New child porn payment processor - Russian Business Network?

I earlier briefly mentioned that I was following some child porn trails (http://www.matchent.com/wpress/?q=node/355 - Google is your friend?).
I did follow the trail, but I hate this kind of stuff. Angry and sad are a couple of words I could use to describe my own feelings when I stumble over it. But those words are not strong enough, I'm not good with words.

This is a relatively short description of what I found.
I will not mention specific child porn domains, only some facts about the payment processor.

Avalonpay Inc. is the name of (one of) the new child porn payment processors.
I will start with the whois for avalonpay.com, not that the info is useful in itself.

Domain Name: AVALONPAY.COM
   Registrar: ONLINENIC, INC.
   Whois Server: whois.35.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.AVALONPAY.COM
   Name Server: NS2.AVALONPAY.COM
   Status: ok
   Updated Date: 24-jul-2008
   Creation Date: 20-jun-2008
   Expiration Date: 20-jun-2010

>>> Last update of whois database: Tue, 12 Aug 2008 16:28:31 EDT <<<

Domain Name:avalonpay.com
Record created:2008/6/20
Record expired:2010/6/20

Domain servers in listed order:
         ns1.avalonpay.com       ns2.avalonpay.com

Administrat:
   name-- DNS MANAGER
   org-- ABSOLUTEE CORP. LTD.
   country-- CN
   province-- Hongkong
   city-- Hongkong
   address-- FLAT/RM B 8/F CHONG MING BUILDING 72 CHEUNG SHA WAN RD KL
   postalcode-- 999077
   telephone-- +00.85223192933
   fax-- +00.85223195168
   E-mail-- av3314260412301@absolutee.com
Technical Contact:
   name-- DNS MANAGER
   org-- ABSOLUTEE CORP. LTD.
   country-- CN
   province-- Hongkong
   city-- Hongkong
   address-- FLAT/RM B 8/F CHONG MING BUILDING 72 CHEUNG SHA WAN RD KL
   postalcode-- 999077
   telephone-- +00.85223192933
   fax-- +00.85223195168
   E-mail-- av3314260412302@absolutee.com
Billing Contact:
   name-- DNS MANAGER
   org-- ABSOLUTEE CORP. LTD.
   country-- CN
   province-- Hongkong
   city-- Hongkong
   address-- FLAT/RM B 8/F CHONG MING BUILDING 72 CHEUNG SHA WAN RD KL
   postalcode-- 999077
   telephone-- +00.85223192933
   fax-- +00.85223195168
   E-mail-- av3314260283503@absolutee.com
Registrant Contact:
   name-- DNS MANAGER
   org-- ABSOLUTEE CORP. LTD.
   country-- CN
   province-- Hongkong
   city-- Hongkong
   address-- FLAT/RM B 8/F CHONG MING BUILDING 72 CHEUNG SHA WAN RD KL
   postalcode-- 999077
   telephone-- +00.85223192933
   fax-- +00.85223195168
   E-mail-- av3314260602704@absolutee.com

Note the company name used, ABSOLUTEE CORP. LTD.
Compare with an article in Wired News from October 2007 about the Russian Business Network, http://www.wired.com/politics/security/news/2007/10/russian_network, quote:

Jaret [note: speaking on behalf of RBN] also says there's no mystery about the company's ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company's principals remain anonymous. The registration information for the company's website lists a company called Absolutee Corp. LTD as the owner of the domain name.

The article also mentioned that the whois info for RBN was changed later. And it has now expired.
For the old whois info for rbnnetwork.com, see http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7465 .
It's also a bit suspicious that "First Connect Telecom Limited Inc" (and variations of the name) only returns hits related to the noise about RBN in connection with their Spamhaus listings.

Two facts:

  • Absolutee Corp. Ltd is the owner of the domain avalonpay.com, a child porn payment processor.
  • Absolutee Corp. Ltd was earlier registered as the domain owner for rbnnetwork.com.

I relate the two facts above to each other, and conclude that avalonpay.com is the Russian Business Network's payment processor for child porn.

Lines of communication

I start with the usual dig:

; <<>> DiG 9.3.4-P1 <<>> avalonpay.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48635
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;avalonpay.com.                 IN      A

;; ANSWER SECTION:
avalonpay.com.          360     IN      A       62.149.23.191

;; AUTHORITY SECTION:
avalonpay.com.          360     IN      NS      ns2.avalonpay.com.
avalonpay.com.          360     IN      NS      ns1.avalonpay.com.

;; Query time: 116 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Tue Aug 12 22:48:38 2008
;; MSG SIZE  rcvd: 83

This tells me that the hosting is at 62.149.23.191, located at Colocall Ltd in Ukraine.

But since I have been told that I should use other ways to dig, I did a couple:

; <<>> DiG 9.3.4-P1 <<>> mail.avalonpay.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65221
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.avalonpay.com.            IN      ANY

;; ANSWER SECTION:
mail.avalonpay.com.     360     IN      A       193.200.193.209
mail.avalonpay.com.     360     IN      TXT     "v=spf1 a mx include:smtp-server.com include:monthly.smtp.com include:smtp2go.com ~all"

;; AUTHORITY SECTION:
avalonpay.com.          166     IN      NS      ns1.avalonpay.com.
avalonpay.com.          166     IN      NS      ns2.avalonpay.com.

;; Query time: 114 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Tue Aug 12 22:51:52 2008
;; MSG SIZE  rcvd: 186

and

; <<>> DiG 9.3.4-P1 <<>> avalonpay.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14815
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;avalonpay.com.			IN	ANY

;; ANSWER SECTION:
avalonpay.com.		225	IN	TXT	"v=spf1 a mx include:smtp-server.com include:monthly.smtp.com include:smtp2go.com ~all"
avalonpay.com.		225	IN	TXT	"v=spf1 a mx include:smtp-server.com include:monthly.smtp.com include:207.58.142.213 ~all"
avalonpay.com.		216	IN	SOA	ns1.avalonpay.com. root\@avalonpay.com. 73 10800 900 604800 86400
avalonpay.com.		162	IN	A	62.149.23.191
avalonpay.com.		162	IN	NS	ns1.avalonpay.com.
avalonpay.com.		162	IN	NS	ns2.avalonpay.com.

;; AUTHORITY SECTION:
avalonpay.com.		162	IN	NS	ns2.avalonpay.com.
avalonpay.com.		162	IN	NS	ns1.avalonpay.com.

;; Query time: 83 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Tue Aug 12 23:20:16 2008
;; MSG SIZE  rcvd: 361

But hang on, here is another one:

; <<>> DiG 9.3.4-P1 <<>> mail2.avalonpay.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43332
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mail2.avalonpay.com.           IN      ANY

;; ANSWER SECTION:
mail2.avalonpay.com.    360     IN      A       79.143.180.6
mail2.avalonpay.com.    360     IN      TXT     "v=spf1 a mx include:smtp-server.com include:monthly.smtp.com include:smtp2go.com ~all"

;; AUTHORITY SECTION:
avalonpay.com.          360     IN      NS      ns1.avalonpay.com.
avalonpay.com.          360     IN      NS      ns2.avalonpay.com.

;; Query time: 398 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Tue Aug 12 22:56:53 2008
;; MSG SIZE  rcvd: 187

This tells me that they have one mail server at 193.200.193.209, Funke Internet Services Ltd in Germany.
And another sitting at 79.143.180.6, Cronos IT, LLC, Netherlands IPs, but Cronos is apparently a Latvian company.
The next line confuses me (the "v=spf1" one). Well, I have heard about SPF, something about trusted email or whatever, but I really have no idea what it is. I hope that does not matter or bother you.

Leaving out some details, using one practical example, crossing my fingers and hoping I am correct in general too:
Communication in the form of email first comes from 193.200.193.209 or 79.143.180.6.
If the criminals choose so, the email then goes via smtp-server.com, monthly.smtp.com or smtp2go.com before reaching the pedophile customer. monthly.smtp.com is at 67.205.78.62, which is something called Emumail in the US; the IP address is in Montreal, Canada.
smtp2go.com is at 207.58.142.213, which is ServInt Corp in the US; the IP address is in Toronto, Canada.
smtp-server.com is at 216.13.78.11, Allstream Corp in Canada.
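The "v=spf1" records returned above are SPF policies: a domain publishes the list of hosts allowed to send mail claiming to come from it, and a receiving mail server compares the connecting sender's IP against that list. As an added example (not code from the original post), the evaluator below walks the apex record's mechanisms in order against a constructed offline DNS table and returns the SPF result; it also shows why a strict checker reports a permanent error when the apex returns two v=spf1 records at once, as in the dig output above, or when an include points at a name that has no SPF record (such as the bare IP address in the second apex record). The A records and the apex TXT record come from the dig output; the MX records and the include domains' SPF records are assumptions.

```python
import ipaddress

# Constructed offline stand-in for DNS. The apex TXT record and the A records are
# those from the dig output above; the MX and include-domain records are assumed.
DNS = {
    ("avalonpay.com", "TXT"): ["v=spf1 a mx include:smtp-server.com "
                               "include:monthly.smtp.com include:smtp2go.com ~all"],
    ("avalonpay.com", "A"): ["62.149.23.191"],
    ("avalonpay.com", "MX"): ["mail.avalonpay.com", "mail2.avalonpay.com"],  # assumed
    ("mail.avalonpay.com", "A"): ["193.200.193.209"],
    ("mail2.avalonpay.com", "A"): ["79.143.180.6"],
    ("smtp-server.com", "TXT"): ["v=spf1 ip4:216.13.78.11 -all"],   # assumed
    ("monthly.smtp.com", "TXT"): ["v=spf1 ip4:67.205.78.62 -all"],  # assumed
    ("smtp2go.com", "TXT"): ["v=spf1 ip4:207.58.142.213 -all"],     # assumed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate sender IP against the domain's SPF policy (RFC 7208 subset:
    a, mx, ip4, include, all). Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                    # RFC 7208 limits DNS-querying mechanisms
        return "permerror"
    records = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1 ")]
    if len(records) != 1:             # no record -> none; several records -> permerror
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":             # any A record of the (target) domain
            matched = ip in dns.get((arg or domain, "A"), [])
        elif mech == "mx":            # any A record of the domain's MX hosts
            matched = any(ip in dns.get((mx, "A"), [])
                          for mx in dns.get((arg or domain, "MX"), []))
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":       # recurse; a target without SPF is a hard error
            sub = check_spf(ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"        # unknown mechanism or modifier
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # no term matched and no "all" present
```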

Now I have to reveal my lack of knowledge again.
In my head it would be technically possible to get that info if you had access to the mailservers at smtp-server.com, monthly.smtp.com or smtp2go.com. That would be something for the feds.
I guess that would require some kind of legal document, maybe a court order?
If both of the above are correct, the feds could have a nice and relatively easy harvest before starting what I assume is the hard legal work.
If they were interested.

Another question is whether the Russian Business Network is running the child porn sites themselves or if RBN only runs the payment processor. Some of the domains are registered to Absolutee Corp, others not. So if I stick to the registration info, RBN is at least abusing children sexually through the distribution on websites and as payment collector. On their own behalf and on behalf of others.
Who is physically sexually abusing the children? I have no idea, but RBN is responsible for the distribution. I would not be surprised if they were behind the actual abuse too.

There are other sites taking care of the payment too. doquickbuy.ws and darkbill.ws are two that are apparently down. But a closer look reveals that flashbill.net has replaced those. flashbill.net lives at 208.72.170.149, McColo in the US.

And yes, I am aware that some child porn sites are set up with the sole intention of getting the credit card numbers of pedophiles. They would hardly complain about the "fraud". "Dear officer, they charged my credit card, but I am getting no lolitas".
Somehow I have a feeling that the Russian Business Network actually is delivering pictures and movies of abused children to the pedophiles.
Sick people.