Subject: Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure - KnujOn Reports
In our continuing effort to shed light on the dark corners of the Internet
we have produced this report on the Directi Group, a fairly large player in
the Registrar world. We have highlighted their use of the controversial
service PrivacyProtect.org, their continued sponsorship of fake pharmacy
domains, and their apparent ability to get Registrar accreditations for 48
The full report with documentation, data and links to supporting articles is
http://www.knujon.com/KnujonReport_dire ... 082808.pdf
48 Phantom Registrars
KnujOn has found at least 48 ICANN-accredited Registrars that do not seem to
exist. All of the Registrars in question are affiliated with the Directi
Group (Directi, PublicDomainsRegistry, Answerable, LogicBoxes). Our
attention was first brought to them when we released our report of the Ten
Worst Registrars for illicit domains, spam, and false registrations. At the
time, in some records Directi’s address was listed as: “14525 SW Millikan
#48732 Beaverton Oregon”. Directi has since denied this and now disclosed
its address as being in Mumbai, India. This prompted us to take a closer
look at all the Registrars in Internic’s (ICANN) directory affiliated with
Directi and presenting themselves as being located in the United States. 8
Directi–affiliated Registrars list their address on the Internic Registrar
Directory as: 14525 SW Millikan #48732 Beaverton Oregon.
In examining the directory for the other 40 Direct-affiliated Registrars, we
find an even more confusing address:
15 West 47th Street New York, NY 10036 Oregon
The first line is obviously ambiguous with “Oregon” on the end of a New York
address. An additional layer of confusion is added by the fact that
650-331-0716 is a San Mateo, California phone number. So, where are these
companies? New York, Oregon, California or Mumbai? There is nothing wrong
with having multiple business locations, but this fact is not disclosed on
any their websites or at Internic.
Next, we set out to verify if any of these companies were real. Because of
the confusing addresses we researched the New York, Oregon, California and
India business registries. None of the Directi-affiliated companies listed
in the Internic Registrar Directory are real licensed companies:
Jumbo Name, Inc.
Your Domain King, Inc.
Game For Names, Inc.
Ever Ready Names, Inc.
Find Good Domains, Inc.
Go Full House, Inc.
Instinct Solutions, Inc.
Name Perfections, Inc.
Need Servers, Inc.
Network Savior, Inc.
Power Carrier, Inc.
Power Namers, Inc.
Super Name World, Inc.
Tech Tyrants, Inc.
The Registrar Service, Inc.
Trade Starter, Inc.
Venus Domains, Inc.
Yellow Start, Inc.
Zone Casting, Inc.
Extend Names, Inc.
Extremely Wild Key Registrar, Inc.
Magic Friday, Inc.
Name To Fame, Inc.
Net Juggler, Inc.
Unified Servers, Inc.
Names Bond, Inc.
Specific Name, Inc.
Genuine Names, Inc.
Best Site Names, Inc.
Get Real Names, Inc.
Global Names Online, Inc.
Naming Associate, Inc.
The Names Registration, Inc.
Cool Ocean, Inc.
Names Real, Inc.
Big Domain Shop, Inc.
Colossal Names, Inc.
Click Registrar, Inc.
Cotton Water, Inc.
Crystal Coal, Inc.
Curious Net, Inc.
Domain Band, Inc.
Domain Mantra, Inc.
Platinum Registrar, Inc.
There is an expression that a company can “exist only on paper”, but in this
case we don’t even have that.
The Fake Pharmacies
We have collected content and data for the 19,000 plus domains using the
PrivacyProtect.org service that have been advertised through spam and
narrowed the analysis down to 9,156 domains that are currently active.
What has been found is very interesting and helps explain how a rogue
Registrar can play a big role in supporting massive fake pharmacy networks.
Starting with a list of 1,820 fake pharmacy domains all using
PrivacyProtect.org and all registered through Directi/PublicDomainsRegistry
we find these sites are all served from 22.214.171.124, an IP at the McGill
University (likely a compromised machine, maybe even that of a student).
Half of the content for the sites is served from an IP in Austria, the other
half from an IP in the UK. (See the full list)
We could call McGill today and get this IP closed but it would only be a
temporary obstacle for the criminals. In fact, since KnujOn collected this
data the sites have already moved to 126.96.36.199, which is Donghai
University in China. These networks are very nimble, the content is highly
portable and deployed by scripted kits. This is where the Registrar comes
in. They have to make the sites resolve at a new location quickly. The IP
addresses of the fake pharmacies change, but the Registrar and proxy
registration service are constants. The nameservers for these sites are all
at Directi/PublicDomainsRegistry and also shielded by PrivacyProtect.org.
Their subtle misdirection provides cover. If a consumer complains to
Directi/PublicDomainsRegistry about these sites they simply direct them to
the ISP host that serves the content. If and when the site content is closed
by the ISP host, Directi/PublicDomainsRegistry just helps them set up at a
new IP. The true owners are of course shielded by PrivacyProtect.org. It’s a
cycle they have adapted to, so the fake online pharmacy business continues
with minimal interruptions. (Download full list of Directi/PrivacyProtect Rx
domains with most recent IP)
The service that shields ownership of the unlicensed pharmacies,
PrivacyProtect.org, is itself a phantom with undisclosed ownership. It was
revealed in a Washington Post article that the Directi Group actually owns
PrivacyProtect.org, a fact they did not deny when they responded to the
In summary, we have thousands of illicit domains cloaked by a company which
is also anonymously owned. The domains are all sponsored by the Directi
Group which is affiliated with 48 Registrars that cannot be proven to be
real entities. Clearly there are serious problems with oversight, due
diligence, and accountability. How can the consumer be protected under these
While Directi claims they will suspend illicit domains, KnujOn has found on
many occasions Directi sponsored domains being removed temporarily only to
be restored after a brief period with the same content. The sheer volume of
fake pharmacies at Directi is daunting, and given the fact that they can all
be traced to one source: PrivacyProtect.org, would it not be time for
Directi to reconsider its relationship with PrivacyProtect.org if they are
serious about solving the problem?
As for ICANN, how is it possible that so many companies can be granted
accreditation with unverified credentials?