SecurityTrails Blog · Apr 07 · by Esteban Borges

Backpage.com Seizure and What Happens to Seized Domains


What really happens when the FBI seizes a domain?

Earlier today, while browsing Hacker News, we came across this article: "Sex marketplace Backpage.com seized by U.S. justice authorities".

For those who don't know about it… Until today, Backpage was the second biggest classified advertising service in the US after Craigslist.


According to some media reports, 90% of its revenue came from sex classified ads. The problem seems to be that these online ad services were being used to facilitate sex trafficking and prostitution.

A friend of ours asked an interesting question:

Is there a way that SecurityTrails can alert you when the government does something like this? I'm sure this stuff happens more than you think.

Which got us thinking: what actually happens when the FBI seizes a domain name?

So we started digging using SecurityTrails.

First, by going to www.backpage.com, we noticed that there is a new HTML page:

img2

It’s a single image on the HTML page and all other pages seem to 404. The code is very simple with a single image:

img3

So we keep digging… Where is the FBI keeping these pages?

At first glance, Backpage.com appears to be hosted on Verizon, with DNSMadeEasy (Tiggee, LLC) handling the initial redirect from the apex domain “backpage.com” to “www.backpage.com”. (You can also see all the other subdomains from this view.)

img4

The “www.backpage.com” record is pointing at:

MCI Communications Services, Inc. d/b/a Verizon Business - 192.16.31.168 - www.backpage.com

And that hasn’t changed in a long time:

img5

So it looks like they just put this page in place on the existing www.backpage.com web server so people can see the FBI splash page while DNS is propagating.

Next, we wanted to see whether the WHOIS record had changed, so we ran a current WHOIS search and found that the admin contact info has been changed to “United States Postal Inspection Service”:

img6

You can see the last historical record from December 1:

img7

And how it used to look:

img8

Then we did a current WHOIS lookup to see whether the site’s nameservers have been changed but the change hasn’t propagated yet (we don’t currently display this in SecurityTrails but will start to do it next week for use cases like this).

Right now I am just doing a WHOIS on my computer:

```
% whois backpage.com
Domain Name: BACKPAGE.COM
Registry Domain ID: 3112173_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ascio.com
Registrar URL: http://www.ascio.com
Updated Date: 2018-04-06T17:58:13Z
Creation Date: 1999-01-19T05:00:00Z
Registry Expiry Date: 2025-01-19T05:00:00Z
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Registrar IANA ID: 106
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +442070159370
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.SEIZEDSERVERS.COM
Name Server: NS2.SEIZEDSERVERS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-04-06T20:37:03Z <<<
```

You can see that there are two name servers that the FBI appears to be using for seized domains:

securitytrails.com/list/ns/NS1.SEIZEDSERVERS.COM

img9

Once the records propagate, they all appear to be hosted by a company called Consolidated Communications, Inc.:

img10
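The alerting question raised earlier comes down to diffing a domain's WHOIS nameservers against a stored snapshot and flagging any move to the seizure nameservers. The sketch below is an added example, not SecurityTrails code: the sample is an abridged copy of the WHOIS output above, and the "previous" nameserver names are constructed placeholders because the page does not list them.

```python
import re

# Nameserver parent domain taken from the WHOIS output above.
SEIZURE_NS_SUFFIXES = ("seizedservers.com",)

# Constructed sample: an abridged copy of the WHOIS response shown above.
SAMPLE_WHOIS = """\
Domain Name: BACKPAGE.COM
Updated Date: 2018-04-06T17:58:13Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.SEIZEDSERVERS.COM
Name Server: NS2.SEIZEDSERVERS.COM
>>> Last update of whois database: 2018-04-06T20:37:03Z <<<
"""

def parse_whois(text):
    """Return {field: [values]}; repeated keys such as Name Server accumulate."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s+(\S.*)$", line)
        if m:  # banner lines such as '>>> Last update ...' do not match
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return record

def normalise(names):
    # DNS names are case-insensitive; lower-case and drop any trailing dot.
    return {n.lower().rstrip(".") for n in names}

def is_seizure_ns(ns):
    # Match on a label boundary so 'notseizedservers.com' is not flagged.
    return any(ns == s or ns.endswith("." + s) for s in SEIZURE_NS_SUFFIXES)

def check_delegation(previous_ns, whois_text):
    """Compare a stored nameserver set with a fresh WHOIS response."""
    current = normalise(parse_whois(whois_text).get("name server", []))
    previous = normalise(previous_ns)
    added = current - previous
    return {
        "added": sorted(added),
        "removed": sorted(previous - current),
        "seizure_ns": sorted(ns for ns in current if is_seizure_ns(ns)),
        "alert": any(is_seizure_ns(ns) for ns in added),  # newly delegated only
    }

if __name__ == "__main__":
    # Constructed earlier snapshot (placeholder names, not from the page).
    old = ["ns1.dns-provider.example", "ns2.dns-provider.example"]
    print(check_delegation(old, SAMPLE_WHOIS))
```

Because registry WHOIS shows the delegation before resolvers catch up, running this check against WHOIS rather than live DNS answers catches the change during the propagation window described above.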

At this point, we started digging into this seized domain list to see what we were able to discover from the confiscated domains.

Some interesting domains already seized by the FBI found on the same list:

Kickasstorrents.com
Ninjavideo.net
Tntnfl.net

A curious fact: 80% of the total seized domain names from these Name Servers are related to generic online pharmacy websites like:

6pills.com
alledpills.net
allneededpills.biz
allneededpills.net
brandfemaleviagra.com
buygenericviagraa.com
buyviagraonline.net
buyviagraonlinesl.com
cheapgenericviagras.com
cheapviagraonlinerd.com
cheapviagraonlinesr.com

We also found that the FBI isn’t only focused on online pharmacies; it has also shut down a lot of online “jersey” stores. Some examples:

100jerseys.net
17nfljerseys.com
angelsjerseysproshop.com
bizjerseys.com
buyjerseysworld.com
cardinalsjerseyshop.com
cheapcanjerseys.com
cheapestjerseysworld.com
googlenfljerseys.com
reebokjerseys.net

As well as illegal online DVD stores:

dvdorderonline.com
dvdsetonline.com
dvdshopdvd.com
elementsmediadvds.com
getdvdset.com
nibdvd.com
wholesalecheapdvd.com

And the list goes on, with around 984 seized domain names.

As you can see, the large amount of current and historical information in our databases can help you make sense of changes on the Internet for security investigations.

We hope you found this useful! Remember to submit to our Data Bounty program if you find any interesting stories using our domain and IP intelligence platform or automating your apps with a free SecurityTrails API account.


Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.
