Card dumps by:
Half of the domains below (.org, .biz, .info, .net, .com) are under minimal control by ICANN. A registrar that handles registrations for these domains must provide contact information for abuse complaints. ICANN says (Section 3.18.2): "Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report."
Since the sale of stolen credit-card data is a violation of criminal law, and the sites below openly sell this data, it should be a simple matter to notify the ICANN-accredited registrar for these domains and get them disabled. But the registrar in this case is Webnic.cc in Malaysia. Their response is that they are trying to contact their reseller to find out what's going on. It has been more than a month so far, and they have done nothing.
Then we went to the three registries that handle .org, .biz, and .info. A registry, as opposed to a registrar, controls the actual root DNS servers for their domain. These three have their own abuse policies, and they responded by placing these domains on hold. A fourth registry, Verisign, handles .net and .com, but their senior corporate counsel, James Hubler, refused to take any action. At that point we again complained to Webnic.cc about ten of the .net and .com domains shown below. They suspended them, by which time we had uncovered another dozen at a different registrar.
The remaining half of the domains shown below are almost all .su and .ru. As far as we can tell, there is no way to complain about those. Of course, CloudFlare could disconnect from everything on this page in a heartbeat. Their partner for SSL, GlobalSign, did respond to our complaints back in December. But CloudFlare itself doesn't even bother to answer abuse complaints. They believe in something called "Internet freedom," which apparently includes the freedom to break criminal laws and screw over other people.
approved1.biz (clientHold, 2014-02-11)
approved1.org (serverHold, 2014-02-11)
bstab.biz (clientHold, 2014-02-11)
bstab.net (clientHold, 2014-03-06)
cardplanet.org (serverHold, 2014-01-27)
ccbases.net (clientHold, 2014-03-06)
ccbases.org (serverHold, 2014-02-11)
ccstore.org (serverHold, 2014-02-11)
cheapdumps.org (SSL disabled by GlobalSign, 2013-12-30; serverHold, 2014-01-21)
cheapdumps.so (direct-connect 22.214.171.124, 2014-03-13)*
consuella.biz (clientHold, 2014-02-11)
crdsu.info (HOLD, 2014-02-12)
dumps44.com (clientHold, 2014-03-06)
feshop.info (HOLD, 2014-02-12)
galaxycvv.com (clientHold, 2014-03-06)
infraud.info (HOLD, 2014-02-12)
justvalid.biz (clientHold, 2014-02-11)
justvalid.org (serverHold, 2014-02-11)
kaddafi.hk (SSL disabled by GlobalSign, 2013-12-26; direct-connect 126.96.36.199, 2014-02-27)*
korovka.info (HOLD, 2014-02-12)
korovka.org (serverHold, 2014-02-11)
logoshopcc.net (clientHold, 2014-03-06)
octavian.su (SSL disabled by GlobalSign, 2013-12-26; direct-connect 188.8.131.52, 2014-02-27)*
rescator.biz (clientHold, 2014-02-11)
rescator.la (SSL disabled by GlobalSign, 2013-12-26; serverHold, 2013-12-27)
rescator.so (SSL disabled by GlobalSign, 2013-12-26; direct-connect 184.108.40.206, 2014-02-27)*
reskator.la (serverHold, 2014-03-10)
slilpp.net (clientHold, 2014-03-06)
swiped.biz (clientHold, 2014-02-11)
thefreshcc.com (clientHold, 2014-03-06)
thefreshdumps.com (clientHold, 2014-03-06)
torcvv.com (clientHold, 2014-03-06)
worldcvv.com (clientHold, 2014-03-06)
zapili.biz (clientHold, 2014-02-11)
* Footnote *
When curl is used with the -H "Host:" option, a request sent straight to the IP address 220.127.116.11 bypasses CloudFlare. The domains that handle nearly all of Rescator's traffic are octavian.su, rescator.so, kaddafi.hk, and cheapdumps.so. Even cheapdumps.org, another Rescator domain, responds on this IP address when you don't use DNS (the registry disabled it in January). This address was discovered accidentally on February 27 when rescator.so briefly disabled CloudFlare and we happened by at the right time. The server at this address is probably another pass-through proxy, but the owner of that address block might have a record of who is using it.
UPDATE 2014-04-23: The 18.104.22.168 address was checked daily after it was discovered, and it worked every day until April 22. That's when direct access attempts began timing out, although the sites themselves are still up. Either Rescator is using a different IP address on the same server, or he changed to a different server or different provider, or he is blocking all non-CloudFlare IP addresses that try to access his server directly.
UPDATE 2014-06-03: Rescator's cheapdumps.so and kaddafi.hk are now parked at 22.214.171.124 and 126.96.36.199 in the Netherlands. Both redirect to octavian.su, which remains hidden behind CloudFlare, while these two parked domains are now using nameservers at cloudns.net.
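A site operator can run the check described in the footnote against their own origin to confirm that it refuses requests that do not arrive through the CDN, which is the third possibility named in the 2014-04-23 update. The following is an added example, not part of the original page; the hostname shop.example, the local stand-in origin and the function names are assumptions made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_origin(ip, host, port=80, timeout=5):
    """Ask `ip` directly for `host` (no DNS, no CDN) and classify the answer."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # An explicit Host header stops http.client from sending the IP as Host.
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException):
        # Refused, reset or timed out: what a locked-down origin looks like.
        return "unreachable"
    finally:
        conn.close()
    if resp.status < 400:
        return "exposed"            # origin serves the site to any client
    return "reachable-not-serving"  # port open, but this name is not served


class _ConstructedOrigin(BaseHTTPRequestHandler):
    """Stand-in origin for the demo: serves one virtual host, 404 otherwise."""
    vhost = "shop.example"  # hypothetical site name

    def do_GET(self):
        ok = self.headers.get("Host", "") == self.vhost
        body = b"origin content\n" if ok else b"unknown host\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_constructed_origin():
    """Start the stand-in origin on a free local port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _ConstructedOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_constructed_origin()
    port = srv.server_address[1]
    for name in ("shop.example", "other.example"):
        print(name, classify_origin("127.0.0.1", name, port))
```

An origin that only accepts connections from its CDN's address ranges should come back as "unreachable" when this is run from any other network.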