This article is the first part of a series I am publishing about my dealings with a cesspool on the internet, and about my colleagues' and my coordinated attempts to bring it to the attention of various network peers, internet policy organizations, law enforcement, and victims of attacks originating from there, as well as to raise general awareness. This gets dark quickly, as we will be discussing topics such as local revenge porn in a town near you, child pornography, bank account phishing, and other cyberattacks.
Anon-IB and its Abuse of Women and Teens
Several weeks ago, an old classmate brought to my attention an anonymous image board called Anon-IB. The image board acts as a hub for revenge porn and slut-shaming: people from around the country request and share sexually explicit photographs of ex-girlfriends, images taken from hacked or stolen mobile phones, or other personal caches they have accumulated, which they refer to as 'wins'.
Revenge porn sites are something many people are now aware of, but what makes this one different is that the website has separate boards dedicated to each state; locals from various cities, my hometown of Jacksonville included, create threads for their city where they and others can post and request nude images or videos of local young women, without the victims' knowledge or consent, often by name and including other personally identifiable details.
Underage posts are not allowed; however, Gabrielle Fonrouge of the New York Post wrote in September that there are numerous, verifiable cases of images of underage girls being shared, and cites specific examples of several women who were 15-17 years old in the images shared of them on Anon-IB.
It is also a rule on Anon-IB that personally identifiable information is prohibited; however, Fonrouge writes that "many users flaunt these rules … [p]articularly in the sections that are done by city." The Post article also cites its own cases of victims' full names being included in posts, which often also name the victim's school.
This is disturbing in a number of ways. It is grossly hostile, threatening, and objectifying to women, and the posters clearly have no respect for them. I feel it promotes stalking and sexual harassment of women. I recognized names of people I know being requested, and I started considering what I could do about it, since the whole thing is ugly, offensive, and, in my legally untrained belief, somewhere between legally questionable and grossly illegal.
The old classmate who originally brought the site to my attention had been told by co-workers who shared the site with him that it was hosted in Russia and thus could not be taken down. So, naturally, I started investigating who is behind it and what could be done.
Quasi Networks LTD.
According to DNS records, the public-facing web server for the image board is hosted at 18.104.22.168. I looked up the IP's public registration in the RIPE NCC WHOIS database and learned it is registered to Quasi Networks Ltd., Suite 1, Second Floor, Sound & Vision House, Francis Rachel Street, Victoria, Mahe, Seychelles. Not exactly Russia, but Russians are in fact involved in this story, as discussed in part two of this series.
Seychelles, officially the Republic of Seychelles, is an archipelago nation in the Indian Ocean east of mainland East Africa. It has recently received media attention (e.g. from The Washington Post) for new cases of plague, as travelers between Seychelles and nearby Madagascar contracted it there and brought it back. Travel between the two countries is common, and flights have been suspended as a result of the plague's presence in both.
When I saw Quasi Networks (hereafter QN or Quasi) together with the location, Seychelles, I realized I already knew about them. In the recent past, attacks originating from within QN's AS29073 had caused denial-of-service outages on web servers I lease and manage. Large numbers of failed SSH login attempts and vulnerability probes against WordPress sites would spike resource usage on the servers and occasionally make services unavailable. They would also blow up my Amazon Web Services costs.
I had previously sent abuse reports to QN, only to never receive a response while the attacks continued. Ultimately, I added a 'drop' rule in my systems' firewalls for every netblock I could find that was assigned to QN, effectively ignoring all traffic from their networks. On realizing that Quasi was associated with both Anon-IB and these past attacks, I wanted to learn what else was going on behind AS29073 and why no one appeared to be doing anything about it.
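The procedure described above (attribute failed SSH logins to an AS's netblocks, then drop every netblock at the firewall) as an added Python example; this is not the author's code and not tied to any real prefix list. It assumes you have already obtained the prefixes announced by the AS from a BGP looking glass or a registry data service (that lookup is not shown), and it uses constructed sample data: RFC 5737 documentation ranges standing in for the offending AS's netblocks, and a handful of made-up sshd `auth.log` lines. The helper `addresses_in_prefix` also shows how to check the size of a prefix such as the /14 mentioned later in the article.

```python
"""Added example (not the original page's code): count failed SSH logins per
source, flag sources inside an AS's netblocks, and emit nftables drop rules.
All prefixes and log lines below are constructed sample data (RFC 5737 ranges)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: pretend these are the prefixes announced by the abusive AS.
# In practice this list would come from a BGP looking glass / registry lookup (assumption).
AS_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample auth.log lines in the standard OpenSSH format.
SAMPLE_AUTH_LOG = """\
Nov  1 03:14:07 web1 sshd[2817]: Failed password for root from 198.51.100.23 port 51234 ssh2
Nov  1 03:14:09 web1 sshd[2817]: Failed password for root from 198.51.100.23 port 51240 ssh2
Nov  1 03:14:11 web1 sshd[2819]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Nov  1 03:15:02 web1 sshd[2830]: Accepted publickey for deploy from 192.0.2.10 port 50010 ssh2
Nov  1 03:15:40 web1 sshd[2835]: Failed password for invalid user test from 192.0.2.77 port 40100 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def build_networks(prefixes):
    """Parse prefix strings; strict=False tolerates prefixes written with host bits set."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def addresses_in_prefix(prefix):
    """Number of addresses covered by a CIDR prefix (a /14 covers 262,144)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def failed_logins_by_source(log_text):
    """Count sshd failed-password events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def sources_in_networks(counts, networks):
    """Map each failing source IP that lies inside one of the networks to
    (failure count, matching prefix). Sources outside the networks are omitted."""
    hits = {}
    for ip_str, n in counts.items():
        ip = ipaddress.ip_address(ip_str)
        for net in networks:
            if ip in net:
                hits[ip_str] = (n, str(net))
                break
    return hits


def nft_drop_rules(networks, set_name="as_blocklist"):
    """Render an nftables ruleset: one interval set holding the prefixes and one
    input rule dropping any packet whose source is in that set."""
    lines = [
        "table inet filter {",
        f"  set {set_name} {{",
        "    type ipv4_addr; flags interval;",
        "    elements = { " + ", ".join(str(n) for n in networks) + " }",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr @{set_name} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = build_networks(AS_PREFIXES)
    hits = sources_in_networks(failed_logins_by_source(SAMPLE_AUTH_LOG), nets)
    for ip, (n, net) in sorted(hits.items()):
        print(f"{ip}: {n} failed logins, inside {net}")
    print(nft_drop_rules(nets))
```

The sample run attributes two of the three failing sources to the constructed netblocks and leaves 192.0.2.77 alone, which is the point: the log analysis tells you whether the noise really comes from the AS before you drop its entire address space. The rendered ruleset can be loaded with `nft -f`; an `ipset`/`iptables` equivalent would differ only in the renderer.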
Troy and the Bad Packets Report
Searching online for their AS number made me realize I was not alone in my experiences with QN. A guy named Troy had written on April 25th, 2017 about his experiences on his website, the Bad Packets Report. Troy was on the receiving end of attacks from a host on a QN IP address, 22.214.171.124, that he referred to as 'The Master Needler'.
Troy had already contacted RIPE NCC about QN and published the results of his communications with them. He was concerned about QN's apparent lack of attention to abuse complaints sent to their registered abuse contact address and hoped RIPE could provide guidance.
RIPE NCC suggested Troy contact Novogara Ltd. at their abuse contact, since the particular subnet, 126.96.36.199/24, was a 'PA assignment': an assignment that RIPE NCC member (Novogara) had made out of its own allocation, without RIPE NCC involvement. They also noted that QN holds AS29073 and that RIPE NCC had validated the abuse email address at the time the AS number was assigned. Knowing RIPE NCC could not be of much further help, Troy wrote that he would consider following up with Novogara.
Worth noting: RIPE NCC has since released a new policy proposal on how it handles abuse contact validation, which includes validating the abuse email at least annually and following up when an IP holder is unresponsive after two weeks. Under the proposed policy, if an organization is uncooperative, RIPE NCC could close its membership and de-register its IP resources. Whether Troy's conversation with them helped spur that proposal or not, I like to think it did.
Collaboration with Troy and The Hague Case
At the time, I found no further follow-up published by Troy, so I reached out to him via Twitter to see if he had any updates. When he got back to me, he said he had not yet contacted Novogara, but did have important news: there is currently an ongoing 'fishing expedition' case in The Hague in which directors of Ecatel Ltd., Quasi Networks Ltd., Novogara Ltd., and some others are named as co-defendants. Merriam-Webster defines a 'fishing expedition' as a legal interrogation or examination to discover information for a later proceeding.
According to the court documents, which are entirely in Dutch and which I am reading via Google Translate, an organization named Stichting Brein (the Brein Foundation) wants to examine the defendants as witnesses. The relevant passage, in translation:

"Stichting Brein therefore wishes to hear [defendant 1], [defendant 2] and [defendant 3] as witnesses in order to obtain further clarity about the structure of and the relationship between these companies, where the servers are located and which (legal) persons are the ones responsible behind Quasi Networks. Stichting Brein has an interest in this information in order to be able to assess whom it can hold accountable and whether it makes sense to start proceedings."
Stichting Brein, according to the court documents, represents several motion picture and sound associations, producers, and film distributors in combating unauthorized distribution of their clients' content on the internet. It is essentially a Dutch anti-piracy group representing the film industry in the Netherlands.
Brein alleges it has found infringing content on websites hosted by Ecatel, the first defendant, in past years, and that Ecatel has been structurally negligent in complying with its statutory obligations by not taking infringing content or sites offline, or by not doing so in a timely manner.
How Are These Entities Associated?
Brein notes that Novogara and Ecatel have virtually identical websites and that, until July 2015, the sole shareholder and director of Novogara, the second defendant, was a director of Ecatel. Reba Holding Ltd., of which the director of Novogara is a joint shareholder, is the shareholder of Ecatel. Another shareholder is the third defendant, the indirect director of Reba Communications, the company that controls the company operating Dataone, a datacenter in Wormer, North Holland, where Brein believes the servers are physically located.
Brein also notes that in late 2015 a bundle of Ecatel IP addresses was taken over by QN, and that Novogara's website is also hosted by QN. Brein says there are concrete indications that QN uses servers located in the Dataone datacenter in Wormer, which is indirectly owned by Reba.
As a result, Brein believes there is good reason to suspect that Ecatel, Novogara, and Reba are affiliated with each other and with Quasi Networks.
What to do Now?
Since Novogara is likely to be as unhelpful as Ecatel and Quasi, additional research on who Quasi, Novogara, and Reba are peering with is forthcoming in part two of this series. My hope is to appeal to their more respectable network peers and make them aware of the shenanigans going on, in the hope that they will de-peer from this association of what appear to be bad actors.
We have a direct channel to the managing director of the Brein Foundation, and he has forwarded all relevant communications and research that Troy and I obtained in the course of our separate, independent inquiries to the investigations team working on The Hague case.
Still worth investigating is their acquisition of a /14 of abandoned AFRINIC IP address space, 188.8.131.52/14, containing 262,144 addresses.
This is the end of part one of this series on Quasi Networks. Part two covers Quasi contacting me out of the blue, discovering worse things behind their AS, opening an abuse complaint and their responses, who their biggest network peers are, bank account phishing and notifying Bank of America, and the latest updates.