Comments on: DoItQuick: Fast Domains for Dirty Deeds

By: John

John — Tue, 14 Aug 2012 22:24:46 +0000

They might not be carded. Registrars have the ability to test domains for a couple days. Domain squatters use this frequently to test out new domains for traffic.

By: C

Mon, 13 Aug 2012 22:04:56 +0000

FWIW, WHOIS for doitquick.net now leads to

Registrant:
N/A
Dmitry Kunickiy (javofasta@gmail.com)
ul podlesnaya d.29
Perm
,614097
RU
Tel. +7.9656018062

By: PC.Tech

PC.Tech — Mon, 13 Aug 2012 19:56:25 +0000

FYI…

Something evil on 178.63.195.128/26
- http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html
“…A look at the 178.63.195.128/26 range (178.63.195.128 – 178.63.195.191) shows several suspicious websites with domains apparently generated by -DoItQuick- … quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 – 178.63.195.191
address: RUSSIAN FEDERATION
178.63.195.163…
178.63.195.167…
178.63.195.168…
178.63.195.170…
178.63.195.171…”
.

By: Adam

Adam — Fri, 03 Aug 2012 12:51:15 +0000

But why would they just not by domains the normal way, through godaddy or something?

And also what on earth to card thieves do anyway, they cant buy anything because the bank tracks them, its not like they send stuff to their house do they, that would be madness.

Awesome job with the blog Brian.

By: Dave

Dave — Wed, 25 Jul 2012 01:21:03 +0000

DoltQuick? So it’s a service targeting ricers?

By: SeymourB

SeymourB — Tue, 24 Jul 2012 17:24:38 +0000

A carded domain, I believe, means they use a stolen credit card to register the domain name, which get revoked in short order when the stolen credit card’s charges get reversed.

Since (as Brian has previously reported) credit cards are available in bulk for less than $5 each, a portion (large portion?) of the “registration fee” is going straight into the scammer’s pocket.

By: Nic

Nic — Tue, 24 Jul 2012 16:43:16 +0000

Exactly. As noted, it’s running on 127.0.0.1. (But I enjoyed the attempted dig at my competence!)

That said, I do believe almost everyone should block .su (the Soviet Union) in their resolvers, which is recommended by abuse.ch, one of the most respected sites in abuse. It’s an illegitimate TLD and an abuse factory.

http://www.abuse.ch/?p=3581

Small businesses would probably do well blocking all of .ru as well depending on their users and customer base. Not possible for universities and other large networks.

I’ve been blocking all of .ru since yesterday. No bad interactions so far.

By: Michele

Michele — Tue, 24 Jul 2012 12:38:37 +0000

$5 is way below the price charged by the registry, so I’m not 100% sure how they could charge so little.. While it would be possible to use the AGP to get a refund on *some* domains, you couldn’t use it that extensively

By: BrianKrebs

BrianKrebs — Tue, 24 Jul 2012 12:31:44 +0000

About double that. I believe the previous commenter is right: The black domains are carded; there really isn’t any other explanation for domains that would be revoked in 2 days.

By: Neej

Neej — Tue, 24 Jul 2012 08:10:43 +0000

$5 is a pretty decent price for a .org domain. Just out of curiosity how much were the “white” domains going for?