Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Directi has taken over Estdomains’ Registrar operations

November 25th 2008 in Uncategorized




It is important to note that Estdomains designated Directi as its successor.  This is despite the fact that Directi apparently dumped Estdomains as a client a while back (see “Historical Stuff” below).

It will be very interesting to watch developments going forward.  What Registrar will the fraudsters use from now on?  Will Directi audit the domains that have been passed on to them?  How fast (or slow) will takedowns be?  Will they red flag and audit domains associated with email addresses which use multiple pseudonyms, or pseudonyms that use multiple email addresses (like these?) (btw, don’t assume that these are used for Estdomain/Directi registered domains – they’re examples of what the bad guys do):





Historical stuff:

28 August 2008
Washington Post – Hostexploit – Report slams US host as major source of badware (Atrivo) – mentions Directi

3 September 2008
The Register – Anonymous domain registration nixed amid fraud complaints

6 September 2008
Hostexploit – Atrivo – Cyber Crime US Report – update 090608 – Directi take action

7 September 2008
Hostexploit – Joint statement from Directi, HostExploit and Kunujon

8 September 2008
A Superlative Scam and Spam Site Registrar – includes a section entitled “The Role of Directi”

Domains registered at Directi that have been listed in URIBL – URIBL lists domains that appear in spam (Note: 830 domains have been listed in my URIBL RSS Feed of Directi domains that have appeared in spam since the afternoon of 18 September 2008)

18 October 2008
Directi blog – Action against registry services abuses

Various dates
Mention of Directi at rbn.blogspot.com

Various dates
Mention of Directi at knujon.com

Comments are closed.

Expedia have been alerted. Details here:http://www.mikeonads.com/2008/11/23/malvertisement-on-expediacom/ It looks identical to the malvert at allrecipes.com discussed here:http://www.bluetack.co.uk/forums/index.php?s=6152c183e90c1f780588775106ba8be6&showtopic=18064&st=180&p=89945&# Some of the same domains are used, prolinar.com and clicksoverview.com.  The fraudware domain is also the same, antivirusdefense.com. prolinar.com ICANN Registrar: ESTDOMAINSCreated: 18 November 2008NS57.1AND1.COMNS58.1AND1.COM IP: – United States – 1&1 Internet […]

Previous Entry

Those of us who are regular readers of my blog will know that newstat.net has been associated with malvertizing in the past.  Its WHOIS details have recently been changed. Old details: SergMoonmoon.serg@gmail.comKrokus str.AmsterdamNL31 334558757 New details: John Brisbone  (larsonown@gmail.com)Active Solutions8255 S Michigan Ave  Chicago, IL  60608US5676876812 John Brisbone is associated with 3 […]

Next Entry