November 17, 2010
I’ve done some more investigating of mysafenet.net and localsafe.org and it looks like I’ve found out who’s behind them.
First of all, localsafe.org, mysafenet.net, and several other servers share the name server ns1.finishlinehosting.com:
SAMPLE OF DOMAINS USING NS1.FINISHLINEHOSTING.COM
| Domain | Registrar | Create Date | Expire Date | More Information |
|---|---|---|---|---|
| localsafe.org | Internet.bs Corp. (R1601-LROR) | 2010-03-18 04:31:32 | 2011-03-18 04:31:32 | DNS |
| mail4time.org | Internet.bs Corp. (R1601-LROR) | 2010-10-29 04:42:25 | 2011-10-29 04:42:25 | DNS |
Safe-local.net is another server that is used for the scam. It redirects to craigslistsafe.localsafe.org. Mail4now.net and mail4time.org are servers that are used for sending spam for mysafenet.net and safe-local.net. Since these sites all share the same name server and they were all used for the scam, it’s a good bet that they are all owned by the same person.
A useful piece of information about a website is its SOA record. This record contains the e-mail address of the person responsible for administering the domain’s zone. The SOA record for mysafenet.net is this:
MYSAFENET.NET SOA RECORD
| Expiry | 41 days 16 hours |
The e-mail address of the zone administrator is an address at cli-us.com, which is a website for Christopher Lawell, Inc.
Given its name, we’d assume that finishlinehosting.com would be the website for the hosting company used by these sites, but instead it’s a blank website. Let’s look at the SOA record for finishlinehosting.com:
FINISHLINEHOSTING.COM SOA RECORD
| Expiry | 41 days 16 hours |
The e-mail address of the zone administrator for this site is also an address at cli-us.com. So who is this Christopher Lawell?
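The SOA comparison above can be scripted. The following is an added example, not code from the original post: it decodes the SOA mailbox field (RNAME, where the first unescaped dot stands for "@") and groups zones by the mailbox's domain. The domain names, the name server and the 3600000-second expiry (41 days 16 hours) come from the post; the mailbox local parts, example.org, serials and other timers are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample SOA lines in zone-file presentation format. The post does
# not print the full records, so "hostmaster", "john\.doe", example.org, the
# serials and the refresh/retry/minimum timers are placeholders (assumptions).
SAMPLE_SOA = """\
mysafenet.net. 3600 IN SOA ns1.finishlinehosting.com. hostmaster.cli-us.com. 2010111701 10800 3600 3600000 86400
finishlinehosting.com. 3600 IN SOA ns1.finishlinehosting.com. hostmaster.cli-us.com. 2010111701 10800 3600 3600000 86400
example.org. 3600 IN SOA ns1.example.org. john\\.doe.example.org. 2010111701 10800 3600 604800 86400
"""

def rname_to_email(rname):
    """Convert an SOA RNAME to an e-mail address (RFC 1035 encoding).

    The first unescaped dot separates the local part from the domain;
    a backslash-escaped dot is a literal dot inside the local part.
    """
    m = re.match(r"((?:\\.|[^.\\])+)\.(.+)$", rname.rstrip("."))
    if not m:
        raise ValueError("RNAME has no domain part: %r" % rname)
    local = re.sub(r"\\(.)", r"\1", m.group(1))  # drop the escape characters
    return "%s@%s" % (local, m.group(2).lower())

def parse_soa(line):
    """Return (zone, primary_ns, admin_email, expire_seconds) for one SOA line."""
    f = line.split()
    # name ttl class SOA mname rname serial refresh retry expire minimum
    if len(f) != 11 or f[3].upper() != "SOA":
        raise ValueError("not a single-line SOA record: %r" % line)
    return (f[0].rstrip(".").lower(), f[4].rstrip(".").lower(),
            rname_to_email(f[5]), int(f[9]))

def zones_by_admin_domain(text):
    """Group zones by the domain of their SOA mailbox (the pivot used above)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            zone, _ns, email, _expire = parse_soa(line)
            groups[email.rsplit("@", 1)[1]].append(zone)
    return dict(groups)

if __name__ == "__main__":
    for admin_domain, zones in sorted(zones_by_admin_domain(SAMPLE_SOA).items()):
        print(admin_domain, "->", ", ".join(zones))
```

The RNAME value is whatever the zone's operator, or the hosting panel's default, put there, so a shared mailbox domain is a lead to corroborate with other records rather than proof of ownership.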
Googling “Christopher Lawell” brings up a number of interesting pages. For instance there’s the LinkedIn profile of a Christopher Lawell in the Las Vegas, NV area who is a partner at Clearline Media and president of both http://www.350dollarwebsites.com and Christopher Lawell, Inc. When we Google
“Christopher Lawell” craigslist
we find some articles where he gives tips on spamming Craigslist. For instance:
Doing some more searching for his name shows that it has been linked to other verification scam sites. For instance, there is this thread on broadbandreports.com:
The Christopher Lawell discussed in this thread had an address in Henderson, NV, which is a suburb of Las Vegas, and he was listed as the owner of craigslistsafe.safeandlocal.org, a verification scam site that is no longer active:
Created On:21-Nov-2009 16:02:05 UTC
Last Updated On:21-Nov-2009 16:02:08 UTC
Expiration Date:21-Nov-2010 16:02:05 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant Name:Christopher Lawell
Registrant Street1:318 Canyon River Court
Registrant Postal Code:89012
(The current registration information is different because the registrant acquired whois privacy protection to hide his identity.)
Not only is the name of this site very similar to craigslistsafe.localsafe.org, but SafeAndLocal.org is what is shown for the title of the page on craigslistsafe.localsafe.org:
This could be because when the current site was created, the person who set it up used a copy of the HTML for the old site and forgot to change the page’s title.
When we look at all of this evidence, though it hasn’t been proven for certain, it does appear that this Christopher Lawell is the owner of the current scam sites, too.