has “galleries” of girls asking 13000-30000 Rubles for an hour (about $500-$1100).

While this appears to be an Eastern European operation, is sponsored by INTERCOSMOS MEDIA GROUP in the United States, the other two .NU sites are as as far from the Volga as possible. The tiny island of Niue (.nu) is no stranger to international intrigue, allowing owners of cooperate trusts to remain secret, a frequent tool of money launderers. However, the owners of these sites purport to be in another island nation, Cyprus with the sites actually being hosted in the Netherlands. Confused yet? That's the point.

The breakup of the old Soviet Union, lawlessness in 1990's and booming economy have made human sexual traffic fairly common in the former Soviet republics. Prostitution is now big business in Russia and they are looking for spammers to promote the illicit traffic.

10 Worst ISPs

December 5, 2008

Spam continues to plague the Internet because a small number of large Internet Service Providers sell service knowingly to professional spammers for profit, or do nothing to prevent spammers operating from their networks. Although all networks claim to be anti-spam, some network executives factor revenue made from hosting known spam gangs into corporate policy decisions to continue to sell services to spam operations. Others simply decide that closing the holes in their end-user broadband systems that allow spammers access would be too costly to their bottom lines. The majority of the world's service providers succeed in keeping spammers off their networks and work to maintain a positive anti-spam reputation, but their work is undermined daily by the few networks who, out of corporate greed or mismanagement, choose to be part of the problem. The world's worst spam problem networks today are: (

Berlusconi plans to use G8 presidency to 'regulate the internet'

December 4, 2008

Italian president and media baron Silvio Berlusconi said today that he would use his country's imminent presidency of the G8 group to push for an international agreement to "regulate the internet". Speaking to Italian postal workers, Reuters reports Berlusconi said: "The G8 has as its task the regulation of financial markets... I think the next G8 can bring to the table a proposal for a regulation of the internet." (

Hack of Transaction Site Highlights Registrar Problems

December 3, 2008

Banks and online payment systems have been hacked before, but not quite like this. Rather than an attack on a website or corporate network, this was a intrusion of the payment site's Registrar account at Network Solutions. The intruder changed where the website would resolve to and instead of customers logging into the real location they were handing their credentials to a server in the Ukraine which attempted to deploy malware on the visitor’s computer. As we have discussed before, Registrars have an enormous power and control over the Internet but questions about their duties and responsibilities are open. Registrars will often claim they simply sell domain names have no control over their use, but the creation of a domain name opens unlimited access and this must be viewed with a note of caution.

Online payment site hijacked by notorious crime gang (
Hackers Hijacked Large E-Bill Payment Site (

KnujOn Discussed at SpamCop

December 2, 2008

SpamCop & KnujOn Complement One Another The aged may remember that in posts long ago I had mistakenly been attempting to use SpamCop to perform the services of KnujOn. KnujOn appears interested in illicit spam, preventing the stealing of identities (and USD 600 million per annum, and lives taken by counterfeit medicines). However, the wheels of justice grind slowly (if at all). Reports of KnujOn's becoming personae non grata at ICANN are most encouraging, however. (Jon Postel is likely rolling in his grave at ICANN's choice to ignore crime.) SpamCop blocks spam, quickly: as a side-effect, it reports the site's activities (to everyone up to ICANN, I wish) in a letter. I don't know whether it places the illicit store's site on the SCBL before it can claim more victims; but I hope it does. Both KnujOn's and SpamCop's services are important for me to use. (

Fake "KnujOn" News Sites Spread Malware

December 1, 2008

In what can only be an act of angry revenge, websites are popping up with text from various news articles about KnujOn that redirect the user's browser to sites spreading malware. The sites are either using fake anti-virus scareware or fake media updaters. --> --> -->

Srizbi spam botnet in failed resurrection

November 30, 2008

After being stranded for weeks, a monster botnet responsible for an estimated 40 percent of the world's spam was able to briefly reconnect to its mothership in a tense international duel playing out online that could have a dramatic effect on the amount of junkmail flowing into inboxes everywhere. The rogue network dubbed Srizbi was able to establish ties to a new master control channel using an emergency mechanism built into the 500,000 or so machines infected by the bot. Botherders designed the pseudo random domain name generator in the event their network got disconnected from the previous channel. That's precisely what happened earlier this month, when a network provider known as McColo was yanked offline. (

Facebook Wins $873 Million Lawsuit Against Spammer

November 29, 2008

Social networking site Facebook today won an $873 million court judgment against a spammer who has been routinely deluging the site with sales pitches and sexually explicit messages. According to an Associated Press report, the judgment against Adam Guerbuez of Montreal is the largest ever awarded under the U.S. CAN-SPAM Act. The award is more than three times as much as Facebook will gross in revenue this year. Facebook doesn't expect to collect the money; the report states that Guerbuez has been "difficult to find" since he was sued in August. But social networking sites are hoping that such a large judgment will deter other spammers from abusing their sites. (

Study on a more Western version of the Russian Business Network

November 28, 2008

Since all the publicity, their operations split up and went to several other parts of the world like China or Turkey. But apparently, this kind of hosting is also present in some more Western parts of the world. A research paper was released and describes some of the activities located at a California based ISP. (

Spammers Trying To Regain Control Over Cut Off Spam Bots

November 27, 2008

Last week, there was a lot of attention over the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have "cried wolf" way too many times in the past on the impact of shutting down certain spam operations), the evidence in the days that followed suggested, indeed, that an awful lot of the world's spam was controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo's spam connections to its upstream providers, is now digging deeper into how the whole operation worked. (

EstDomains Officially Terminated

November 26, 2008

We have received official notice that EstDomains Accreditation was terminated November 24 and all domains held by EstDomais will be transferred to Directi by no later than December 2nd.

281,000 Domains to be Transferred from EstDomains to Directi (
ResellerClub to Take Over EstDomains-Sponsored Domain Names (
Termination of Registrar EstDomains to Go Ahead (
EstDomains Termination Delayed (
ICANN Termination Letter 12 November 2008 (
ICANN De-Accredits EstDomains for CEO's Fraud Convictions (
ICANN Terminates Accreditation of Notorious Malware Hosting Domain Registrar EstDomains (
Three cheers for ICANN! (
RBN Farewell To Estdomains (
One criminal Internet registrar down... (
USA Internet community fighting against botnet purveyors
Phishing and Fraud - ICANN Heeds Call to Ban Abusive Registrars
InterCage Back Up - Blames EstDomains for Their Woes Calls on Internet Community to End the Fake Pharmacy Menace
More Follow-up And Fallout
EstDomains Continues to Deny Real Location
EstDomains: A Sordid History and a Storied CEO
Atrivo and ESTDomains
Directi Responds to KnujOn Report - Dumps Controversial Service
EstDomains Controversy Continues
SpamHaus Backs-Up HostExploit Report/Wash Post Article
Examining the Role of Registrars in Illicit Activity
Underground Steroid Websites Flourish at U.S. Registrars
Steroid Sites Registered Through EstDomains

Spam Volumes Continue to Fall

November 24, 2008


ResellerClub to Take Over EstDomains-Sponsored Domain Names

November 22, 2008

Many of the domains maintained by EstDomains are used in illegal operations. Following their decision to terminate the registrar accreditation agreement for EstDomains, ICANN (Internet Corporation for Assigned Names and Numbers) was looking for registrars interested in receiving a bulk transfer of all the domains maintained by the Estonian company. It looks like that registrar will be Directi-owned ResellerClub, which already started sending notification e-mails regarding the upcoming change to EstDomains customers.

EstDomains is a company that up to this point functioned as an ICANN-accredited domain name registrar. Originally founded in Estonia, the company is also incorporated in Delaware, US, and managed to become the work subject of many security groups because it provided domain registration services to numerous cybercriminal gangs. The company was named in multiple reports from the anti-spam group KnujOn or in HostExploit's extensive Atrivo – Cyber Crime USA report.

Dodgy Domains Dumped by ISPs (

LegitScript shuts down nearly 500 rogue Internet pharmacy websites

November 19, 2008

LegitScript is pleased to announce that in the last month, and mostly in the last week, LegitScript has been able to effectuate the shut-down of nearly 500 "rogue" Internet pharmacies. All of the websites were no-prescription-required online pharmacies. All violated several laws and/or accepted medical or pharmaceutical safety standards. For example:

Until recently, domain name registrars have declined to terminate a website unless it was engaged in spam or sending out viruses, or unless there was a court order to do so, sometimes arguing that it is outside of their ability to do so. The point of what we've done is to show that registrars have the technical, contractual and legal ability to shut down these websites. And, we're pleased to report that we have had success in shutting down some of these rogue Internet pharmacies even when the registrar and the website registrant are both located outside of the United States.

We also want to acknowledge the hard work and assistance of in this endeavor. The websites that have been shut down are a small portion of those actively operating. As the threat of prescription drug abuse and counterfeit drugs continues, LegitScript looks forward to continuing to work with your organization to reduce prescription drug abuse, enhance prescription drug safety and integrity, and improve Internet security.

McColo dials Russia as world sleeps

November 18, 2008

McColo, a network provider that was yanked offline following reports it enabled more than half the world's spam, briefly returned from the dead over the weekend so it could hand-off command and control channels to a new source, security researchers said. The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to Paul Ferguson, a security researcher for anti-virus software maker Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last. (

KnujOn at VirusBuster (

McColo takedown: Vigilantism or Neighborhood Watch?

November 17, 2008

What's remarkable about the McColo and Intercage shutdowns is that they weren't initiated by law enforcement officials or via court order. Neither did they happen because either company was forced into bankruptcy or had other financial problems. Instead, both companies were forced offline when their upstream ISPs, acting upon information provided by security researchers, simply disconnected them and their customers from the Internet.

Others, though, say that the only people really opposed to the efforts of antispam and anti-malware groups are the cybercriminals themselves and those who support them for financial gain -- such as service providers that host spam sites. In addition, in the cases of both the McColo and Intercage shutdowns, the only role the security community played was to collect evidence showing conclusively that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn. The actual decisions to pull the plug on the hosting companies was made by their service providers, not by the security researchers, Bruen said. "That was their choice to do it," he noted. "We just gave them the information to help them make up their mind." Such cooperation between security researchers, ISPs and hosting companies can be very useful, according to Bruen. He pointed to a "very long dialogue" that KnujOn and had with a large India-based hosting company named Directi that resulted in the latter agreeing to suspend "thousands and thousands" of domains that were allegedly being used to send spam or sell counterfeit drugs.

Ragtag team ends 75% of all spam (
Get Your KnujOn - On (

7 Million Records "too many" for Registrars to verify

November 16, 2008

During a presentation by Dr. Robert Bruen at ICANN's Cairo meeting, in which he was discussing the need for more due diligence and better accounting in the Domain Name System, a Registrar representative complained it was impossible for them verify the accuracy of all domain registrations. Some Registrars have as many a 7 million records and that is just "too many" to check. At KnujOn we find this statement laughable for several reasons. Banks and credit card companies process verifications on this scale regularly and KnujOn has calculated that we could verify the entire record set within a week. Shame on the Registrars for throwing out such a weak dismissal. Unfortunately, this was in line with the general response to KnujOn by the Registrars at this meeting.

Top501 IT: McColo shutdown won’t stop spam, malware, warn security experts (

Spam traffic plunges after report blames server hosting company

November 15, 2008

Microsoft Corp. founder Bill Gates' 2004 proclamation that the spam problem would be solved within two years has proved a bitter joke, with unsolicited messages doubling yearly to make up about 90% of mail transmitted on the Internet.

But this week, the tide turned. The number of unwanted, offensive and misleading e-mails sent across the globe plummeted by about two-thirds, to a mere 60 billion or so a day by Thursday, according to spam filtering companies.

The surprising respite had very little to do with the hundreds of millions of dollars that corporations and consumers have spent on anti-spam software or with the lawsuits and criminal cases brought against spammers in the last decade.

Instead, a ragtag band of researchers pulled off the unprecedented coup of drastically cutting the spam volume by adopting a new strategy: going after mainstream U.S. companies that can unknowingly help spammers, identity thieves and child porn purveyors by carrying their traffic on the Internet.

Spam plummets as gang leaves net The closure of a web hosting firm that is believed to have had spam gangs as clients has led to a drastic reduction in junk mail.(

Web Provider Busted, Spam Drops

November 14, 2008

"There are a dozen other shady pieces still out there that are not yet "active,'" said Bruen."The spammers are mercenaries. They get paid to promote a product, an illicit product. The people who pay them are going to demand better results or a refund, and the people paying them aren't very nice people, they're people with guns." Bruen said that he and others are currently working on more research projects that will further unveil shady ISPs that host fraudulent and other illegal Web sites. And contrary to popular conceptions, numerous Internet providers hosting spam are actually located on U.S. shores, as opposed to being off-shore cyber criminals, Bruen said. "We've been following a twisty road for several years and it did not necessarily lead us to dead ends and mysterious players. It led us to major Internet players and many in the United States," he said. "The next round [of research] may be even more shocking." (

Rogue and Fraudulent Security Software and Websites a Growing Threat In my opinion the problem of rogue and fraudulent security software is quickly approaching epidemic proportions. I have seen a dramatic rise in the number of fraudulent applications and websites in the past few months to where there isn't a day that goes by where I don't come in contact with one or see one pop up. It used to be maybe once a month or so. And everybody is getting infected: my friends, relatives, co-workers, everyone is falling victim. Trend Micro says that 10 percent of all infections they see are caused by rogue software.(

Termination of Registrar EstDomains to Go Ahead

November 13, 2008

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008. On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains' then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery. Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, "Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances." ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains' RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal. On 7 November 2008, EstDomains was informed that, based on ICANN's findings, ICANN was proceeding with the termination of EstDomains' RAA, effective 24 November 2008. (

Spam Volumes Drop by Two-Thirds After Firm Goes Offline(

McColo - Cyber Crime USA

November 12, 2008

[Knujon contributed to this report]
HostExploit presents the second CYBER CRIME USA report which highlights those Internet players that currently host the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from is based on tracking and documenting ongoing cyber criminal activity. As a result of the first report focusing on Atrivo / Intercage and subsequent community actions, there was a quantitative drop of 10% of spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.

On this occasion we focus on McColo and others that, like Atrivo / Intercage, actually operate from servers and depend on US transit peers. This open source security study sets out to quantify and continuously track cyber crime using numerous methods of measurement. In addition to original quantitative research and analysis, the study draws upon and welcomes the findings of other research efforts. What emerges is a picture of a front for cyber criminals who specifically target consumers in the United States and elsewhere. It provides hard data regarding specific current activity within McColo and associated networks, explains how consumers are targeted, and describes McColo's virtual network structure.

The philosophy behind the study is that we as an Internet community act in accordance with the ACM (Association of Computing Machinery) code of ethics, e.g. avoiding harm to others."Harm" means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm Internet users and the general public. It is the Internet security community’s responsibility to blow the whistle. While we do not take the actions to ‘stop’ the cyber criminals, we do urge those who provide connectivity or peering to consider this report and their role.

Web Hosting Firm Shuttered After Connection to Spammers is Exposed
The gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for a full-scale cyber crime offensive against America. But security experts say a relatively small Web hosting firm at that location is home to servers that help manage the distribution of the majority of the world's junk e-mail.

The servers are owned by McColo Corp, a Web hosting company that has emerged as a major U.S. base of operations for a host of international cyber-crime syndicates, involved in everything from the remote management of millions of compromised PCs to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography.

Multiple security researchers have recently published data naming McColo as a mother ship for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online.

Joe Stewart, director of malware research for Atlanta based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo,""Rustock" and "Warezov," have their master servers hosted at McColo

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site. But within hours of being presented with evidence from the security community about illegal activity coming from McColo's network, the two largest Internet providers for the company decided to pull the plug on McColo late Tuesday.

Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.

Major Source of Online Scams and Spams Knocked Offline

November 11, 2008

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network. For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today ( Restored

November 10, 2008

We're back in business, thanks for hanging in there folks!

Power Outage at

November 9, 2008

Our apologies if your submissions are being rejected, it should be resolved shortly.

KnujOn Censored at ICANN Session

November 5, 2008

In an unusual and shocking move Dr. Robert Bruen was interrupted and silenced at an open, cross-function ICANN meeting in Cairo Monday. At a meeting entitled: " Open Joint Session (GNSO, ccNSO, GAC, ALAC): Domain Name Space” Dr. Bruen was handed the microphone in the question and answer portion. As he began speaking about the problems of compliance and the need for better controls within the expanding Internet, specifically in relation to criminal infiltration of the Domain Name space, Patrick Sharry (ICANN ccNSO Consultant) stopped Dr. Bruen and said: "I don't want to pursue it any more in this forum." Chris Disspain (CEO of Australian Domain Administration) followed this rare dismissal by saying: “[if] it turns into an open microphone, then I, for one, won't be supporting it again.” Meaning he would no longer support question and answer portions at ICANN sessions.

This was quite a shock after several other attendees were able ask lengthy questions uninterrupted. However, Dr. Bruen should have known he was walking on thin ice. Once he introduced himself as a KnujOn representative Patrick Sharry told him to “keep it brief.”

This is somewhat reminiscent of Peter Dengate-Thrush’s response to questions from KnujOn’s Garth Bruen at the Washington D.C. ICANN Session entitled: “Improving Institutional Confidence consultation” KnujOn brought up issues of criminality, contract violations, and exclusion of the Internet consumer. Dengate-Thrush admonished Bruen that “this was not relevant to institutional confidence.” Later at this same session Dengate-Thrush told the audience that he did not “want to hear from any more angry IP lawyers.” Many of the attendees were attorneys representing brand holders being exploited by cyber-squatters and counterfeiters. The Intellectual Property community expressed its feeling of being marginalized by ICANN in favor of shadowy criminal interests.

So, as at the Cairo meeting, open forums only seem open if the panel wants to hear the question. The summary dismissal of Dr. Bruen can only be seen as prejudiced as it violates Sharry’s own ground rules for the session:

…our joint SO and AC meeting is focusing on new gTLDs, IDN ccTLDs, and issues that run across that space.

Dr. Bruen’s unasked and unanswered question concerned the fact that since the existing compliance structure is inadequate, how can ICANN ensure contractual compliance is enforced in a rapidly expanded Internet? Furthermore, Sharry opened the session with this commitment:

We will try, as we do that, on the way through, to involve a little bit of at least conversation, if not a little bit of conflict or argument or heated debate or discussion or something like that is(sic) well. And we will see how we go then, bringing the audience into that conversation.

But, as we can see no debate or discussion was allowed. Since the serious issue has emerged of Registrar Secrecy, we simply want to know if this will be allowed to continue within the new Doamin Registrar space or will common-sense policy be implemented. If the issues of contract violations, criminality in the Registrar community, and exclusion of the consumer are not relevant to improving institutional confidence, then what is?

KnujOn will be contacting Sharry and Disspain directly, as well as ICANN’s Ombudsman, to get a better explanation. We are speaking on behalf of the consumer and wont be silenced

Should Internet registrars be transparent? Let ICANN know! (
Where Are the Registrars? (
ICANN De Facto Sanctioning of Domain Registrar Secrecy? (

KnujOn Public Appearances
November 2-7 ICANN Meeting (

ICANN touts WHOIS compliance rules, but not for registrars

November 3, 2008

Last Friday, ICANN listed six steps being taken to ensure that the provisions of the RAA with regard to WHOIS information are followed correctly. And in nearly every article we have published here at The Industry Standard about ICANN policy, we are reminded that the public can recommend changes to the RAA, which is currently undergoing revision. What is most interesting about the ICANN WHOIS focus, is that the registrars themselves are not subject to the same strict information regulation. One of the easiest ways to spot spammers, malware distributors, or other illegal activity associated with domains online has been the ability to check a registrant's WHOIS information. Falsified or missing information is often an indicator of a fly-by-night registrant, or one unwilling to provide real information due to their unscrupulous activities. As a result, false information is one of the biggest complaints concerning ICANN's registrar enforcement; the Registrar Accreditation Agreement (RAA) requires that registrars get complete and verifiable information from the customers they register. (

Where Are the Registrars? (
ICANN De Facto Sanctioning of Domain Registrar Secrecy? (

KnujOn Public Appearances
November 2-7 ICANN Meeting (

End Registrar Secrecy - You Can Help!

November 2, 2008

So many of the problems we are experiencing on the Internet (spam, phishing, counterfeit product traffic, malware distribution, network intrusions, online fraud, etc.) are enabled by secrecy within the service provider community, specifically among certain Registrars. Note some of the following recent issues:

In any other industry, this would be intolerable. Unfortunately, there is no provision in the Registrar Accreditation Agreement(RAA) that requires a Registrar to disclose their location. Several unscrupulous companies have taken advantage of this fact by deeply burying their location information and misdirecting the public to dead ends and red herrings. Consumers who complain to Registrars often find themselves ignored or even abused by Registrar staff.

You Can Help
The RAA is being re-written at this very moment. YOU as an Internet user and consumer have an opportunity close a huge loophole that allows an unaccountable atmosphere to fester. In order to assist ICANN achieve its stated goal of transparency and accountability, we propose a modification to the Registrar Accreditation Agreement (RAA), the core contract ICANN uses to issue certifications to Registrars. A review of the RAA is currently underway and KnujOn is seeking that the following language (or equivalent) be added to the RAA:
"All Accredited Registrars must submit main office location, including country, to be publicly disclosed in ICANN web directory. Post Office boxes, Incorporation addresses, and mail-forwarding locations will not be acceptable. Registrars must also provide for public display the name of CEO or President. ICANN must be notified within 30 days of a location or presiding officer change.”

This is suggested language. Any version that addresses the issues discussed above and meets the requirements of public disclosure.

If you wish to support this proposal, please write a brief and polite email as an Internet user to expressing your concern about the lack of public Registrar disclosure and request that the new version of the RAA include a section requiring owner and location disclosure. You may use the suggested language above, your own version, or simply a personal statement of concern over the issue. Anyone uncomfortable with contacting ICANN directly can forward their comments KnujOn at: and we will include your comments anonymously in a letter from KnujOn.

Suggested Letter

Subject: Ending Registrar Secrecy in RAA

Dear ICANN RAA Consultation Staff,

I am writing to you to request a change in the Registrar Accreditation Agreement that will improve transparency and accountability. It has come to my attention as an Internet user that there is no requirement in the standard Registrar contract to that requires public disclosure of Registrar ownership or location. I am concerned that this loophole in the agreement opens the door to fraud, secrecy and consumer abuse. Please consider adding the following language or equivalent to the RAA:

"All Accredited Registrars must submit main office location, including country, to be publicly disclosed in ICANN web directory. Post Office boxes, Incorporation addresses, and mail-forwarding locations will not be acceptable. Registrars must also provide for public display the name of CEO or President. ICANN must be notified within 30 days of a location or presiding officer change.”

Without public disclosure there cannot be true transparency, accountability or trust. I appreciate your consideration.

Sincerely, YOUR NAME
You may also send these comments to the RAA Working Group here: OR

Submit comments through the ICANN contact form: OR

Paper letters may also be sent to: Internet Corporation for Assigned Names and Numbers (ICANN), 4676 Admiralty Way, Suite 330, Marina del Rey, CA 90292-6601. OR 1875 I (EYE) Street, NW, Suite 501, Washington DC, 20006. OR 6 Rond Point Schuman Bt. 5 Brussels B-1040 Belgium.

*Please note that the dedicated mail address for the RAA ( is no longer accepting email, they have been notified of this but we have no further information at this time.

More Information

KnujOn Public Appearances
November 2-7 ICANN Meeting (

Trojan Caught Stealing Data From Hundreds of Thousands

November 1, 2008

Researchers at RSA report that a Trojan has quietly stolen login credentials from approximately 300,000 online bank accounts, a similar number of credit and debit cards, and an uncounted number of email and FTP accounts. The Sinowal Trojan, also known as Torpig and Mebroot, has been stealing data for almost three years, RSA says. The new findings suggest that Sinowal "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," the researchers say in a blog published today. Little is known about Sinowal's source, RSA says. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). "Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN," the researchers say. (

Virtual Heist Nets 500,000+ Bank, Credit Accounts (

KnujOn Public Appearances
November 2-7 ICANN Meeting (

Wrap-up Of The 2008 Information Security Summit

October 31, 2008

Thanks for having KnujOn at this venue. It was great to meet more professionals in the industry who are concerned about these issues.

KnujOn Public Appearances
November 2-7 ICANN Meeting (

EstDomains Termination Delayed

October 30, 2008

On 28 October 2008, ICANN sent a notice of termination to EstDomains. Based on an Estonian Court record, ICANN has reason to believe that the president of EstDomains, Vladimir Tsastsin, was convicted of credit card fraud, money laundering and document forgery on 6 February 2008. ICANN received a response from EstDomains regarding the notice of termination. To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process as ICANN analyzes these claims. (
ICANN does a quick about-face on EstDomains' de-accreditation (

KnujOn Public Appearances
October 30-31 Information Security Summit (
November 2-7 ICANN Meeting (

EstDomains Accreditation Terminated By ICANN

October 29, 2008 - Extra!

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (Customer No. 919,IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008... (

ICANN De-Accredits EstDomains for CEO's Fraud Convictions: The entity responsible for overseeing the Internet's domain name system said Tuesday that it was revoking the right of registrar to process new domain names, citing the company CEO's recent conviction on cyber crime charges... Kudos to ICANN, and to others -- particularly and Knujon -- who contributed to shining a light on EstDomains' storied history and practices. (

ICANN Terminates Accreditation of Notorious Malware Hosting Domain Registrar EstDomains: The EstDomain company was founded in Tartu, the second largest Estonian city, but it has also been registered as a company in Delaware, US. In a report from KnujOn regarding EstDomain’s activity, it is noted that “Delaware is a tiny state that earns its keep by being very business-friendly. Typically, any business incorporated in Delaware is not actually there”. This prompted several security professionals to question the ICANN practices of accrediting companies that don't really exist where they were incorporated. (

Three cheers for ICANN! (

RBN Farewell To Estdomains (

One criminal Internet registrar down... (

USA Internet community fighting against botnet purveyors
Phishing and Fraud - ICANN Heeds Call to Ban Abusive Registrars
InterCage Back Up - Blames EstDomains for Their Woes Calls on Internet Community to End the Fake Pharmacy Menace
More Follow-up And Fallout
EstDomains Continues to Deny Real Location
EstDomains: A Sordid History and a Storied CEO
Atrivo and ESTDomains
Directi Responds to KnujOn Report - Dumps Controversial Service
EstDomains Controversy Continues
SpamHaus Backs-Up HostExploit Report/Wash Post Article
Examining the Role of Registrars in Illicit Activity
Underground Steroid Websites Flourish at U.S. Registrars
Steroid Sites Registered Through EstDomains

KnujOn Public Appearances
October 30-31 Information Security Summit (

Questions and Answers on LegitScript's Termination of Steroids Websites

October 29, 2008, a steroid law reform website, emailed us with some questions about our request to GoDaddy and other US-based registrars to terminate some steroids websites. Most, but not all, of the websites were terminated. Mesomorphosis asked some great questions, and we’re happy to answer them... (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Illicit Drug Sites and Spam on the Net - Yes, money is the motivation

October 28, 2008

The "Internet Dark Arts" panel on Thursday at the WebbyConnect conference featured a former affiliate marketing player named Mike Geiger, who used to have what sounded like a thriving side business setting up sites that sent affiliate traffic to illicit pharmaceutical sites. These are the sites that offer Viagra and other drugs to customers without a doctor's prescription. The affiliate programs are responsible for an avalanche of spam, but what's really scary is the potential for injury to people who shouldn't be consuming the drugs in the first place, or only under the dosages prescribed by a physician or pharmacist. Geiger was unrepentant about his role in the trade. Affiliate marketing is a "completely legit business," he said, and went on to describe himself as a mere middleman uninvolved with the actual distribution of the drugs. Cash was the obvious reason for getting into affiliate marketing, and Geiger revealed the rewards for pharmaceutical sites were particularly good. "Why did I choose pharmaceuticals? It was very simple," he said. "[It was] because I would get up to 45% of whatever I sold." This compares to retail affiliate programs offered by and others, where the cut is usually in the low single digits. (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Has Storm stopped sending spam?

October 27, 2008

"There isn't too much to figure out what's happening here. There are several reasons responsible for this as well as other victories in the war against spam and other Internet abuses, one of them being the shutdown of rogue registrars. One of the major soldiers in the trenches can be found at which also does a pretty good job of posting up all the news and reports from the battle field." (

KnujOn Public Appearances
October 30-31 Information Security Summit (

GoDaddy Starts Shutting Down Steroid-Related
Websites Under Pressure from

October 26, 2008

The internet domain registrar GoDaddy has started shutting down anabolic steroid-related websites under increasing pressure from a pharmacy special interest group called is an internet pharmacy verification service that approves pharmacies that conform to United States federal and state laws. GoDaddy recently shutdown the following steroid pharmacy websites ominously listing the nameservers as NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM and NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM: (

KnujOn Public Appearances
October 30-31 Information Security Summit (

New GMAIL Advanced IMAP Allows Easy KnujOn Reporting

October 25, 2008

One thing Google has really done a good job of is implementing a few unique features into Gmail that other mainstream email services don’t offer. To give you an example, IMAP support. Of course some services do offer it, but many, especially those that are free, do not. Not only does Google offer IMAP support for free, they recently “Turbo Charged” it and have gone above and beyond what many ever expected them to do when they requested such a feature. To access these advanced IMAP features, you’ll first have to enable “Advanced IMAP Controls” from the Labs section in Gmail. This is the same place you may have gone to enable those Google Goggles we talked about the other day. Once it is enabled, you’ll be able to go to your settings and configure everything the way you would like it to be. (

"Great! now i can download all my gmail spam and forward it to Knujon with ease. Die evil Spammers (or at least go to jail)." (

From the team that brought you Mail Goggles, here comes...Advanced IMAP Controls, a Labs feature that lets you fine-tune your Gmail IMAP experience. You can choose which labels to sync in IMAP -- useful if you find your mail client choking on a big [Gmail]/All Mail folder. After enabling this Lab, just go to the Labels tab under Settings. You'll see a new 'Show in IMAP' checkbox next to each of your labels. Uncheck the box and the corresponding folder will disappear from IMAP. (


KnujOn Public Appearances
October 30-31 Information Security Summit (

175,547 Illicit Domains Dumped by Directi

October 24, 2008

The final tallys of HostExploit's and KnujOn's push against illicit sites at Directi in August. Over 175 thousand domains have been suspended by Directi.

Directi Domain Abuse Actions - Report Oct 09 (

FBI, FTC Take Down Scammers & Spammers (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Domain Registrars Identified Web Addresses Referred in Spam

October 23, 2008

The Internet's main governing body, ICANN (The Internet Corporation for Assigned Names and Numbers) said on October 15, 2008 that a German organization, and a Chinese organization, are selling domain addresses connected to spam mails. Anti-spam site stated that spammers appear to prefer Websites registered through and After exhaustively analyzing junk e-mails for six months, Knujon discovered that 3.3% of Websites registered with, over 10,000 in total, referred in spam mails. And over 9,000 Websites registered with, 1.42% in total were also linked to spam mails. (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Shady Internet registrars could get the boot

October 21, 2008

ICANN had sent enforcement notices to several domain registrars identified by KnujOn, an anti-spam organization, as having registered the majority of illicit Web sites using spam to generate traffic. KnujOn said 90 percent of Web sites are clustered on just 20 registrars. That represents only 2.5 percent of the 800 registrars accredited by ICANN. (

KnujOn Public Appearances
October 30-31 Information Security Summit (

'Net Guru Tells ICANN to "Hire KnujOn"

October 20, 2008

John Levine, author of The Internet For Dummies, Fighting Spam for Dummies and a dozen other technical books, got into a heated public discussion with ICANN's Kieren McCarthy about Registrar compliance in which Levine ponders: "Perhaps you should hire the Knujon guys "[to fix the whois compliance issues].

" ICANN can't audit the WHOIS data, so it's my job to do so? Aw, come on. WDPRS is a useful band-aid to help with the enormous backlog of bogus WHOIS, but if the compliance process worked, ICANN would find the bad stuff themselves rather than expecting unpaid volunteers to do their work for them. Perhaps you should hire the Knujon guys. And, as I've pointed out, the compliance issues only begin with bogus WHOIS. There's registrars with no WHOIS at all, and lots of other egregious violations that I know that [ICANN] knows about. " (

Cluck, Cluck… ICANN and Contract Compliance Enforcement(

KnujOn Public Appearances
October 30-31 Information Security Summit (

Sarkozy's bank account hacked by thieves

October 19, 2008

The French Cabinet's spokesman says "swindlers" have broken into the personal bank account of President Nicolas Sarkozy. Spokesman Luc Chatel told France's Radio-J an investigation is under way and insists the incident "proves that this system of checking (bank accounts) via the Internet isn't infallible." He did not elaborate. (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Atrivo Shutdown Hastened Demise of Storm Worm

October 17, 2008

The infamous Storm worm, which powered a network of thousands of compromised PCs once responsible for sending more than 20 percent of all spam, appears to have died off. Security experts say Storm's death knell was sounded by the recent shutdown of Atrivo, a California based ISP that was home to a number of criminal cyber crime operations, including at least three of the master servers used to control the Storm network (

KnujOn Public Appearances
October 30-31 Information Security Summit (

Registrars linked to spam warned, but continue to sell Web addresses

October 16, 2008

The Internet Corporation for Assigned Names and Numbers (ICANN) said the Chinese company,, hadn't properly investigated who owns several of the Web addresses it sold. ICANN also said it had investigated similar problems at a German company,, but found the site's owners had properly investigated similar complaints. (

KnujOn Public Appearances
October 30-31 Information Security Summit (

FTC Shuts Down, Freezes Assets of "Herbal King" Network

October 15, 2008

A U.S. district court has ordered a halt to the operations of a vast international spam network that peddled prescription drugs and bogus male-enhancement products. The network has been identified as the largest “spam gang” in the world by the anti-spam organization Spamhaus. The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants’ assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC. According to papers filed with the court, the defendants deceptively marketed a variety of products through spam messages, including a male-enhancement pill, prescription drugs, and a weight-loss pill. One product called “VPXL” was touted as an herbal male-enhancement pill. Advertised as “100% herbal and safe,” it supposedly caused a permanent increase in the size of a user’s penis. The agency alleged that not only did the pills not work, but they were neither “100% herbal” nor “safe,” because they contained sildenafil – the active ingredient in Viagra. At the FTC’s request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil. (

Herbal King gang sent billions of spam messages pushing prescription drugs and phony male-enhancement products: Garth Bruen, creator of KnujOn, which fights email abuse and online fraud, says the shutdown of Herbal King is “awesome.” “The feds are waking from their slumber,” Bruen says. “CastleCops, Spamhaus and others have done remarkable work. It's been years in the making, [and] these VPXL sleazebags have been raking the money in.” (

ICANN Warns Domain Registrars over Compliance (
Measurable Drop In Nefarious UCE Activity After Atrivo Demise(
Intercage demise causes spam levels to fall(
Atrivo ISP shutdown sends ripples through the spam deluge(

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

USA Internet community fighting against botnet purveyors

October 14, 2008

It’s been for some time so far that a number of independent and volunteer online security research groups have been releasing reports on criminal activities supported by such ISPs as Intercage, a network provider based in California and EstDomains, a domain name registrar allegedly located in Delaware. Researches conducted by HostExploit,, Spamhaus and Knujon divulged the facts about the involvement of Intercage also known as Atrivo and EstDomains into the cyber crime business including malware download to unsuspecting users, porno products and steroids distribution and spyware installation to rob users of their financial data. An independent study was also initiated by Brian Krebs that leads Security Fix section at Washington Post. The latter was turned into a kind of a forum where disgraced firms posted their confutation to the information presented by the security researchers while their customers, obviously Russians, touched on the raw expressed their despite towards American consolidated efforts directed to weaken adverse impact of criminal syndicates on Internet subscribers in the US. (

Cluck, Cluck… ICANN and Contract Compliance Enforcement(

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Inside the hackers' den

October 13, 2008

HUNCHED over a computer terminal in his pyjamas, "Frank" makes more money than a small-time drug dealer without ever having to worry about being caught or even leaving the house. Constantly covering his tracks via a complex web of internet servers, he is part of a global network of cyber thieves who together fleece billions of dollars from unsuspecting internet users every year - using little more than an internet connection, free software and some spare time. Speaking to the Herald on the condition of anonymity, he and other experienced hackers say banks' attempts to stamp out credit card theft are doomed due to the ease with which clients' computers can be compromised. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Phishers, Virus Writers Exploit Global Financial Crisis

October 12, 2008

Security experts and the federal government are warning that scam artists are leveraging public concern over the global financial crisis to steal sensitive financial data and spread malicious software. In an alert posted Thursday, the Federal Trade Commission urged Internet users to be on guard against e-mails that look as if they come from a financial institution that recently acquired a consumer's bank, savings and loan, or mortgage. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

World Bank Under Cyber Siege in 'Unprecedented Crisis'

October 11, 2008

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Spam Volumes Plummet After Atrivo Shutdown

October 10, 2008

Security Fix has spilled quite a bit of digital ink chronicling the demise of Atrivo (a.k.a. "Intercage"), a now-defunct Northern Calif. based Internet service provider that served as home base for a large number of cyber criminal operations. Happily, data released this week about a short-lived but precipitous decline in the level of badness online after Atrivo was shut down illustrates just how bad Atrivo was.

Internet security firm MessageLabs said it observed a significant drop in the level of spam and botnet activity after Atrivo's upstream Internet providers pulled the plug on the company last month. The graphic to the right shows a collapse in the level of spam emanating from computers infected with the some of the nastiest spam-enabling malware, including the Storm worm, Cutwail, Srizbi and MegaD. MessageLabs said the decline was due to the fact that a large number of command and control networks used to control these distributed malware spam systems were located on servers on Atrivo's network. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Replacing Downed Phishing Pages With Education

October 9, 2008

The APWG’s Internet Policy Committee (APWG-IPC) and Carnegie Mellon University’s Supporting Trust Decisions Project (STDP) have joined forces to educate consumers about phishing and, in doing so, have established the AWPG/CMU Phishing Education Landing Page Program. The goal of this initiative is to instruct consumers on online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

ICANN slaps wrists and sends emails to spammers' registrars

October 8, 2008

ICANN may wonder why organizations like KnujOn exist and regularly publish reports about registrars who fail to comply with even the regulations ICANN can enforce, and so much criticism is directed at the organization for being "toothless." Looking at a year-long process to levy what is essentially wrist-slap for allowing spammers to register domains with false or missing information and then backing down might be a good place to start. A year is far too long to deal with the problem of spammers, who have usually moved on well before ICANN even begins their process to register other domains. (

Spammers Favor Obama Over McCain 7 to 1 (
Palin E-Mail Hacker Indicted (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Phantom Calls From 626-273-8207 - The Car Warranty Scam

October 7, 2008

The phone rang. It was from 626-273-8207. I answered. It was the infamous "car warranty" call. Most folks hang up, and should, but for us it was a chance to get into the inner workings on the telephone scam world. The automated message said: "Press 2 to continue." After pressing 2 we were on hold for a very long time. Finally, a very gruff and tired voice answered:

Gruff Scam Man: Car warranty department, may I have the make and model of your car?

KnujOn: Actually, can I have the name of your company?

Gruff Scam Man: No.

KnujOn: Why not?

Gruff Scam Man hung up.

The carrier of this number is Digitcom Services, Inc. Alhambra, CA, somewhat irrelevant because they dump these numbers frequently and get new ones as they are blocked. The real issue is who benefits from this?

The bulk of the companies doing this are located near St. Louis. The Better Business Bureau of Eastern Missouri and Southern Illinois lists 92 extended warranty companies in that area. They are responsible for a huge number of complaints from across the country. (

Auto One is located in Irvine, Calif., and is a subsidiary of Credexx, a loan consolidator. It caught the attention of the Better Business Bureau last year due to the high number of complaints about its warranty expiration notices and difficulty processing claims. The Bureau rated the company an F. According to Bureau records, the president of Auto One is David Tabb, 41, a man with a history of dicey consumer practices. Another of Tabb's companies, Hollywood Dreams, was listed at an address next door to Auto One. Hollywood Dreams was a company used as a front for selling sports and Hollywood memorabilia with forged signatures. In 2002 Tabb pleaded guilty to one count of conspiracy to commit mail fraud and one count of tax evasion for his part in a scam to sell the forged merchandise. According to the indictment filed in U.S. District Court, Tabb arranged to meet an undercover federal agent at a Chevron gas station in Irvine to sell him basketballs and other sporting items with forged signatures and fake certificates of authenticity. He continued to sell undercover feds forged merchandise, usually in parking lots, over the next year. Tabb did not respond to messages left at his last known home number or Auto One offices. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Kentucky Gambling Domain Seizure Raises More ICANN Questions

October 6, 2008

A member of the European Parliament, William Newton-Dunn, has recently been addressing questions to the European Commission which asks whether ICANN is engaging in restraint of European free trade laws by imposing restrictions on who can operate a TLD and sell domain names. Some restrictions are considered insurmountable by many small business owners and individuals, such as the non-refundable $50,000 application fee. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Phishing and Fraud - ICANN Heeds Call to Ban Abusive Registrars

October 5, 2008

ICANN had actually sent initial "Notices of Concern" regarding the same issue to both firms in May after an initial report listing abusive registrars was published by KnujOn, which recently pushed another major registrar, Directi, to mend its own ways and another, EstDomains, to promise to do the same. "Both (, and subsequently assured ICANN that they were investigating Whois inaccuracy claims and had suitable processes in place to do so. However, ICANN found compelling evidence leading to a conclusion that both and do not appear to be taking reasonable steps to investigate these claims as required," ICANN said in a statement. To avoid the commencement of the termination process, and must now "cure the cited breaches within 15 days." If not, ICANN said it will "pursue all remedies available under the terms of the RAA, including possible termination." (

Analysis: Bringing law to the Internet (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Domain registrars warned on oversight

October 4, 2008

The Internet Corporation for Assigned Names and Numbers, known as ICANN, sent formal breach notices Tuesday to two of the registrars that it accredits, giving them 15 days to fix the problem or lose their accreditation. The registrars - Swiss-based and Beijing Innovative Linkage Technology Ltd., doing business as - lease out about 900,000 Internet addresses, known as domain names.
"We are sending a message in public ... that everyone needs to be vigilant," said Paul Levins, ICANN's vice president for corporate affairs.
"There are some domain registrars who facilitate criminal activities on the Web by turning a blind eye" to registrants who deliberately provide false or incomplete Whois information, said Garth Bruen of the anti-spam advocacy group KnujOn - "no junk" spelled backward.

He says a hard core of registrars rent most of the domain names that contain the Web sites advertised in spam e-mails — billions of unsolicited messages sent every year, mostly by so-called botnets of personal computers that, unbeknown to their owners, have been taken over by hackers and other cybercriminals.

Earlier this year, Mr. Bruen analyzed millions of spam e-mail messages forwarded by members of the public. He concluded that 90 percent of the Web addresses the spam advertised had been leased by just 20 registrars.

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Two of KnujOn's "Ten Worst Registrars" Issued Breach Notices

October 3, 2008

Two days ago ICANN issued breach notices to Joker and Beijing Innovative Linkage Technology Ltd ( which should lead to their de-accreditation by October 14th. Beijing Innovative and Joker were numbers 2 and 4 on KnujOn's 10 Worst List, respectively. Every KnujOn participant and supporter needs to give themselves a big pat on the back tonight because YOU made this happen. KnujOn processed your submissions and filed thousands of complaints and tracked them continuously to ensure contracts were observed and the public trust was not broken. In May of this year ICANN responded to KnujOn's report by issuing enforcement notices against the rogue Registrars. Some of these Registrars have made amazing improvements since the report was released, but the two being issued breach notices this week did little or nothing and are now paying the price for policy failure. More to come soon.

Internet body cracking down on shady Web sites (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Breach Notices Sent to and

October 2, 2008

ICANN has sent breach notices to two ICANN-accredited registrars, Beijing Innovative Linkage Technology Ltd., doing business as and, on 30 September 2008.

These registrars failed to comply with Section 3.7.8 of the Registrar Accreditation Agreement (RAA) which requires registrars to take "reasonable steps to investigate" Whois inaccuracy claims.

Section 3.7.8 of the RAA requires registrars, "…upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate the claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy."

In November 2007, ICANN audited registrar compliance with the investigation of Whois inaccuracy claims filed through ICANN's Whois Data Problem Report System (WDPRS). The audit analyzes the complaints as well as complainant follow-up correspondence indicating "no change" to Whois data 45 days after the claim is filed. Registrars that appear to take no action in response to a significant percentage of WDPRS complaints are sent a Notice of Concern that request they provide ICANN with details regarding the steps taken to investigate the claimed Whois inaccuracies - as required by Section 3.7.8 of the RAA.

On 29 May 2008, ICANN sent and Notices of Concern. Both subsequently assured ICANN that they were investigating Whois inaccuracy claims and had suitable processes in place to do so. However, ICANN found compelling evidence leading to a conclusion that both and do not appear to be taking reasonable steps to investigate these claims as required.

Accordingly, on 30 September 2008 ICANN sent and notices of breach of contract. To avoid the commencement of the termination process, and must cure the cited breaches within 15 days. ICANN will pursue all remedies available under the terms of the RAA, including possible termination, if and fail to cure the cited breaches. has over 300,000 domain names under management and has over 600,000 domain names under management.

ICANN's efforts to improve Whois accuracy are ongoing and registrars are advised to investigate every claim of Whois inaccuracy received as required by Section 3.7.8 of the RAA to avoid compliance action by ICANN.


KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Lots of Tough Questions, No Answers

October 1, 2008

KnujOn's Garth Bruen attended and spoke at the Improving Institutional Confidence in ICANN public session at the National Press Club in Washington, D.C. This was a very intense and insightful meeting. The details will be discussed here extensively in the next week.

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Congress takes up online threats to children

September 27, 2008

The House of Representatives on Tuesday passed the Ryan Haight Online Pharmacy Consumer Protection Act, a bill that would would ban the sale or distribution of prescription drugs over the Internet without a valid prescription. Matching legislation passed in the Senate in April, but the House sent its version back to the Senate with amendments on Thursday. Under the proposed law, online pharmacies would have to comply with pharmacy licensing laws in each state in which they do business and register with the relevant state attorneys general. Some congressmen questioned the impact of the bill, given that so many online pharmacies that distribute drugs without prescriptions are based outside the U.S. (

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

KnujOn Wins Best Presentation at MAAWG

September 26, 2008

KnujOn received a standing ovation at the closing session of The Messaging Anti-Abuse Working Group ( meeting in Fort Lauderdale, Florida. The community has expressed its appreciation of our work and has taken steps to continue supporing us.

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

OWASP Presentation a Success

September 25, 2008

KnujOn has presented to many law enforcement, investigative, and anti-abuse groups. This was our first presentation to a group specifically dedicated to security software development. In one of the largest conferences of its kind, The Open Web Application Security Project ( brought together an unprecedented number of experts in the field to discuss the state of software security. KnujOn effectively delivered the message that good software needs good policy (and vice-versa). KnujOn wants to thank Tom Brennan specifically for inviting us.

KnujOn Public Appearances
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

InterCage Back Up - Blames EstDomains for Their Woes

September 24, 2008

A day after security experts celebrated the death of a network provider accused of hosting a large concentration of the world's cybercrime, California-based Intercage appeared to be among the living again. IP transit provider UnitedLayer agreed to provide upstream service to Intercage about 36 hours after its last transit provider pulled the plug. UnitedLayer's move, which is sure to prove unpopular in some circles, came after Intercage agreed to completely sever ties with Esthost, the Eastern European web host believed by many to be responsible for the lion's share of abusive traffic carried by Intercage. (

Controversial ISP Intercage Now Back Online
Pressure from computer security researchers may have knocked ISP (Internet service provider) Intercage offline, but not for long. The San Francisco company, accused of being a haven to online criminals, is now back, just days after its last upstream network provider, Pacific Internet Exchange, dropped it as a customer. Pacific had been Intercage's point of contact with the Internet's backbone, but it had dropped Intercage's service late Saturday night, knocking the controversial Internet service provider offline. (

KnujOn Public Appearances
September 23-25 Open Web Application Security Project "OWASP" (
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit ( Calls on Internet Community to End the Fake Pharmacy Menace

September 23, 2008

Recent public disclosures and positive activity within the Internet security community have provided encouraging news for long-suffering spam and malware victims. The demise of Atrivo/Intercage and recent revelations about EstDomains boost our belief that aggressive policy enforcement, efficient data collection, and industry cooperation can make a huge difference in creating a new, safer Internet. However, there is still quite a bit of work to be done.

KnujOn is calling on all the Domain Name Registrars and other concerned parties to help develop policy and methods to specifically put a stop to the fake pharmacy menace.
The Directi Group has lead the way by making a commitment to end the easy flow of counterfeit and hijacked pharmaceuticals on the Internet. KnujOn invites all companies in the ICANN-Accredited community to make the same public pledge.

To this end KnujOn will be presenting a plan and series of proposals at several events in the near future. Our Three-Point plan (Fixing the Broken Policy Structure, Eradicating Illicit Internet Traffic, and Enfranchising the Consumer) will be discussed at the Messaging Anti-Abuse Working Group (MAAWG) General Meeting September 23rd, the Open Web Application Security Project (OWASP) Conference September 24th, Anti-Phishing Working Group (APWG) eCrime Researchers Summit October 15th, and the Information Security Summit October 31st. Details about each event are listed on One of our proposals to the security community could be a "game-changer" in terms of dealing with malware and other security threats. KnujOn looks forward to the community's support in this endeavor.

InterCage/Atrivo Close

September 22, 2008

California-based network provider Intercage has gone completely offline following weeks of scathing criticism that it hosts an inordinate number of sites engaged in phishing, malware propagation, and other illegal activities. Pacific Internet Exchange, which only began providing upstream service to Intercage in the last week or so, pulled the plug on Saturday night. It's a safe bet that PIE's move was in response to recent efforts to isolate Intercage following a report that it enables a rogue's gallery of customers to punt spam, malware, and online (illegal) pharmaceuticals. The report so tarnished Intercage's already struggling reputation that both of its longterm providers canceled service. According to an email sent last week by Intercage president and owner Emil Kacperski, PIE was immediately punished for its actions. Within a few days, a block of IP addresses issued to PIE were included on the Spamhaus block list, according to Brian at PIE. Spamhaus officials were not immediately available to comment. An outgoing message on Kacperski's voice mail apologized for the outage and said company officials were "trying to get this resolved as soon as possible." Volunteers active in ridding the internet of abusive sites celebrated the take down of Intercage, which has also gone under the name Atrivo. (

Internet Shuns U.S. Based ISP Amid Fraud, Abuse Allegations
Atrivo, a.k.a "Intercage," of Northern California, ceased to be reachable from any points on the Internet early Sunday morning when the ISP's sole remaining provider - Pacific Internet Exchange (PIE) - stopped routing traffic for the troubled company. The final blow comes just weeks after Security Fix joined several researchers in publishing evidence that major portions of Atrivo's network were being used to foist fake security software, Trojan horse programs, and other nastiness. As a result of those reports, several of Atrivo's upstream providers dropped the company as a client. (

Russian Business Network (RBN) Atrivo Goes Dark
It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/ Intercage), ‘Pacific Internet Exchange’ (PIE) see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008. (

KnujOn Public Appearances
September 23rd Messaging Anti-Abuse Working Group "MAAWG" (
September 23-25 Open Web Application Security Project "OWASP" (
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

FBI Searches College Student's Home In Sarah Palin E-Mail-Hack

September 21, 2008

The FBI has served a search warrant against a 20-year-old college student in connection with the hacking of Sarah Palin’s personal e-mail account. A witness told WBIR-TV that FBI agents served the warrant at the college residence of David Kernell, a student at the University of Tennessee-Knoxville. Kernell is the son of Mike Kernell, a Democratic state representative from Memphis.
The hacker who compromised Palin’s account used, an Internet proxy site, which renders Web users anonymous, to get into Palin’s e-mail. The site is run by Gabriel Ramuglia, 25, a Web developer from Athens, Ga., who said the hacker left behind revealing clues after posting screen grabs of Palin’s inbox.

Palin's Email Hacked By Anonymous (

KnujOn Public Appearances
September 23rd Messaging Anti-Abuse Working Group "MAAWG" (
September 23-25 Open Web Application Security Project "OWASP" (
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Upcoming KnujOn Events

September 20, 2008

KnujOn will be presenting at several venues between now and November. These critical meetings will allow us to discuss our plans in the near future:

September 22-24 Messaging Anti-Abuse Working Group "MAAWG" (
September 23-25 Open Web Application Security Project "OWASP" (
October 14-16 Anti-Phishing Working Group eCrime Researchers Summit "APWG" (
October 30-31 Information Security Summit (

Industry Still Wary Of ICANN Plan For New Top-Level Internet Domains

September 18, 2008

The Internet Corporation for Assigned Names and Numbers (ICANN) has not adequately explained to the world the need for more generic top-level domains (gTLDs - such as .com), industry representatives said last week. As the time nears for ICANN, the internet’s technical oversight body, to publish draft guidelines (request for proposals) in the fourth quarter of 2008 for the gTLD applications, the chorus of criticism against the new domains is getting louder, with some saying it is merely a way for the global domain-name body to make money. (

More Follow-up And Fallout

September 17, 2008

Washington Post Coverage on Nefarious Domain Name Activities
Over the last few months Brian Krebs of the Washington Post has been covering stories about domain name resellers and registrars who are in one way or another tied in to nefarious online activities such as spamming, spyware and malware. A noticeable trend in these articles is that the activity of these scammers is consistently showing them to be using registrar reseller accounts and privacy protection to cover their tracks. Krebs’ stories are worth reading as they highlight the issues in the domain name system, ICANN and registrars which continue to provide a means for these scammers to operate. (

Registrar Bends to Pressure from Researchers
The lesson of this story? If you believe in the quality of your work, don't let anyone try to move you off your spot. Over a week after anti-spam research house KnujOn first called out India-based registrar Directi for allowing its business partners to support illegal online pharmacies, the registrar has sought a truce with the experts after cutting ties with the questionable domain owners. As you may have followed via a pair of posts in this space last week and the subsequent comments filed by the involved parties, KnujOn and Directi, along with some other researchers who got into the debate, had partaken in some heated exchanges, with the registrar questioning the KnujOn report, which it initially labeled as "baseless," and KnujOn refusing to submit to the company's demands to retract its claims. For, after questioning everything from the quality of the KnujOn conclusions to the journalistic integrity of those (ahem) who chose to cover the paper on "phantom registrars" that fail to vet their customers properly, Directi has moved to quell the issue and suspend the accounts of the illegal pharmacies that apparently have indeed been using its services. (

Ad hoc malware police besiege net neutrality
Analysis Over the past couple of weeks, white hat netizens have scored two important victories in their tireless quest to clean up some of the internet's darkest recesses. While the events are encouraging, forgive us if we don't jump for joy. (

Should OxyContin, Vicodin, Lortab, Xanax, and Additional Addictive and Deadly Drugs Continue to be Easily Available to our Children on the Internet?

September 16, 2008

The unscrupulous distribution of addictive and dangerous prescription drugs continues to be a major problem on the internet in our country," according to Larry Golbom, host of The Prescription Addiction Radio Show. This week the topic will be to challenge the head of the Judiciary Committee, John Conyers, and our congressional leaders, in helping us stop the growing narcotic prescription internet sites. Listen to The Prescription Addiction Radio Show on WGUL 860 AM ( on Sunday night, September 21 - 9:05 p.m. Eastern. (

Phishers Moving to Less-Obvious Targets

September 15, 2008

Rather than directly assaulting banks or credit cards, phishers are now targetting online services that use credit cards:

EstDomains Continues to Deny Real Location

September 14, 2008

In a rambling press release EstDomains' Konstantin Poltev professes the Registrar's innocence and tries to rally everyone in the fight against cybercrime. How original. However, the entire premise of this release is flawed since they are still claiming to be located in the United States when everyone knows they are not.

" Wilmington, DE (PRWEB) September 14, 2008 -- EstDomains, Inc, a US-based domain name Registrar, officially declares opposition to malware mongers... " (

If they want us to believe them, they should start be completely coming out of the shadows and tell everyone where they really are. Until we know the first level of truth, every other claim is suspect.

If RBN is dead, their customers are still alive

September 13, 2008

This year, the posts and white papers circulating on the web portray new protagonists like AbdAllah, Atrivo, Directi or EstDomains. Like their RBN senior branch, these Internet network providers are strongly suspected to protect many actors in the malware/phishing/fraud world. In February 2008, a ShadowServer foundation document explained that many domains had moved from RBN to AIH (AbdAllah Internet Hizmetleri). Like me, many researchers saw here a revival of RBN. But as it is assumed by some French bloggers, it was only a migration from customers, from one bulletproof hoster to another. (

Virginia Anti-Spam Law Overturned, Spammer Walks

September 12, 2008

The Virginia Supreme Court today struck down a state anti-spam law, saying the statute violated the First Amendment right to free and anonymous speech. The decision also tossed out the conviction of a North Carolina man once described as one of the most prolific spammers. (

Fake Antispyware Purveyor Doubles as Domain Registrar

September 11, 2008

A cyber gang known for aggressively spreading fake anti-spyware programs through hijacked and malicious Web sites has become an authorized reseller of domain names. Security Fix has learned that this gang is using its access as a registrar to ease the process of creating new Web sites used to push their invasive software. (

Court of public opinion replacing ICANN?

September 10, 2008

The global fight against spammy websites saw a bizarre episode unfold over the past week, involving two Internet hosting companies, an anti-spam and anti-phishing organization, and the ghost of ICANN hovering in the background. For those who missed it, KnujOn, a company whose product fights junk email, including spam and phishing, published a report alleging certain domain resellers and hosting providers were complicit with organizations using spam email to lure unsuspecting users into using illegal online pharmacies.

when it comes to situations like this one, where the governing body -- ICANN -- seems either unable or unwilling to deal with the situation, it's often the court of public opinion that reveals the extent of the problem and forces some participants to change their ways. The KnujOn-Directi-HostExploit situation only reinforces the need for more oversight of domain registration and hosting, stiff penalties that are actually enforced, and a less complicated hierarchy of accredited registrars and resellers.

EstDomains: A Sordid History and a Storied CEO

September 9, 2008

We have been asking questions about EstDomains for sometime, and now we are finally getting some answers thanks to Brian Krebs and a number of security researchers.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin. It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering. (

The accredidation of EstDomains should and must be terminated under ICANN's Registrar Accredidation Agreement

" 5.3 Termination of Agreement by ICANN. This Agreement may be terminated before its expiration by ICANN in any of the following circumstances:

5.3.2 Registrar: is convicted by a court of competent jurisdiction of a felony or other serious offense related to financial activities, or is judged by a court of competent jurisdiction to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN reasonably deems as the substantive equivalent of those offenses; or is disciplined by the government of its domicile for conduct involving dishonesty or misuse of funds of others.

5.3.3 Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is judged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN deems as the substantive equivalent of any of these; provided, such officer or director is not removed in such circumstances. " (

It's time for ICANN to remove the criminal registrars.

Atrivo and ESTDomains

September 8, 2008

Update, Monday, Sept 8, 12:00 p.m. ET: Todd Braning, vice president of BandCon, just e-mailed me to say that BandCon also has stopped providing connectivity to Atrivo/Intercage. From his e-mail: "Intercage, a new customer, was connected to the BandCon Network for total of about a week. Once we recognized and issue with Intercage, BandCon took immediate action and terminated services. We are no longer providing services to AS27595. This can be confirmed here." WVFiber is the only company still providing direct connectivity to Atrivo, and as stated before they plan to pull the plug by Thursday at the latest, so it appears that Atrivo will have to find another network provider or it will very soon cease to be reachable on the Internet. All good news. Atrivo/Intercage have been a huge malware problem for a long time. This takes a good chunk of bad out of the Internet. Not a major chunk, there are many other hosts like Atrivo, but this is a step in the right direction. I'm VERY reassured to see some positive action by the responsible bandwidth providers and by nLayer who've discontinued business with a known bad entity, and in nLayer's case taken back their IP space. We CAN make a difference, and it doesn't have to be via law enforcement action, which as we all know can be difficult to initiate in the light of how this kind of crime works across global jurisdiction. (

Joint statement from Directi, HostExploit and KnujOn

September 7, 2008

In light of recent developments, Jart Armin of Bhavin Turakhia, CEO of Directi and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement clearing any previous misconceptions and reaffirming their common goal to combat abuse on the Internet. Here are few of the points they would like to jointly make -

* Directi, HostExploit, Knujon recognize and confirm that they share the common goal of continuing to combat spam and abuse on the Internet through cooperation, collaboration and proactive action. In conversation yesterday, Directi, HostExploit and Knujon agreed to publish this statement to clarify any misconceptions and affirm their mutual commitment to work closely to combat abuse.

* Directi clarified to HostExploit that, LogicBoxes (a Directi business) is not hosting any of Atrivo's websites. Atrivo runs its web infrastructure under the name of which is not affiliated with Directi in any manner.

* Directi also confirmed that ESTDomains is not a Directi company, and Directi does not control the actions or clients of ESTDomains, a fact that HostExploit was already aware of.

* HostExploit confirms that its report was not meant to allege that LogicBoxes is directly sponsoring Internet abuse, rather its report was meant, in good faith, only to provide relevant parties with all information and data which can be used to clean up websites that were violating principles of ethical behavior. HostExploit hopes that other Internet news sites which may have taken the data in the HostExploit report out of context in assuming that LogicBoxes is directly affiliated with Atrivo rectify this misconception. Directi confirms that LogicBoxes is simply a software provider to various ICANN Accredited Registrars, and its only role was providing software for domain registration and DNS management.

* HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. Directi HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency the community can contact either Directi or / and HostExploit to ensure action is taken.

* Directi has clarified that is merely a privacy protection service used by many of Directi's legitimate clients, not unlike the privacy protection services offered by other Registrars. Directi further confirmed that privacy protection had already been disabled on a large percentage of Atrivo's domain names over a month ago. Since Directi offers privacy protection free of cost, there are miscreants who use it to cloak their malicious activities. However Directi reaffirmed that its abuse team will suspend privacy protection on any domain for which they receive a genuine complaint in less than 24 hours. In fact a few months ago, based on reports and data obtained from the antispam community, Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community. Currently over half a million genuine customers of Directi use privacy protection services to prevent their whois data from being harvested.

* Directi affirms they are in no way supporting illicit online pharmacies. KnujOn has sent a list of newly populated fake pharmacy domains that Directi suspended. Directi and KnujOn now jointly call on the Internet community, private industry, and government to help develop policy and methods to put a stop to the fake pharmacy menace since Registrars cannot do this alone.

* Knujon acknowledges that the 48 Registrars that it thought were phantom are actually in existence as Delaware incorporated legitimate companies with a valid ICANN Accreditation and accurate contact information. Knujon's confusion stemmed from the fact that ICANN does not require these companies to publically report their incorporation details.

* Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit continuous efforts in tracking down miscreants. HostExploit confirms that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that maybe using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.

Together with the community we hope to continue taking steps to make the Internet a better and safer place.

Behind the Making of the Atrivo Takedown

September 6, 2008

As early as November 2007, Armin and I (McQuaid) had corresponded regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of our normal malware investigations, we noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses. (

Controversy Continues

September 5, 2008

A different angle on SPAM and malware
Two websites have recently published reports on Internet security and the spread of malware across the web, and both documents examine the problem from a new perspective. Most online security coverage tends to focus on the perpetual war between the antimalware industry and the companies that earn an illicit living from selling botnets and developing new exploits. The reports from HostExploit and Knujon, however, focus on the registrars and ISPs that actually provide hosting to the black hats, and explore the various connections between the organizations. (

Spammers Find a Friend (

Where is the promised Comprehensive Review of ICANN Accreditation Processes? (

More fallout on the suspended malware sites (

Spam at the Highest Levels (

Scammer-Heavy U.S. ISP Grows More Isolated
Last week, Security Fix published an analysis of Atrivo, a California based Internet service provider, also known as Intercage, that has proven to be a virtual magnet for cyber-criminal operations. Since that time, Atrivo's biggest network backbone provider decided it could no longer support the company, and stopped offering it direct connectivity. (

Directi Responds to KnujOn Report - Dumps Controversial Service

September 4, 2008

Directi has vigorously responded to KnujOn's report, rejecting many of the claims in it. Directi has provided us with some commentary and we will discuss it in the context of our report.

Directi is now severing ties with Estdomains amid complaints that the Eastern European company makes it too easy to register sites that are used by spammers and scammers. "Just the reputation loss and the confusion because of these linkups has been more detrimental to us than the commercial gain from that one-off sale," said Directi CEO Bhavin Turakhia. "We felt it was the right move morally."

The link with EstDomains was one of our biggest concerns, and we have to applaud Directi for taking this step. EstDomains has not responded to requests to disclose their real location in Eastern Europe. Turakhia says he looks forward to the day when he can completely sever ties with Estdomains. "I would really love to detach ourselves from that organization," he said. Awesome.

Phantom Registrars
In investigating the 48 Directi-owned Registrars with questionable locations, we reported facts. The address used by many of these Registrars: "14525 SW Millikan Way Beaverton, OR 97005-2343" is the address of a mail forwarding service called Earthclassmail. According to Directi, the listed companies are registered in Delaware, but not in Oregon or New York as listed in the ICANN Directory. Directi is headquartered in Mumbai, India. KnujOn feels that any company given so much responsibility over the Internet should fully disclose where they are located, but this is apparently not an ICANN requirement.

Indeed, Stacy Burnette, director of contractual compliance at ICANN, said the organization is satisfied the registrars are incorporated in the location listed in their application. Telephone numbers in the contact information need not correspond to the location of incorporation, she said. ICANN doesn't require registrars to publicly disclose their place of incorporation.

To which KnujOn says: Huh? So, as the expression goes, don't hate the player hate the game. Directi merely acquired these accreditations by ICANN's own rules. Summary: One address in the application, a second address disclosed to the public. Read this line again: "ICANN doesn't require registrars to publicly disclose their place of incorporation." How does this figure into ICANN's mission to be an open and transparent organization? "Telephone numbers in the contact information need not correspond to the location of incorporation". How can there be any accountability? This situation is upside-down. Registrants are required to list their valid contact information, but the Registrars who sponsor their domains are not.
Directi has informed us they no longer use PrivacyProtect. This is encouraging news, and we applaud them.

Un-suspended Domains
Directi says that a technical error caused some fake pharmacies to reappear. We'll have to take their word on it.

Illicit Sites
Most importantly, Directi has accepted KnujOn's challenge to dump illicit sites and become an example in the industry. We have offered them our assistance in this endeavor.

And now a word for our (illegal online pharmacy) sponsor

September 3, 2008

Two recently issued reports portray the Internet Corporation for Assigned Names and Numbers (ICANN) as a bureaucracy that enables cyber criminals. In one report (PDF), researchers Jart Armin, James McQuaid and Matt Jonkman detail how a one of ICANN's prized sponsors has ties to one of the net's more prolific sources of malware and illegal online pharmacies. It's called LogicBoxes, and over the past two years, ICANN has listed it as a sponsor for meetings that took place in Los Angeles and Delhi, India. (

"Phantom Registrar" Problem Predicted in 2007
" There are times when loopholes seem to be the only source of true innovation in the DNS – it was a loophole in the RAA that allowed for the marketing of proxy registration services; it was loopholes in the accreditation process that allowed for the creation of “phantom registrars” that only exist as a device to gain access to the deleted names pool...Loopholes can become the bane of our community… and they are not easy to spot." (

...oops, predicted in 2006
"Most of the affected doamins seem to be registered by cyberwarehousing operation Ovidio Limited. Ovidio Limited has been registering thousands of generic keywords as .eu domains since the landrush in April. It also has a Cyprus address in the WHOIS data for all .eu domains checked. Even Ovidio's own .eu domain ( is on hold. Perhaps EURid has been shamed into doing something about the bogus registrar problem?
The magnitude of EURid’s decision to sue 400 phantom registrars for breach of contract is only just becoming apparent... other phantom registrars still exist and action has not been taken against them yet."

...oops, predicted in 2004
"You might not recognize the name Jennifer Ross-Carriere, but Jennifer is listed as the contact for (98) ninety-eight newly accredited ICANN registrars. Each one of these "accredited registrars" seems to have a website that forwards to (although truthfully I didn't inspect all 98) All this just for the purpose of commandeering the batch pool? Just my view, but I think this fully qualifies as gaming the system." (

ICANN At-Large Committee Demands Answers on 48 Phantom Registrars

September 2, 2008

The issues of Phantom Registrars and Registrar Criminality have become a source of outrage at ICANN's At-Large Committee.

"We cannot allow ICANN to get off the hook so easily. We cannot put through yet another tame comment while consumer protections are falling by the wayside with increased regularity.
Who anywhere would stand for accreditations being provided to non-existent companies and shell corporations?
ICANN has long been captured by the registries and registrars that exclusively feed its coffers. Whatever they want, they get and the public usually gets screwed.
The spam mitigation firm Knujon pointed to the nefarious activities of a single registrar associated with illicit pharmaceuticals that has sponsored 48 phantom accreditations. Extending accreditations to these shell/paper companies that are formed for the express purpose of gaming the system must stop. These phantom registrars are currently being used to game the aftermarket...This is simply not acceptable.
As a community, we are aware of accredited registrars in North America with officers that have been convicted of mail fraud, that continue to be associated with the deceptive marketing practices employed by the notorious Domain Registry of America. We are not happy about this.
We are aware of registrars that now stand as defendents in courts of law accused of cybersquatting, and yet ICANN lacks the will to suspend their accreditations."

A request has been made of ICANN's Tim Cole to explain this situation.

EstDomains Controversy Continues

September 1, 2008

In KnujOn's report Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure we detail issues with EstDomains. The Washington Post has covered more issues on EstDomains in connection to Atrivo. EstDomains now claims to be trying to clean up their act, but there are three issues that need to be addressed before we can take them seriously. We have made these challenges here and within the comments section of the Washington Post story:

  1. EstDomains needs to drop usage of They claim they already have but we will monitor to make sure.
  2. Disclose EstDomains Real Location

    According to EstDomains and Internic, they are located in Delaware. We know this is not true. We know they are located outside of the United States and want them to do the right thing and disclose their real location to the public.
  3. Address Steroid Site Complaint from July

    Two months ago LegitScript and KnujOn sent a letter to EstDomains requesting they terminate an unlicensed steroid site being sponsored at EstDomains. EstDomains never responded and the site is sill active. EstDomains now claims they never got the letter (could have something do with the issue above), even though we also sent it to all of their contact emails.
    EstDomains Sponsored

KnujOn Report to be discussed on Prescription Addiction Radio

August 31, 2008

KnujOn will be discussed tonight, along with other topics, on Larry Golbom's radio program Prescription Addiction Radio at 9PM EST. Those in the Florida area can listen on 860 AM WGUL. Listeners elsewhere may may stream over the Internet here, here, or here.

The Prescription Addiction Radio Show is dedicated to the thousands of families who are being or have been affected by the misuse of prescription drugs. The Prescription Addiction Radio Show is here to explore some of the challenges we face in trying to turn the explosion in the misuse of prescription drugs around. (

SpamHaus Backs-Up HostExploit Report/Wash Post Article

August 30, 2008

The Brian Kreb's posting, Report Slams U.S. Host as Major Source of Badware, about hostexploit's report on Atrivo and their apparent connection to a rogues gallery of cybercrooks. This article has generated considerable backlash from Atrivo, Hostfresh, Intercage, and EstDomains. These groups have posted many, many comments to to the Washington Post article slamming the slam report. However, the results have been verified by other groups like SpamHaus:

Without exception, all of the major security organizations on the Internet agree that the 'Home' of cybercrime in the western world is a place known as Atrivo/Intercage. We ourselves have not come to this conclusion lightly but from many years of dealing with criminal operations hosted by Atrivo/Intercage, gangs of cybercriminals - mostly Russian and East European but with several US online crime gangs as well - whose activities always lead back to servers run by Atrivo/Intercage. We have lost count of the times we have tracked a major virus botnet's "command and control" to Atrivo/Intercage servers, readers can view here some of the current and historic SBL records for Atrivo for a taste of what has been happening in this network. At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage. (

Atrivo Cybercrime Report

August 29, 2008

Knujon coordinated with to develop a parallel report to the one exposing ATRIVO and their connection to the Directi Group. A summary of the report, ATRIVO – CYBER CRIME USA is below:

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study although fully self contained is the first of a series of reports, on a monthly basis there will be a follow up to report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

Get the report here: Atrivo - Cyber Crime USA

Additional details are available at

Jart Armin, community volunteer and intrepid security researcher, released a report today that concludes that Intercage and Atrivo, a California-based family of companies that operate web hosting, domain registration, and other online services, are a hub of badware activity: Atrivo is a major hub of cyber crime based within the USA, and has been known as such within the Internet community for many years. Within this study we provide detailed evidence not only for public and community awareness but also to provide evidence for action. Atrivo’s reach in the cyber crime community and the Internet as a whole runs deep. From their partners in crime, to the domain registration and hosting services it has to be remembered this is deliberately misleading to avoid detection. Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity, and Jart’s extensive research raises questions about the degree to which these companies are aware of, and turn a blind eye to, badware activity on their systems.

...and from the Washington post:

Report Slams U.S. Host as Major Source of Badware: Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.

The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog

Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet.

Examining the Role of Registrars in Illicit Activity

August 28, 2008

In examining what is driving and enabling Internet criminality KnujOn has taken a critical look at the Registrar community. Some have wondered why, noting that a Registrar simply holds domains names and resolves them to IP addresses. But that is the simple point. Registrars have been given an enormous public trust. KnujOn has noted serious flaws in the system that is supposed to monitor Registrar compliance and the failure of the industry to police itself. KnujOn has noted Registrars refusing to terminate illicit domains even after receiving detailed information about the illegal nature of these sites.

Even more telling we have two recent cases of Registrars being directly involved in fraud, spamming and other questionable activities.

In 2002 Peter Kuryliw pleaded guilty to fraud in a Canadian court and was fined $30,000 for targeting over 40,000 business with fake invoices. Mr. Kuryliw was granted accreditation for an Internet Registration business by ICANN ( and may have part ownership in several other Internet companies. And it continues, in 2003 a court ordered a Kuryliw-affiliated Registrar to stop using deceptive emails. is still operating.

Example two. Scott Richter paid $7 million to Microsoft in 2006 in a settlement arising out of a lawsuit alleging illegal spam activities. He also settled another spam case with New York Attorney General for $50,000 in 2004. In 2008 MySpace was awarded $ 4.8 million in damages and $ 1.2 million in attorney's fees in a judgment against Richter’s company for sending spam to MySpace members through compromised MySpace accounts. Scott Richter owns Registrar Dynamic Dolphin, which until recently was the largest user of the service.

Registrars will often refer spam victims to the "upstream ISP" or website operators to file abuse complaints. However, when the content is hosted on zombie botnets and the owners are anonymously hidden by, there is no one else to direct a complaint to but the Registrar. And it is the Registrar who has ultimate control over terminating a domain.


EstDomains is a Registrar that also makes heavy use of the service for masking the ownership of fake pharmacy domains. EstDomains is incorporated in Delaware. For those not familiar with U.S. geography, Delaware is a tiny state that earns its keep by being very business-friendly. Typically, any business incorporated in Delaware is not actually there. This means there are scant details publicly available for who owns EstDomains.

EstDomains Sponsored

It is also important to note that this site claims it is "FDA Approved" and "Trusted by VeriSign." The depth of misrepresentation at these sites is profound and seems to exist with absolute impunity.

So, we have an ICANN Registrar with undisclosed ownership who sponsors unlicensed Internet pharmacy domains (advertised with spam from zombie botnets) with anonymous ownership through an anonymously owned privacy registration service. How is the consumer being protected?

Drugs, Pornography, and Malware

Using pornography to lure unsuspecting Internet users into unknowingly downloading malware is an old trick, but one that continues to work. However, KnujOn has found an array of EstDomains sponsored, shielded domains that combine drugs, porn and malware. Several former steroids EstDomains sites have metadata that appears to offer Schedule 3 substances like Morphine, Testosterone, and Vicodin but redirects the user's browser to (also sponsored by EstDomains), a porn site that attempts download malware in the guise of a "player update." The scripting vigorously prevents the user from navigating away from the page or closing it. The content of is served from (also sponsored by EstDomains), another porn site that has links to another fake pharmacy: (also sponsored by EstDomains).

This EstDomains sponsored and PrivacyProtected domain rotates different sites the user is redirected to. One site,, seems to feature films that depict rape scenes as well as attempting to download malware from (also sponsored by EstDomains).

EstDomains Sponsored

Another redirect landing launched from links to fake virus/spyware scan site: This particular fake security software is actually one of the most insidious PC infections to date. It blocks access to the Control Panel, Registry Editor, hard drive, removable media, Task Manager, Run, and just about any utility someone might use to fix their PC or remove the malware. It also blocks installation and running of legitimate anti-virus packages. Once infected your PC can only be used as a botnet node or a doorstop.

It is unclear whether this simply an attempt to expand the botnets or a trap for anyone trying to investigate these sites.

US firms fighting China's golf fakes

August 21, 2008

SHANGHAI - Jason Yao lives a dangerous life for a guy in the golf business. He gets death threats. He raids factories and markets. He shakes down informants and hangs out with private investigators. He has 10 aliases. China is the focus of the worldwide war against counterfeit golf products, and Yao is on the front lines. His employer, Acushnet, located 7,000 miles away in Fairhaven, Mass., makes the world's most popular - and most copied - golf ball, the Titleist Pro V1, along with clubs, accessories, and shoes that counterfeiters mimic for sales around the globe. (

FEMA phones hacked; calls made to Mideast, Asia

August 20, 2008

WASHINGTON - (AP) A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia. The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski. FEMA is part of Homeland Security, which in 2003 put out a warning about this very vulnerability. (

Consumer Reports gives tips, data for online safety

August 19, 2008

Several major online threats—spam, spyware, and virus infections—have declined significantly over the past few years, our new State of the Net survey has found. But online threats are still of great concern, according to our research and national survey of 2,071 online households conducted this past spring by the Consumer Reports National Research Center. (

ID leaks: A surprising source is your government at work(
Insidious new threats(
7 online blunders: These common mistakes can ruin your computer or invite identity theft(
Cyber Insecurity Guide(

4 Companies Control Bulk of U.S. Registrar Accreditations

August 18, 2008

If one were to look at the Internic directory it would appear that there are 529 ICANN accredited registrars in the United States. Having this many different companies would give the appearance that there is diversity and competition in the domain marketplace. However, you would be wrong. Four companies control 318 accreditations: eNom (116), Directi/PDR (47), Dotster (51), and Snapnames (104). Another 122 accreditations are owned by only 23 companies. What is left are 136 registrars that appear independent. So, that would make 163 the realistic count not 529. Considering this data the U.S. Registrar industry looks less like a an open and competitive market and more like a cartel. Full report

Blank Whois Records from Xin Net Conceal Illicit Sites

August 17, 2008

Once again we have recorded a case where a registrar is not returning full Whois records in follow up reports to ICANN. These follow up reports are supposed to contain the current owner information instead Xin Net is returning no data. This seems to be a pattern at some providers and particularly for illicit sites. The domains below include garden variety fake pharmacies, knockoff products sites, and one site selling "marijuana substitutes."

Report from Registrar to ICANN Current Content

WHOIS DATA AS OF 2008/08/06 01:15:01



Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Status: ok
 Updated Date: 07-feb-2008
 Creation Date: 07-feb-2008
 Expiration Date: 07-feb-2009
WHOIS DATA AS OF 2008/07/11 01:15:01


Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Status: ok
 Updated Date: 19-jun-2008
 Creation Date: 30-oct-2007
 Expiration Date: 30-oct-2008
WHOIS DATA AS OF 2008/07/01 01:15:01



Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Name Server: S1.PWRDNSONE.BIZ
 Name Server: S1.PWRDNSTWO.BIZ
 Name Server: S2.PWRDNSONE.BIZ
 Name Server: S2.PWRDNSTWO.BIZ
 Status: ok
 Updated Date: 25-may-2008
 Creation Date: 20-jan-2008
 Expiration Date: 20-jan-2009

Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Status: ok
 Updated Date: 11-mar-2008
 Creation Date: 10-mar-2008
 Expiration Date: 10-mar-2009
WHOIS DATA AS OF 2008/08/06 01:15:01



Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Status: ok
 Updated Date: 07-feb-2008
 Creation Date: 07-feb-2008
 Expiration Date: 07-feb-2009
WHOIS DATA AS OF 2008/08/01 01:15:01



Whois Server Version 2.0

 Whois Server:
 Referral URL:
 Name Server: NS1.VOBIUTE.COM
 Name Server: NS2.VOBIUTE.COM
 Status: ok
 Updated Date: 18-feb-2008
 Creation Date: 18-feb-2008
 Expiration Date: 18-feb-2009

Amid Controversy, Outed Steroid Sites Still Online

August 14, 2008

Remember those Websites sponsored by U.S. Internet domain registrars that were recently exposed for illegally selling steroids? These sites are still pushing the drugs online, according to the anti-fraud watchdog groups that first discovered them. (See Hundreds of Websites Outed for Illegally Selling Steroids.) The domain registrars hosting these sites as well as the Internet Corporation for Assigned Names and Numbers (ICANN), say their hands are tied when it comes to shutting down the steroid-selling sites, which KnujOn and outed and reported to the registrars and ICANN last month. But KnujOn and LegitScript argue that shutting down these sites should be a no-brainer. "In the vast majority of Websites we identified, it was plain that [they] were offering these drugs, and doing so in a way that violates U.S. federal law. Frankly, one doesn't have to be an expert to see what these Websites are doing," says John Horton, president of LegitScript. “We also received -- and in some cases, presented to the registrars -- information from the Website operator with information about the drugs (including photos) and instructions for payment," Horton says. "We think that these sites are fairly straightforward to identify in many cases, and the remedy -- termination -- is equally clear.” (

Prescription drug spammers are bankrolling botnet's growth, IronPort study says (
LegitScript/Knujon Steroids Report

Court blocks MIT students from discussing subway fare security flaws

August 11, 2008

One of the MIT computer hackers who uncovered flaws in the CharlieCard system that would let passengers swipe free rides said he and his classmates offered to show T officials how to fix the problem, but instead were hauled into court and barred from speaking about their work. “We made first contact,” said Zack Anderson, 21, a Los Angeles native, who majors in electronic engineering and computer science. “We wanted to let them know what we found and we wanted to tell them some ideas we had on how they could fix that system ... We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there’s a federal lawsuit against us.” On Saturday morning, federal Judge Douglas Woodlock granted the MBTA a restraining order that blocked Anderson and classmates R.J. Ryan and Alessandro Chiesa from presenting their A-graded paper at DEFCON 16, an annual hackers conference in Las Vegas. (

Malware-infected site detected every five seconds

August 7, 2008

A website infected with malware is detected every five seconds - a dramatic increase over the last 12 months due to the rise in SQL injection attacks. Websites poisoned with malware capable of infecting visitors' machines are being discovered at a rate of 16,173 per day - three times faster than in 2007. (

ID theft ring attacked retailers on multiple levels

August 6, 2008

A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes & Noble and other companies, according to court documents. The attacks cost retailers and credit card companies tens of millions of dollars. Members of the ID theft conspiracy used so-called wardriving techniques to find holes in wireless networks operated by retail stores. Once inside the networks, the thieves located and stole credit card transaction information stored on the retailers' networks, according to court documents. (

"Suspended" Pharmacy Domains Reappear at Same Registrar & Nameserver

August 5, 2008

KnujOn has found at least 19 rogue pharmacy domains, sponsored through DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM (PDR), which were reported by the Registrar as Suspended, back in operation with the same content, at the same nameservers. The nameserver:, is also sponsored by PDR and is itself an unlicensed pharmacy site. This is an example of a practice we have seen all too frequently where Internet companies will remove sites temporarily for reported policy violations only to restore them shortly afterwards. In some cases the domains move from one Registrar to another (occasionally two Registrars with the same parent company, however), but this is a situation where the domains went right back where they were before. DIRECT INFO/PUBLICDOMAINREGISTRY was rated the 9th Worst Registrar in terms of sponsoring spam sites previously. Below for each domain is a copy of the suspension report sent by the Registrar to ICANN in May paired with the site content as of August 3, 2008.

Report from Registrar to ICANN Current Content


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000


 Directi False Whois Suspended Account
 Directi False Whois Suspended Account
 This Domain is Suspended
 Due to inaccurate Whois
 Contact Support Desk
 Tel. +00.0000

Full List (opens PDF)

340 domains reported as "Suspended" to ICANN are actually active

August 4, 2008

A KnujOn review of 7900 recent follow up reports found 340 were active after being reported to ICANN as "suspended" or "deleted." Some were still conducting the same illicit commerce uninterrupted while being listed as suspended. While these complaints were driven by false Whois registrations, some registrars went as far as to put "Suspended for spamming" into the status fields, however KnujOn found these domain names were still open for business.

RegistrarCount NOT
afternic, inc   8 llc   1
annulet, inc   9 (i) pvt. ltd.   2
best registration services, inc   1
chocolatecovereddomains, llc   1
computer services langenbach gmbh dba   3
direct information pvt ltd d/b/a   70 llc   2
domaindiscover   91
domainpeople, inc.   2 llc   1 llc   1 llc   1 llc   1 inc.   2
dotarai co,. ltd.   8
dotster, inc.   2
dstr acquisition vii, llc   13 llc   1 pty ltd.   3
gmo internet, inc. dba and   2
hichina web solutions (hong kong) limited   11
innerwise, inc. d/b/a   5
intercosmos media group, inc. d/b/a   1
moniker online services, inc.   9
name perfections, inc.   1 llc   1 llc   1 llc   1 llc   2 llc   1 llc   1 llc   1 llc   2
red register, inc.   2
registration technologies, inc.   53 inc   4 llc   1
wild west domains, inc.   1
yesnic co. ltd.   1 llc   1

FBI vs Facebook Email Thread Has 'Storm Worm' Virus

July 30, 2008

Be on the lookout for spam e-mail spreading malicious software (malware) which mentions “F.B.I. vs. facebook.” The e-mail directs the recipient to click on a link to view an article about the FBI and Facebook. Once the user clicks on the link, the “Storm Worm” malware is downloaded to the Internet-connected device, causing it to become infected with the virus and part of the Storm Worm botnet. A botnet is a network of compromised machines under the control of a single user. Botnets are typically set up to facilitate criminal activity such as spam e-mail, identity theft, denial of service attacks, and spreading malware to other machines on the Internet. The Storm Worm virus has capitalized on various holidays and fictitious world events in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail. (

How to Send Email To 96 Million Recipients Every Month!

July 28, 2008

Safe Mail Services is the leader in email marketing for small businesses. Web based server allows members to blast over 3 Million emails per day. All recipients are double opt-in making Safe Mail Services 100% SPAM law compliant. Recipient database is filled with prospects who have asked to be included in safe-list, so you know your ad will reach real customers. All blasts go out from Safe Mail Services email server which members access through login from this website. You will not be taken to a 3rd party service like many of Safe Mail Services competitors. And since all blasts are done by Safe Mail Services server your ISP will have no idea you are even using an email service. Are you tired of promoting your product with no results? How would you like to wake up each morning only to find your email box filled with orders? That's where we come in. Our email list will allow your business to grow day after day, week after week and month after month without any additional fees or charges. (

Romanian Admits to Phishing, Could Face Five Years

July 27, 2008

A Romanian man pleaded guilty Tuesday to a federal fraud charge for his role in setting up fake Web sites in order to steal credit and debit card details. Ovidiu-Ionut Nicola-Roman, 22, could also face a US$250,000 fine, according to the U.S. Department of Justice (DOJ). Nicola-Roman pleaded guilty to one count of conspiracy to commit fraud. Nicola-Roman is one of 38 people of several nationalities charged in May with running a cybercrime ring centered around spam and phishing. In just one incident, the crew sent 1.3 million spam messages luring people to visit Web sites they had built to collect financial details.(

Report Identifies Rogue Pharmacy Web Sites

July 26, 2008

A new report by two Internet watchdog groups has identified hundreds of Web sites that illegally sell anabolic steroids without prescriptions or verifying the age of customers. The report, Pumped Up on the Internet, was issued by the watchdog groups, which studies online pharmacies, and, which investigates senders of spam e-mail. It focused on 156 sites that have registered their domain names through American companies but send the steroids from abroad. The report said that while federal drug authorities might lack jurisdiction abroad, the eight American domain registry companies used by these sellers had the legal right and obligation to terminate the rogue pharmacy sites. (

Phishing scam causes e-mail meltdown at Carleton

July 25, 2008

OTTAWA - Don't take the bait is the message Carleton University has for campus e-mail users after a "phishing" expedition caused a huge e-mail traffic jam earlier this week. "Phishing" occurs when a person receives an e-mail asking them to hand over personal information, such as passwords for e-mail accounts. If the person responds with the requested information, it can be used for nefarious purposes, such as sending out thousands of spam e-mails. "It's like giving someone the key to your house," said Ralph Michaelis, Carleton's chief information officer. The school discovered on Monday that access had been gained through one student account. That allowed hackers to send out tens of thousands of e-mails, effectively jamming the system. The problem was resolved within hours, but it took until Wednesday for the congestion to clear, Mr. Michaelis said...(

Seattle Spam King Dark Mailer faces 47-month sentence

July 24, 2008

From the penthouse to the Big House(

Steroid Sites Controversy

July 23, 2008

Registrars turn blind eye to sites selling illegal steroids: Next time you see websites brazenly pushing anabolic steroids, thank GoDaddy, Dynadot and a half-dozen other US-based registrars, which allow them to operate even though they're illegal, claims a new report. Released Monday, the report catalogs 156 websites offering steroids without a prescription or verifying that the would-be buyer is over 18 years old. Such practices are a violation of laws in the US and in many other countries and a violation of the terms of service the registrars impose on their customers. All eight of the registrars are, concludes the report, turning a blind eye to the practice. (

Report aims to decrease illegal steroid sales online: At least 156 Web sites selling anabolic steroids without the necessary prescription are run through domain name registrars in the U.S., according to a report released Monday. (

The steroid-selling sites aren’t your typical phony online pharmacies. “With general RX sites, there is a lot of variety. Some are merely stealing credit card numbers, others ship knockoff or counterfeit drugs, and others sell diverted market product which is the real thing but may be expired, under dosage, or rerouted from its original destination. “With the steroid sites, there is much more involvement in the trade. The sites are more personalized and not as cold as the fake pill sites,” Bruen says. “If you look through some of the steroid forums out there, people complain about lots of fake supplements on the Internet. The sites we're looking at claim to offer the real thing and no ‘bad’ versions.” (

Easy for youth to get anabolic steroids (

Steroid sales still flourishing on the Web (

Kids at Risk: Report Identifies 150 Websites Selling Anabolic Steroids (

Report: U.S. registrars won't take down illegal steroid sites (

The report also found that every one of the needle-pushing URLs involved were registered with eight domain name registrars, all of whom are located in the United States. In most cases, the parties behind the sites have used anonymous registration services -- services that many security researchers have named as a root cause of the continued proliferation of online cyber-crime. In all the other cases involved the registered parties are located outside of U.S. borders. (

Nobody Home at Parava Networks

July 22, 2008

Parava Networks, Inc. dba was one of the eight registrars cited in Knujon and LegitScript's Steroid Report and our letter to them was returned by the post office as undeliverable. This is quite shocking in light of the recent scandal involving 67 Registrars that were in undisclosed locations. The directory of Registrar addresses has been updated since the Knujon disclosure. But now we have a new problem, the provided addresses are not real.

So what we have here is a Registrar that sponsors steroid related sites and is also apparently unresponsive and unaccountable. The issue has been referred to ICANN.

Underground Steroid Websites Flourish at U.S. Registrars

July 21, 2008

Networks of steroid dealing domains are sponsored through U.S.-based companies who refuse to shut them down even after being notified. and have worked together to develop a report concerning extensive steroid distribution networks online. Steroids designated by the Department of Justice as “Schedule 3 Substances” were found at the 156 web domains listed in this report. The easy availability of illicit substances through these domains is shocking. Even more shocking is the lack of cooperation from the Registrars that sponsor these sites. On July 1 we issued joint letters to eight registrars: Abacus America, DSTR Acquisition VII,, Everyones Internet, eNom Inc (also cited in the Ten Worst Registrars Report), EstDomains Inc, GoDaddy/Wild West, and Parava Networks Inc. In these letters we listed the websites, described the banned substances offered at each, and detailed how these sites were violating Internet policy, the Registrar’s own terms of service, and the law. Only three Registrars responded, two declining to cooperate, one stating they would look into it after several strong emails. A letter to one Registrar, Parava Networks Inc, was returned by the Postal Service as undeliverable, calling into question the general legitimacy of this particular company.

While no one is accusing any of these Registrars of being actively involved in the illicit distribution, it is a simple fact that none of these sites would exist without the sponsorship of these Internet companies. Some Registrars may feel their first obligation is to their customers, but their real primary obligations are to the law and the stability of the Internet registration system. Everyone who registers an Internet domain is required to affirm that they “are not registering the domain name for an unlawful purpose” and the Registrar is required to ensure that this policy is enforced. For too long there has been a false perception that the Internet is lawless, but it isn’t. The rules are just not enforced and the stakeholders have been unaccountable.

Knujon and LegitScript feel that these Registrars also have a moral and ethical responsibility to the public since the sale and distribution of these illicit substances poses a grave health risk. These websites purport to offer steroids to anyone without prescription or age verification. It is our hope that in releasing this information public awareness of the problem will increase.

The full Steroid Report is available here:

The press release is here:

A list of the Registrars, web domains in question, the substances offered at each, and samples of the site content can be viewed here:

Report: 81.5 percent of all e-mails sent in June were spam

July 19, 2008

Almost everyone hates spam. The only people that don't hate it are the ones that make vast amounts of money from sending it. The profits they turn are so large that regardless of what spam fighters do, the amount of spam keeps increasing. According to web security firm MessageLabs, spam accounted for 81.5 percent of all e-mail traffic in June. (

Site Redirects Abundant, Aid Phishers

July 18, 2008

An examination of nearly 2.5 million Web pages at some of the Internet's most popular and trusted sites turned up at least 128,000 links that could be manipulated by fraudsters and virus writers to make online scams more believable, a study released this month found. Scammers and phishers are taking advantage of commonly used coding used in "redirects" to divert traffic from reputable Web site to sites that could harbor malicious software or phishing schemes... (

Mass Update of Internic Registrar Directory

July 17, 2008

Apparently in response to KnujOn's disclosure of 67 Registrars in Undisclosed Locations, ICANN has completed a mass update of the Internic Registrar address directory. Oddly enough, 20 of the newly updated Registrars are all at the same address:

!!! BB Bulk, Inc. dba My Name Now
A Mountain Domains, Inc.
A. W. B. Trading, Inc.
AO Domains, Incorporated
Black Ice Domains, Inc.
Colorado Names Domains, Inc.
Emily Names Domains, Inc.
Get SLD, Inc.
Jetpack Domains, Inc.
JJH Investments, LLC
Lazy Dog Domains, Inc.
Oil Change Domains, Inc.
Pitchback Domains, Inc.
Slaphappy Domains, Inc.
Snowflake Domains, Inc.
Total Calories, Inc. dba Slim Names
Valley Apples, Inc.
Walela Brook, Inc.
WGB Registry, Inc.
White Socks Domains, Inc.

AOL spammer jailed for 30 months

July 16, 2008

One minute behind bars for every junk mail (

Stolen bank data gets cheaper on Web

July 15, 2008

LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming "commoditised" - account details with PIN codes that once fetched $100 (50 pounds) or more each might now go for $10 or $20. In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world". Finjan's Israel-based chief technology officer, Yuval Ben-Itzhak, said in a telephone interview that new types of stolen data were now commanding a premium, such as patient healthcare information that can be used for insurance fraud or to illicitly acquire and sell medicines. Other premium data includes business information, company personnel files and intercepted commercial emails... (


July 11, 2008

In the first case of its kind in the nation, a Wyoming man has been charged with using modified peer-to-peer software to infect computers and create "botnets" - armies of compromised computers numbering from 5,000 to 15,000 machines - that he exploited to obtain credit card and banking information. (

67 Registrars Still in Undisclosed Locations

July 10, 2008

One month ago KnujOn reported that 70 Registrars were in Mystery locations, that their address, phone numbers and even country were not listed in the Internic/ICANN directory of accredited registrars. We reported this to ICANN and since then we have noted that 8 of the 70 have been updated but 5 NEW registrars have been added with no location or country information, changing the total to 67. 8 Registrars do not have their country of location listed. While it would be possible to research these locations, the consumer should not have to. This is about building public trust and confidence. Full list is below:

!!! BB Bulk, Inc. dba My Name NowNo Change
# 1 DotMobi Registrar, Inc.No Change
10dencehispahard, S.L. (New)No Address, No country
123 Registration, Inc.No Change
35 Technology Co., Ltd. (New)No Address, No country
8068 Registrar, IncNo Change
A Mountain Domains, Inc.No Change
A. W. B. Trading, Inc.No Change
Above, Inc.No Change
Alisoft (Shanghai) Co., Ltd.No Change
Anytime Sites, Inc.No Change
AO Domains, IncorporatedNo Change
Arctic Names, Inc.No Change
Backslap Domains, Inc.No Change
Best Bulk Register, Inc.No Change
Black Ice Domains, Inc.No Change
Bottle Domains, Inc.No Change
China Springboard, Inc. (New)No Address, No country Inc.No Change
Colorado Names Domains, Inc.No Change
Commerce Island, Inc.No Change
Cool Ocean, Inc.No Change
Crisp Names, Inc.No Change
Directi Internet Solutions Pvt. Ltd.
Previously claimed to be in Beaverton, OR,
changed country to India but still has no actual address listed
Domain Jingles, Inc.No Change LLCNo Change
Domerati, Inc.No Change
Dootall, Inc.No Change
Dotregistrar, LLCNo Change
Dotted Ventures, Inc.No Change
Dynamic Dolphin, Inc.No Change
ELB Group IncNo Change
Emily Names Domains, Inc.No Change
European NIC Inc.No Change
FBS Inc.No Change
Freeparking Domain Registrars, Inc.No Change
Get SLD, Inc.No Change
Good Luck Internet Services PVT, LTD.No Change
Hostalia USA, Inc.No Change
Interdominios, Inc.No Change
IPNIC, IncNo Change
Jetpack Domains, Inc.No Change
JJH Investments, LLCNo Change
Lazy Dog Domains, IncNo Change
Naming Web, Inc.No Change
NEEN.IT Inc., d/b/a namesprit.comNo Change
NetraCorp LLC dba Global InternetNo Change
NIC1, IncNo Change
Oil Change Domains, Inc.No Change
Own Identity, Inc.No Change
Pitchback Domains, Inc.No Change
Pointag Technologies, Inc.No Change
Slaphappy Domains, Inc.No Change
Snowflake Domains, Inc.No Change
Thought Convergence, Inc.No Change, No country, Inc.No Change
Total Calories, Inc. dba Slim NamesNo Change
USA Intra Corp. (New)No Address, No country
united-domains AGNo Change, No country
Valley Apples, Inc.No Change
Verelink, Inc.No Change, No country
Walela Brook, Inc.No Change
Website Source, Inc. (New)No Address, No country
Western United Domains, Inc.No Change
WGB Registry, Inc.No Change
White Socks Domains, Inc.No Change

Internet flaw could let hackers take over the Web

July 9, 2008

Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web. Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses. "It's a very fundamental issue with how the entire addressing scheme of the Internet works," Securosis analyst Rich Mogul said in a media conference call (

ICANN Admits Intrusion

July 8, 2008

The international organization that oversees the Web's top-level domain naming system said that the hijacking last month of several of its domains was due to a security breach at the registrar that manages those URLs. Although it did not name the registrar explicitly, according to WHOIS searches, New York-based manages the domains that were redirected, as well as the primary and domains. Two weeks ago, Turkish hackers rerouted traffic to some of the domains used by ICANN (Internet Corporation for Assigned Names and Numbers) and one of its subsidiary organizations, IANA (Internet Assigned Numbers Authority). (

Waiting for ICANN...

July 7, 2008

Contrary to the current speculation, KnujOn is not totally tying up ICANN. The truth about what is preventing reports from reaching ICANN is much more sinister. While ICANN was meeting in Paris, some of their mirror sites were hacked/vandalized. Since public disclosure of this event was unavoidable, ICANN responded by acknowledging not one, but two attacks:

" In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted. "

Aside from these intrusions, ICANN's very compliance interface appears to be under attack, possibly a denial of service attack, flooding their servers with requests, similar to ones that targeted CastleCops last year. Obviously this is designed to prevent consumers from submitting complaints. This comes after ICANN issued enforcement notices against troublesome registrars. This "front end" assault seems to be paired with a "back end" denial from certain registrars who are blocking access to their registration records. This combination of traffic jam and record denial has made ICANN's compliance system more or less inoperable.

Were this situation unexpected it would be forgivable. Unfortunately, at a June 11, 2007 presentation Knujon warned ICANN about this very event. We expressed serious concern that ICANN's compliance system would be the target of cyber attacks. Sadly, our warnings were not heeded.

Denial of service attacks have moved beyond threats to specific organizations to entire countries like Lithuania and The Marshall Islands. In order to ensure the stability and security of the Internet, ICANN needs to work more proactively on these threats.

Mystery Cals from 425-869-6371

July 6, 2008

Auto Warranty Insurance renewal scam
"a recorded message to my cell phone with an offer to extend the soon expiring warranty of a car that we currently own."

Super Spam Me: a month of living by your inbox

July 5, 2008

In a unique experiment called Super Spam Me, 50 people from around the world surfed the web unprotected for a month, actively engaging with spammers and heading into the parts of the internet most of us avoid, to find out just how much spam they could attract and what the effect would be. (

Cisco Cites KnujOn Study - "IntelliShield Cyber Risk Report"

July 4, 2008

IntelliShield Analysis: Relaxing the rules for domain names and approved character sets could open up new opportunities for Internet adoption, spur business opportunities in an already-crowded domain namespace, and internationalize DNS infrastructure, but there are also many potential pitfalls. According to a recent report from KnujOn, a site devoted to reducing unsolicited commercial e-mail, 90 percent of illicit domains share the same 20 registrars. (

Mystery Calls from 215-579-1035

July 3, 2008

Auto Warranty Insurance renewal scam
"A recorded voice called me on my cell to tell me my vehicle warranty was about to expire"
21 calls reported from this number.According to 4 reports the identity of this caller is Linda Wospil
Telemarketer: Auto Factory Warranty/File Complaint

The new version of the Storm Worm

July 2, 2008

It creates a local copy of itself called c:\windows\msvecurity.exe, which is what gets executed. (

eBay to Pay Nearly $61 Million to Louis Vuitton

July 1, 2008

eBay was ordered to pay nearly 40 million euro to a luxury goods company, because it has allowed the sale of counterfeit goods. According to The Press Association, the online auction site has to pay LVMH, which deals with famous brands like Louis Vuitton, Givenchy, Fendi, Dior, Emilio Pucci and Marc Jacobs, £30 million. eBay was accused of not checking the authenticity of the products and allowed the sale of fake Louis Vuitton handbags and Dior perfumes." (

Anti-Phishing Group Being Sued In Attempt to Silence Criticism

June 30, 2008

Reporting on a Nevada Corporation, VeriResume, PhishBucket pointed out flaws in their job offers, and criticized how they appeared to do business. PhishBucket editor, Tabatha Marshall provided her research findings, suggesting that job seekers do their homework before giving away their personal information to this suspicious company. “VeriResume appeared to send emails in a manner that had all the hallmarks of a classic phishing scheme,” said Marshall.
It turns out that VeriResume is owned by Internet Solutions Corp. (ISC), and Alec Difrawy, who was formerly convicted of and sentenced for fraud. Author Les Henderson recently wrote a book called “Under Investigation,” which discussed Difrawy’s shady criminal past – including similar job agency schemes and allegations of horrific child abuse.

So once again we see an Internet company that seems to be owned by someone previously convited of fraud.
Anonymous Domain Sales: A Spammer's Delight
'Spam King' to pay $6 million to MySpace
Scott Richter is a Registrar?!?!

GoDaddy VP Caught Bidding Against Customers

June 29, 2008

An anonymous reader writes "A GoDaddy Vice President has been caught bidding against customers in their own domain name auctions. The employee Adam Dicker isn't just any GoDaddy employee; he's head of the GoDaddy subsidiary that controls the auctions. Dicker won some of the domains he bid for, and pushed up the bid price on auctions he didn't win. The conflict of interest is unethical (

ICANN Opens Pandora's Box

June 28, 2008

According to new rules unanimously passed by the Internet Corporation for Assigned Names and Numbers, or Icann, at its meeting here, any company, organization or country will soon be able to apply for a new Web address extension, called a top-level domain. The Icann board also passed another less controversial proposal that would allow these domains to be registered in scripts other than Roman characters, like Chinese, Arabic and Cyrillic. Specific countries could receive the equivalent of their two-letter country code, like Bulgarias .bg, in their native alphabet. (

Some folks think this will result in "no change", but the no change we're concerned with is the lack of attention to security issues by ICANN. It's entirely possible that the release of these unique TLDs will not increase the level of criminality on the Internet, but our issue is that the responsibility over the existing structure has been sidestepped.

When a car company builds a new model they smash it into a wall 100 times to see what happens. I don't see this kind of forethought or testing with the 'Net. The ability of the market to produce new technology will always outpace the security structure's ability to defend against abuses. How long did it take the banks to wake up to phishing? How long did it take for law enforcement spread digital forensics? How long did it take for networks to protect against viruses? We're talking about years before efficient standard practices became common place.
ICANN has fumbled the ball on it's two core responsibilities:

  1. Keep the Whois accurate - We all know it isn't
  2. Keep criminals from becoming registrars and registrars from becoming criminals - See above and below
The unique TLD program seems like a diversion, rather than addressing realistic concerns about fraud and abuse they're throwing candy and coins to the crowd like Eva Peron.

Anderson Cooper Covers Rogue Pharamcies

June 27, 2008
OnLine Drug Danger - AC360 Daily Podcast: 06/25/2008 (

ICANN and IANA domains hijacked by Turkish crackers

June 26, 2008

The ICANN and IANA websites were defaced earlier today by a Turkish group called "NetDevilz". ICANN is responsible for the global coordination of the Internet's system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. Their domains were redirecting to a hosting space at "" where the defacers left the following message: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?" (

ICANN Asked To Shut Down "Worst" Chinese Registrar
PASSING THE SPAM BUCK - Why one report suggests registrars share the blame
Will ICANN take action against "worst" Chinese registrar?
Anonymous Domain Sales: A Spammer's Delight
70 Registrars are in mystery locations
"Worst Spam Offenders" Notified by ICANN
Most Spam Sites Tied to a Handful of Registrars
90% of the Illicit Sites Tracked by KnujOn Clustered at 20 registrars

Spam DDoS assault cuts off south Pacific state

June 25, 2008

Citizens of the Marshall Islands in the South Pacific have been left without a functioning email systems following a denial of service attack on the country's sole ISP. It could take days to full restore service, the general manager of the Marshall Islands National Telecommunications Authority (NTA) told Radio New Zealand International. Systems at the monopoly carrier were taken offline by a flood of email traffic from compromised PCs. (

Almost half of malicious sites tied to 10 networks

June 24, 2008

The report from also showed a dramatic rise in China's role in the malware epidemic. Six of the 10 networks were internet service providers or backbone providers based in China and hosted more than 41 percent of the malicious websites. The findings come a few weeks after anti-spam outfit Knujon released a separate report that found that almost 75 percent of spam sites were signed up by just 10 registrars. Once again, the three biggest offenders were located in China and included Xinnet Bei Gong Da Software, BEIJINGNN and Todaynic. (

An interview with GAC chairman Janis Klarklins

June 22, 2008
On the eve of a crucial meeting for ICANN, the chairman of its Governmental Advisory Committee tells us what he expects the Paris meeting's main topics of discussion will be. (
La liste noire des registrars

PASSING THE SPAM BUCK - Why one report suggests registrars share the blame

June 21, 2008

[KnujOn] also observed registrars, “not following up quickly when certain complaints are issued, not really engaging the consumer…” and “dismissing [their] concerns about fraud on the internet”. However, he does not lay blame on registrars alone. “ICANN shares some of the blame, he states. “They do have a responsibility/contractual obligation to do certain duties.” And that responsibility reaches farther, in his view, to ISP’s, and even companies victimized by online fraud “for not protecting their brands in an aggressive way.” He also strongly feels government agencies, too should do more—the FBI, the FDA—anybody responsible for overseeing any type of commerce. (

Will ICANN take action against "worst" Chinese registrar?

June 20, 2008

I verified that the samples (knujon) used to make this point --,,,,,,,,,,,,, and -- were indeed spam storefronts for replica watches and online pill merchants. All were registered through Xinnet, although in more than half the cases, there was no WHOIS contact information listed. A few others had obvious fake names and contact information, such as Fallspot's "David Fox," whose listed Chinese phone number ended in seven zeroes and had an email address of "" Among the handful of sites that did include real-looking contact information, most email addresses and phone numbers turned out to be bogus...

When asked for comment, the ICANN spokesperson issued the following statement:
"ICANN has received the document from Knujon, and Xin Net, along with other registrars that have a high percentage of unchanged Whois inaccuracy reports filed through the WDPRS, are being investigated by ICANN. Until the investigation is concluded and determinations are made, it would be inappropriate for ICANN to comment on the details of the matter."

Krebs Article on draws discussion, accusations and spam

June 19, 2008

The recent disclosure of the true ownership of in SecurityFix has drawn praise, rancor and little spam. The comment section of SecurityFix has been loaded up with gibberish messages like: "ktmjnw xdkjbsfmp vnac imsedkrah cmaon mhpeq lfdcenh" and accusations that the Washington Post is run by the CIA. Obviously there are some people who would rather we not discuss the anonymous ownership of anonymous registry services used by fake pharmacies.

Worst registrar Xin Net crackdown requested

June 18, 2008

The gist of the latest KnujOn memo to ICANN is that Xin Net has over the last year

Even better, many of the illicit sites are fake pharmacies, and they are still active. And better than that, these sites were all registered by a handful of customers. And, to add insult to injury, Xin Net is still registering 100 new illicit sites a day. (

'Spam King' to pay $6 million to MySpace

June 17, 2008

Last Saturday, an arbitrator ordered Scott Richter, the president of online advertising and direct marketing firm Media Breakaway, to pay a stiff penalty to MySpace, including $1.2 million in legal fees. The settlement is the second major one for Richter, who previously settled with Microsoft in August 2005 for $7 million. He was once considered one of the most prolific spammers, sending out over 100 million messages per day. (

Anonymous Domain Sales: A Spammer's Delight

June 16, 2008

Spammers routinely register their sites under false names, or hijack someone else's identity to do so. But new research shows they're also paying for premium services when registering domain names to ensure a deeper level of anonymity...
Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin. As I noted in my previous story, Dynamic Dolphin is the seventh most-popular registrar among spammers who provide patently false information in their public WHOIS records...
Dynamic Dolphin is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites...
Dynamic Dolphin is a reseller of registrar services offered by an Indian company called Direct Information PVT Ltd. - also known as Directi and Directi was the second most popular registrar among spammers who used; it handled the registration for nearly 4,000 of those 15,000+ domains that Knujon flagged...

Lost in E-Mail, Tech Firms Face Self-Made Beast

June 14, 2008

SAN FRANCISCO — The onslaught of cellphone calls and e-mail and instant messages is fracturing attention spans and hurting productivity. It is a common complaint. But now the very companies that helped create the flood are trying to mop it up.(

Lawmakers Look To Strike Right Balance With Spyware Bill

June 13, 2008

Senate Commerce Committee members Wednesday stressed the importance of striking the right balance with legislation to help fight secretly installed computer spyware and provide the FTC with the tools the agency needs to prosecute high-tech hackers. (

Registrars Release Suspended Domains to Attackers

June 12, 2008

A new outbreak of SQL attacks began on the 8th. Not that they ever really go away, but new waves replace the old ones. The attackers are using a much larger number of domains than seen in previous months. Just 11 days into June, and already 54 of these domains have been observed. Many of these are previously suspended domains that registrars have released back to the attackers. The end result, some of the domains involved in the late May and early June attacks are now active again. Thus not only newly compromised sites are foisting the malware, but any sites previously compromised that have not cleaned up their pages (and properly parameterized their SQL queries) will now once again be serving as conveyor belts for password stealing trojans.(

Major ISPs Agree To Block Child Porn Newsgroups

June 11, 2008

ALBANY — - Online forums in which thousands of child-porn images have been posted have been stricken from three Internet providers, including two of the nation's five largest, New York Attorney General Andrew Cuomo said Tuesday. (

70 Registrars are in mystery locations

June 10, 2008

As part of our ongoing effort to ensure compliance and improve responsibility on the part of Internet stakeholders KnujOn is posting the results of recent investigation of the public disclosure of the locations of registrar companies. We have found 70 registrars listed on the Internic registrar directory missing street addresses and/or phone numbers. More serious are the following registrars that do not even have the country of location listed: EvoPlus Ltd., Hecta Media, Inc., LLC, OnlineNIC, Inc., Thought Convergence, Inc., and Verelink, Inc.

This may merely be an oversight that can be corrected quickly, and I believe it should be. Full disclosure of this data will help transparency and trust. While registrants are required to disclose full contact data, the registrars should be held to the same standard. This report was sent to ICANN and some of the data has already been corrected. The full list is below.

!!! BB Bulk, Inc. dba My Name Now
# 1 DotMobi Registrar, Inc.
10dencehispahard, S.L.
123 Registration, Inc.
8068 Registrar, Inc
A Mountain Domains, Inc.
A. W. B. Trading, Inc.
About Domain Dot Com Solutions Pvt. Ltd. d/b/a
Above, Inc.
Alibaba (China) Technology Co., Ltd.
Alisoft (Shanghai) Co., Ltd.
Anytime Sites, Inc.
AO Domains, Incorporated
Arctic Names, Inc.
Backslap Domains, Inc.
Best Bulk Register, Inc.
Black Ice Domains, Inc.
Blueweb, Inc.
Bottle Domains, Inc. Inc.
Colorado Names Domains, Inc.
Commerce Island, Inc.
Cool Ocean, Inc.
Crisp Names, Inc.
Directi Internet Solutions Pvt. Ltd. d/b/a
Domain Jingles, Inc. LLC
Domerati, Inc.
Dootall, Inc.
Dotregistrar, LLC
Dotted Ventures, Inc.
Dynamic Dolphin, Inc.
ELB Group Inc
Emily Names Domains, Inc.
European NIC Inc.
EvoPlus Ltd.
Experian Services Corp.
FBS Inc.
Freeparking Domain Registrars, Inc.
Get SLD, Inc.
Good Luck Internet Services PVT, LTD.
Hecta Media, Inc.
Hostalia USA, Inc. LLC
Interdominios, Inc.
JJH Investments, LLC
Lazy Dog Domains, Inc
Naming Web, Inc.
NEEN.IT Inc., d/b/a
NetraCorp LLC dba Global Internet
NIC1, Inc
Oil Change Domains, Inc.
OnlineNIC, Inc.
Own Identity, Inc.
Pitchback Domains, Inc.
Pointag Technologies, Inc.
Slaphappy Domains, Inc.
Snowflake Domains, Inc.
Thought Convergence, Inc., Inc.
Total Calories, Inc. dba Slim Names
united-domains AG
Valley Apples, Inc.
Verelink, Inc.
Walela Brook, Inc.
Western United Domains, Inc.
WGB Registry, Inc.
White Socks Domains, Inc.

Verisign, McAfee and Symantec sites can be used for phishing due to XSS

June 9, 2008

Should they all be trusted at first sight by unsuspecting online users? Yes, unfortunately this is the case with the websites of renowned and respected IT security companies. However, now that are all vulnerable to cross-site scripting, the possibilities to get phished and infected with malware and crimeware are dramatically increased. (

Good Question, Lacking Article

June 6, 2008

Who Will Rule The New Internet?(

While Josh Quittner asks a critical question in this Time article he focuses too much on the technology and misses completely the various political power struggles going on in the background that are pulling and pushing on the Internet. The issues of crime, safety, privacy, espionage and control are going boil up on the Internet in ways that Time has not considered. In the end it may be the lawyers who control the Internet and not programmers.

June 5, 2008

LegitScript Internet pharmacy verification standards have been recognized by the National Association of Boards of Pharmacy (NABP). LegitScript’s mission is to assist consumers and businesses in determining which Internet pharmacy websites operate safely and in compliance with Federal and state laws and regulations, as well as with accepted medical standards and ethics. Over the next several months, will be adding functionality to our website that will give consumers the ability to compare prices for specific prescription drugs from LegitScript-approved Internet pharmacies. (

New report identifies dangerous Web domains

June 4, 2008

SAN JOSE, Calif. -- When surfing the Internet for safe Web sites, not all domains are equal. Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others, according to a report to be released Wednesday by antivirus software vendor McAfee Inc. McAfee found the most dangerous domains to navigate to are ".hk" (Hong Kong), ".cn" (China) and ".info" (information). (

Serious warning released by European Union web security body ENISA

June 3, 2008

ENISA (the European Network and Information Security Agency) presented a report estimating that spam cost Europe €27 billion in 2007, and represents a growing threat with the danger of a 'digital 9/11' on the horizon. The group called on the EU to improve efforts to combat the spam menace, including greater funding for anti-spam initiatives, a more unified approach to tackling spam, and the implementation of mandatory intrusion reporting systems.

Meanwhile the Internet Corporation for Assigned Names and Numbers (ICANN), the body responsibly for maintaining the structure of the internet, had also been raising their efforts to reduce spam. Following the publication of a report suggesting that the vast majority of spamvertised sites are hosted at domains administered by a small number of registrars, the ICANN group responded by contacting the named bodies and threatening to revoke their license to register domain names should they fail to take action to clean up their areas of the web. ICANN has a long-running system for registering complaints against specific domains, and claims to chase up over 75 issues per month with similar enforcement notices. ICANN's announcement, and the KnujOn organisation, who first drew attention to the clustering.

June 1, 2008

To track and investigate suspicious employment-related email offers. To work with law enforcement to stop confirmed scams. To provide help and resources to victims of employment scams. To make the Internet a safer place. (

ICANN Sends Notice of Breach to Red Register

May 30, 2008

ICANN sent a notice of breach to ICANN-accredited registrar Red Register, Inc. based on Red Register, Inc.'s failure to comply with the Uniform Domain Name Dispute Resolution Policy ("UDRP"). Specifically, Red Register failed to comply with UDRP Rule 16(a) and paragraph 4(k) of the UDRP despite repeated requests by ICANN and the National Arbitration Forum (“NAF”). These rules require registrars to communicate plans to implement UDRP Provider decisions and implement those decisions.

Consistent with the breach provisions of the Registrar Accreditation Agreement ("RAA"), ICANN requested that Red Register, Inc. act within 15 days to cure the cited breaches. If Red Register, Inc. fails to cure the breaches cited in ICANN’s notice of breach, ICANN will pursue all remedies available under the terms of the RAA, including termination.

The ICANN Board adopted the UDRP and UDRP Rules on 26 August 1999. In addition, ICANN approved the form of implementation documents on 24 October 1999. The RAA requires all accredited registrars to comply with board adopted Consensus policies.

As part of ICANN’s ongoing work to develop and maintain a tough, but fair, contractual compliance program designed to create an even playing field for registrars and registries, ICANN:

For more information about the Contractual Compliance Program mission and other details, please visit (

Notice to Red Registrar Inc.

Analysis: Crackdown on domain name crooks

May 29, 2008

WASHINGTON, May 29 (UPI) -- The non-profit association that oversees Internet addresses is trying to crack down on shady Web pages used by spammers and hackers... "It's a huge problem," said Burnette, declining to give more detailed figures on the numbers of registrants reported to have submitted inaccurate or incomplete information. "If we find that registrars are not investigating reports (of inaccurate or non-existent WHOIS data) as they are required to, our escalation procedure can ultimately result in their accreditation being terminated," effectively shutting them down, she said. (

ICANN looks to lend a hand in spam fight (

US Politicians Express Concerns on ICANN's Future

May 28, 2008

In early May Representative Edward J. Markey (D-MA), chairman of the House Subcommittee on Telecommunications and the Internet, joined Reps. John D. Dingell (D-MI), chairman of the Energy and Commerce Committee, and 14 other members of the committee in sending a letter to Department of Commerce Secretary Carlos M. Gutierrez regarding possible changes to ICANN. The letter was written over their concerns for a major change in the Department of Commerce's (DOC) relationship with ICANN. (

ICANN slaps registrars who help criminals (
ICANN takes action against spam havens (
ICANN Puts eNom and Moniker “On Notice” (
Top ten worst spam registrars notified by ICANN (

Xin Net's Bottomless Bottle of Pills

May 27, 2008

In an effort to continue highlighting concerns at specific providers we will focus on each company listed in KnujOn top 10 of the worst spam-related registrars. ICANN responded Friday to this list which included Xin Net as #1. Xin Net has been the focus of controversy and efforts at CastleCops recently and is heavily connected to Fast Flux operations as evidenced by this analysis at the Università degli Studi di Milano. Xin Net accounts for 75% of the Fast Flux traffic. The University of Milan Dipartimento di Informatica e Comunicazione has found 10,570 malicious domains at Xin Net connected to Fast Flux. KnujOn's Xin Net illicit domain count is fast approaching 30,000. Much of this traffic and spam advertises "Canadian Pharmacy" type sites as seen below:

E-mail 'bloodbath' threat paralyzes Mexican city

May 26, 2008

Mexico's northern border town of Juarez, infamous for its history of drug-related violence, has gone into lockdown after an e-mail began circulating warning of an unparalleled "bloodbath" in the coming days. Shops, bars and restaurants have shut and soldiers are patrolling the streets, giving a surreal and dangerous tone to this city of 1.4 million people which sits just across the US border from the Texan town of El Paso. Authorities are taking seriously the anonymous e-mail, which menaced "the bloodiest and most violent weekend in the history of Juarez." The place is already reeling from a surge in murders that has claimed around 400 lives so far this year, several of them police officers and members of rival narcotics gangs. The US embassy to Mexico has told US citizens that the message represented a "potential threat" and that public places, nightspots and the main streets in Juarez should all be avoided. (

Iraqi software pirate likes it offshore, where his skills mean good business

May 25, 2008

BAGHDAD - He is everywhere but nowhere, an unseen geek whose skills as a software pirate are so impressive that others are now pirating his work. more stories like this Posters and pamphlets promoting his latest DVD, Anas08, hang in shop windows and flap in the breeze on vendors' tables wherever computer equipment is sold in Baghdad. Looking for a new version of Adobe Photoshop, Microsoft Office, or an online edition of the Koran, complete with English translation and an index to topics and verses? They're all on the Anas08 disc, available for about $3, compared with the thousands of dollars it would cost to buy the 390 programs individually through authorized dealers.

This story reminded me of something. Like many folks I know people serving overseas and send them care packages. I asked one serving in Iraq: "Do you want any DVD movies?" to which he responded: "No, we've got them all, they sell them on the street for pennies and before they are even out in the U.S." Shocked but not surprised I asked him what else to they sell? Everything. Office, Server2007, Dreamweaver. Pirated media and software is bountiful everywhere but it gave me pause to think about soldiers loading them onto their laptops or watching movies on them in a war zone. What else is on those disks?

DHS moves to strengthen domain name servers

May 24, 2008

The Homeland Security Department’s Science and Technology Directorate has awarded a contract to Secure64 Software to increase the security of the Internet’s Domain Name Servers (DNS). DNS is one of the most critical back-end processes on the Internet or any other IP network, but it operates somewhat transparently. DNS alleviates the burden of memorizing a Web site’s IP address, instead allowing the user to type in a simple domain name such as The Internet would not be functional from a practical perspective without DNS. But despite its importance, most DNS implementations are not secured, leaving DNS transactions vulnerable to attacks such as pharming, cache poisoning and DNS redirection. (

"Worst Spam Offenders" Notified by ICANN

May 23, 2008

In order to clarify the system for dealing with incorrect “Whois” domain name registration information, and deal with community concern, ICANN is releasing the following information regarding its compliance work.

MARINA DEL REY, Calif.: ICANN has sent enforcement notices and notices of concern to certain registrars, including those reported this week as being the registrars for the majority of websites advertised in spam emails.

Earlier this week, an investigation by
KnujOn, widely reported online, publicly identified 10 registrars as being the companies used to register the majority of domain names that have since appeared in spam email messages.

More than half of those registrars named had already been contacted by ICANN prior to publication of KnujOn’s report, and the remainder have since been notified following an analysis of other sources of data, including ICANN’s internal database.

With tens of millions of domain names in existence, and tens of thousands changing hands each day, ICANN relies upon the wider Internet community to report and review what it believes to be inaccurate registration data for individual domains. To this end, a dedicated online system called the Whois Data Problem Report System (“WDPRS”) was developed in 2002 to receive and track such complaints.*

"ICANN sends, on average, over 75 enforcement notices per month following complaints from the community. We also conduct compliance audits to determine whether accredited registrars and registries are adhering to their contractual obligations," explained Stacy Burnette, Director of Compliance at ICANN.** "Infringing domain names are locked and websites removed every week through this system."

Although the majority of registrars offer excellent services and contribute to the highly competitive market for domains, ICANN’s compliance department has developed an escalation process to protect registrants and give registrars an opportunity to cure cited violations before ICANN commences the breach process.

However, while registrars are responsible for investigating claims of Whois inaccuracy, it is not fair to assume a registrar that sponsors spam-generating domain names is affiliated with the spam activity. A distinction must be made between registrars and an end user who chooses to use a particular domain name for illegitimate purposes.

"But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names," Ms Burnette said.

38 Individuals in U.S. and Romania Charged in Two Related Cases of
Computer Fraud Involving International Organized Crime

May 22, 2008

BUCHAREST, ROMANIA – Thirty-eight individuals with ties to international organized crime have been charged in two separate indictments involving computer and credit card fraud schemes, Deputy Attorney General Mark R. Filip, Romanian Prosecutor General Laura Codruþa Kövesi, U.S. Attorney for the Central District of California Thomas P. O’Brien and Acting U.S. Attorney for the District of Connecticut Nora R. Dannehy announced today. The Deputy Attorney General made the announcement with the Romanian Prosecutor General to highlight the extensive and continued cooperation between the two countries in addressing these types of international crimes. The announcement comes less than one month after U.S. Attorney General Michael B. Mukasey announced the Department’s new Law Enforcement Strategy to Combat International Organized Crime. (

Carpet bombing in cyberspace

May 21, 2008

BY COL. CHARLES W. WILLIAMSON III: The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack. (

The Spam Balloon

May 20, 2008

Knowing that a minority of companies control most of the sites advertised in spam helps put the junk email problem into better perspective. To illustrate this consider a typical spam campaign. The emails are generated by tens of thousands of malware compromised machines and networks on the Internet. They send millions of spam messages to millions of victims. Sounds like a big problem, right? Not exactly. Because the number of actual websites advertised in those millions of messages is rather small in comparison the derivative of a spam campaign is seriously reduced. Reducing the true size even further is the fact that these real websites are held by one or maybe two registrar companies per campaign. Imagine that a spam campaign is a balloon. A balloon is actually made of a very small amount of real material, it only appears bigger because it's full of hot air. The huge volume of sent spam messages is the hot air that pushes the boundaries the Internet's resources, making the problem look bigger than it is. However, the air only stays in the balloon because it is knotted at the bottom. The registrars are this knot.

Discuss the Spam Balloon

Spam domains use small number of registrars (

Most Spam Sites Tied to a Handful of Registrars

May 19, 2008

So who are the top 10 registrars most favored by spammers? You can see the list along with Knujon's methodology here. A few of the names on it are unsurprising simply by virtue of their market share. Number five -- Bellevue, Wash., based eNom -- is the second largest registrar, according to DomainTools's Number six -- Pompano Beach, Fla., based Moniker -- has the eighth largest market share among registrars.

But size doesn't explain most of the names on the list. The registrars that scored the worst overall - Xinnet Bei Gon Da Software, BEIJINGNN, and Todaynic -- are all located in China, and are 18th, 47th and 99th in terms of market share, respectively.

Perhaps the most interesting name on the list is number 7 - a registrar out of Broomfield, Colo., called Dynamic Dolphin. According to Knujon, more than 10 percent of the company's 45,000-plus domains have false WHOIS data, and more than 17 percent of the domains registered through the company have been observed being advertised through spam.

A bit of digging into Dynamic Dolphin revealed that it is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. Those of you who read
this post a few weeks back will recognize this company: Its CEO is Scott Richter, a notorious, self-avowed spammer who claims to have quit the business. As I noted in that post, anti-spam groups claim that Media Breakaway recently hijacked more than 65,000 IP address for use in sending e-mail and hosting commercial Web sites.

GMER: all your rootkits are belong to us

May 18, 2008

GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls, inline hooks (

Tech Security Feeds:
cnn| fox| msnbc| zdnet| bbc| gcn|
reuters| theregister| knujon]| techworld| computerworld| securityblog|
castlecops| apwg| securityfix| spamhaus| first| avert labs|
bankinfosecurity| dhs| cnet| contrarisk| ddanchev| edelman| zdziarski|
Knujon Archives: 2007| 2006| 2005|

RootkitRevealer v1.71

May 17, 2008

RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). (

Spam law affects affiliates: FTC chairman William Kovacic
named spam as one of his agency's top priorities

May 16, 2008

The Federal Trade Commission's just-approved new rule provisions for the CAN-SPAM Act largely place the onus on e-mail marketers and their affiliates to take responsibility for clean e-mail lists and clear communication among marketing partners. (

AntiEvilTools Project

May 15, 2008

AntiEvilTools Project is a non-governmental voluntary organizations of the Forum( with the purpose of the open-source security software category. It is built on open-source enthusiasm of the participants on the basis of the study,You may see it as a study exchange the platform. In here , there are Kernel driver development experts, but also familiar algorithm programmer ,more full of learning enthusiasm of students at school.You only need the part which will participate in you by the demo form to submit .Once through the audit, you will see all AntiEvilTools source code. (

Three Charged With Hacking Dave & Buster's Chain

May 14, 2008

Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week. (

Whittling spam down to a manageable level

May 13, 2008

A recent report by security software maker Symantec reveals that spam accounted for an average of 80 percent of traffic hitting e-mail gateways in April, spiking as high as 87 percent at times. That is a daunting figure, but Garth Bruen of KnujOn looks at the problem in a different way. According to a study being presented this week by KnujOn to the High Technology Crime Investigation Association, 90 percent of the illicit Web sites using spam to generate traffic are clustered on just 20 registrars — that is only 2.5 percent of the 800 registrars accredited by the Internet Corporation for Assigned Names and Numbers. That can make the spam problem seem almost manageable. (

Strategic Developer | Martin Heller: "20 registrars control 90% of illicit domains, says Knujon" (

Think a File Has a Virus?

May 12, 2008
Upload your file for testing here:

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. Specs: Free, independent service, Use of multiple antivirus engines, Real-time automatic updates of virus signatures, Detailed results from each antivirus engine, Real time global statistics (

KnujOn to Present at High Technology Crime Investigation Association
Ohio Spring Training Conference

May 11, 2008

90% of the illicit sites tracked by are clustered at just 20 registrars which is only 2.5% of the entire registrar population. While networks of compromised spam generators, "bot-nets" are large and millions of spam emails are constantly sent, the number of final destination websites is considerably smaller, and the number of sponsors of those domains is even more concentrated. (

This is just one of the issues we will be discussing at the Ohio HTCIA Chapter 2008 Spring Training Conference Monday May 12 at 3:30pm in H-1095 and Tuesday May 13 at 10:30 in H-1095 in the Clocktower building at Lakeland Community College (Full Schedule).

What is the HTCIA?
"The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership." (

Spam Moves to Cellphones and Gets More Invasive

May 10, 2008

Cellphones have become consumers’ most personal technological devices. Some industry executives, along with consumer groups and security experts, are concerned that unwanted text messages on phones will be an even greater headache than unwanted computer messages. Cellphone spam is particularly annoying to its recipients because it is more invasive — announcing itself with a beep — and can be costly. (

90% of the Illicit Sites Tracked by
KnujOn Clustered at 20 registrars

May 8, 2008
There are over 800 ICANN Accredited Registrars and thousands of ISPs. Most providers are playing by the rules. The ones that are not adhering to policy are wreaking the most havoc across the web. Some of these providers merely have poor verification or auditing, others may be active partners to illicit activity and KnujOn is sorting out just which is which. What this means is that all the zombie-bot generated spam is intended to drive your attention to a very small subset of the Internet's infrastructure. The problem looks bigger than it really is. In short, the fake pharmacies, knockoff product websites, pirate software stores, phony lending institutions - the websites where the transactions occur - are generally under the control of a small number of companies.

Products sold on these sites have a sordid history and those behind these operations have helped pushed illicit traffic profits into the hundreds of billions of dollars per year.

To clarify this relationship it is important to understand that the botnets are huge, the smaller population being referred to here are the actual advertised landing sites. It gets confusing when everyone is talking about "sources" and various numbers. Let's take this as an example: A botnet with 100,000 machines sends a 2 million message email blast (example, not real numbers). The spam massages actually only reference 200 - 500 URI links. The URIs are often redirects that boil down to only 100 - 200 real domains, and 90% of these domains are controlled by 2.5% of the registrar population. So, we've got lots of senders, lots of messages, but they are herding victims into a very small corral.

To be part of the solution, send your junk email to:

I forgot my password! (Now what?)

May 7, 2008

There are many approaches to deal with forgotten passwords. All rely either on proving access to some resource (such as a pre-registered email account), or on the long-term memory of the person who needs to restore access to his or her account. Most approaches are not very secure, and many are hard for legitimate users to manage. To make it worse, many approaches are unsuitable for input-constrained devices, such as mobile phones.

It is well known in the cognitive science literature that personal preferences are more stable than long-term memory. A system based on personal preferences is also less vulnerable to data-mining attacks than one that relies on more traditional facts (such as mother's maiden names or childhood address). We propose a system that is secure and practical: It takes less than thirty seconds to authenticate (whether on a computer or a handheld), and has a false negative rate of close to 0% and a false positive rate of less than 1%. For many environments, Blue Moon Authentication may very well be the best approach there is.

MySpace wins lawsuit against Spamford Wallace

May 6, 2008

MySpace has won a lawsuit against notorious spammer Sanford (Spamford) Wallace. The social networking website gained a default judgment against Wallace after he failed to turn over documents or appear in court, CNet reports. (

30 years of Spam - and we ain't finished yet

May 5, 2008

Spam celebrates its 30th birthday on Saturday (3 May). On that day in 1978, 393 Arpanet subscribers were sent what's reckoned to be the first ever spam email1 in history (the message itself was written on 1 May 1978). DEC marketing rep Gary Thuerk came up with the wheeze which produced a fierce backlash from Arpanet (military) administrators, as well as a small number of sales. After first appearing on Arpanet, unsolicited bulk commercial ads moved over to Usenet, email and websites links. Much to the chagrin of Hormel Foods, the term spam was applied to the phenomenon in a pop-culture reference to the spam skit from Monty Python's Flying Circus, where all meals in a restaurant come with spam, spam and more spam. Junk email - not nourishing luncheon meat - has become the principal meaning of the word spam. (

At 30, Spam Going Nowhere Soon - Audio (

Is Nothing Sacred? Cupcakes Used For Information Trolling

May 4, 2008

Internet squatters facing eviction

May 3, 2008

For companies like Microsoft, domain tasting creates the constant headache of chasing after typo-squatters — those who create and register Web sites with misspelled variations of the Microsoft name. For individual users, it means that millions of names are tied up in a constant churn of registering and returning names before fees are charged. Now Icann — the Internet Corporation for Assigned Names and Numbers, the organization based in California that manages domain names — is considering steps to stamp out the practice. The board of Icann will vote in Paris in June on a proposal to severely limit the number of domain names that can be returned without a fee, but the organization is facing resistance from domain name registrars, who are against ending the grace period. These companies, which are licensed to register and sell new domain names, are themselves divided on the issue. Some argue that domain tasting is eroding consumer trust. Others insist that the grace period allows time to correct registrations that were spelled incorrectly. (

Digital Deception

May 2, 2008

Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted. Last month, the human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking. (

Hackers Focus Efforts on Firefox, Safari

May 1, 2008

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys. ... So forget the idea that just because you've switched to a new browser, you're magically safer. You may be for a time, but to stay safe with any software, you need to keep current with fixes. (

Spread of Salvia on Internet Raises Questions About Legality

April 30, 2008

There are dozens of video clips on the Web site YouTube showing teens getting high smoking or chewing salvia, a hallucinogenic herb related to sage and mint. The clips show young people laughing, and claiming to see walls melting before their eyes. The drug is legal in all but six states. According to the National Drug Intelligence Center, users typically experience vivid hallucinations, out-of-body experiences and feelings of merging with inanimate objects. Salvia is not only legal, it is readily available. (

Hallucinogenic Herb Called Salvia Could Be the 'New Marijuana,' and Florida Lawmakers Might Ban It (
Legal status of Salvia divinorum (
Salvia divinorum (

'See ID' phrase on back of credit cards doesn't deter fraud

April 29, 2008

Some customers may think writing the terms on the panel on the back of the cards would deter fraud or forgery. But Visa's rules for merchants say that "In reality, criminals don't take the time to practice signatures: They use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures - they may even have access to counterfeit identification with a signature in their own handwriting." (

Even Warren Buffett is Victim of ID Theft

April 28, 2008

According to FORTUNE magazine one of the world's shrewdest and wealthiest investors has a bellow average credit rating. Why? Someone took out a loan in his name at a Nevada HSBC bank and never paid it back. Famous victims of identity theft have included Paul Allen, Steven Spielberg George Lucas, Oprah Winfrey, Ross Perot, and Michael Bloomberg.

Securing the Internet's DNS

April 27, 2008

The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN ) plans to go operational with the secure DNS technology, DNSSEC, later this year in one of its domains. (

Hackers warn high street chains

April 26, 2008

High street chains will be the next victims of cyber terrorism, some of the world's elite hackers have warned. They claim it is only a "matter of time" before the likes of Tesco and Marks & Spencer are targeted. Criminals could use the kind of tactics which crippled Estonia's government and some firms last year, they warned. (

White House Staffers' BlackBerrys Stolen Five-Finger-Discount Style

April 25, 2008

This story is disturbing. In what was described as a "common practice," White House staff and others attending a meeting with President Bush left their BlackBerrys sitting unattended on a table outside the meeting room. With the meeting in progress, a Mexican press attaché decided to lift six or seven of them and make a run for it. Thankfully, the Secret Service was able to catch him before he got too far. What I want to know is, what are government BlackBerrys doing sitting on an unprotected table? (

Criminals target energy, financial markets, Mukasey says

April 24, 2008

The use of cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures and the security and solvency of financial investment markets.

The manipulation of securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers and government agencies of billions of dollars.

Federal Trade Commission Offers New Anti-Phishing
Educational Videos at

April 23, 2008 provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. (

A partnership between the federal government and the technology industry (APWG is a partner) to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. The new videos also are featured at and on the FTC site at

Hannaford Data Breach: An Inside Job?

April 22, 2008

The hackers that broke into Hannaford Brothers, a northeast U.S. grocery chain, may have spawned other attacks, including one at Okemo Resorts in Ludlow VT. As law enforcement and forensic experts continue to sift through the evidence of these attacks, the retailer and the ski resort remain mum on further developments. (

Fake Ferraris Sold on Internet are really Pontiacs and Toyotas

April 19, 2008

LONDON, England (CNN) -- If a vintage Ferrari for $30,000 sounds too good to be true, that's probably because it is. But when a counterfeit classic is so good that even the experts are impressed, some buyers just can't resist the object of their desire at a knockdown price. (


Recruiting for the Cyber Wars

April 17, 2008

Uncle Sam wants you—to help defend against Internet threats. But is the military any place for slackers and hackers? (

Larger Prey Are Targets of Phishing

April 16, 2008

SAN FRANCISCO — An e-mail scam aimed squarely at the nation’s top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. (

Cyber risk 'equals 9/11 impact'

April 15, 2008

The US homeland security chief has made a heartfelt plea to Silicon Valley workers to stand up and be counted in the fight to secure the cyber highway. Michael Chertoff invoked the attacks of 9/11 as he sought to galvanise IT professionals and security experts. (

FTC: We'll take on spyware, spam, and unlabeled DRM

April 14, 2008

In November 2006, the Federal Trade Commission held a huge conference on the challenges that American consumers would face in the next "Tech-Ade." The groan-inducing title aside, the event was a chance for the Commission staff to hear from assorted technology experts about the key issues that the FTC would have to police over the next ten years. Now, a year and a half after the conference, the Commission has finally written up (PDF) the "major trends identified at the hearings." They are old news by now (social networking is hot!), but the document does give us some insight into FTC priorities; hopefully, the Commission can deliver on its goals of ensuring consumer data privacy, monitoring behavioral advertising, and working globally to combat spam and spyware. (

Crimeware: Understanding New Attacks and Defenses On Shelves

April 11, 2008

A new cybercrime book that KnujOn creator Garth Bruen helped edit and review is available. We highly recommend Crimeware: Understanding New Attacks and Defenses, by Markus Jakobsson and Zulfikar Ramzan.
Crimeware: Understanding New Attacks and Defenses
Available at Amazon, Informit, oreilly
Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics. Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works, how to identify it, and how to prevent future attacks before your company’s valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.

With this book, you will

  • Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud
  • Recognize the interaction between various crimeware threats
  • Gain awareness of the social, political, and legal implications of these threats
  • Learn valuable countermeasures to stop crimeware in its tracks, now and in the future
  • Acquire insight into future security trends and threats, and create an effective defense plan
With contributions by Gary McGraw, Andrew Tannenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.

AG Mukasey Says Counterfeiting, Piracy Increasingly Fund Terror Groups

April 10, 2008

(AP) Attorney General Michael Mukasey warned Friday that the huge profits generated from piracy and counterfeiting are increasingly flowing into the coffers of terrorist groups. In remarks to Silicon Valley executives at the Tech Museum of Innovation, Mukasey said the economy and national security of the United States are increasingly threatened by violations involving copyrighted software code, patented inventions and trademarked properties. Terror groups are taking their cues from organized crime and increasingly funding their operations from counterfeiting and piracy, he said. Mukasey said his department is devoting more resources to prosecuting intellectual property crimes, which led to a 7 percent increase in the number of IP cases filed in 2007 over the year before and a 33 percent increase over 2005. "Criminal syndicates, and in some cases even terrorist groups, view IP crime as a lucrative business and see it as a low-risk way to fund other activities," Mukasey said. "A primary goal of our IP enforcement mission is to show these criminals that they're wrong."... (

How can we win when we are infiltrated by the bad guys?

April 9, 2008

The State Department official in charge of U.S. passport services stepped down yesterday amid investigations into security breaches in the document records and overcharges for blank passports. In the latest blow against the agency, court documents show a State Department employee provided personal information from passport applications for use in a credit-card fraud scheme. Deputy Assistant Secretary for Passport Services Ann Barrett left her post yesterday, a move that State Department Spokesman Tom Casey attributed to management changes. The personnel move comes after The Washington Times first reported last month that three State Department contract employees were being investigated for improperly accessing the passport data of three presidential candidates. The Times also has reported on overcharges for blank passports produced by the U.S. Government Printing Office... (

Email security threats impacting businesses worldwide

April 8, 2008

Webroot estimates over 42,000 spam emails for every single business email account in 2008 (

Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising

April 7, 2008

The online behavior of a small but growing number of computer users in the United States is monitored by their Internet service providers, who have access to every click and keystroke that comes down the line. The companies harvest the stream of data for clues to a person's interests, making money from advertisers who use the information to target their online pitches. (

'Illegal' ad system scrutinised

April 6, 2008

Technical analysis of the Phorm online advertising system has reinforced an expert's view that it is "illegal". (

FBI reports internet crime at all-time high

April 5, 2008

Internet crime is at an all time high, according to figures from the FBI, which said that losses totalled $240m last year. The agency's Internet Crime Complaint Center (IC3) received 206,884 complaints of web-based crimes in the US last year, and said that total losses had risen by $40m compared to the previous year. "The internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become," said FBI Cyber Division assistant director James E. Finch. (

Losses Rise in Online Scams

April 4, 2008

WASHINGTON (AP) — Money lost in Internet-related crimes hit a new high last year, topping about $240 million, according to a government report showing increases in scams involving pets, check-cashing schemes and online dating. The number of reported Internet scams dropped slightly from previous years, but the total lost jumped $40 million, according to the report released Thursday by the FBI and the National White Collar Crime Center. (

Spam blights e-mail 15 years on

April 3, 2008

Spam continues to blight e-mail exactly 15 years after the term was first coined and almost 30 years since the first spam message was sent. The term is thought to have been coined by Joel Furr, an administrator on the net discussion system Usenet, to refer to unsolicited bulk messages. More than 90% of all e-mail is spam, according to anti-spam body Spamhaus. (

TJX settles with MasterCard over data breach

April 2, 2008

Framingham retailer TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. TJX, parent of discount retain chains including TJ Maxx and Marshalls, struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach. (

CAN-SPAM Still Gets Mixed Reviews

April 1, 2008

When the U.S. Federal Trade Commission announced a US$2.9 million settlement with online marketing firm ValueClick this month, it was a record monetary settlement under the 4-year-old CAN-SPAM Act... But despite these recent court cases, some critics don't see a lot of value in CAN-SPAM, short for Controlling the Assault of Non-Solicited Pornography and Marketing. "CAN-SPAM has had virtually no impact on the spam problem at large," said Ray Everett-Church, a longtime spam fighter and director of policy and professional services at Habeas, a company that provides e-mail authentication services.

KnujOn Earns Second Place at MIT Spam Conference

March 31, 2008

KnujOn's Policy Enforcement model finished right behind the "best overall paper", Jonathan Zdziarski's research on Reasoning-Based Adaptive Parsing (PDF). Congratulations to Jonathan and special thanks to Bill Yerazunis of the Mitsubishi Electric Research Laboratories (MERL) for running this event.

ORDB anti-spam blacklist lists everything

March 30, 2008

For more than a year the ORDB blacklist, which had previously been in heavy use, has been empty. Every DNS query to the zone would result in the error message, "non-existent". To report a hit, DNS queryable blacklists (DNSBLs) usually respond with an IP address in the 127.x.x.x range and since Tuesday, the name server responsible for the name range under does just that for every query, such as Andreas Plesner Jacobsen, a former ORDB operator, explained to heise online sister publication iX that this measure has been introduced because the zone is still swamped with queries. The intention is to get mail server operators to stop using ORDB. Simply deleting the domain was not a viable alternative, since the load would then merely be directed to the .org name server. Admins should check their mail server and spam filter configurations to make sure that ORDB is not in use. This should be relatively easy to determine in most cases, since positive responses from DNSBLs often result in emails being filtered and in this case would completely stop email traffic. A somewhat more complicated scenario is when DNSBL responses are taken into account as just one of a number of spam criteria. In that case, yesterday's new measure would only gradually become known to postmasters still using ORDB. (

U.S.-Based ISPs Count Known Terror Groups as Clients

March 29, 2008

Herndon, Va.-based Network Solutions said Wednesday that it suspended, an official site of Hezbollah, a Lebanese political and paramilitary group. Turns out, Network Solutions, which was one of the original firms in the domain registration business, was accepting payment for the domain in violation of a U.S. law that bars American companies from doing business with organizations listed by Uncle Sam as terrorist groups. Closer inspection also reveals that Network Solutions and other U.S.-based Internet service providers and domain registrars provide services to other groups on the government's list of terrorist organizations. (

MIT Spam Conference Continues...

March 28, 2008

Knujon was presented Thursday and created considerable discussion. (

Knujon to be presented at MIT Spam Conference

March 27, 2008

Knujon is being presented at the annual MIT Spam Conference ( Dr. Robert Bruen, will be conducting the presentation at 2:15PM Thursday in the Stata center. Our presentation represents a critical shift in the last ten years of anti-spam. The topics usually discussed at this forum are focused on filtering algorithms, smtp protocol design, and spam blacklisting. The presentation of KnujOn's policy enforcement and illicit network termination work will bring a new perspective to the fight against Internet abuse and electronic fraud. Thanks for your support of our mission.

Lots of Spam en Español!

March 26, 2008

It's about time, Spanish is only the most widely spoken language in the world. Some subject lines:

"Construya Indicadores Integrales con el Balanced Scorecard. Publicidad . neszs"
"TE ESPERAMOS. LLAMANOS . 472-8846 . m2pbj"
"LUCE TU MEJOR SONRISA...!!!. Publicidad . pvlp"

¡Knujon lucha spam de tu correo! envíe aquí

KnujOn Outlook Reporting Widget(macro) Posted

March 25, 2008

Automate Outlook for Knujon and make a custom toolbar button

KnujOn to be Presented at MIT SpamConfernce

March 24, 2008

Valid topics for 2008 include not just plain spam, but "other cybercrimes" such as phishing, IM spam, SMS spam, MMORPG spam, blog spam, trackback spam, photo spam, stock pump-and-dumps, email con games, exploit marketing, zombie bots and bot armies, setting up antispam systems, and antispam countermeasures including hardware, software, wetware, and blue-ware. (

FBI Opens Probe of China-Based Hackers

March 23, 2008

The FBI has opened a preliminary investigation of a report that China-based hackers have penetrated the e-mail accounts of leaders and members of the Save Darfur Coalition, a national advocacy group pushing to end the six-year-old conflict in Sudan. (

Be on the lookout for tax return scams

March 22, 2008

Hannaford's Breach Exposes 4.2M Credit, Debit Cards

March 21, 2008

PORTLAND, Maine (AP) — At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain. But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. (

Hannaford's Investigating Fraud After Security Breach (
Hannaford fraud linked to pin transactions (
Hannaford logo's disappearing act (

Missing emails dog business users after Xtra's shift to Yahoo

March 20, 2008

Vital business emails are going astray, intercepted and quarantined by YahooXtras spam filters without the knowledge of the sender or the receiver. Wellington-based Graphic Dimensions, which provides IT support and services to architectural design companies, has had problems sending email to addresses since the beginning of February. Email from the company, which is also an Xtra customer, is classified by the YahooXtra mail filter as spam, says Graphic Dimensions technical director, Paul OBrien. This is causing problems for Graphic Dimensions because important messages from its clients, primarily architects, to contractors are going AWOL, OBrien says. (

CAN-SPAM violations cost online ad firm $2.9 million

March 19, 2008

Another company has settled charges today with the Federal Trade Commission over violations of the CAN-SPAM Act, netting the FTC another $2.9 million in civil penalties. Online advertiser ValueClick and its subsidiaries were charged with using deceptive e-mails, banner ads, and pop-ups to drive traffic, as well as a failure to secure customers' financial information. The settlement is the largest in CAN-SPAM's five-year history, says the FTC, and bars the companies from any further violations. (

Men's Health Magazine Hijacked to Sell Fake Pharma

March 18, 2008

Even magazines can be brandjacked...

...diverts users to this site:

Real Men's Health site is here:

Obviously an unwitting victim, but are they liable? " If they don't act soon, frequently-phished companies may be held liable for crimes committed in their names " ( Knujon has notified Men's Health but they have not responded or taken any action against the fake pharmacy website.

Ukrainian CyberCrime Boss Leads Political Party

March 17, 2008

A Ukrainian man once known as one of the top ringleaders in Eastern Europe-based organized cyber crime is now heading up a new political party there. Dmitry Ivanovich Golubov, a 24-year-old from Odessa, is leading the upstart "Internet Party of Ukraine," a party he helped create shortly after parliamentary elections in the country last fall. In 2005, Golubov -- a.k.a. "script" -- was arrested and jailed on charges of trading in credit and debit card credentials stolen via computer viruses and password-snatching Trojan horse programs, thefts that caused millions of dollars in losses to banks over several years. (

Trend Micro hit by massive Web hack

March 16, 2008

Security vendor Trend Micro has fallen victim to a widespread Web attack that splashed malicious software onto hundreds of legitimate Web sites in recent days. (

Man dubbed "spam king" pleads guilty to three charges

March 15, 2008

Robert Soloway, dubbed the "spam king" for having sent millions of unwanted e-mails around the globe, pleaded guilty today to mail fraud, fraud in connection with electronic mail and failing to file a tax return. (

It's not always a virus

March 14, 2008

There’s a common problem in Windows XP that can make network browsing very slow. If the 'My Network Places' folder contains a shortcut to a network share, then each refresh of the explorer window will attempt to read icon information from every file in the remote location, causing the system to slow to a crawl. Removing all shortcuts from 'My Network Places' will return the system response to normal. (

Drugs easy to get at 'rogue' sites online

March 13, 2008

~Video~ (

Chinese hackers: No site is safe

March 12, 2008

ZHOUSHAN, China (CNN) -- They operate from a bare apartment on a Chinese island. They are intelligent 20-somethings who seem harmless. But they are hard-core hackers who claim to have gained access to the world's most sensitive sites, including the Pentagon. (

Mac attack: Vendors mull security software for OS X

March 11, 2008

Russian security vendor Kaspersky Lab has a prototype version of its virus protection software waiting in the wings in case Apple Mac OS X suddenly becomes a target of choice for hackers. (

Porn spammer brought to book, US companies pays up for violations

March 10, 2008

An adult Web site whose affiliates sent pornography-related spam to unsuspecting recipients will pay $413,000 (207,000) to settle a complaint from the US Federal Trade Commission. (

Pxxx peddlers and spammers are upping their assault on Google Groups

March 9, 2008

Many links on the discussion group site link to pxxx aggregators, some of which redirect to malware sites pushing Trojan horse malware (such as VirusHeat) disguised as video codecs. (

More than a million more users were duped by phishing attacks last year, compared to the year before.

March 8, 2008

Rod Rasmussen, president and CTO of anti-phishing vendor, Internet Identity, said the company has primarily focused on the US market, but is now seeing a rapid increase in phishing activity beyond North America and Europe. (

Spammer loses free speech argument

March 7, 2008

A court in Virginia has struck down a spammer's appeal that his conviction violated his rights to free speech. Jeremy Jaynes was named as one of the world's top 10 spammers in 2003 by watchdog Spamhaus, and was estimated by prosecutors to be pumping out 10 million emails a day netting him US$750,000 per month. (

YouTube Gets Slammed for Video Showing British Mom's Gang Rape

March 6, 2008

LONDON — YouTube is facing criticism for making it too easy for people to upload violent or sexually explicit content to the Internet after a 25-year-old mother was filmed while being raped. (

It's Tax time!

March 5, 2008

Most spam comes from just six botnets

March 4, 2008

Six botnets are responsible for 85 per cent of all spam, according to an analysis by net security firm Marshal. (

Virginia court upholds prolific spammer's conviction

March 3, 2008

A divided Virginia Supreme Court affirmed the nation's first felony conviction for illegal spamming on Friday, ruling that Virginia's anti-spamming law does not violate free-speech rights. Jeremy Jaynes of Raleigh, N.C., considered among the world's top 10 spammers in 2003, was convicted of massive distribution of junk e-mail and sentenced to nine years in prison. Almost all 50 states have anti-spamming laws. In the 4-3 ruling, the court rejected Jaynes' claim that the state law violates both the First Amendment and the interstate commerce clause of the U.S. Constitution (

US 'Spam King' faces prison

March 2, 2008

A serial junk-mailer known as the "Spam King" will appear in a Seattle court next month, in a criminal trial being hailed as a major blow in the fight against unsolicited emails. (

Cybersquatters launch 10,000 attacks a week on top brands

March 1, 2008

Top brands face up to 10,000 "brandjacking" incidents a week from cybersquatters who are trying to pass off fake sites as genuine, according to new statistics from researcher MarkMonitor. (

Hotmail Problems Caused Outage Worldwide

February 29, 2008

Hotmail suffered a worldwide outage Tuesday as Microsoft Corp. deals with technical difficulties. Hotmail, one of the world's leading e-mail services, was not working the majority of the day on Tuesday. The outage problems also affected MSN and Microsoft's Windows Live portal. (

Comcast on FCC defense, File-sharing rules roil critics at Harvard

February 28, 2008

Comcast pushed back at a barrage of criticism yesterday that the huge telecom company was deliberately blocking file-sharing by some Internet users. Appearing at a special Federal Communications Commission hearing yesterday at Harvard Law School, representatives from Comcast rejected accusations that it was hassling certain Internet users for competitive reasons. (

Pakistan move knocked out YouTube

February 27, 2008

(CNN) -- An apparent move by the Pakistani government to block YouTube, the popular video-sharing Web site, knocked out access to the site worldwide for more than two hours, Internet analysts say. (

Taliban threatens Afghan mobile telecom companies

February 26, 2008

Kabul: The Taliban on Monday warned mobile telecommunication service companies to shut down at night their booster towers in Taliban-held areas in Afghanistan within three days, a statement released by the militants said. “We are calling on all cellular phone service companies to shut down their activities from 5 pm to 7 am (local time) next day in Taliban-held areas within three days,” the statement read out by the outfit's purported spokesman Zabihullah Mujahid to media outlets in south Afghanistan said. (

Cops Sue Cops over Domain Names

February 25, 2008

CONCORD, N.H.—Attorney General Kelly Ayotte has agreed to mediate a dispute between the New Hampshire Troopers Association and the New Hampshire Highway Patrol Association. In a lawsuit filed in 2006, the troopers union accused the highway patrol group of registering several Internet domain names that either deceived the public into sending money to the wrong group or directed visitors to sites that disparaged the troopers. In a counter claim, the highway patrol group accused state troopers of libel for trying to scuttle a highway patrol speed trap by warning motorists to slow down. (

Hackers Recruit for Local Language Skill

February 24, 2008

SAN FRANCISCO -- Wanted: computer virus writers. Must be fluent in Mandarin. Or Russian. Or Portuguese. These hacker help wanted ads are appearing on underground Internet channels as malicious code designers increasingly want programmers with foreign-language skills to help launch country-specific attacks, security vendor McAfee Inc. said in a report Thursday. (

Increasing trend in underlying criminality for financial gain in the area of cybercrime set to continue throughout 2008.

February 23, 2008

According to research from Trend Micros TrendLabsSM, hackers are intensifying their attacks on legitimate Web sites. It debunks the adage to not visit questionable sites just because a user visits a gambling or adult-content site doesnt necessarily mean Web threats are lurking in the shadows; the site with the latest sports news or links in a search engine result, however, could potentially infect visitors with malware. (

Malicious Advertising (Malvertising) Increasing

February 22, 2008

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. (

Quebec cops bust massive botnet ring

February 21, 2008

Canadian police have arrested 17 people suspected of running a huge botnet of compromised PCs. Up to one million computers in various countries were allegedly under the control of the suspects, who range in ages from 17 to 26. All but one are male, UPI reports. (

Federal government falling short on cybercrime

February 20, 2008

WASHINGTON The federal government is falling farther and farther behind its fight against cybercrime and, despite an increase in the amount of resources being allocated to address the problem, it will continue to struggle without a lot of help from law enforcement agencies at the state, local and international levels, current and former government security officials say. (

The changed face of cybercrime

February 19, 2008

The past few years has seen a major change in the world of cybercrime. The sheer number of crimes has increased substantially, but thats not the whole story. Merely increasing the amount of money and people that your company throws at the problem is no longer enough to keep pace with the changes. Cybercrimes, and the cybercriminals that perpetrate them, have evolved. To protect your company from the new wave, your methods and attitudes must evolve too. (

Man arrested for sending 2.2 billion spam emails in Tokyo

February 18, 2008

TOKYO Police on Friday said they have arrested a man for sending 2.2 billion spam emails with fake sender information. Yuki Shiina, 25, was arrested for allegedly sending nine spam emails, which were ads for gambling and dating services, with fake sender information on Nov 13, 2007, after an Internet service provider reported to police that he was sending massive amount of emails last September (

RIM's co-CEO downplays BlackBerry outage

February 14, 2008

The BlackBerry outage, the service's second major interruption since April 2007, began at about 3:30 p.m. New York time Monday. Service was restored roughly three hours later, the company said in a statement. No messages were lost. Calling and text-messaging services weren't affected. Research In Motion said in a statement issued late Tuesday afternoon that the outage was caused by "a problem with an internal data routing system within the BlackBerry service infrastructure that had been recently upgraded." The company has been upgrading capacity throughout its server farms to accommodate growing demand for its BlackBerry services. (

Malicious programs hit new high

February 13, 2008

The numbers of malicious programs circulating online is hitting an unprecedented high, say experts. (

Cyberthieves go phishing to rob banks

February 12, 2008

Of the top 20 companies targeted by phishing in 2007, the report says, 19 are in the banking industry. Computer users are often tricked into visiting fraudulent sites because of "danger, danger" e-mail subject lines like "account security measures," "important notice" or "(your bank name) security notice." One sneaky thing some malware (malicious threats) does is to modify a user's server information. For example, a user types into his or her browser. But instead of the computer using the service provider's server, which would take the user to the real Bank of America server, the computer uses a bogus server run by phishers -- and that takes the user to a fake Bank of America server. The phishers take the user's login information and empty the account. (

Russia becomes spam superpower

February 11, 2008

Russia might be a country trying to regain superpower status, but it has already reached it in one less welcome area the amount of spam it sends to the world. (

Spammers Go Old School as Gimmicks Fail

February 10, 2008

For the longest time, it had been botnet-infected (define) computers in the U.S. that pumped out the bulk of offers for mortgages and herbal Viagra, which comprised a staggering 78.5 percent of all e-mail floating around on the Internet according to Symantec. (

Europe still top source of spam

February 9, 2008

European spam networks have pumped out more unsolicited e-mail than those in the U.S. for the third month in a row, according to security vendor Symantec. (

Judge orders end to weight-loss, anti-aging spam operation

February 8, 2008

Judge David Coar of the U.S. District Court for the Northern District of Illinois, Eastern Division, has also ordered Sili Neutraceuticals and owner Brian McDaid to pay nearly US$2.6 million for allegedly making false advertising claims and sending e-mail messages in violation of the FTC Act and the CAN-SPAM (

Prison Sentences for Ringleaders of Global Software Counterfeit Syndicate Sentencing
signals the end of Taiwan-based operation, the largest known producer and distributor of fake Microsoft products in the world from 1997 to 2003.

February 7, 2008

REDMOND, Wash. Feb. 4, 2008 Prison sentences handed down to counterfeiters by a Taipei, Taiwan, court mark the end of a string of successful prosecutions by international law enforcement agencies, bringing a global software counterfeiting ring to a final halt. Between 1997 and 2003, Huang Jer-sheng, owner of the Taipei-based distributor Maximus Technology Inc., and his associates were responsible for the production and distribution of more than 90 percent of the high-quality counterfeit Microsoft software products either seized by law enforcement or test-purchased around the world. (

US Attorney Seizes $1 Billion For Victims

February 6, 2008

NEW YORK -- The U.S. Attorney in Manhattan announced that more than $1 billion in assets were seized last year from companies and individuals accused of fraud and other wrongdoing. -Prosecutors said much of the $1.1 billion in assets included seizures from Wall Street scams, the Oil-For-Food Scandal, public corruption and international drug rings. (

Special Investigation: The Hidden War on Australia

February 5, 2008 takes you inside the secretive online world of Islamic extremists with a special report on how they are using the latest technology to drive propaganda campaigns, cheering Australian troop deaths and mocking our political leaders. (

Do-it-yourself phishing kit targets email, social networks

February 4, 2008

A do-it-yourself phishing kit, which makes it easy for inexperienced scammers to target users of popular social networking websites such as Orkut, MySpace and Facebook and webmail platforms like Yahoo and Hotmail, was found by researchers from FaceTime Communications this week. (

Nigeria's Drug Czarina Risks Death to Take on Counterfeiters

February 3, 2008

Pharmacologist Dora Akunyili is a remarkably honest woman. The trait earned her a job as Nigeria's pharmaceutical industry enforcer. Her campaign against the country's counterfeiters has put her life in danger, but she has no plans to back down. (

Make Your Thunderbird Work Against Spam

February 2, 2008

Thanks to Thunderbird, SecondWheel, CyberTopCops, and SoftPedia we have some great utilities and instructions. SecondWheel has added a number of options to his already excellent KnujOn Thunderbird Extension.

KnujOn Thunderbird Extension (
Transform Your PC Into a Spam Reporting Machine (
Thunderbird extension that Forwards all emails marked Junk (as attachments) to (

Internet Hookers Gear up for Super Bowl

February 1, 2008

Craigslist ads lead police to prostitute ring (
Traveling 'circuit girls' flock to Super Bowl (
"A lot of girls are advertising on the Internet" (

Internet failure hits two continents

January 31, 2008

DUBAI, United Arab Emirates (CNN) -- High-technology services across large tracts of Asia, the Middle East and North Africa were crippled Thursday following a widespread Internet failure which brought many businesses to a standstill and left others struggling to cope. Industry experts are blaming damage to two undersea cables but it is not known what caused the damage. Reports say that Egypt, Saudi Arabia, Qatar, the United Arab Emirates, Kuwait, Bahrain Pakistan and India, are all experiencing severe problems. (

International gang hacks into Texas bank

January 30, 2008

FORT WORTH, Texas -- An international gang of cyber criminals hacked into OmniAmerican Bank's records, the bank's president disclosed Wednesday. (

Free music service hits snag;Songs will play on iPods despite Apple's DRM

January 29, 2008

LOS ANGELES, California (AP) -- A revamped online file-sharing service that promised to offer unlimited, free music downloads from all the major record labels hit an apparent snag Sunday after one denied it had given the service permission. (

MySpace Nightmare: Cyberbullies Hijack Florida Teen's Page

January 28, 2008

A 15-year-old Florida girl's MySpace page has been hijacked and defaced with sexually explicit and hateful content, Tampa Bay affiliate FOX 13 reported, raising questions about security on Internet networking sites and what is being done to improve it. (

Rogue Trader Held in French Bank Scandal

January 27, 2008

PARIS (AP) — Police on Saturday questioned the young trader blamed for a massive fraud that cost France's Societe Generale bank more than $7 billion, as the country's president accused global financial institutions of having "gone haywire" and urged common sense. (

FBI: Craigslist Used In Murder-For-Hire Case

January 26, 2008

A Michigan woman is under arrest after being accused of using Craigslist to find someone to kill a Northern California woman. Federal investigators said 49-year-old Ann Marie Linscott contacted several people through (

Disgruntled Worker Accused of Deleting $2.5 Million of Files

January 25, 2008

JACKSONVILLE, FL -- The target may be high-tech, but the emotion involved is as old as humanity. Spite, anger, and revenge. Police say that's what filled a woman's heart after she picked up the classified ads. (

China shut 44,000 porn Web sites in 2007 - report

January 24, 2008

BEIJING (Reuters) - China shut down 44,000 Web sites and homepages and arrested 868 people last year in a campaign against Internet porn which will continue until the end of this year's Beijing Olympics, Xinhua news agency said on Wednesday. (

Hackers target aspiring Internet scammers

January 23, 2008

A Moroccan group called "Mr. Brain" is offering free phishing kits on a Web site hosted in France, said Paul Mutton, Internet services developer at Netcraft, a security company in Bath, England. The software packages make it easy to quickly set up a fraudulent Web site mimicking a known brand in order to trick people into divulging credit card details or bank account numbers. Templates for spam e-mail are also included, targeting brands such as Bank of America, eBay, PayPal, and HSBC. (

Listing of recent cybercrime related arrests

January 22, 2008

The repercussions for cybercriminals are finally coming in line with the severity of their crimes. With international computer crime authorities joining efforts in a bid to bring down hackers, malware authors and spammers, the past 12 months have seen more arrests and harsher sentencing for criminals involved in high-profile crimes. Below are some of the cases that made the news in just in the second half of 2007. (

Five years in prison for takeover of online bank account

January 21, 2008

Sharon D. Richards, 43, of Sacramento has been sentenced to five years in prison after pleading guilty to hacking an online bank account of another person and writing more than $200,000 in checks on it. The case began when the victim’s purse was stolen. (

Military industrial complex aims to revamp email

January 20, 2008

A consortium of British and US military agencies and defense and aerospace firms have agreed a new standard for secure email. Security experts are watching the developments closely, but are unsure how much of the specification will make it into public use or commercial email security products. (

CIA Says Hackers Have Cut Power Grid

January 19, 2008

Several cities outside the U.S. have sustained attacks on utility systems and extortion demands. Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week. Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong. (

Do Our Courts Understand Cybercrime?

January 18, 2008

North Dakota Judge Gets it Wrong: ...WAY wrong. This is just mind blowing. Ever been prosecuted for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand? No? Well, David Ritz has. And amazingly, he lost the case. Here are just a few of the gems that the court has the audacity to call ”conclusions of law.” Read them while you go donate to David’s legal defense fund. He got screwed here, folks, and needs your help. “Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law.” You might not know what a zone transfer is, but I do. It’s asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota. (

Yahoo! CAPTCHA Hacked

January 17, 2008

Russian reserchers released program for automated Yahoo! CAPTCHA recognition. (

The Decline of CAPTCHA
Spammers use porn to get unsuspecting users to break CAPTCHA codes
Captcha bypassed

Craftier Trojan Invades 10,000 Web Sites, Stumps Security Pros

January 16, 2008

The "random js toolkit" is a Javascript code that is created dynamically and provides a random filename that can only be accessed once. As a consequence, it changes every time it is accessed. The dynamic embedding, known as "code obfuscation," is done in such a selective manner that once a user has received a page with the embedded malicious code, it will not be referenced again during future visits. (

MySpace, states move to block sex offenders

January 15, 2008

ALBANY, New York (AP) -- MySpace has reached an agreement with more than 45 states to change to help prevent sexual predators and others from misusing it, state officials said Monday. Several states' attorneys general said in a statement that the huge social networking Web site has agreed to add several protections and participate in a working group to develop new technologies, including a way to verify the ages of users. Other social networking sites will be invited to participate (

Mystery Calls from (303) 296-2573

January 14, 2008

Your cell phone rings, you pick up, say "hello" and hear tones. This is a "fax blast." A program calls numbers in a list or at random and attempts to fax an unsolicited advertisement. You can fight back.

(303) 296-2573 Look up numbers calling in fax and cell spam
More on Junk Faxes

Cells, texting give predators secret path to kids

January 13, 2008

The same cell phones that parents buy as safety devices for their children are the gadgets that pedophiles and predators use to prep kids for sexual encounters, experts and police say. (

Facebook hit by adware attack

January 12, 2008

Facebook users are being warned about a new application on the social networking site that contains adware. 'Secret Crush' contains a download of the Zango adware program which automatically sends itself to five friends ( analysis: The malware 'shadow economy'

January 11, 2008

Viruses, malware and online crime are evolving from the realm of geeks into a major shadow economy that closely mimics the real world. Maksym Schipka, a senior architect at security firm MessageLabs, claims to have identified a sophisticated online black market with tens of thousands of participants. (

Phishing attacks slam midmarket

January 10, 2008

"Certainly the criminals have moved downstream to smaller financial institutions," said Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn. "That's been the trend for well over a year, because the larger banks have employed services to take these phishing command and control services down. So criminals would rather use brands that are not going to go after them. It's easier to attack smaller banks that haven't geared up to protect themselves. They can go undetected. And as soon as they are detected, these smaller banks are caught off guard." (

Mey v. Herbalife International, Inc., et al.

January 9, 2008

This is Notice of Class Action Lawsuit and Proposed Settlement ("Notice") of a proposed settlement in a class action lawsuit. The Settlement would resolve a lawsuit brought on behalf of individuals who received phone calls or faxes allegedly made by or on behalf of independent distributors of Herbalife International, Inc. ("Herbalife"). (

More on Junk Faxes

Microsoft’s SkyDrive beta abused by spammers.

January 8, 2008

Our labs(McAfee) trapped many thousands of spam overnight that are abusing the Windows Live SkyDrive Beta service launched in August last year (or rather it’s the new name for Windows Live Folders…). The service allows you to upload up to 1Gb of files and share them with anyone via weblinks. The trapped pill spam promises the usual assurances: (

Computer Forensics Faces Private Eye Competition

January 7, 2008

The Internet is boundless and cybercrime scenes stretch from personal desktops across the fiber networks that circle the globe. Digital forensic investigators like Harold Phipps, vice president of industry relations at Norcross Group in Norcross, Ga., routinely slip across conventional geographic jurisdictions in pursuit of digital evidence and wrongdoers. (

U.S. Gov ID Theft Resource Pages

January 6, 2008

Office of Critical Infrastructure Protection and Compliance Policy ( provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. (

Alan Ralsky indicted

January 5, 2008

The US Department of Justice went public today with the indictment of Alan Ralsky and 10 others who helped him. Alan Ralsky topped our Top 10 Worst Spammers list for quite some time and was involved in almost any sort of spam activity that's being done. He and his gang frequently sent millions of spam messages per day. In recent years his focus has been on stock spam, and that's a key part of what the US DOJ indicted him for. (

US indicts 11 over pump-and-dump stock spam

January 4, 2008

Eleven people, including one of the top spammers in the world, were indicted on Thursday for allegedly sending millions of unsolicited e-mails intended to inflate the price of Chinese penny stocks. (

Who Is Really Monitoring Your Domain Searches?

January 3, 2008

It's getting more and more difficult to do any kind of domain research without running the risk of losing your domain ideas to unscrupulous domain tasters. (

Example of double spam sent to mailboxes and mailing lists

January 2, 2008

A way of double spamming - combo of spamming email users and mailing lists to get a profit: #1 Spammer sends a spam e-mail to a mailing list that doesn't have rigorous moderating - in this case netbsd-docs. The post is mirrored online. #2 Spammer then sends actual spam e-mails that pass through anti-spam filters (Mail application locally categorizes it as junk) with direct links to a link on a rather well known domain. (

Romanian Authorities Arrest 9 of 22 Defendants Charged in Organized Crime Group

January 1, 2008

On November 13, 2007 Prosecutors from the Directorate for Investigating Organized Crime and Terrorism arrested 9 of the 22 persons who were charged for the crimes of setting up an organized criminal group, computer fraud, fraudulent use of electronic payment instruments, and production and maintenance of equipment needed to counterfeit electronic payment instruments. (

News from 2007 has been archived.
News from 2006 has been archived.
News from 2005 has been archived.
Privacy Policy and Mission Statement
All Content at Copyrighted by KnujOn, LLC.
KnujOn and Coldrain are not responsible for content at external sites