Since the release of the original article on Arthur Kenzie, I have received a lot of information about Kenzie and his extortion attempts. Volunteers have sent in a wide variety of material, including additional domains Kenzie registered, further observations on his intent, and information about his possible associate in other "scams" (Judy Kenzie). After the original article was published, Kenzie also offered HD Moore the squatted domain for free. Finally, Kenzie contacted me directly after the article, and our brief correspondence is included below.
Note: This is FAR from the full list of victims. At some point, Kenzie switched to registering through DomainsByProxy.com, which hides the registrant and so cannot be matched by WHOIS queries. We are publishing this data to warn companies that may not have been contacted by Kenzie yet. The list of historical registrations shows interesting patterns and exposes Kenzie's claim that he does this for "security awareness". Further, we are now aware of at least three companies that were approached in which Kenzie demanded $25,000 (or more) for the domain transfer (none paid). No matter what Kenzie says, that is not security research or awareness. That is fraud and extortion.
Around mid-2011, Kenzie started registering domains that could be used in phishing attacks against major companies. This is a different attack than typosquatting, and one he does not warn companies about. The distinction is clear when you consider that many of the domains he registers use "rn" (R N) instead of "m" (M), or "vv" (V V) instead of "w" (W). As previously stated, nobody types that by accident. The strings are visually close, which only pays off when a victim is shown the link, that is, in phishing. There is no legitimate use for domains like these other than a targeted phishing campaign against the employees or customers of the organization. Here are a few examples:
Around November 2011, Kenzie switched to typosquatting a wide variety of companies in Canada (where he lives), the USA, and a few other countries. Some examples are listed below:
| Kenzie's Domain | Legitimate Domain | Sector |
| --- | --- | --- |
| douglasbc.ca | Douglas.BC.CA | College (Canada) |
| arnstien.com | Arnstein.com | Law Firm (Canada) |
| sullcromm.com | SullCrom.com | Law Firm (New York) |
| bombadrier.com | Bombardier.com | Aircraft (Canada) |
| canaccrod.com | CanAccord.com | Wealth Management (Canada) |
| cdnoilsand.com | CDNOilSands.com | Oil Development (Canada) |
| hydroqeubec.com | HydroQuebec.com | Energy Utility (Canada) |
| sopohos.com | Sophos.com | Antivirus |
| mannignelliott.com | ManningElliott.com | Accounting Firm (Canada) |
| bcpacvo.com | BcPavCo.com | Provincial Crown Corporation of the Ministry of Jobs, Tourism and Innovation (Canada) |
| cental1.com | Central1.com | Credit Union |
| bankofmontrael.com | BankOfMontreal.com | Bank (Canada) |
| blakchat.com | BlackHat.com | Security Industry Conference |
| digitnotar.com | DigiNotar.com | SSL/CA (Netherlands) |
At some point during his typosquatting campaign, Kenzie decided to start targeting security researchers and security projects, for reasons that are unclear. This is almost as baffling as his desire to target law firms. A few examples:
| Kenzie's Domain | Legitimate Domain (Researcher) |
| --- | --- |
| appelbahm.net, appelbaume.net | AppelBaum.net (Jacob Appelbaum) |
| kevinmintick.com, kevinmitnikc.com | KevinMitnick.com (Kevin Mitnick) |
| scheneier.com, schneire.com | Schneier.com (Bruce Schneier) |
| thougthcrime.org | ThoughtCrime.com (Mathew Hennessy) |
| tor-porject.org, tor-projetc.org | tor-project.org (The TOR Project) |
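The two tables above illustrate the split the article draws between single-keystroke typos and visual homoglyphs. The following Python is an added example, not code from the original article: it classifies a squatted domain against the legitimate one (transposition, omission, insertion, substitution, or homoglyph), tallies the classes over the pairs from both tables, and generates the variants a defender would pre-register or watch for in new registrations. The homoglyph list holds only the two pairs the article names; "exarnple.com" is a constructed homoglyph of the RFC example domain, and the thougthcrime.org row is left out because the article lists it against a different TLD.

```python
"""Classify and generate lookalike domains (added example, not from the article)."""
from collections import Counter

# Multi-character lookalikes. The article names "rn"/"m" and "vv"/"w";
# extend this tuple with whatever your fonts make ambiguous.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"))

# (squatted, legitimate) pairs taken from the two tables in the article.
ARTICLE_PAIRS = [
    ("douglasbc.ca", "douglas.bc.ca"), ("arnstien.com", "arnstein.com"),
    ("sullcromm.com", "sullcrom.com"), ("bombadrier.com", "bombardier.com"),
    ("canaccrod.com", "canaccord.com"), ("cdnoilsand.com", "cdnoilsands.com"),
    ("hydroqeubec.com", "hydroquebec.com"), ("sopohos.com", "sophos.com"),
    ("mannignelliott.com", "manningelliott.com"), ("bcpacvo.com", "bcpavco.com"),
    ("cental1.com", "central1.com"), ("bankofmontrael.com", "bankofmontreal.com"),
    ("blakchat.com", "blackhat.com"), ("digitnotar.com", "diginotar.com"),
    ("appelbahm.net", "appelbaum.net"), ("appelbaume.net", "appelbaum.net"),
    ("kevinmintick.com", "kevinmitnick.com"), ("kevinmitnikc.com", "kevinmitnick.com"),
    ("scheneier.com", "schneier.com"), ("schneire.com", "schneier.com"),
    ("tor-porject.org", "tor-project.org"), ("tor-projetc.org", "tor-project.org"),
]


def _fold_homoglyphs(name: str) -> str:
    """Map visually confusable sequences onto the letter they imitate."""
    for lookalike, real in HOMOGLYPH_PAIRS:
        name = name.replace(lookalike, real)
    return name


def _is_one_deletion(longer: str, shorter: str) -> bool:
    """True if removing exactly one character from longer yields shorter."""
    i = 0
    while i < len(shorter) and longer[i] == shorter[i]:
        i += 1
    return longer[:i] + longer[i + 1:] == shorter


def _single_edit(cand: str, real: str):
    """Name the one keystroke error that turns real into cand, else None."""
    if len(cand) == len(real):
        diffs = [i for i, (a, b) in enumerate(zip(cand, real)) if a != b]
        if len(diffs) == 1:
            return "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and cand[diffs[0]] == real[diffs[1]]
                and cand[diffs[1]] == real[diffs[0]]):
            return "transposition"
        return None
    if len(cand) == len(real) + 1 and _is_one_deletion(cand, real):
        return "insertion"
    if len(cand) == len(real) - 1 and _is_one_deletion(real, cand):
        return "omission"
    return None


def classify(candidate: str, legit: str) -> str:
    """Return 'identical', 'homoglyph', one of the typo classes, or 'other'."""
    cand, real = candidate.lower().rstrip("."), legit.lower().rstrip(".")
    if cand == real:
        return "identical"
    if _fold_homoglyphs(cand) == _fold_homoglyphs(real):
        return "homoglyph"   # differs only by rn/m or vv/w: a phishing domain, not a typo
    return _single_edit(cand, real) or "other"


def summarize(pairs) -> Counter:
    """Tally attack classes over (squatted, legitimate) pairs."""
    return Counter(classify(c, l) for c, l in pairs)


def lookalike_variants(legit: str) -> set:
    """Single-keystroke and homoglyph variants of a domain, keeping its TLD."""
    label, dot, tld = legit.lower().rpartition(".")
    if not dot:                                 # bare label, no TLD
        label, tld = legit.lower(), ""
    out = set()
    for i in range(len(label) - 1):             # adjacent transpositions
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                 # single omissions (also drops dots)
        out.add(label[:i] + label[i + 1:])
    for lookalike, real in HOMOGLYPH_PAIRS:     # homoglyph substitutions
        if real in label:
            out.add(label.replace(real, lookalike))
    out.discard(label)
    return {v + dot + tld for v in out}


if __name__ == "__main__":
    print(summarize(ARTICLE_PAIRS))
    for squat, real in ARTICLE_PAIRS[:4]:
        print(f"{squat:20} -> {classify(squat, real)}")
    print("exarnple.com ->", classify("exarnple.com", "example.com"))  # constructed
```

Run over the article's pairs, every row comes back as a one-keystroke error (mostly adjacent transpositions) and none as a homoglyph, which is the pattern the text describes for the November 2011 phase. The variant generator is the defensive counterpart: feed it your own domains and compare the output against daily zone-file or certificate-transparency feeds rather than waiting for a demand letter.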
Kenzie's move to registering domains via DomainsByProxy is interesting, as it suggests an intent to hide his activity and make this kind of reconnaissance against his scams harder. That makes sense given that I know of three companies that received five-figure demands for the typosquatted domains, each with threats of going public in some fashion. With HD Moore, it was $295 and a "blog" entry. For some companies, it is $25,000 and "published research in late 2012". For companies that do not reply to the initial demand, Kenzie's follow-up letter states that the lack of reply "is taken as tacit approval for [him] to further study this vulnerability for the purpose of my research and for journalistic purposes".
Now that several companies have come to me with additional information and copies of Kenzie's extortion letters, I hope more will. I do not need to publish your name or letters, but it would help to have a better picture of the scope of Kenzie's scam operation. Fortunately, no company I have talked to has entertained the idea of paying, let alone actually bought the domains.
Finally, Kenzie mailed me shortly after the first article was published. It was a brief exchange, as I saw no value in continuing the conversation. It is clear to me that he knows exactly what he is doing, and that he knows it is not "legitimate security research". The exchange also makes clear that he went scouting for domains similar to attrition.org to squat, but noticed someone else had beaten him to it. For your amusement, you can read the entire exchange.