What really happens when the FBI seizes a domain?
Earlier today when surfing on HackerNews, we came across this article: Sex marketplace Backpage.com seized by U.S. justice authorities
For those who don't know about it… Until today, Backpage was the second biggest classified advertising service in the US after Craigslist.
According to some media reports, 90% of its revenue came from sex classified ads. The problem with that seems to be that these online ad services were being used to facilitate sex traffic and prostitution activities.
A friend of ours asked an interesting question:
Is there a way that SecurityTrails can alert you when the government does something like this? I'm sure this stuff happens more than you think.
Which got us thinking: what is happening when the FBI is seizing domain names?
So we started digging using SecurityTrails.
First, we notice by going to www.backpage.com that there is a new HTML page:
It’s a single image on the HTML page and all other pages seem to 404. The code is very simple with a single image:
So we keep digging… Where is the FBI keeping these pages?
When first looking it seems like Backpage.com is hosted on Verizon with a redirect coming from DNSMadeEasy (Tiggee, LLC) for the initial redirect from the apex domain of “backpage.com” to “www.backpage.com”. (You can also see all the other subdomains from this view.)
With the “www.backpage.com” record is pointing at:
MCI Communications Services, Inc. d/b/a Verizon Business - 22.214.171.124 - www.backpage.com
And that hasn’t changed in a long time:
So it looks like they just put this page in place on the existing www.backpage.com web server so people can see the FBI splash page while DNS is propagating.
Then, we wanted to check out to see if the WHOIS record is changing so we did a current WHOIS search and found out the contact info has been changed on the admin contact to “United States Postal Inspection Service”:
You can see the last historical record from December 1:
On how it used to look:
Then we did a current WHOIS to see if the site’s nameservers have been changed but if it hasn’t propagated yet (we don’t currently display this in SecurityTrails but will start to do it next week for use cases like this).
Right now I am just doing a WHOIS on my computer:
% whois backpage.com Domain Name: BACKPAGE.COM Registry Domain ID: 3112173_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.ascio.com Registrar URL: http://www.ascio.com Updated Date: 2018-04-06T17:58:13Z Creation Date: 1999-01-19T05:00:00Z Registry Expiry Date: 2025-01-19T05:00:00Z Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA Registrar IANA ID: 106 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +442070159370 Domain Status: ok https://icann.org/epp#ok **Name Server: NS1.SEIZEDSERVERS.COM** **Name Server: NS2.SEIZEDSERVERS.COM** DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2018-04-06T20:37:03Z <<<
You can see that there are two name servers that the FBI appears to be using for seized domains:
They’re all apparently hosted by a company called Consolidated Communications, Inc once the records propagate:
At this point, we started digging into this seized domain list to see what we were able to discover from the confiscated domains.
Some interesting domains already seized by the FBI found on the same list:
Kickasstorrents.com Ninjavideo.net Tntnfl.net
A curious fact: 80% of the total seized domain names from these Name Servers are related to generic online pharmacy websites like:
6pills.com alledpills.net allneededpills.biz allneededpills.net brandfemaleviagra.com buygenericviagraa.com buyviagraonline.net buyviagraonlinesl.com cheapgenericviagras.com cheapviagraonlinerd.com cheapviagraonlinesr.com
Another interesting thing we found, it seems the FBI isn’t only focused on online pharmacies, it also has shut down a lot of online “jersey” stores already, some examples:
100jerseys.net 17nfljerseys.com angelsjerseysproshop.com bizjerseys.com buyjerseysworld.com cardinalsjerseyshop.com cheapcanjerseys.com cheapestjerseysworld.com googlenfljerseys.com reebokjerseys.net
As well as illegal online DVD stores:
dvdorderonline.com dvdsetonline.com dvdshopdvd.com elementsmediadvds.com getdvdset.com nibdvd.com wholesalecheapdvd.com
And the list goes on, with around 984 seized domain names.
As you can see we can help you make sense of changes on the Internet for security investigations with the large amount of current and historical information in our databases.
We hope you found this useful! Remember to submit to our [Data Bounty program][bounty] if you found any interesting stories using our domain and IP intelligence platform or automating your apps with a free SecurityTrails API account.