
Policy Failure Enables Mass Malware: Part II (ICANN and OnlineNIC)

Garth Bruen

On Wednesday, September 29th at 1PM there will be a meeting in the Old Executive Building in Washington D.C. with Registries and domain Registrars to discuss illegal Internet sales of prescription drugs. ICANN was originally invited but declined, citing "inappropriateness". One "U.S." Registrar that definitely will not be in attendance is OnlineNIC. It has been known for some time that OnlineNIC's purported Oakland, California address is false and that the company has been caught directly involved in cybersquatting and counterfeiting schemes that cost it millions in out-of-court settlements. However, the core issue is an illicit pharmacy domain sponsored by OnlineNIC that has been found in thousands of hacked websites infected with a PHP redirection. KnujOn first found this malicious redirection in July 2010, discovered that the target domain, SECURETABS[DOT]NET, had a false WHOIS record, and filed a complaint with ICANN on July 18, 2010. Under the ICANN Registrar Accreditation Agreement the domain owner has 15 days to correct WHOIS inaccuracies and the Registrar has 45 days to investigate the complaint. If the registrant fails to respond, the domain must be deleted. The Registrar is required to investigate; failure to do so could be considered a material breach of its contract with ICANN. In this case both deadlines have passed without correction or deletion. OnlineNIC has yet to respond to multiple inquiries about this.

The Malicious Intrusions Continue

As with our last report on malware and policy failure, a single illegal pharmacy shop site that somehow evades detection and policy enforcement can impact thousands or even millions of innocent websites, because it provides the motivation and the opportunity to keep spreading the malware that drives Internet users to illegal transaction sites without their consent. This particular malicious code has been found at Earlham College, the University of Illinois, the University of Delaware, Lord Fairfax Community College, the University of Alaska, and Toccoa Falls College. While public institutions are frequent targets of these attacks because of their typically large networks, multiple access points, and constantly changing student populations, private sites are just as vulnerable. We even found one infection on the site of a local Fox News affiliate in Houston. KnujOn currently estimates the number of websites infected with some kind of illicit pharmacy-related redirect to be in the millions.
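The redirect injections described above are usually a few lines of PHP dropped into an existing page: either a plain header() redirect, a meta refresh, or a JavaScript location change, often wrapped in eval(base64_decode(...)) and cloaked so that only visitors arriving from a search engine are sent to the pharmacy. The following Python scanner is an added illustration of how a site owner can sweep a web root for such injections; it is not code from this post or from KnujOn. The blocklist is seeded with the domains named in the post and its updates; the sample PHP/HTML files at the bottom are constructed for the example and are not the injected code recovered from the compromised sites.

```python
"""Detector for injected pharmacy-redirect code in PHP/HTML files (added example).

The blocklist is seeded with the domains named in this post and its updates.
The sample sources at the bottom are constructed for the example; they are
not the injected code recovered from the compromised sites.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator domains named in the post.
PHARMACY_DOMAINS = frozenset({
    "securetabs.net", "securetabs.org", "generictab.com",
    "cheapdrugsnorx.com", "bestgenericpharma.com", "pharm-tracker.com",
})

# Three common ways a hijacked page sends a visitor elsewhere.
REDIRECT_PATTERNS = (
    ("php-header", re.compile(r'header\s*\(\s*["\']Location:\s*(https?://[^"\'\s]+)', re.I)),
    ("meta-refresh", re.compile(r'http-equiv=["\']refresh["\'][^>]*?url=(https?://[^"\'\s>]+)', re.I)),
    ("js-location", re.compile(r'location(?:\.href)?\s*=\s*["\'](https?://[^"\']+)', re.I)),
)
# eval(base64_decode('...')) is the usual wrapper used to hide the redirect.
B64_CALL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# Cloaking: redirect only search-engine visitors, or only non-bots.
CLOAKING_HINTS = re.compile(r'HTTP_REFERER|HTTP_USER_AGENT|googlebot', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str        # how the redirect is expressed, e.g. "php-header" or "base64>php-header"
    host: str        # destination host that matched the blocklist
    cloaked: bool    # True if the file also inspects the referer or user-agent


def _blocklisted(host, blocklist):
    return any(host == d or host.endswith("." + d) for d in blocklist)


def _redirect_hosts(src, blocklist, depth=0):
    """Yield (kind, host) for every blocklisted redirect target in src,
    following base64-wrapped payloads up to a small nesting depth."""
    for kind, pat in REDIRECT_PATTERNS:
        for m in pat.finditer(src):
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host and _blocklisted(host, blocklist):
                yield kind, host
    if depth >= 3:
        return
    for m in B64_CALL.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for kind, host in _redirect_hosts(decoded, blocklist, depth + 1):
            yield "base64>" + kind, host


def scan_php_source(src, blocklist=PHARMACY_DOMAINS):
    """Return a list of Findings for one PHP/HTML source string."""
    cloaked = bool(CLOAKING_HINTS.search(src))
    return [Finding(kind, host, cloaked) for kind, host in _redirect_hosts(src, blocklist)]


def scan_site(files, blocklist=PHARMACY_DOMAINS):
    """files maps path -> source text; returns only the paths with findings."""
    report = {}
    for path, src in files.items():
        hits = scan_php_source(src, blocklist)
        if hits:
            report[path] = hits
    return report


# --- constructed sample files (not from any real compromised host) ---------
CLEAN_PHP = '<?php header("Location: https://example.edu/login"); ?>'

CLOAKED_PHP = """<?php
if (!empty($_SERVER['HTTP_REFERER']) && preg_match('/google|bing|yahoo/i', $_SERVER['HTTP_REFERER'])) {
    header("Location: http://securetabs.net/?rid=12");
    exit;
}
?>
<html><body>Welcome to the department site</body></html>"""

_PAYLOAD = 'header("Location: http://www.pharm-tracker.com/rotate.php"); exit;'
OBFUSCATED_PHP = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(_PAYLOAD.encode()).decode()

META_HTML = '<meta http-equiv="refresh" content="0;url=http://generictab.com/">'

SAMPLE_SITE = {
    "index.php": CLOAKED_PHP,
    "wp-content/cache/x.php": OBFUSCATED_PHP,
    "news/old.html": META_HTML,
    "login.php": CLEAN_PHP,
}

if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_SITE).items():
        for f in hits:
            print(f"{path}: {f.kind} -> {f.host}{' (cloaked)' if f.cloaked else ''}")
```

To use it on a real host, read each .php and .html file under the web root into the dictionary passed to scan_site(). Matching on the destination host rather than on the injected code itself is deliberate: the wrapper varies from intrusion to intrusion, but the pharmacy domain (or the rotation domain that fronts it) is the part the attacker cannot change without losing the traffic, which is exactly why the post argues that suspending that domain at the Registrar ends the whole campaign.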

Policy Enforcement from ICANN?

While ICANN has continuously stated it has no enforcement powers, this type of domain abuse is actually within its mandate. Because OnlineNIC is itself a rogue Registrar, it cannot be counted on to follow policy, so it is ICANN's role to hold the Registrar responsible. In the case of OnlineNIC it should be an easy call considering their history, but ICANN recently renewed OnlineNIC's contract for another five years even though OnlineNIC has failed to comply with RAA 3.16 by not posting its address and may be de-accredited under RAA 5.3.2 because of a judgment against it in a suit filed by Louis Vuitton. Because OnlineNIC is allowed to exist, SECURETABS[DOT]NET exists. Because SECURETABS[DOT]NET exists, the Internet is being flooded with silent intrusions and malicious code injections.

Rejection of Registrar Complaint by ICANN

ICANN has a secondary process for filing complaints against Registrars, but in this case it failed. On September 16, 2010, after OnlineNIC had failed to comply with its contractual obligations concerning SECURETABS[DOT]NET, KnujOn followed ICANN's instructions for filing a complaint against a Registrar. Instead of seeing SECURETABS[DOT]NET suspended and OnlineNIC admonished, our complaint was rejected with the claim that we had filed the wrong form. It has now been 73 days since our initial complaint about SECURETABS[DOT]NET, and the site is still active and continues to appear in new website intrusions.

Until ICANN fully grasps the nature of this threat and its ability to thwart it through its normal duties, the problem will grow. Full report: http://www.knujon.com/WDPRS_failures_malware_intrusion_securetabsDOTnet_Knujon_september10.pdf

In Part III, a notorious intrusion and malware download is traced right to another policy failure at another troubled Registrar.

By Garth Bruen, Internet Fraud Analyst and Policy Developer.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Cybersquatting, Domain Names, ICANN, Internet Governance, Law, Malware, Policy & Regulation, Registry Services, Spam, Top-Level Domains, Whois




Update Garth Bruen  –  Sep 30, 2010 5:11 AM PDT

SECURETABS[DOT]NET is now finally offline after 74 days, but there are still three other malware-redirected domains in this scheme: GENERICTAB.COM (TUCOWS), CHEAPDRUGSNORX.COM (OnlineNIC), BESTGENERICPHARMA.COM (DIRECTNIC). The domain that controls the rotation of these sites: PHARM-TRACKER.COM is also sponsored by OnLineNIC. All described in the full report: http://www.knujon.com/WDPRS_failures_malware_intrusion_securetabsDOTnet_Knujon_september10.pdf

Update to the update Garth Bruen  –  Sep 30, 2010 7:11 AM PDT

SECURETABS[DOT]NET replaced with SECURETABS[DOT]ORG, still at Onlinenic!

