Name and Shame Rogue Domain Name Registrars

Congratulations to Delhi police fr busting the “Aysushman Bharat fake website fraud”.

It has been reported (Refer Indian Express article) that four persons were arrested in Delhi for running a fake website by the name ayushman-yojana.org and cheating public by offering jobs in the name of the Government. The fraud was brought to light after a complaint was made by the National Health Authority. The website had advertised 5116 vacancies in six states and received payments for registration of applications.

This fraud is a repeat of the fraud committed several years back when a fake website cgtmse-govt.in was opened to impersonate cgtmse.in (First reported on naavi.org: Loans through SMS ??  and Loans through SMS-Fraud Site confirmed. These articles were written on 16/7/2013 and June 11, 2014 but despite the matter having been brought to the notice of the owners of the genuine domain name, no remedial action was taken. Subsequently, a fraud of Rs 22 lakhs occured to a client of Punjab National Bank on which a complaint was filed. It was then reported (Refer article Chattisgarh Adjudicator passes compensation order for Rs 22 lakhs)  The compensation was awarded on 20/5/2016. (copy of order available here)

In the above case also it was the Delhi Police who had arrested the accused who had set up the fake websites www.cgtmse-govt.in, www.cgtmse-gov.in and www.pmay-gov.in. The name of the accused in this case were Sudipto Chatterji alias K.M.Acharya and Shekh Ibrahim.

The websites were disabled after the adjudication which was 3 years after Naavi.org brought the fraud to the notice of the public. During this time several other persons lost their money and this was evident in the fact that the beneficiary of the adjudication, Mr Mohanty got his money returned because there was money in the PNB account of the fraudster which was actually money collected from subsequent frauds. So, some body else who did not pursue the complaint lost the money and the person who pursued the case got his money back from the proceeds of the other frauds.

What we had pointed out at that time and reiterate now is that this fraud could not have been committed without the assistance of the Registrar of Domain Names and also the Bank (PNB in this case). These two parties should have been the co-accused in the fraud case and had to be punished. If the Adjudicator had exercised his powers under Section 46 of ITA 2000 fully, he could have ordered PNB to check all earlier fraudulent credits in the account and made PNB return all these o the respective victims. The domain name registrars would have also learnt  a lesson that they could have acted in 2013 after the Naavi.org made public the fraud and cancelled the domain name registration which would have been well within the their rights under the domain name registration contracts they would have obtained from the accused.

It is however not considered the duty of the domain name registrars and they continue to be the architects of the kind of frauds  that re-surface again and again. The Ayushman-yojana.org fraud is just another case which has been found now even as many such frauds are being committed even now.

The domain name was registered on 8th March 2020 by the registrar midwestdomains.com. It may be noted from the whois records that this domain name has been registered by an organization named HSIF Company in Uttar Pradesh.

Fortunately since “Privacy protection” was not enabled on the site, a research of other sites showing whois information reveals the following domain name registration details.

Name: HSIF Company

Address: B-7 Sector 64, Gautam Budhdha Nagar, UP, 201301

Phone 1204250001

E Mail: hr.hsifc@gmail.com

In my view it is the negligence of midwestdomains.com  has enabled not only the registration of the fake domain name. The registrar has also profited by such registrations. 

Name and Shame Rogue Domain Name Registrars

The question we should rise is

Should we not make these registrars also responsible for such fraudulent registrations as co-conspirators of the scam?.

Law permits these registrars to be considered as co-conspirators but the fact that these companies are like deep web companies and part of the criminal syndicate themselves makes it difficult in practice to draw them to courts .

But these registrars should be named and shamed and must be put on the “Rogue Registrars” list. ICANN should also be asked to change its current systems of appointing registrars and making them liable for proven cases of domain name frauds arising out of lack of verification of the identity of the registrants.

I request any official of ICANN to respond and let us know what action they take when such rogue registrars are reported and if they have issued any circular earlier that registrars have to identify the registrants and have failed to do so, what action can be taken now at least after a fraud has been reported.

Mr Samiran Gupta the India representative should be made a respondent in all future domain name related phishing and should be questioned on what action is taken at the ICANN level to prevent such frauds.

Mr Samiran Gupta’s LinkedIn profile here

ICANN also has to immediately stop the domain name registrars hiding the registrant’s identity under the privacy excuse since registration of domain name and running a website is a “Public-Business” activity and does not come under any “Personal Data Protection” laws of either GDPR or any other law.

ICANN and the registrars being blind to the cyber crimes being committed out of deliberate registration of fake websites is a bane of the Internet and is also increasing the cost of operation for genuine operators who have to block several related domain names only to prevent frauds of this nature.

In around 2002, Naavi promoted the concept of “Look Alikes Disclosure”  (Presently available at www.lookalikes.in) to enable genuine domain name registrants to at least declare these fraudulent domain names. But this also requires some efforts on the domain name owners to display a link to the lookalikes data base like the following:

This service was proposed but could not be commercialized. May be its time has come now.

I wish Delhi Police check up if the current gang of fraudsters in the case of Ayushman-yojana.org have any connection with the earlier fraud and if so ensure that they get appropriate punishment in the Court for repeated offences.

A Note to honest Registrars in India

This article refers to those registrars who are in the wild west abetting the Cyber Criminals and refuse to be accountable. Other honest registrars may kindly excuse me for using the title as I have done here.

However, even these registrars need to introduce policies and procedures to ensure that proper KYC is done on the domain name registrars so that impersonation frauds are reduced to the extent possible.

If possible look at the proposed Personal Data Protection law in India which has suggested social media intermediaries to introduce a system of verifying the users. Introduce a similar system in domain name registrations and refrain from providing “Privacy Protection of Who is data”. Who is data is not a personal information but is a public business information.

NIXI should also incorporate these guidelines as “Best Practices in Domain Name registration” and be a model to the world. Mr Samiran Gupta can coordinate some of these changes with NIXI which is the policy formulator for Dot IN domains.

Naavi

Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Crime and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.