WHOIS - U.S.-Based Domain Registration Protection Companies Hide Identities Of Individuals Behind The Most Important Al-Qaeda-Affiliated Websites

July 13, 2012

Introduction

Currently, fewer than 10 major active websites are directly used by Al-Qaeda and other leading jihadi organizations. Like all other websites, these sites have domain names and other identifying information that can be looked up using the WHOIS protocol.[1]

When a new domain name is registered, the domain owner is required to submit information to the WHOIS database; however, some domain owners opt to use domain privacy services offered by registrars. This option leaves them technically compliant but enables them to avoid listing their actual information.

The following report is another example of how terrorist groups have come to depend on American companies for their activities online.

What Is WHOIS?

WHOIS is a protocol used for querying databases that store the registration information of users of an Internet source, such as a domain name. WHOIS originated as a method of obtaining contact information for IP address assignments or domain name administrators. It is now used for other purposes, including determining the registration status of domain names and assisting law enforcement in enforcing national and international laws.

The Internet Corporation for Assigned Names and Numbers (ICANN) exercises control of the WHOIS databases, under the authority of the U.S. Commerce Department.

WHOIS Information On Anwar Al-Awlaki's Website Led To Its Closure

In 2009, when radical Yemeni-American Anwar Al-Awlaki posted an article on his website praising Fort Hood shooter Maj. Nidal Hasan, MEMRI published a report on his website that included WHOIS info.[2] The report stated: "The registration information for his website is as follows: The domain ANWAR-ALAWLAKI.COM is protected by the private domain registration company DomainsByProxy.com. The information listed for DomainsByProxy.com is: Domains by Proxy, Inc., DomainsByProxy.com, 15111 N. Hayden Rd., Ste 160, PMB 353, Scottsdale, Arizona 85260, United States, (480) 624-2599 Fax (480) 624-2598. A trace of the server hosting the website shows that it is hosted by New Dream Network, LLC, 417 Associated Rd., PMB #257, Brea, CA 92821; their Abuse Team can be reached at: +1-714-706-4182, [email protected]"

Within two hours of MEMRI report's publication, the site was removed and shut down, and has not returned.

Domain Privacy Services "Namecheap" and "WhoisGuard" Mask Identity of Domain Owners

Namecheap, a leading ICANN-accredited domain name registrar and web hosting company located in Los Angeles, CA,[3] was founded in 2000; currently, it has over 800,000 clients and over three million domains under its management. Namecheap provides domain names, web hosting, secure SSL certificates, and WhoisGuard domain name privacy.[4]

Among Namecheap's most important products is WhoisGuard Domain Privacy Protection. The product description on Namecheap.com for WhoisGuard provides information on why potential clients might want to use its services - many of which are attractive to jihadis: "The Internet Corporation for Assigned Names and Numbers (ICANN) policy requires you to provide accurate contact information while registering domain name - or you can risk losing it... When you register a domain, you risk exposing your name, address, e-mail and phone number to spammers, marketing firms, and other online fraudsters. Use 'WhoisGuard,' our privacy protection option, and stay worry-free!"[5]

The product description adds: "Namecheap's WhoisGuard domain privacy service is the best global domain privacy option for your domain name. Our WHOIS protection ensures that your private domain name registration always stays private as long as your privacy protection is active. When you purchase and enable WhoisGuard on your domain, we make the following changes in public WHOIS: 1) Replace your postal address with our address; 2) Replace your phone number and fax number with our phone and fax numbers; 3) Replace your email address with a uniquely-generated "[email protected]" email address. Every email that is sent to the WhoisGuard address is forwarded to an email address of your choice."[6]

Namecheap and its WhoisGuard service have long been used by online jihadi groups and Al-Qaeda affiliates. Media reports going back to 2004 have identified this issue, bringing it to the attention of Namecheap founder and CEO Richard Kirkendall.[7] Another 2004 media report noted that Namecheap once hosted Ekhlass, one of the most important Al-Qaeda-affiliated websites, before it was shut down. On this matter also, Kirkendall was contacted by the media, but he never responded to concerns that he was assisting Al-Qaeda.[8]

The Top Two Al-Qaeda-Affiliated Online Forums - And Others - Rely On WhoisGuard

Registration information for the two most important Al-Qaeda-affiliated forums, Al-Shumoukh and Al-Fida', is currently blocked by WhoisGuard. This means that whoever created and registered the sites is paying WhoisGuard to conceal their identity.

The following is the Whois listing from these two forums, showing how registration information is protected by WhoisGuard:

Al-Shumoukh Full WHOIS for SHAMIKH1.INFO: Domain ID: D38010794-LRMS Domain Name: SHAMIKH1.INFO Created On: 14-May-2011 00:22:30 UTC Last Updated On: 23-Apr-2012 17:20:00 UTC Expiration Date: 14-May-2013 00:22:30 UTC Sponsoring Registrar: eNom, Inc. (R126-LRMS) Status: OK Registrant ID: fce7ae13f22aa29d Registrant Name: WhoisGuard Protected Registrant Organization: WhoisGuard Registrant Street1: 11400 W. Olympic Blvd. Suite 200 Registrant City: Los Angeles Registrant State/Province: CA Registrant Postal Code: 90064 Registrant Country: US Registrant Phone: +1.6613102107 Registrant Email: [email protected]hoisguard.com Admin ID: fce7ae13f22aa29d Admin Name: WhoisGuard Protected Admin Organization: WhoisGuard Admin Street1: 11400 W. Olympic Blvd. Suite 200

Al-Fida' Full WHOIS for AL-FIDAA.COM: Registrant Contact: WhoisGuard WhoisGuard Protected 11400 W. Olympic Blvd. Suite 200 Los Angeles, CA 90064 US Administrative Contact: WhoisGuard WhoisGuard Protected ([email protected]) +1.6613102107 Fax: +1.6613102107 11400 W. Olympic Blvd. Suite 200 Los Angeles, CA 90064 US Technical Contact: WhoisGuard WhoisGuard Protected ([email protected]) +1.6613102107 Fax: +1.6613102107 11400 W. Olympic Blvd. Suite 200 Los Angeles, CA 90064, US Creation date: 27 May 2010 21:37:00 Expiration date: 27 May 2012 16:37:00

Other U.S.-Based Domain Privacy Companies Used By Online Jihadis

Network Solutions, Privacypost, Privacyprotect, Register.com, and PrivacyRegContact are other U.S.-based domain privacy services used by online jihadis.

Ansar Al-Mujahideen English Forum Vitally important to Al-Qaeda and its Western supporters and recruits, and aimed at audiences both Muslim and non-Muslim, the Ansar Al-Mujahideen English Forum (AMEF), ansar1.info, is considered the primary English-language jihadi forum, disseminating the majority of Al-Qaeda's propaganda for the English-speaking West. AMEF was established in 2008 in Arabic, and later launched multiple language pages, including English; it has thousands of threads and individual messages.[9] Its Whois information is registered with Privacypost.com.

Full WHOIS for ANSAR1.INFO (using Privacypost.com): Domain ID: D31419025-LRMS Domain Name: ANSAR1.INFO Created On: 04-Feb-2010 16:49:41 UTC Last Updated On: 19-Apr-2012 02:48:14 UTC Expiration Date: 04-Feb-2014 16:49:41 UTC Sponsoring Registrar: Domain.com, LLC (R656-LRMS) Status: OK Registrant ID: DOT-8IB2AOYX9YYN Registrant Name: N/A Registrant Organization: c/o ANSAR1.INFO Registrant Street1: P.O. Box 821650 Registrant City: Vancouver Registrant State/Province: WA Registrant Postal Code: 98682 Registrant Country: US Registrant Phone: +1.3604495933 Registrant Email: [email protected] Admin ID: DOT-49LI2P08AZ8O Admin Name: N/A Admin Organization: c/o ANSAR1.INFO Admin Street1: P.O. Box 821650 Admin City: Vancouver Admin State/Province: WA Admin Postal Code: 98682 Admin Country: US Admin Phone: +1.3604495933 Admin Email: [email protected] Billing ID: DOT-WRBWRC7KYWGD Billing Name: N/A Billing Organization: c/o ANSAR1.INFO Billing Street1: P.O. Box 821650 Billing City: Vancouver Billing State/Province: WA Billing Postal Code: 98682 Billing Country: US Billing Phone: +1.3604495933 Billing Email: [email protected] Tech ID: DOT-SVXV1G32Y6MR Tech Name: N/A Tech Organization: c/o ANSAR1.INFO Tech Street1: P.O. Box 821650 Tech City: Vancouver Tech State/Province: WA Tech Postal Code: 98682 Tech Country: US Tech Phone: +1.3604495933 Tech Email: [email protected] Name Server: NS1.NAMERESOLVE.COM

Tawhed.net Another important jihadi website is tawhed.net. Since 2003, Sheikh Abu Muhammad Al-Maqdisi's website, Minbar Al-Tawhid Wal-Jihad ("The Pulpit of Monotheism and Jihad," henceforth MTJ) has been the main online home for the global Salafi-jihadi movement. Over time, his website became the main platform for disseminating Salafi-jihadi doctrine, publishing extremist texts, and issuing jihad-related fatwas. In addition to Al-Maqdisi himself, the website is overseen by a shari'a committee of radical Salafi-jihadi clerics from various countries.[10] Tawhed.net's WHOIS information is registered with PrivateRegContact.

Full WHOIS for tawhed.net (using PrivateRegContact): [Querying whois.verisign-grs.com] [Redirected to whois.melbourneit.com] [Querying whois.melbourneit.com] [whois.melbourneit.com] Domain Name: tawhed.net Creation Date: 2009-07-19 Registration Date: 2009-07-19 Expiry Date: 2012-07-19 Organisation Name: ESAM ALUTAIBE Organisation Address: PO Box 61359 Sunnyvale 94088 CA, US Admin Name: Admin PrivateRegContact Admin Address: PO Box 61359 registered post accepted only Sunnyvale 94088 CA, US Admin Email: [email protected] Admin Phone: +1.5105952002 Tech Name: TECH PrivateRegContact Tech Address: PO Box 61359 registered post accepted only Sunnyvale 94088 CA, US Tech Email: [email protected] Tech Phone: +1.5105952002 Name Server: ns159.ip-asia.com Name Server: ns160.ip-asia.com

Bab-Ul-Islam.net Bab-Ul-Islam.net is a forum that emerged from the merger (in March 2012) of the Ansarullah website and the Bab-ul-Islam forum. It publishes content consisting of Al-Qaeda and its affiliated media releases in English, Urdu, Arabic, and other languages.[11] Its Whois information is registered with Network Solutions.

Full WHOIS for BAB-UL-ISLAM.NET (using Network Solutions): Administrative Contact: Proxy, Proxy [email protected] ATTN BAB-UL-ISLAM.NET care of Network Solutions PO Box 459 Drums, PA 18222 US Phone: 570-708-8780 Technical Contact: Proxy, Proxy [email protected] ATTN BAB-UL-ISLAM.NET care of Network Solutions PO Box 459 Drums, PA 18222 US Phone: 570-708-8780

Jhuf.net JHUF.NET, or Jamia Hafsa Urdu Forum, is a pro-Taliban, jihadi forum. It draws its name from the name of the women's madrassa in Islamabad - known as Jamia Hafsa - adjacent to the Red Mosque in Islamabad, Pakistan. Both were the site of the 2007 military operation ordered by General Pervez Musharraf. The forum publishes jihadi messages from the Taliban and Al-Qaeda. Its WHOIS information is registered with PrivacyProtect.org.

Full WHOIS for JHUF.NET (using PrivacyProtect.org): Registration Service Provided By: WWW.HOSTING24.COM Contact: +68.67568314 Domain Name: JHUF.NET Registrant: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 AU Tel. +45.36946676 Creation Date: 18-Sep-2010 Expiration Date: 18-Sep-2012 Domain servers in listed order: dns2.site5.com dns.site5.com Administrative Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 AU Tel. +45.36946676 Technical Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 AU Tel. +45.36946676 Billing Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 AU Tel. +45.36946676

Theunjustmedia.com Theunjustmedia.com is identified as the official website of the Islamic Emirate of Afghanistan, according to the September 2011 issue of the jihadi magazine Nawa-i-Afghan Jihad. Its WHOIS information is registered with register.com.

Full WHOIS for Theunjustmedia.com (using www.Register.com): Information for www.theunjustmedia.com on Host Depot's website. Registrant: REGISTER.COM, INC. Whois Server: whois.register.com Referral URL: http://www.register.com Status: clientTransferProhibited Expiration Date: 2012-10-26 Creation Date: 2001-10-26 Last Update Date: 2011-10-25 Name Servers: ns1.hostdepot.com ns2.hostdepot.com IP: 66.242.136.130 IP Location: Pompano Beach, United States Website Status: active Registrant: Name: Khurram Siddiqi Street Address: PO BOX 90560 Scarborough, CA 55555 Phone: 9543403527 Email: [email protected] Administrative Contact: Name: Khurram Siddiqi Street Address: PO BOX 90560 Markham Eglinton Scarborough, CA 55555 Phone: +1.9543403527 Email: [email protected] Technical Contact: Name: Host Depot, Inc. Street Address: 12524 West Atlantic Boulevard Coral Springs, State: FL 33071 Phone: +1.9543403527 Email: [email protected]

*Note: NetStrategies, a DC Web development company, served as a technical advisor for this report.

*Steven Stalinsky is Executive Director of MEMRI.

Endnotes:

[1] All information in this report was current as of May 15, 2012.
[2] See MEMRI Special Dispatch No. 2638, "U.S.-Born Yemen-Based Imam Anwar Al-Awlaki on His CA-Hosted Websites: Fort Hood Shooter 'Nidal Hassan Is A Hero,'" November 9, 2009, https://www.memri.org/report/en/0/0/0/0/0/0/3737.htm
[3] Namecheap.com, 11400 W. Olympic Blvd. Suite 200, Los Angeles, CA 90064, [email protected]
[7] MensNewsDaily.com, July 22, 2004; also see Dailymail UK, October 17, 2004
[8] Daily Beast, October 2, 2009
[10] See MEMRI Special Dispatch No. 3960, "Minbar Al-Tawhid Wal-Jihad - Major Jihadi Website Inciting Attacks on the U.S. - Hosted in NJ," July 1, 2011, https://www.memri.org/report/en/0/0/0/0/0/0/5423.htm

Jihad and Terrorism Threat Monitor

JTTM subscribers receive daily updates on imminent and potential threats posed by terrorists, extremist organizations, and individuals worldwide.
For subscription information, click here

Share this Post: