Tags: censorship, government, security

SecurityTrails Blog · Apr 07 · SecurityTrails team

Backpage.com Seizure and What Happens to Seized Domains

What really happens when the FBI seizes a domain?

Earlier today when surfing on HackerNews, we came across this article: Sex marketplace Backpage.com seized by U.S. justice authorities

For those who don't know about it… Until today, Backpage was the second biggest classified advertising service in the US after Craigslist.

According to some media reports, 90% of its revenue came from sex classified ads. The problem, apparently, is that these ad listings were being used to facilitate sex trafficking and prostitution.

A friend of ours asked an interesting question:

Is there a way that SecurityTrails can alert you when the government does something like this? I'm sure this stuff happens more than you think.

Which got us thinking: what actually happens when the FBI seizes a domain name?

So we started digging using SecurityTrails.

First, we notice by going to www.backpage.com that there is a new HTML page:

It’s a single image on the HTML page, and all other pages seem to 404. The HTML is very simple, just that one image:

So we keep digging… Where is the FBI keeping these pages?

On first look, Backpage.com appears to be hosted on Verizon, with DNSMadeEasy (Tiggee, LLC) handling the initial redirect from the apex domain “backpage.com” to “www.backpage.com”. (You can also see all the other subdomains from this view.)

The “www.backpage.com” record points at:

MCI Communications Services, Inc. d/b/a Verizon Business - 192.16.31.168 - www.backpage.com

And that hasn’t changed in a long time:

So it looks like they just put this page in place on the existing www.backpage.com web server so people can see the FBI splash page while DNS is propagating.

Then we wanted to check whether the WHOIS record was changing, so we did a current WHOIS search and found that the admin contact has been changed to “United States Postal Inspection Service”:

You can see the last historical record, from December 1, showing how it used to look:

Then we did a live WHOIS lookup to see whether the site’s nameservers had been changed, even if the change hasn’t propagated in DNS yet (we don’t currently display this in SecurityTrails, but will start to next week for use cases like this).

Right now I am just doing a WHOIS on my computer:

% whois backpage.com
Domain Name: BACKPAGE.COM
Registry Domain ID: 3112173_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ascio.com
Registrar URL: http://www.ascio.com
Updated Date: 2018-04-06T17:58:13Z
Creation Date: 1999-01-19T05:00:00Z
Registry Expiry Date: 2025-01-19T05:00:00Z
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Registrar IANA ID: 106
Registrar Abuse Contact Email: abuse@ascio.com
Registrar Abuse Contact Phone: +442070159370
Domain Status: ok https://icann.org/epp#ok
**Name Server: NS1.SEIZEDSERVERS.COM**
**Name Server: NS2.SEIZEDSERVERS.COM**
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-04-06T20:37:03Z <<<

You can see that there are two name servers that the FBI appears to be using for seized domains:

securitytrails.com/list/ns/NS1.SEIZEDSERVERS.COM

Once the records propagate, they all appear to be hosted by a company called Consolidated Communications, Inc.:
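To turn the manual WHOIS check above into the kind of alert the question at the top asks for, here is an added Python example (ours, not SecurityTrails code and not its API). It parses the key/value WHOIS format shown above, compares a current record against an earlier snapshot, and flags the two indicators the post observed: nameservers under seizedservers.com and an admin contact naming the United States Postal Inspection Service. The earlier snapshot’s nameservers, date and contact are placeholders, since the post does not show them, and the “Admin Organization” line in the current sample is constructed from the post’s description because the registry output above carries no contact fields.

```python
"""Flag a likely domain seizure from WHOIS output (added example, not SecurityTrails code)."""
import re
from datetime import datetime, timezone

# Indicators the post observed on seized domains: the nameserver domain and the
# organisation that replaced the admin contact.
SEIZURE_NS_SUFFIXES = ("seizedservers.com",)
SEIZURE_CONTACT_MARKERS = ("united states postal inspection service",)

# Constructed sample built from the post's registry WHOIS output. The final
# "Admin Organization" line is added from the post's description of the admin
# contact; thin .com registry WHOIS output itself carries no contact fields.
CURRENT_WHOIS = """\
Domain Name: BACKPAGE.COM
Updated Date: 2018-04-06T17:58:13Z
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.SEIZEDSERVERS.COM
Name Server: NS2.SEIZEDSERVERS.COM
Admin Organization: United States Postal Inspection Service
>>> Last update of whois database: 2018-04-06T20:37:03Z <<<
"""

# Constructed earlier snapshot: the post does not show the pre-seizure
# nameservers, date or contact, so those values are placeholders.
PREVIOUS_WHOIS = """\
Domain Name: BACKPAGE.COM
Updated Date: 2017-01-01T00:00:00Z
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.PLACEHOLDER-OLD-NS.INVALID
Name Server: NS2.PLACEHOLDER-OLD-NS.INVALID
Admin Organization: PLACEHOLDER PREVIOUS ADMIN CONTACT
"""

# Time of the check used by the demo below (the day after the post's record update).
CHECK_TIME = datetime(2018, 4, 7, tzinfo=timezone.utc)

KV_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9 /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse 'Key: value' lines into {lowercase key: [values]}; repeated keys
    such as 'Name Server' collect into a list, '%' and '>>>' lines are skipped."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", ">>>")):
            continue
        m = KV_LINE.match(line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def nameservers(record):
    """Normalised, sorted nameserver hostnames from a parsed record."""
    return sorted(ns.lower().rstrip(".") for ns in record.get("name server", []))


def seizure_indicators(record):
    """Human-readable list of the seizure indicators present in one record."""
    found = []
    for ns in nameservers(record):
        if any(ns == s or ns.endswith("." + s) for s in SEIZURE_NS_SUFFIXES):
            found.append(f"nameserver {ns} is under a known seizure nameserver domain")
    for key in ("admin organization", "admin name", "registrant organization"):
        for value in record.get(key, []):
            if any(marker in value.lower() for marker in SEIZURE_CONTACT_MARKERS):
                found.append(f"{key} is now {value!r}")
    return found


def updated_recently(record, now, max_age_days=7):
    """True if the record's Updated Date lies within max_age_days before `now` (aware UTC)."""
    values = record.get("updated date")
    if not values:
        return False
    updated = datetime.strptime(values[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return 0 <= (now - updated).days <= max_age_days


def diff_records(previous, current):
    """List (field, old values, new values) for the fields worth alerting on."""
    changes = []
    if nameservers(previous) != nameservers(current):
        changes.append(("name server", nameservers(previous), nameservers(current)))
    for key in ("registrar", "domain status", "admin organization", "updated date"):
        if previous.get(key, []) != current.get(key, []):
            changes.append((key, previous.get(key, []), current.get(key, [])))
    return changes


def assess(previous_text, current_text, now):
    """Compare two WHOIS snapshots and decide whether to raise a seizure alert."""
    prev, cur = parse_whois(previous_text), parse_whois(current_text)
    indicators = seizure_indicators(cur)
    return {"changes": diff_records(prev, cur), "indicators": indicators,
            "recently_updated": updated_recently(cur, now), "alert": bool(indicators)}


if __name__ == "__main__":
    result = assess(PREVIOUS_WHOIS, CURRENT_WHOIS, CHECK_TIME)
    for field, old, new in result["changes"]:
        print(f"changed {field}: {old} -> {new}")
    print("indicators:", *result["indicators"], sep="\n  ")
    print("alert:", result["alert"], "| updated in the last week:", result["recently_updated"])
```

In a real monitor the two strings would come from a stored snapshot and a fresh lookup of the registrar WHOIS server (the registry record above only gives nameservers, so the contact check needs the registrar’s output). The nameserver indicator is the robust one: it survives the propagation delay the post describes, because WHOIS reflects the registry change before resolvers see it.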

At this point, we started digging into this seized domain list to see what we were able to discover from the confiscated domains.

Some interesting domains already seized by the FBI found on the same list:

Kickasstorrents.com
Ninjavideo.net
Tntnfl.net

A curious fact: 80% of the domain names seized onto these name servers are generic online pharmacy websites, like:

6pills.com
alledpills.net
allneededpills.biz
allneededpills.net
brandfemaleviagra.com
buygenericviagraa.com
buyviagraonline.net
buyviagraonlinesl.com
cheapgenericviagras.com
cheapviagraonlinerd.com
cheapviagraonlinesr.com

Another interesting thing we found: the FBI isn’t only focused on online pharmacies; it has also shut down a lot of online “jersey” stores. Some examples:

100jerseys.net
17nfljerseys.com
angelsjerseysproshop.com
bizjerseys.com
buyjerseysworld.com
cardinalsjerseyshop.com
cheapcanjerseys.com
cheapestjerseysworld.com
googlenfljerseys.com
reebokjerseys.net

As well as illegal online DVD stores:

dvdorderonline.com
dvdsetonline.com
dvdshopdvd.com
elementsmediadvds.com
getdvdset.com
nibdvd.com
wholesalecheapdvd.com

And the list goes on, with around 984 seized domain names.

As you can see, we can help you make sense of changes on the Internet for security investigations, using the large amount of current and historical information in our databases.

We hope you found this useful! Remember to submit to our Data Bounty program if you found any interesting stories using our domain and IP intelligence platform or automating your apps with a free SecurityTrails API account.