Question: Can dead people register domain names?
Answer: Yes, if you run the OzPills Internet pharmacy network.
On the Internet, there aren’t many rules. One of the few, however, is that domain name registration (WHOIS) records are not supposed to be falsified. Engaging in WHOIS falsification to the extreme is ozpills.com, a website classified by LegitScript as a rogue Internet pharmacy. Indeed, our research shows that the person behind the website has hidden behind coverup identities and migrated from registrar to registrar to keep the website afloat, despite LegitScript’s filing of numerous WHOIS inaccuracy complaints about the domain name. Ultimately, the Internet pharmacy operator settled on registrars that are willing to allow the use of anonymization services for domain name registrations.
Why OzPills.com is a Rogue Internet Pharmacy
As the domain name suggests, ozpills.com resolves to a website that has the primary purpose to sell drugs (“pills”) to Australia (“oz”). The drugs offered on the website are not approved for sale in Australia, including “Viagra XL,” “Cialis with Priligy,” and “Viagra Pink,” and are dispensed without a prescription requirement. This practice poses a serious risk to patient safety and violates Australian law, and it’s not possible, given the mix of drugs on the website, that the Internet pharmacy is licensed in Australia (since the drugs aren’t approved for sale there).
In light of these factors, we contacted Misk, the applicable domain name registrar at the time (August 2014) with a request to suspend and lock the domain name ozpills.com based on the outlined violations. Unfortunately, Misk.com whisked us off with the excuse echoed by many uncooperative registrars: “we would need a court order to suspend this domain name.” (That’s wrong, of course. ICANN disagrees with Misk.com, and after we filed a complaint against Misk.com, the company was apparently told that it was wrong, and would have to do something to investigate our claims of illegal activity.)
Anyway, when we notified Misk.com about the rogue Internet pharmacy in August 2014, we noticed something strange in the domain name registration details. At the time, the WHOIS record listed “David Mojos” as the registrant and “Mojo ChaCha” as the registrant organization. Intrigued by this uncommon name, we researched the WHOIS history and discovered a trail of apparently fictitious names used to register the domain name. Since the domain name was created in March 2008, the registration details changed more than several dozen times, with names including Paul Johnson, George W. Bush, David Bier, David Mojos and David Biermann. Yet, all these domain name registrations used similar contact information. For example, the WHOIS records continually used the same email address in combination with a set of three different addresses located in and around Sydney, Australia. The registrant organization typically was “OZPLS” or variations of “Mojo Cha Cha.” Further research established that ozpills.com belongs to a group of 25 domain names that all share the same email addresses and contact details, yet also display similar identity changes in their historic WHOIS records. Some of these domain names resolved to active websites at the time of investigation, and others appeared to be dysfunctional.
Assuming that one person cannot change his name more than 20 times over the course of five years, we filed a WDPRS WHOIS inaccuracy complaint to ICANN for all 25 domain names. Almost a month later, we received an ICANN notice that all WHOIS inaccuracy complaints had been closed because “the registrar” — which in this case was Misk.com — “demonstrated that it has taken reasonable steps to investigate the Whois inaccuracy claim.”
Indeed, after apparent prodding by ICANN, there was some action by the registrar. In a perfect world, that would have resulted in either a correction of all WHOIS records or the termination of all domain names. But it did not. Although the majority of the domain names appeared to have been put on client-hold status or deleted altogether, presumably due to the fictitious Whois data, the four most important domain names within the rogue Internet pharmacy network (ozpills.com and ozplused.com and the name servers mojochacha.net and ozpls.net) simply changed registrars, to France-based Gandi SAS, and continued to function as rogue Internet pharmacies. Completely in keeping with their track record, the website operator or operators changed the registrant name again, this time to “Dennis Jones” and “Linda Smith.”
We decided to follow up with another WHOIS inaccuracy complaint, first to the registrar, Gandi SAS, and then to ICANN, regarding the remaining four domain names. We received a response from ICANN in early January stating once more that our complaint had been closed based on “reasonable steps” on the registrar’s part to investigate the WHOIS inaccuracy claim; the email from ICANN mentioned that the WHOIS record had been updated. Indeed, the registrant name was updated to “David Jones.” At that time, the registrant for several other OzPills domain names (globalviagrapharm.com and genericlevitraaustralia.net) also changed to “David Jones,” with the address 500 Oxford Street, Bondi Junction, NSW, Australia. There is, in fact, a David Jones at that address: the David Jones department store, named after the individual who died more than 100 years ago. (For this to be an accurate Whois record, one of two things has to be true: the David Jones department store, which isn’t licensed as a pharmacy, would have to be illegally importing and selling drugs; or, dead men would have to be able to register domain names.) Although these domain names were eventually put on client-hold status by the registrar, ozpills.com was allowed to continue to operate as “David Jones.” Our research shows that this was likely yet another fictitious name.
Today, the four core OzPills domain names remain fully operational, illegally selling drugs to Australia. They simply changed registrars yet again, and this time, simply used registrars that offer privacy protection. Although we believe we’ll be able to get these domain names offline sooner rather than later, to us, this highlights a wider problem: a cybercriminal can use one falsified name after another, and even after multiple complaints are submitted, they can then just hide behind Whois privacy.
As a result, the four high-profile Internet pharmacy domain names remain functional as of today, and the rogue Internet pharmacy network continues to operate. LegitScript will seek to have these domain names disabled on a public health basis, in light of their criminality. But it’s important to illustrate how ICANN could have prevented these domain names from being active today if the organization had effectively enforced WHOIS accuracy requirements rather than considering the issue resolved at the registrar level, amounting to just another dead end.