US law enforcement lost control of seized Black Friday poker domains

Online poker domains seized by US law enforcement on Black Friday have been exposing visitors to scams and malware.

On Thursday, tech blog Torrentfreak.com reported that online gambling domains seized by US federal authorities on April 15, 2011 – including AbsolutePoker.com and UltimateBet.com – were now directing visitors to a Zero-Click advertising feed, which has been criticized in the past as a conduit for malware installers and other digital cesspools.

Until recently, the domains displayed only a seizure notice from the US Department of Justice. A similar effect greeted visitors to Megaupload.com, the cloud-storage website formerly run by Kim Dotcom, who was indicted by the DOJ on charges relating to illegal file-sharing in January 2012.

The problem arose after the DOJ apparently lost control of the domains’ nameserver, either by letting control expire or by some unknown action by a third party. Domain name ownership service Whois currently lists the sites’ nameserver as a derivative of CIRFU.biz, which appears to be a play on the CIFRU.net domain operated by the FBI’s Cyber Initiative and Resource Fusion Unit. But CIRFU.biz, which is hosted on a server in the Netherlands, isn’t an official CIFRU domain.

Since Megaupload is still a frequently visited site, Kim Dotcom has weighed in on the controversy. Speaking to Torrentfreak, Dotcom wondered why Jay Prabhu, chief of the cybercrime unit at the US Attorney’s Office for the Eastern District of Virginia, “can’t even do the basics like safeguard the domains he has seized.”

Dotcom went on to ask why the DOJ’s Virginia office employed “a guy who doesn’t know the difference between civil & criminal law.” Dotcom said he would like to send Prabhu “back to law school and give him a crash course in ‘how the internet works’.”

Dotcom’s comments appear to have had their desired effect in the hallways of the DOJ, as the aforementioned domains – which carried the Zero-Click feed as late as midday Thursday – are now returning “webpage not available” messages.