Cyber Crime

An illegal prostitution ring took Kazakhstan offline

On 31st July 2019, internet users within Kazakhstan experienced a show of dismay unseen before. Suddenly, hundreds of website could not be accessed. The first report was seen to be made by Manshuq Media on Facebook where they explained the issue in a post as seen below:

The post translated from Kazakh.

This came forward when two IP address filters implemented by Kazakhstan Telecom were seen in their infrastructure. These were identified as belonging to a client-hosted with a Russian website builder named Tilda Publishing (tilda.cc).

In response, Tilda made an announcement asking their users to point their website to 194.4.58.39 which is the IP address belonging to a commercial hosting provider, namely Hoster.kz.

Then finally on the 1st of August, the reason behind the filter blocking move was revealed. Kazakh Telecom stated that Tilda’s servers hosted a pornographic website named rainbow-spa.kz with 2 IP addresses: 185.165.123.206 and 185.165.123.36.

This was done due to the issuance of a court order to take the site down. As it can be understood, the blocking of the above IP addresses would only result in the blocking of other websites if the above 2 happened to be domain name servers rather than static IPs specifically for the rainbow site.

Hence because a variety of domains point to the same domain name servers on a specific hosting service, all other sites that pointed to the same DNS as the pornographic site also ended up getting banned mistakenly. To consider this a blunder on part of the authorities that implemented the ban would do justice as 2 other ways could have been easily employed comprising of:

  • Notifying the domain registrar – ICPS in this regard – to take control of the domain and change its DNS internally.

Whois information obtained by Qurium, it is not available currently as the website is offline.

  • Notify the host – Tilda in this case – to ban the account of the violator internally and remove all such content from their servers.

Moving on, the recent IP address change announced was shortlived. Users were now informed on 2nd August that they were blocked by a Kazakhstan Telecom Filter and they should once again change their websites to a new IP address – 77.220.207.191. Yet, this wasn’t the end. On the 8th of August, a minimum of 800 domains and subdomains were moved to a new data center – 77.220.207.191 – at Kazteleport which is owned by Halyk Bank. No justification was provided by the move though.

Domains_tilda – a text file containing the moved addresses.

With the investigation continuing, alarming connections were found. The street address used to register the rainbow-spa domain which is Сатпаева, 30а к2 and when translated into English, Satpayev, 30a k2, a business with the name of “R.N.B.W. massage salon” was found there, an abbreviation for RaiNBoW highlighting the link.

 

To add to this, Qurium reports,

We looked for all the domains that re-assemble the blocked site. It is not uncommon to see business of this type running multiple websites. During our search we found two more domains: rnbw.kz and rnbw-spa.kz.

They continue by pointing that several websites offering illegal prostitution services were also found claiming that Rainbow Spa may have been connected to these rings from the above-gathered evidence.

All of this leaves a stain on Kazakh’s national authorities who have failed to take down an illegal network that is discoverable with the use of normal search engines on the surface web, quite far away from what authorities in countries like the USA have to tackle within the realms of the dark web.

To Top

Pin It on Pinterest

Share This