Directi Internet Solutions strikes again

I ask you – just how obvious does the impersonation of a legitimate company have to be before Directi notices and stops a site from going live *before* it can do harm???

quigley-simpson.net
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, quigleysimpson.com

Domain discovered after it was used to fraudulently sell malvertizing, purportedly on behalf of the legitimate Quigley Simpson company:
(http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#)

The fraudulent domain shares IP address with several domains that are also a cause for concern, being:

hyundai-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, hyundai-motor.com

*****

mediavest-corp.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website not yet live, but WHOIS refers to support@us-resources.com, which is the same email address as is registered for "mediavest.net".

*****

posnerpromotion.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, posneradv.com

*****

singlesnet-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, singlesnet.com

*****

I, for one, am sick to death of Directi letting this stuff through.  Do they *really* believe that a high profile company like Hyundai is going to register a domain through them, and then host the domain in Latvia?  Come on!! 

I don't care that Directi are suspending domains **after the fact**.  The bad guys can do a lot of damage with domains such as those above, even in the space of a few days.

Impersonation of legitimate domains is not the only behavior which leads us to Directi.  Reseller Club (aka Directi) and Directi continue to be involved in the registration of domains used to facilitate the distribution of fraudware - Kimberley has details of a recent incident:

http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#
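The cross-referencing used in this post (same registrar, creation date and IP address, plus names that resemble known brands) can be run mechanically over registration records. The sketch below is an added example, not part of the original post or any registrar's tooling; the thresholds, function names and the `example.org` control record are assumptions.

```python
from collections import defaultdict
from os.path import commonprefix

# Records transcribed from the post: (domain, registrar, created, IP).
SHARED = ("DIRECTI INTERNET SOLUTIONS", "2008-12-17", "94.247.3.17")
RECORDS = [(d, *SHARED) for d in (
    "quigley-simpson.net", "hyundai-inc.com", "mediavest-corp.com",
    "posnerpromotion.com", "singlesnet-inc.com")]
# Constructed control record, not from the post (reserved example domain and IP).
RECORDS.append(("example.org", "EXAMPLE REGISTRAR", "2001-01-01", "192.0.2.10"))
# Legitimate sites the post names as redirect targets.
BRANDS = ["quigleysimpson.com", "hyundai-motor.com", "posneradv.com", "singlesnet.com"]
MIN_PREFIX = 6   # assumed: shared leading characters needed to call a name a lookalike
MIN_CLUSTER = 3  # assumed: registrations sharing all attributes that form a batch


def squash(domain):
    """Lower-case, drop the TLD and hyphens: 'Hyundai-Inc.com' -> 'hyundaiinc'."""
    return domain.lower().rsplit(".", 1)[0].replace("-", "").replace(".", "")


def lookalike_of(domain, brands=BRANDS):
    """Return the brand domain this name imitates, or None."""
    name = squash(domain)
    for brand in brands:
        if domain.lower() == brand:
            continue  # the brand's own domain is not a lookalike
        if len(commonprefix([name, squash(brand)])) >= MIN_PREFIX:
            return brand
    return None


def review(records=RECORDS, brands=BRANDS):
    """Map each domain to (imitated brand, batch size, flagged)."""
    clusters = defaultdict(list)
    for domain, registrar, created, ip in records:
        clusters[(registrar, created, ip)].append(domain)
    result = {}
    for members in clusters.values():
        hits = {d: lookalike_of(d, brands) for d in members}
        # A batch is suspect when it is large enough and contains a lookalike.
        tainted = len(members) >= MIN_CLUSTER and any(hits.values())
        for d in members:
            result[d] = (hits[d], len(members), bool(hits[d]) or tainted)
    return result


if __name__ == "__main__":
    for domain, (brand, size, flagged) in review().items():
        print(f"{domain:22} imitates={brand} batch={size} flagged={flagged}")
```

mediavest-corp.com matches no brand in the list, but is still flagged because it was registered in the same batch as four lookalikes.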

Comments

# re: Directi Internet Solutions strikes again

Monday, January 12, 2009 11:22 PM by Domain Seller

Do you really think registrars have control over the domain names registered through them? How will they come to know about fraudulent activities without someone pointing it out?

# re: Directi Internet Solutions strikes again

Monday, January 12, 2009 11:57 PM by sandi

Domain Seller,

Directi (and before them, Estdomains) have long been a problem, and appear on this blog, and at bluetack (another site devoted to tracking malvertizing, fraudware domains and whatnot) far far too often - this despite their declared intention to "clean up".

Yes I do think registrars have control over the domain names registered through them.  I also expect them to fully investigate malicious incidents and suspend *all* domains associated with a misbehaving registrant.

It takes only basic checks and cross referencing to raise suspicions about the above domains.

Even when Directi do clean up a problem, they do not always clean it up properly.  

For example, let's look at the recent MySpace incident.  Why would they deregister media-drive.com but NOT deregister the domain prolinar.com?  Both are registered via Directi, both are registered to the same person, and prolinar.com has been implicated in multiple fraudware incidents.

Cite: www.bluetack.co.uk/.../index.php

# re: Directi Internet Solutions strikes again

Tuesday, January 13, 2009 6:42 AM by Malekal_morte

Still on 94.247.3.17, you also have this domain: av10antivir.com; still DIRECTI

sploit (payload not working atm) and new rogue: Spyware Protect 2009

screenshot & url : forum.malekal.com/viewtopic.php

# re: Directi Internet Solutions strikes again

Thursday, January 15, 2009 1:55 AM by Domain Seller

Dear Sandi,

Just out of curiosity, if I register asdasdasd.com and put some trojan on the site and then advertise my domain name or redirect other domain names to this domain name, how will my registrar know at the time of registration that this domain name is bad?

It is just people like you and me and our blogs that help the registrars clean up such domain names.

# re: Directi Internet Solutions strikes again

Thursday, January 15, 2009 7:56 AM by sandi

1. You are simplifying the issue far too much.  If I can spot a potential problem from a mile off, simply by examining all the information available about a domain (even without evidence of actual malicious behaviour) then so can Directi.  And yes, if you read my blog for an extended period of time, you will be able to "pick up the signs" too.

2. We are not talking about domain "asdasdasd.com" - we are talking about domains that have been registered that IMPERSONATE OTHER WELL KNOWN DOMAINS.  Even then, to be frank, nonsense domain names such as asdasdasd.com deserve immediate red flagging and in-depth investigation before being accepted.

3.  It was not just one domain impersonating a legitimate site - it was several - AND the impersonating sites were sharing IP with a fraudware (fake security software) site.  I would expect Directi, after seeing the same problem over and over and over and over again would start flagging domains that could be used for fake security software.

4. There is a reason Directi keeps falling victim and other registrars do not - you might want to think about that.  Think about why other registrars do not have such problems, and why Directi does.

# re: Directi Internet Solutions strikes again

Wednesday, February 25, 2009 7:15 PM by Martin Gomez

Mr. Directi Internet Solutions:

Are you a hosting provider? What is your web?

Please send me the answer to mgomez@nettperu.com

Thanks,

Martin