Two of the most popular domains ever, seized by the FBI from Kim Dotcom three years ago, are now being used for illegal activities.
Web domains formerly controlled by the FBI were used by crooks to serve porn or spread adware. Some of the sites abused by the cyber criminals are among the many domains seized from the well-known entrepreneur Kim Dotcom.
Be aware, I'm not talking about ordinary sites but two of the most popular domains of all time, Megaupload.com and Megavideo.com.
The fraudsters' choice was not accidental: these websites still attract a large audience, so by using them the crooks maximized the reach of their malicious campaign.
The websites weren't hacked by the crooks; instead, they were taken over because the FBI forgot to renew a domain registration. Once the abuse was discovered, the authorities immediately suspended the domains, removing any content.
“The Department of Justice has made a grave error as several seized Megaupload domains are now being exploited for nefarious purposes. A few days ago both Megaupload.com and Megavideo.com began directing visitors to scams and malware, presumably because the FBI’s cybercrime unit lost control of the main nameserver.”
The domains were seized by the FBI three years ago, when US authorities accused Dotcom of piracy and copyright infringement. Kim Dotcom announced the unfortunate episode via Twitter (http://t.co/OgmiqVsE2Y).
“BREAKING: US Govt has lost control of seized Megaupload domain. It’s now linking to porn, drugs, malware & scam ads!” wrote Kim Dotcom.
Ars Technica revealed that the domains had become hijackable because law enforcement had forgotten to renew its registration of cirfu.net, the domain belonging to the agency's Cyber Initiative and Resources Fusion Unit that hosts the servers controlling seized domains. Among the websites controlled through the same infrastructure are the Megavideo domain and several gambling domains.
“Based on evidence collected by Ars, it appears someone at the FBI’s Cyber Division failed to renew the domain registration for CIRFU.NET, the domain which in turn hosted Web and name servers used to redirect traffic headed to seized domains. As soon as they expired, they were snatched up in a GoDaddy auction by a self-described “black hat SEO marketer,” a British ex-pat who calls himself “Earl Grey.”
As of Thursday afternoon, all of the server names associated with the domain no longer resolve to Internet addresses. GoDaddy has apparently suspended the domain registration, and Earl Grey has been ranting about it ever since on Twitter. The CIRFU.NET domain currently remains in limbo.”
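The failure mode Ars describes is a dangling delegation: the seized domains' NS records point into a zone (cirfu.net) whose registration is independent of the seized names, so when that zone lapses whoever registers it controls the nameservers. As an added illustration, not code from the article, Ars or the FBI, here is a check a defender can run over a domain inventory to spot delegations that depend on an unregistered, expired or soon-expiring nameserver zone. The delegation and expiry data are constructed; a real check would pull NS records via DNS and expiry dates via WHOIS/RDAP, and use the public suffix list instead of the two-label shortcut.

```python
from datetime import date, timedelta

# Constructed sample: the delegation shape the article describes
# (seized domains with nameservers under cirfu.net), plus two contrasts.
DELEGATIONS = {
    "megaupload.com": ["ns1.cirfu.net", "ns2.cirfu.net"],
    "megavideo.com": ["ns1.cirfu.net", "ns2.cirfu.net"],
    "example-seized.org": ["ns1.example-seized.org", "ns2.example-seized.org"],
    "other-seized.net": ["ns1.holding-ns.example", "ns2.holding-ns.example"],
}

# Constructed expiry dates, as a WHOIS/RDAP lookup would return them.
# None means the zone is not registered at all (lapsed and dropped).
EXPIRY = {
    "cirfu.net": None,
    "example-seized.org": date(2016, 1, 1),
    "holding-ns.example": date(2015, 8, 10),
}

def registrable_domain(hostname):
    """Reduce a nameserver hostname to the zone that must stay registered.
    Assumption: last two labels; production code should use the public suffix list."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def find_dangling_delegations(delegations, expiry, today, warn_days=30):
    """Return sorted (domain, nameserver zone, problem) tuples for every
    domain whose nameservers live in a zone that is unregistered, already
    expired, or expiring within warn_days."""
    findings = set()
    for domain, nameservers in delegations.items():
        for ns in nameservers:
            zone = registrable_domain(ns)
            if zone == domain:
                continue  # in-bailiwick nameservers: lifetime tied to the domain itself
            exp = expiry.get(zone)
            if exp is None:
                findings.add((domain, zone, "nameserver zone not registered: open to takeover"))
            elif exp <= today:
                findings.add((domain, zone, "nameserver zone expired on %s" % exp))
            elif exp - today <= timedelta(days=warn_days):
                findings.add((domain, zone, "nameserver zone expires in %d days" % (exp - today).days))
    return sorted(findings)

if __name__ == "__main__":
    for domain, zone, problem in find_dangling_delegations(DELEGATIONS, EXPIRY, date(2015, 8, 1)):
        print("%-20s %-22s %s" % (domain, zone, problem))
```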
The investigators still haven't discovered who acquired cirfu.net and the seized domains associated with it; at the time of writing, the only certainty is that it is now run by Syndk8 Media, which is based in Gibraltar.
The following images show the DNS records before and after the takeover.
The FBI has yet to comment on the incident, but if you want to know more about Syndk8, you should read the report published by Ars.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC-Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.