Former FBI-controlled web domains were used by crooks to serve porn and spread adware. Some of the sites abused by the cyber criminals belong to the large set of domains seized from the well-known entrepreneur Kim Dotcom.
Be aware, I'm not talking about obscure sites but about two of the most popular domains of all time, Megaupload.com and Megavideo.com.
The fraudsters' choice was no accident: these websites still attract a large audience, and by hijacking them the crooks maximized the reach of their malicious campaign.
The websites weren't hacked by the crooks; instead, they were taken over because the FBI forgot to renew them. Once the abuse was discovered, the authorities immediately suspended the domains and removed all content.
The news was first reported by the news website TorrentFreak, which noticed that the domains once run by Kim Dotcom were redirecting visitors to porn websites, sites offering adware, bogus special offers, and fake security software.
“The Department of Justice has made a grave error as several seized Megaupload domains are now being exploited for nefarious purposes. A few days ago both Megaupload.com and Megavideo.com began directing visitors to scams and malware, presumably because the FBI’s cybercrime unit lost control of the main nameserver.”
The domains were seized by the FBI three years ago, when the US authorities accused Dotcom of piracy and copyright infringement. Kim Dotcom announced the unfortunate episode via Twitter.
BREAKING: US Govt has lost control of seized Megaupload domain. It’s now linking to porn, drugs, malware & scam ads! http://t.co/OgmiqVsE2Y
— Kim Dotcom (@KimDotcom) 28 May 2015
Ars Technica revealed that the domains had become available because law enforcement had forgotten to renew its registration of the domain cirfu.net, which belongs to the agency's Cyber Initiative and Resource Fusion Unit (CIRFU) and is used to control seized domains. Among the websites controlled by the same unit are the Megavideo domain and several gambling domains.
“Based on evidence collected by Ars, it appears someone at the FBI’s Cyber Division failed to renew the domain registration for CIRFU.NET, the domain which in turn hosted Web and name servers used to redirect traffic headed to seized domains. As soon as they expired, they were snatched up in a GoDaddy auction by a self-described “black hat SEO marketer,” a British ex-pat who calls himself “Earl Grey.”
As of Thursday afternoon, all of the server names associated with the domain no longer resolve to Internet addresses. GoDaddy has apparently suspended the domain registration, and Earl Grey has been ranting about it ever since on Twitter. The CIRFU.NET domain currently remains in limbo.”
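The failure mode Ars describes is a dangling delegation: the seized domains pointed their NS records at hosts under a third-party domain, so whoever re-registered that domain inherited control of them. The check below is an added example written for this article, not code from the FBI, Ars or any project: it flags delegations whose nameserver parent domain is expired or about to expire. The NS records and expiry dates are constructed samples, and `parent_domain` assumes a two-label public suffix.

```python
"""Audit DNS delegations for nameserver hosts whose registrable parent
domain is expired or expiring, the gap that let seized domains change hands
when cirfu.net lapsed. Sample data below is constructed for illustration."""
from datetime import date, timedelta

# Constructed NS records: each seized domain delegates to hosts under cirfu.net
# or, for the hypothetical second domain, under two other third-party domains.
SAMPLE_NS = {
    "megaupload.com": ["ns1.cirfu.net", "ns2.cirfu.net"],
    "example-seized.com": ["ns1.example-registrar.net", "ns2.other.net"],
}
# Constructed registration expiry dates; a real audit would take these
# from WHOIS/RDAP for every nameserver parent domain.
SAMPLE_EXPIRY = {
    "cirfu.net": date(2015, 5, 20),
    "example-registrar.net": date(2016, 1, 1),
    "other.net": date(2015, 6, 15),
}

def parent_domain(host):
    """Registrable parent of a nameserver host. Assumes a two-label suffix
    such as .com or .net; use the Public Suffix List for real-world audits."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit(ns_records, expiry, today, warn_days=30):
    """Return {domain: [(nameserver_parent, status), ...]} for delegations
    whose nameserver parent is missing from `expiry`, expired, or expiring
    within warn_days. In-bailiwick nameservers are skipped: they cannot be
    taken over separately from the domain they serve."""
    findings = {}
    for domain, servers in ns_records.items():
        for parent in sorted({parent_domain(s) for s in servers}):
            if parent == parent_domain(domain):
                continue
            exp = expiry.get(parent)
            if exp is None:
                status = "unknown-expiry"
            elif exp < today:
                status = "expired"
            elif exp - today <= timedelta(days=warn_days):
                status = "expiring"
            else:
                continue
            findings.setdefault(domain, []).append((parent, status))
    return findings

if __name__ == "__main__":
    for dom, hits in audit(SAMPLE_NS, SAMPLE_EXPIRY, date(2015, 5, 28)).items():
        print(dom, hits)
```

Running it against the sample data flags megaupload.com as delegated to an already expired cirfu.net, which is exactly the condition a registrar renewal reminder would have caught.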
Investigators have not yet identified who acquired cirfu.net and the seized domains associated with it; at the time of writing, the only certainty is that it is now run by Syndk8 Media, which is based in Gibraltar.
The following images show the DNS records before and after the takeover.
The FBI has yet to comment on the incident, but if you want to know more about Syndk8 you should read the report published by Ars.
(Security Affairs – Kim Dotcom, Megaupload)