Brian Krebs, investigative journalist and publisher of the infosec blog Krebs On Security, uses DomainTools to research rogue domain owners.
In a recent article, Krebs shared news of how Bitcanal – a Portuguese network – has been aiding spammers by hijacking millions of IP addresses.
According to Krebs, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal.
Shortly after obtaining a group of IP addresses, Bitcanal would sell or lease the space to spammers, who would then begin sending junk email from those addresses, evading blocklists.
Brian Krebs used DomainTools and its historic WHOIS research tool to identify the scam:
“Another business tied to Mr. Silveira suggests that Bitcanal/Ebony Horizon has long been actively involved in obtaining sizable chunks of Internet address space on behalf of its clients. The same contact phone number that once existed on the (now unreachable) home page of Bitcanal.com also appears on the homepage of ip4transfer.net, a company that advertises the ability to lease large chunks of Internet address space.
The current WHOIS registration records for ip4transfer.net are mostly redacted by domain registrar GoDaddy, but the name Ebony Horizon appears as the current business name, and Mr. Silveira’s name is on the original domain registration records from 2016, according to historic WHOIS records maintained by DomainTools.”
Cross-linking such vital WHOIS data ended on May 25th as the GDPR took effect; at the time, Brian Krebs noted that this would hamper the work of researchers investigating online crime.
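The pivot Krebs describes, a shared contact phone number appearing across domains and across current and historic WHOIS snapshots, is straightforward to automate. The following is an added example, not code from the original post or from DomainTools; it uses constructed WHOIS snapshots with hypothetical domains and a made-up phone number, and treats privacy-redacted fields as non-matching so that post-GDPR placeholder values never link unrelated domains.

```python
import re
from collections import defaultdict

# Strings that indicate a redacted field rather than real contact data.
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "DATA PROTECTED", "GDPR")


def normalize_phone(raw):
    """Reduce a phone field to digits so formatting differences cannot hide a
    match; return None for empty or privacy-redacted values so they never pivot."""
    if not raw or any(m in raw.upper() for m in REDACTION_MARKERS):
        return None
    digits = re.sub(r"\D", "", raw)
    return digits or None


def pivot_on_phone(records):
    """records: WHOIS snapshots as dicts with domain, snapshot (YYYY-MM-DD) and
    registrant_phone. Returns {phone_digits: sorted [(domain, snapshot), ...]}
    for every phone number seen on more than one distinct domain."""
    seen = defaultdict(set)
    for rec in records:
        phone = normalize_phone(rec.get("registrant_phone"))
        if phone:
            seen[phone].add((rec["domain"], rec["snapshot"]))
    return {p: sorted(v) for p, v in seen.items()
            if len({d for d, _ in v}) > 1}


# Constructed sample snapshots (hypothetical domains, made-up phone number).
# The 2018 snapshots are redacted; only the historic ones carry the link.
SAMPLE = [
    {"domain": "example-hosting.com", "snapshot": "2017-03-01",
     "registrant_phone": "+1.5550100200"},
    {"domain": "example-hosting.com", "snapshot": "2018-07-01",
     "registrant_phone": "REDACTED FOR PRIVACY"},
    {"domain": "example-leasing.net", "snapshot": "2016-05-12",
     "registrant_phone": "+1 (555) 010-0200"},
    {"domain": "example-leasing.net", "snapshot": "2018-07-01",
     "registrant_phone": "REDACTED FOR PRIVACY"},
    {"domain": "unrelated.org", "snapshot": "2018-07-01",
     "registrant_phone": "REDACTED FOR PRIVACY"},
]

if __name__ == "__main__":
    for phone, hits in pivot_on_phone(SAMPLE).items():
        print(f"phone {phone} links: {hits}")
```

Running it on the sample links the two hypothetical domains only through their pre-redaction snapshots, which is exactly why historic WHOIS data matters once current records are redacted.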
For the full article, click here.