EpikFail: Cybersquatting

Predicta Lab
Oct 19, 2021
rawpixel (CC-BY)

On September 13th Anonymous released 180 gigabytes-worth of private data from Epik, the American alt-right’s favorite web hosting company. This internet service provider has been accused of facilitating the organization of the January 6th attacks on the Capitol by hosting platforms such as Gab, Parler or TheDonald.

The leak revealed 1.8 million domains and the personal information of their registrants. Whilst that includes a significant part of the American far-right internet presence, many of these domains are ordinary websites. The Washington Post thus lists domains devoted to real estate, home improvement, vegan cooking, various types of spirituality, pornography, gaming, cryptocurrency…

Moreover, although the overwhelming majority of domains are registered by American residents, registrants from all over the world are represented in this leak. Predicta Lab therefore set out to explore the 2951 Epik domains registered to addresses in France.

To do so, we started by ingesting the original file in two steps. First, we converted the whois database from SQL format to a JSON file. Second, we uploaded the data to an Elasticsearch instance, where it is easily visualized.
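The two ingestion steps, followed by the per-registrant count used later in the article, can be sketched as follows. This is an added example, not Predicta Lab's own code: the table name, column names, index name and sample rows are constructed assumptions, and the parser only handles `''`-style quote escapes.

```python
import json
import re
from collections import Counter

# Constructed sample dump: table and column names are assumptions,
# not the real schema of the leaked database.
SAMPLE_DUMP = """INSERT INTO `whois` (`domain`, `registrant_name`, `registrant_country`) VALUES
('example-one.com', 'Domain Admin', 'FR'),
('example-two.com', 'Jean D''Exemple', 'FR'),
('example-three.net', 'Jean D''Exemple', 'FR'),
('example-four.org', 'Bob Example', 'US'),
('example-five.org', 'Bob Example', NULL);
"""

INSERT_RE = re.compile(r"INSERT INTO `?\w+`? \((.*?)\) VALUES\s*(.*?);\s*$", re.S | re.M)
# One (...) tuple; quoted strings may contain commas, parentheses and '' escapes.
ROW_RE = re.compile(r"\(((?:'(?:[^']|'')*'|[^()'])*)\)")
VAL_RE = re.compile(r"'((?:[^']|'')*)'|([^,'\s]+)")

def dump_to_docs(dump):
    """Step 1: turn every INSERT row into a dict keyed by column name."""
    docs = []
    for ins in INSERT_RE.finditer(dump):
        cols = [c.strip(" `") for c in ins.group(1).split(",")]
        for row in ROW_RE.finditer(ins.group(2)):
            vals = [q.replace("''", "'") if not b else (None if b == "NULL" else b)
                    for q, b in VAL_RE.findall(row.group(1))]
            docs.append(dict(zip(cols, vals)))
    return docs

def to_bulk_ndjson(docs, index="whois-sample"):
    """Step 2: body for the Elasticsearch _bulk API (action line, then source line)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": doc["domain"]}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # the bulk body must end with a newline

def top_registrants(docs, country="FR", n=3):
    """Count domains per registrant for one country, most domains first."""
    names = (d["registrant_name"] for d in docs if d["registrant_country"] == country)
    return Counter(names).most_common(n)

if __name__ == "__main__":
    records = dump_to_docs(SAMPLE_DUMP)
    print(to_bulk_ndjson(records), top_registrants(records))
```

Using the domain as the document `_id` makes re-ingestion idempotent, so loading the same dump twice does not inflate the per-registrant counts.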

This process revealed that, like the data at large, the sample of domains registered to French residents is highly heterogeneous. For instance, it includes domains for small businesses, mangas, pornographic websites, fora, cryptography websites, etc. No overarching pattern appears from this preliminary assessment, so we decided to focus on the three individuals with the most Epik domains. The result of this selection can be found below (Figure 1).

Figure 1

In first position with 1122 domains registered to its name is “domain admin”. Of course this is not an individual but the product of the anonymization system of Epik (or the part of this system that was successful). We will thus put these aside to consider the following three individuals.

Figure 2

First we have Amour Media, who registered 414 domains on Epik (Figure 2). An advertising company based in Nantes was registered to the same address as these domains. This enterprise was only active between 2007 and 2018, but the domains created under this name were bought from March 2000 to October 2020. Across all the domains owned by Amour Media, two addresses were provided: the address in Nantes and a second in Chambéry, where another advertising company called Olyon is registered. Olyon is owned by the same person as Amour Media and has been active since June 2018. Interestingly, the domain olyon.com, also owned by Amour Media, redirects to an active website for a fast food restaurant run once again by the same person. Hence, this individual uses his domains to promote his business, but not only for that.

Out of the 414 domains registered to Amour Media, more than half (252) have names related to lesbianism and to dating. It seems these names are intended to disguise pornography websites (Figure 3).

Figure 3

*“Shaadi” is the name of an Indian matrimony service.

Some of these domains found a second buyer: 14 domains in the format [city]dating.com redirect to the art blog of a North Macedonian lady, 11 redirect to a North Macedonian electronics online shop and 48 redirect towards various pornography websites.

Figure 4

Likewise, we can find a theme in the domains registered by the second French individual with the most Epik registrations. Out of the 378 domains bought by Fabien D., 376 include the term “padel” in their name, a sport he practices himself (Figure 4). These domains were bought between February 2000 and November 2019. This extensive variation of padel domains also shows an attempt to own all domain names for this activity and to profit from their sale.

The third French resident with the most Epik domains is Mustafa C. and, unlike the other two, his 189 domains are extremely heterogeneous. They concern all kinds of fields such as health care, cars, news and electronics. Most of them are in Turkish, Mustafa’s mother tongue. It seems his strategy is to buy domains for very common businesses on the assumption that they are more likely to be in demand than niche domains. Five of his domains were bought by a Turkish IT consulting company and now redirect to the enterprise’s website. Another 10 domains are on sale for bold prices from $5000 (USD) to $50000.

The practice of registering another’s trademark in a domain name, generally in bad faith, has different names: cybersquatting, domain name grabbing, domain squatting (ICANN, 2021). The objective of domain squatting is usually to block the owner or legitimate user of the trademark used in the domain name from accessing it in order to subsequently sell them the domain for a profitable price.

Exactly how profitable is this practice? That depends. In the case of Epik, invoices have shown that some domains are worth thousands of dollars. Nevertheless, in 2019 half the domains were sold for less than a dollar and only about 2 percent went for more than $10. Thus domain squatting is only significantly profitable if the person engaging in it owns domains that buyers are willing to pay a lot for, or if he owns many domains.

Domain squatting is punished by law in both French and American jurisdictions.

Under the United States' Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), a domain registrant may be sued under two conditions. First, if he acted in bad faith or with the intent to profit from a trademark. Second, if he registered, traffics in, or uses a domain name that is identical or confusingly similar to a distinctive, famous or protected mark that he doesn’t own. Hence, domain squatters can be sued in federal court under the ACPA. Domain squatting can also be pursued in administrative proceedings under the Uniform Domain Name Dispute Resolution Policy (UDRP) upheld by the Internet Corporation for Assigned Names and Numbers (ICANN).

In France, the Association française pour le nommage internet en coopération (AFNIC) carries out the legal procedures to settle disputes over .fr and .re domain names, according to the procédures alternatives de résolution de litiges (PARL).

Follow @PredictaLabOff on Twitter for more OSINT investigations.

This article is available on Medium predictalab.medium.com and on our website blog.predictalab.fr
