2016/12/22

Web.com - wrong excuse

Web.com and Consumer Harm


This blog post will illustrate what happens when Network Solutions is made aware of serious issues on their service.

Network Solutions is a leading US based registrar, a member of the Web.com Group, Inc. For any abuse issues with their service, they insist the abuse form at https://abuse.web.com/ be completed. Also for fake domain registration details.

So what happens if this route is followed?

The domain and the scam


Let's first consider the malicious domain hyperchems.com and the website hosted on it to show what was reported.

This domain is abused in the infamous drug scam. Much like non-existent pets are being sold to unsuspecting victims in pet scams emanating from the Cameroon, the drug scam has a much darker side. Typically this scam targets terminally ill cancer patients. The victim is made to believe the fictitious drugs exists, will be shipped once they have been paid for. But the problems quickly crop up.

The first problem will be the secure credit card payment system. Should the victim pay via their credit card, invariably the credit card will be declined. However at this stage the victim has entered their full personal details and credit card details, including the CVV over and insecure connection.

As such the fraudster suggest paying via Western Union or Moneygram - since the card was declined.

Once this money has been paid, the bogus courier enters while the fraudsters merrily empty the victim's credit card.

The bogus courier will now claim to be shipping the discrete package for the victim. But there are problems. Customs inspections and special clearances are required all requiring fees, insurance fees etc. Should the victim try to withdraw from the scam, the fraudsters turns this scam into extortion, threatening to report the victim to the authorities for trying to obtain illegal drugs.

The index Page:



Crack Cocaine:

For the record, we show this fraudulent website selling crack cocaine. There is no such things as "Legal Crack Cocaine" in the USA.


Steroids for Cancer Sufferers:

This is where we cut to the heart of the scam, the actual group being targeted.



Credit Card Details Theft:


Domain Registration Details:

The domain registrant is extremely well known in the anti-fraud community. He has been using these and similar tactics to sell drugs, also non-existent Arowana fish to US consumers, listed endangered under the ESA and in CITES Appendix I and expressly prohibited as per the US Fish and Wildlife Service website.

These are then transported via his equally non-existent couriers. 

Let us look at four of his domain registration details.

Domain Name: HYPERCHEMS.COM
Creation Date: 2015-01-18T05:00:00Z
Updated Date: 2016-02-23T21:35:06Z
Registrant Name: chemical Labs
Registrant Organization: chemical Labs
Registrant Street: 629 N VALLEY RD
Registrant City: PAOLI
Registrant State/Province: PA
Registrant Postal Code: 19301-1006
Registrant Country: US
Registrant Phone: +1.7743148358
Registrant Email: kenjohn05@gmail.com
Domain Name: BESTSALTONLINE.COM (ClientHold)
Creation Date: 2016-03-31T04:27:38Z
Registrant Name: bigge, Daniel
Registrant Organization:
Registrant Street: 702 CHIPPEWA ST
Registrant City: ONTONAGON
Registrant State/Province: MI
Registrant Postal Code: 49953-1014
Registrant Country: US
Registrant Phone: +1.7743148358
Registrant Email: stevesimeu11@gmail.com
Domain Name: EXPRESSDIAMONDLOGISTIC.COM
Creation Date: 2016-09-23T04:00:00Z
Updated Date: 2016-09-23T12:44:34Z
Registrant Name: Dasha Wande
Registrant Organization:
Registrant Street: 929 POTOMAC AVE
Registrant City: PORTSMOUTH
Registrant State/Province: VA
Registrant Postal Code: 23707-1407
Registrant Country: US
Registrant Phone: +1.7743148358
Registrant Email: 92xwt@boun.cr
At another registrar (which we will escalate to them), but evidence
nonetheless that the party is serially creating fake registration details:
Domain Name: GHCWEED.COM
Updated Date: 2016-10-24T01:13:34Z
Creation Date: 2015-07-26T09:56:11Z
Registrant Name: maria baeza
Registrant Organization: Unknown company
Registrant Street: 215 brooklyn ave 
Registrant City: kansas city
Registrant State/Province: MO
Registrant Postal Code: 64124
Registrant Country: US
Registrant Phone: +1.8165476490
Registrant Email: kenjohn05@gmail.com
Looking at these domains:
  • The first three domain have telephone number +1.7743148358 as common and as such are clearly linked.
  • The first three domains are registered with domain registrar NETWORK SOLUTIONS, LLC.
  • NETWORK SOLUTIONS, LLC. has had some experience with this registrant, as seen with BESTSALTONLINE.COM being on clienthold.
  • We see the registrant changing names, addresses, even emails at trying to hide his trail and true identity.

BESTSALTONLINE.COM was used for exactly the same content, we even find the same telephone number + 1-(774) 314-8358 on the websites. For the eagle-eyed, yes, we even find the name www.bestsaltonline.com on the website at HYPERCHEMS.COM.





So are we to believe the registrant has really changed his name numerous time, likewise his address, even his sex?

Even if we were, that would still mean the domain registration details are invalid as he had changed it since his later registrations reflects different details.


From a registrar perspective, this should be very import and of concern. ICANN mandates such details be accurate and reliable. This is not optional.

The ICANN RAA:

Before becoming a registrar,  such a party must agree with ICANN to uphold certain standards. These standards are contained in a document called the Registrar Accreditation Agreement, commonly referred to as the ICANN RAA. This agreement is available online for all to see: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

Network Solutions is a signatory thereto and undertook to uphold there minimum standards:
https://www.icann.org/registrar-reports/accredited-list.html 

It is this agreement that is supposed to set minimum standards for domain registrations that should allow for some minimal protection for all parties when a domain is registered:
https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

Of note are some of the provisions from this document, highlights are that of the author:

Registrar Accreditation Agreement
3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the provisions set forth in Subsections 3.7.7.1 through 3.7.7.12, and which agreement shall otherwise set forth the terms and conditions applicable to the registration of a domain name sponsored by Registrar. The Registered Name Holder with whom Registrar enters into a registration agreement must be a person or legal entity other than the Registrar, provided that Registrar may be the Registered Name Holder for domains registered for the purpose of conducting its Registrar Services, in which case the Registrar shall submit to the provisions set forth in Subsections 3.7.7.1 through 3.7.7.12 and shall be responsible to ICANN for compliance with all obligations of the Registered Name Holder as set forth in this Agreement and Specifications and Policies. Registrar shall use commercially reasonable efforts to enforce compliance with the provisions of the registration agreement between Registrar and any Registered Name Holder that relate to implementing the requirements of Subsections 3.7.7.1 through 3.7.7.12 or any Consensus Policy.
3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and correct and update them within seven (7) days of any change during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8.
3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure to update information provided to Registrar within seven (7) days of any change, or its failure to respond for over fifteen (15) days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for suspension and/or cancellation of the Registered Name registration.
3.7.7.9 The Registered Name Holder shall represent that, to the best of the Registered Name Holder's knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party.
 3.7.8 Registrar shall comply with the obligations specified in the Whois Accuracy Program Specification. In addition, notwithstanding anything in the Whois Accuracy Program Specification to the contrary, Registrar shall abide by any Consensus Policy requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.
....
3.18 Registrar's Abuse Contact and Duty to Investigate Reports of Abuse.
3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.
WHOIS ACCURACY PROGRAM SPECIFICATION
4. If Registrar has any information suggesting that the contact information specified in Section 1(a) through 1(f) above is incorrect (such as Registrar receiving a bounced email notification or non-delivery notification message in connection with compliance with ICANN's Whois Data Reminder Policy or otherwise) for any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar must verify or re-verify, as applicable, the email address(es) as described in Section 1.f (for example by requiring an affirmative response to a Whois Data Reminder Policy notice). If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the customer paying for the Registered Name, if applicable, providing the required verification, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

5. Upon the occurrence of a Registered Name Holder's willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration, Registrar shall either terminate or suspend the Registered Name Holder's Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.
Then we have an ICANN advisory dated 03 March 2003 that should act as guidance to Registrars on encountering fake registration details in circumstances as above to evade responsibility for fraud. To this day it still stands, as was verified with ICANN themself earlier in the year. This is well known to exist since that long at least. So nothing of the above is new.

https://www.icann.org/announcements/advisory-03apr03.htm

...
    1. The customer's "willful provision of inaccurate or unreliable information";
    2. The customer's "willful failure promptly to update information provided to" the registrar; or
    3. The customer's "failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details".
In their registration agreements with registrars, customers promise to provide "accurate and reliable contact details and promptly correct and update them during the term of the . . . registration." (Subsection 3.7.7.1 of the Registrar Accreditation Agreement.) Conditions (1) and (2) above authorize registrars to cancel domain-name registrations for willful breaches of these promises.
Condition (3) above, it should be noted, is only triggered when the customer fails to respond to an inquiry; it is not triggered when the customer responds to the inquiry but does not complete any corrections to inaccurate or out-of-date Whois data within 15 days. Unlike conditions (1) and (2), which require willful transgressions on the part of the customer, condition (3) is triggered without a showing that the customer's failure to respond is willful, in recognition that the ability to prove willfulness can be frustrated by a customer's refusal to engage in dialog with the registrar.
...
Where an inaccuracy is minor (e.g., an incorrect postal code), appears inadvertent (e.g., transposed digits), and harms no third party (e.g., readily available means of contacting and locating the customer are provided by the data that is given), a registrar can appropriately conclude that much more than 15 days should be allowed before the registration is cancelled. In such cases the registrar, which after all seeks to promote good relations with its customer, has no motivation to act precipitously. On the other hand, where a registrar encounters a severe Whois inaccuracy being exploited by a registrant to evade responsibility for fraudulent activity being carried out through use of the domain name, prompt action by the registrar is appropriate. Under the approach of the Registrar Accreditation Agreement, the registrar is given discretion to act as appropriate in light of the particular circumstances of each case.
In determining how long to wait for a customer response to an inquiry about a Whois inaccuracy before canceling the registration, a registrar should take guidance from subsection 3.7.8 of the Registrar Accreditation Agreement. That subsection defines the registrar's obligation to correct inaccurate Whois data:
"Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy."

 What we conclude from the above is that:
  • ICANN mandates registrars to investigate reports of invalid registration details.
  • Such fake registration details linked to fraudulent activity should be investigated promptly, and if found to be so, the registrar can promptly cancel the domain.
This in fact exactly what many registrars do.

So what happened when the fraudulent activity with the domain name hyperchems.com was reported to Web.com? They issued ticket #11470443 hyperchems.com.

Their Abuse & Fraud Specialist 1 at Legal replied thus:
 
Dear (redacted)


We are writing in response to your recent complaint concerning the domain name hyperchems.com.   
We understand that you find the content on the website associated with this domain name abusive, offensive or otherwise objectionable; however, neither Web.com and or its subsidiary registrar brands (collectively, "Web.com") is the registrant of the domain name, nor providing hosting services for the domain name.  Web.com is simply the  registrar of record, providing domain registration services. As such, we are also not in a position to determine whether a particular domain name registration violates a third party's rights. 
 
Web.com will only take action with respect to a particular domain registration pursuant to (i) a request from the current domain name registrant; (ii) the terms of the Uniform Domain Name Dispute Resolution Policy ("UDRP") issued by the Internet Corporation for Assigned Names and Numbers ("ICANN"), the international regulatory body that oversees the administration of domain names; or (iii) an order from a court or arbitral tribunal of competent jurisdiction. 
 
If you would like to file a domain dispute against the registrant of the domain, please visit the following link for more information:  
https://www.icann.org/resources/pages/dispute-resolution-2012-02-25-en  
Please note that under the U.S. Communications and Decency Act, an Internet Service Provider or Web host is immune from liability for the content posted on a website by a customer and therefore, neither Web.com nor its affiliates would be a party to any potential court, arbitral or regulatory proceedings. 
 
We consider the matter closed. 
 
Sincerely,

(redacted)
Abuse & Fraud Specialist 1
Web.com12808 Gran Bay Parkway| Jacksonville Fl. 32258Office: (404)
260-2594|Fax: (571) 434-4634
Hours of Operation: 7 Days a week 5AM - 10PM EST
If you are shocked, so was the reporter at this response.

Suddenly years of negotiation, letters from the FTC, law enforcement, consumer protection groups just got thrown into the dustbin at Web.com. Not to mention the ICANN RAA and ICANN advisories ignored, yet alternative ICANN UDRPs being mentioned.

Wrong tool for the job at hand. A $10 domain trumps a $2500 UDRP each time in the cost of crime. Considering we literally have hundreds of these specific type of malicious domains streaming onto the net from the Cameroon, most with fake registration details, who is supposed to foot the bill? The cancer patient who has already been defrauded?

A few to and fro replies between the reporter and Web.com followed. The author was included at a stage.

Trying to take a step back, thinking a registrar would send a response like this if they fully understood what was at hand, the author logically explained the registrar's obligation as per the ICANN RAA to them. Explained the whois inaccuracies. Supplied them with additional evidence of serial abuse by the registrant. Supplied them with the relevant ICANN advisory.

The author also took time to explain to them why the UDRP would be the wrong tool, even offering them training on abuse issues if they did not understand what they were looking at for free. 

The reply?
The mail system

<(redacted)@web.com>: host mx.myregisteredsite.com[209.17.115.10] said: 554 5.7.1
    The message from (<(redacted)@aa419.org>) with the subject of (Re:
    [tkt:11470443] hyperchems.com) matches a profile the Internet community may
    consider spam. Please revise your message before resending. (in reply to
    end of DATA command)
Eventually the reply had to be converted to PDF to bypass this malicious domain mention, as labelled by the Internet community, from being seen. (Who are they? And why?)
No reply was received. Did the email reach or not reach Web.com?

A day later a new ticket was lodged, ticket 11498767 hyperchems.com

The reply?
Dear (redacted)
We are writing in response to your recent complaint concerning the domain name hyperchems.com.

We understand that you find the content on the website associated with this domain name abusive, offensive or otherwise objectionable; however, neither Web.com and or its subsidiary registrar brands (collectively, “Web.com”) is the registrant of the domain name, nor providing hosting services for the domain name.  Web.com is simply the  registrar of record, providing domain registration services. As such, we are also not in a position to determine whether a particular domain name registration violates a third party's rights.  

Web.com will only take action with respect to a particular domain registration pursuant to (i) a request from the current domain name registrant; (ii) the terms of the Uniform Domain Name Dispute Resolution Policy (“UDRP”) issued by the Internet Corporation for Assigned Names and Numbers (“ICANN”), the international regulatory body that oversees the administration of domain names; or (iii) an order from a court or arbitral tribunal of competent jurisdiction.

If you would like to file a domain dispute against the registrant of the domain, please visit the following link for more information:

https://www.icann.org/resources/pages/dispute-resolution-2012-02-25-en

Please note that under the U.S. Communications and Decency Act, an Internet Service Provider or Web host is immune from liability for the content posted on a website by a customer and therefore, neither Web.com nor its affiliates would be a party to any potential court, arbitral or regulatory proceedings. 

We consider the matter closed.

Sincerely,
Abuse & Fraud Specialist 1
Web.com

12808 Gran Bay Parkway| Jacksonville Fl. 32258
Office: (404) 260-2594|Fax: (571) 434-4634Hours of Operation: 7 Days a week 5AM - 10PM EST

To say the least, such a reply from one of the US largest ICANN accredited registrars does not do the registrar community proud. There is nothing decent in mentioning the U.S. Communications and Decency Act in this context.

What Web.com has done is turned itself into a willing proxy for fraud under the guise of the the U.S. Communications and Decency Act, while ignoring their ICANN commitments. At the same time they have made all internet users a potential piggy bank for West African scammers or anybody choosing to use their services for fraud by adopting this attitude to abuse and fake registration domain details, including their fellow US citizens who are the prime target of the fraudsters in this specific case.

In an one fell swoop, Web.com has turned their own Master Agreement into mere eye-candy tokenism. Some clauses:
You agree to: (1) provide certain true, current, complete and accurate information about you as required by the application process; and (2) maintain and update the information you provided to us
Customer will not provide Content or other materials, or use the Services in any manner that either directly or indirectly infringes any rights of a third party
Customer’s Content, other materials provided in conjunction with the Services, and use of the Services will in all respects conform to all applicable laws and regulations;
Likewise the Acceptable Usage Policy:
utilize the Services to traffic in illegal drugs, illegal gambling, obscene materials, or other anyproducts or services that are prohibited under applicable law;
 At this stage the reader would appreciate the confusion. If crack cocaine was sold (let's assume it were true and believed to be so by Web.com), this would violate this clause since the claimed address is US and selling crack cocaine is illegal in the US . It is were not true (and Web.com also not believed it so), this would be fraud, which would violate.
utilize the Services in any manner that violates any applicable regulation, rule or law
Then we have more eye candy:

utilize the Services in any manner that might subject Company to unfavorable regulatory
action, subject Company to any liability for any reason, or adversely affect Company's public image, reputation or goodwill, including, without limitation, sending, displaying or distributing  sexually explicit, hateful, vulgar, racially, ethnically or otherwise objectionable materials as determined by Company in its sole discretion.
Fraud, especially fraud targeting desperate terminally ill cancer sufferers, will cause consumer pushback. More so any registrar that allows it to happen on their watch. At this stage Web.com needs no fraudster's help to damage their image. Their own legal department "Abuse & Fraud Specialist 1" is doing more than a stellar job.

Web.com has swept all the consumer protections under the rug in a time when it's needed most, when we find their services being abused for fraud to target a specific vulnerable group of the population.

There simply is no decency in this. Then there are the other registrar obligation issues ...