
Inside Cyber Warfare - Jeffrey Carr [69]

network: an ICANN-accredited registrar.

The Accredited Registrar

A person who wants to create an Internet presence for nefarious purposes needs to find an accredited registrar that won’t seek to verify false registration information. This will allow her to enter a pseudonym instead of her real name, as well as false contact information (email and telephone). In the case of StopGeorgia.ru, that registrar was Naunet, a Russian Internet services company that offers domain registration and hosting services.

The Hosting Company

In the case of StopGeorgia.ru, the registrant acquired hosting services through a small Russian company, SteadyHost.ru, which in turn was a reseller for a London company, Innovation IT Solutions Corp, which contracted with a very large data center and hosting company, SoftLayer Technologies.

SoftLayer Technologies and The Planet, both based in Texas, have proven to be attractive options for spam and phishing websites, as had Atrivo/Intercage, based in Northern California. Atrivo was finally shut down in October 2008, resulting in a temporary world-wide plunge in spam levels, according to the Washington Post’s Security Fix column of October 9, 2008.

The Bulletproof Network of StopGeorgia.ru

Figure 7-3 shows linkages between companies that support the StopGeorgia.ru forum.

StopGeorgia.ru

As we discussed in Chapter 2, StopGeorgia.ru was a password-protected forum built with a bulletin board software application (phpBB) and launched within 24 hours after the commencement of Russia’s ground, sea, and air assault on the nation of Georgia on August 8, 2008.

Cyber attacks against Georgian government websites occurred as early as July 21, 2008, but this particular forum was not active until the day after the invasion. It provided hackers of all levels with vetted target lists, links to malware to be used to attack Georgian government websites, and expert advice for novice hackers (of which there were many).

A WHOIS search on the StopGeorgia.ru domain revealed the following information:

Domain: StopGeorgia.ru
Type: CORPORATE
Nserver: ns1.gost.in
Nserver: ns2.gost.in
State: Registered, Delegated
Person: Private Person
Phone: +7 908 3400066
E-mail: anac109@mail.ru
Registrar: NAUNET-REG-RIPN

Figure 7-3. The StopGeorgia.ru network

NAUNET.RU

NAUNET is a Russian registrar that is blacklisted by the Spamhaus Project for providing cyber crime/spam/phish domains (Spamhaus SBL advisory #SBL67369 01 Dec 2008).

The domain name StopGeorgia.ru was acquired at Naunet.ru. Part of the complaint against Naunet on file at Spamhaus is that it has knowingly accepted false information (specifically related to invalid IP DNS addresses in the WHOIS info), which is in violation of Russian Institute for Public Networks (RIPN) rules.

In the WHOIS info for StopGeorgia.ru, the phone number 7 908 3400066 and email address anac1099@mail.ru are both listed in the registrar information for a variety of websites selling things such as fake passports, adult porn, and ATM skimmers.

Although the domain information for StopGeorgia.ru doesn’t list a person’s name, opting instead for the ubiquitous “private person,” other domains with the same telephone number and email address have been registered under the name Andrej V Uglovatyj.

Andrej V Uglovatyj, however, is most likely a fictitious person. A search on Yandex.com returns only two unique hits for the name. Considering the amount of data being collected online for individuals today, as well as the fact that Andrej V Uglovatyj is purportedly conducting a number of businesses online, receiving so few hits can only be due to this name being a pseudonym used in shady domain registrations. For example, see the one shown in Figure 7-4 for fake passports at a website named Dokim.ru.

Figure 7-4. One of Andrej V Uglovatyj’s shady domains selling forged documents

The tagline under Dokim.ru reads “Creation of passports and driver licenses for Russia and EU countries.”
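The pivot described above (linking domains that share a registrant phone number or e-mail address, even when one WHOIS record writes the phone with a leading "+" and another without) can be automated over a set of WHOIS responses. The following is an added example written for this page, not code from the book; the records are constructed placeholders in the "key: value" layout that RIPN (.ru) WHOIS servers return, and the domain, phone and e-mail values are invented.

```python
import re
from collections import defaultdict

# Constructed sample records in the "key: value" layout that RIPN (.ru)
# WHOIS servers return. Domains, phones and addresses are placeholders.
SAMPLE_WHOIS = [
    "domain: EXAMPLE-FORUM.RU\nperson: Private Person\n"
    "phone: +7 000 1234567\ne-mail: registrant@example.test\n"
    "registrar: EXAMPLE-REG-RIPN",
    "domain: EXAMPLE-DOCS.RU\nperson: Ivan Ivanov\n"
    "phone: 7 000 1234567\ne-mail: REGISTRANT@example.test\n"
    "registrar: EXAMPLE-REG-RIPN",
    "domain: UNRELATED.RU\nperson: Private Person\n"
    "phone: +7 000 7654321\ne-mail: other@example.test\n"
    "registrar: OTHER-REG-RIPN",
]

def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; keys such as
    nserver repeat, so every field is kept as a list."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(.*?)\s*$", line)
        if m:
            rec[m.group(1).lower()].append(m.group(2))
    return rec

def normalize_phone(phone):
    """Digits only, so '+7 000 1234567' and '7 000 1234567' match."""
    return re.sub(r"\D", "", phone)

def pivot_on_contacts(records):
    """Group domains by shared registrant e-mail or phone.
    Returns {selector: [domains]} for selectors seen on >1 domain."""
    clusters = defaultdict(set)
    for rec in records:
        for domain in rec.get("domain", []):
            domain = domain.lower()
            for mail in rec.get("e-mail", []):
                clusters["email:" + mail.lower()].add(domain)
            for phone in rec.get("phone", []):
                clusters["phone:" + normalize_phone(phone)].add(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}

def find_pivots(texts=SAMPLE_WHOIS):
    """Parse the sample records and report contact fields they share."""
    return pivot_on_contacts([parse_whois(t) for t in texts])
```

On the constructed records, the forum and documents domains cluster together on both the e-mail and the normalised phone, while the unrelated domain does not appear in any cluster.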

SteadyHost.ru

Performing a WHOIS on the IP address is an
