Earlier this week, something suspicious started happening with Web addresses related to sites seized by the FBI from Megaupload and a number of online gambling sites. Instead of directing browsers to a page with an FBI banner, they started dropping Web surfers onto a malicious feed of Web advertisements—some of them laden with malware.
The hijacking of the Megaupload domains wasn't the result of some sophisticated hack. Based on evidence collected by Ars, it appears someone at the FBI's Cyber Division failed to renew the domain registration for CIRFU.NET, the domain which in turn hosted Web and name servers used to redirect traffic headed to seized domains. As soon as they expired, they were snatched up in a GoDaddy auction by a self-described "black hat SEO marketer," a British ex-pat who calls himself "Earl Grey."
As of Thursday afternoon, all of the server names associated with the domain no longer resolve to Internet addresses. GoDaddy has apparently suspended the domain registration, and Earl Grey has been ranting about it ever since on Twitter. The CIRFU.NET domain currently remains in limbo.
Ars attempted to reach the person behind the domain grab, but got no response. Requests for comment from the FBI also went unanswered. But DNS records and details provided by GoDaddy.com's security staff paint a pretty clear picture of what happened—and it's not very pretty.
Whois to blame?
According to historic domain name service records obtained by Ars, the domain CIRFU.NET—maintained by the FBI's Cyber Initiative and Resources Fusion Unit—was registered through GoDaddy.com in 2009 through Domains By Proxy—the domain registration privacy service owned by GoDaddy. When the domain was renewed in 2011, the registration's privacy was dropped—and the "whois" data for the domain showed that it was registered to the Cyber Division of the FBI. The domain name was used for a series of name servers and websites operated by the FBI related to site seizures. The DNS records show that CIRFU.NET was on a two-year renewal cycle and set to expire on April 1, 2015 after an April 2, 2013 renewal.
However, an April 3 retrieval of the Whois record showed that the domain had expired without renewal, and was on lockdown by GoDaddy awaiting either reactivation by the FBI or sale. On May 13 the domain's registration was changed to "Syndk8 Media Limited", a company at an address in Gibraltar. That address is occupied by Form-A-Co Gibraltar Ltd, a company that handles the registration of companies in Gibraltar, mail and phone/fax forwarding services, and yacht registration.
-
The Whois record for CIRFU.NET in early April, after the FBI had failed to renew its registration. Note the status fields indicating the domain is in lockdown awaiting action by GoDaddy.
-
The Whois for the domain as it appeared today, after the domain was suspended for "Terms of Service violations."
According to Earl Grey's Skype profile, he lives in La Zagaleta, a gated community outside Benahavis, 48 miles from Gibraltar on the Spanish coast (where Vladimir Putin recently bought a vineyard with a 10-bedroom mansion). The e-mail address given for the administrative contact in the domain's Whois data is tied to a domain for a site called "Rehab Affiliates"—allegedly a site for an addiction and eating disorder rehabilitation services network. "Syndk8 Media Limited" is also associated with syndk8.com, the host of the members-only Syndk8 BLack Hat SEO Forum Web board ("Pushing the boundaries since 2005").
A call to the phone number associated with the registration was answered with a recording at Form-A-Co: "We're sorry, your call cannot be connected now." There was no response to Skype, Twitter, and e-mail to Earl Grey's e-mail address listed on his Twitter profile. A link in his profile goes to a minimalist homepage.
But Earl Grey's Twitter feed is rich in detail. In addition to detailing his adventure with CIRFU.NET, Earl Grey's Twitter feed document his culinary exploits ("Had no bacon so I made sushi. Had nothing but rice, carrots and seaweed. So I had carrot sushi. Looked like prawns. Tasted like wasabi"); domain speculation ("my stress levels are currently about as high as they get. about to dump all my cash into buying a domain. someone lend me $5 for food"); and hunt for domestic help ("I am looking for an english person to be a cook/maid for a few hours a day in Marbella Center. Anyone you know need work?").
Domain lockdown
Scott Gerlach, a senior security architect at GoDaddy, confirmed that the domain had been sold at auction after it had expired. "Obviously there are people trying to get ahold of domain names when they go into expiry," he said. "The part that's different in this case is there malware going onto those sites, and that this particular domain was providing DNS control for a bunch of other ones. This is the first time we've seen that."
An expired domain goes into hold for 43 days after its expiration—during which it continues to operate as configured by the customer. But many of the seized domains handled by FBI's name servers on CIRFU.NET continued to resolve to seizure banner pages. This is likely because the new owner cloned the FBI's DNS records to his own name server before switching the DNS pointer for CIRFU.NET hosts over. So, when the domain was transferred to Syndk8, it continued to serve up the same banner pages as it did when the FBI owned CIRFU.NET—except for the ones deemed to have the most traffic value. It's likely Earl Grey sold traffic to these domains to clients of his "black hat SEO" consultancy, who in turn aimed visitors at the malware-serving ad pages.
"Once the domain is transferred, DNS records don't move with domain," Gerlach said. "The new domain holder could have scraped all the DNS records, and then recreated them and monkeyed with the ones he wanted to change. He would have had to recreate all the entries; there are some tools out there that allow you to guess DNS entries and scrape the info. He would have had to know what he was doing to make it happen—it's not technically easy to do, but doable."
It was over a week before anyone at the FBI contacted GoDaddy. Early on May 24, Gerlach said, "We got a notice of an ongoing criminal investigation regarding malware distribution, which lead to a Terms of Service violation and domain suspension." The domain was frozen, though its name server continued to route visitors to the malicious advertising page as late as noon today EST.
Earl Grey was, to say the least, not a very happy GoDaddy customer when he found out about the domain suspension—especially as the suspension also revoked his Domains By Proxy coverage and revealed his registration information through the Whois service. And his tweets suggest he was either unaware of what had caused his domain to be suspended, or he was playing it extremely cool. "Hi @GoDaddyHelp, you just suspended a domain of mine you sold me a week ago at auction. What mistake did you make? which of you is to blame?" he posted to Twitter. That was followed by: "Holy poop. Turns out domainsbyproxy by @godaddy is a sham and if they screw up they can disable it. Domain: Please review your cancellation. That was domansbyproxy canceling my privacy. When is privacy not private? When it's with @GoDaddy. I feel like I have been raped by @godaddy over my privacy. I empathize with women and men who have been raped. Violated."
Then, as if realizing what he had gotten himself into, Earl Grey tweeted, "Serves me right for buying expired domains from the FBI. Cirfu.net is the domain in question. Google that bitch."
reader comments
73