More about 'BlackMattersUS' faux BLM project exposed by Think Progress
2017 October 13

There is an interesting story out at Think Progress, regarding (yet another) faux Black Lives Matter online project. BlackMattersUS shares many of the elements of other recently-exposed and Russian-linked "BLM" projects that sought to influence the outcome of the 2016 US presidential election.

Common practice
As is common practice, BlackMattersUS has more than one domain name. In this case there are two. Both names were carefully registered via a proxy service to hide the actual registrant. The use of the proxy or "privacy" service to hide the registrant is also common practice, but like many things meant to protect the privacy and identity of honest folks, such services are ripe for abuse by people involved in criminal or other nefarious activities. Finally, BlackMattersUS uses CloudFlare, a service that offers protection from denial of service attacks, but which, like domain name privacy services, is ripe for abuse by people trying to evade responsibility for their online activities. This is because CloudFlare masks the actual location of websites that use the service. Such location information, and related information regarding the server hosting the website, can greatly assist any effort to identify a site's operator(s). Despite all such efforts, the situation is not hopeless, and there is information to be gleaned without a subpoena.

Domain names, plural
As noted above, BlackMattersUS has two domain names. One they use, and one they don't use.

1. blackmattersus.com is the domain used, and the one identified by Think Progress. The domain registration is held by Whois Privacy Corp., Nassau, Bahamas. The domain name points to a CloudFlare IP address (104.31.86.57), and that is where the trail ends. But that was not always the case. blackmattersus.com was registered in November of 2015. On or about July 15, 2016, the site's operators moved blackmattersus.com to CloudFlare. Prior to that the domain name pointed to a non-CloudFlare IP address (107.181.161.172). The following data is via DomainTools Hosting History for blackmattersus.com:

Event Date   Action   Pre-Action IP     Post-Action IP
2016/01/10   New      -none-            107.181.161.172
2016/07/15   Change   107.181.161.172   104.31.87.57
2016/07/23   Change   104.31.87.57      104.31.86.57

2. blackmattersusa.com is the domain they don't use. But how do we know it even exists? As seen above, once upon a time blackmattersus.com used the IP address 107.181.161.172. That IP address is associated with a computer that may host any number of websites. Using DomainTools reverse IP address search, we find only one domain is known to currently use 107.181.161.172. And that domain is... blackmattersusa.com
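The pivot described in the two items above can be run mechanically over any hosting history. The following is an added example, not code from the original post: it parses the three rows quoted above and returns each non-CDN address together with the dates it was in use. The function names and the single netblock used to recognise the CDN are assumptions of this example.

```python
import ipaddress
from datetime import date

# Hosting-history rows as quoted on this page (DomainTools data).
HISTORY = """\
2016/01/10 New -none- 107.181.161.172
2016/07/15 Change 107.181.161.172 104.31.87.57
2016/07/23 Change 104.31.87.57 104.31.86.57
"""

# Assumption: one netblock that contains both CloudFlare addresses in the
# table. A real check would load the CDN's full published range list.
CDN_NETS = [ipaddress.ip_network("104.16.0.0/12")]


def behind_cdn(ip):
    """True if the address falls inside a known CDN netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_NETS)


def parse_history(text):
    """Yield (date, action, pre_ip, post_ip); '-none-' becomes None."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, action, pre, post = line.split()
        y, m, d = map(int, day.split("/"))
        yield date(y, m, d), action, None if pre == "-none-" else pre, post


def pre_cdn_hosts(text):
    """Return [(ip, first_seen, last_seen)] for every non-CDN address.

    last_seen is the date of the record that replaced the address, or
    None when the address is still the latest record.
    """
    rows = sorted(parse_history(text), key=lambda r: r[0])
    out = []
    for (start, _, _, ip), nxt in zip(rows, rows[1:] + [None]):
        if behind_cdn(ip):
            continue
        out.append((ip, start, nxt[0] if nxt else None))
    return out
```

Each address returned is a candidate for the reverse IP search described in item 2.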

As noted already, this second domain (blackmattersusa.com) is also held by a proxy service. In fact the same service used by the primary domain blackmattersus.com. While we are still no closer to naming the operator of the BlackMattersUS site, we have something to show for the effort, namely we can confirm the connection between the two domains, and those domains' connection to the non-CloudFlare IP address.
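The registration records themselves can be compared field by field to see what the two domains share beyond the IP address. The following is an added example, not code from the original post: the field values are copied from the two WHOIS records in the Addenda, and the function names are this example's own.

```python
from datetime import datetime

# Fields copied from the two WHOIS records in the Addenda of this page.
WHOIS_A = """\
Domain Name: BLACKMATTERSUS.COM
Registry Domain ID: 1983429375_DOMAIN_COM-VRSN
Creation Date: 2015-11-23T08:10:26Z
Registrar: Internet Domain Service BS Corp.
Registrant Organization: Whois Privacy Corp.
Name Server: dom.ns.cloudflare.com
Name Server: tricia.ns.cloudflare.com
"""
WHOIS_B = """\
Domain Name: BLACKMATTERSUSA.COM
Registry Domain ID: 1983429558_DOMAIN_COM-VRSN
Creation Date: 2015-11-23T08:12:21Z
Registrar: Internet Domain Service BS Corp.
Registrant Organization: Whois Privacy Corp.
Name Server: ns-canada.topdns.com
Name Server: ns-uk.topdns.com
Name Server: ns-usa.topdns.com
"""


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (Name Server) collect in a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skip blank fields
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def compare(a, b, ignore=("Domain Name",)):
    """Return (shared fields, differing fields, seconds between creations)."""
    ra, rb = parse_whois(a), parse_whois(b)
    keys = (set(ra) | set(rb)) - set(ignore)
    shared = sorted(k for k in keys if ra.get(k) == rb.get(k))
    differ = sorted(keys - set(shared))
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t = [datetime.strptime(r["Creation Date"][0], fmt) for r in (ra, rb)]
    return shared, differ, abs((t[1] - t[0]).total_seconds())
```

On these records the registrar and privacy service match, the creation timestamps are 115 seconds apart, and only the name servers point in different directions.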

The IP address
IP addresses are assigned in large blocks to the operators of datacenters, who in turn assign smaller blocks of addresses to companies that may host websites themselves, or who may again re-assign still smaller blocks, or individual IP addresses, to companies and individuals involved in hosting websites either for themselves or for clients. The non-CloudFlare IP address (107.181.161.172) is part of a large block assigned to Total Server Solutions LLC (TSS), with physical addresses in Atlanta and Los Angeles, but on the basis of 20 years of doing this sort of attribution research, I can say with a high degree of confidence that the actual host of BlackMattersUS is likely a client of TSS, or a client of a client of TSS.

The web server
Servers are computers that generally reside in datacenters and provide a home for websites. In addition to hosting many sites with many different domain names, it is common practice for servers to have their own name. The name of the web server at 107.181.161.172, that currently hosts blackmattersusa.com, and that previously hosted blackmattersus.com, is... sergy.uaservers.net. Now we are getting somewhere.

At this point it is worth remembering that much of what we know about Russian involvement in the election points to Ukrainian allies of the Kremlin. The 'ua' in uaservers.net is a reference to Ukraine. The story of uaservers.net appears to lead back to Kharkiv. Between April and June of 2013 company info changed, and at present everything points to Dmitry Deineka, who is associated with quite a few different business names, all using the address of a UPS Store in Las Vegas, Nevada, and an area code (505) Las Vegas, New Mexico, phone number.

Conclusion
While it is possible Mr. Deineka hosts BlackMattersUS, it is at least as likely that the operator(s) of that site are clients of his, or clients of clients. But that said, we are considerably closer to sorting out who is involved in this matter, and the information presented here suggests that Think Progress is correct in attributing BlackMattersUS to 'Russians' involved in 2016 election meddling.

Addenda

Domain Name: BLACKMATTERSUS.COM
Registry Domain ID: 1983429375_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2016-07-13T19:04:28Z
Creation Date: 2015-11-23T08:10:26Z
Registrar Registration Expiration Date: 2017-11-23T08:10:26Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone: +1.5167401179
Reseller: 
Domain Status: ok - http://www.icann.org/epp#ok
Registry Registrant ID: 
Registrant Name: Domain Admin
Registrant Organization: Whois Privacy Corp.
Registrant Street: Ocean Centre, Montagu Foreshore, East Bay Street
Registrant City: Nassau
Registrant State/Province: New Providence
Registrant Postal Code: 
Registrant Country: BS
Registrant Phone: +1.5163872248
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: blackmattersus.com-owner@customers.whoisprivacycorp.com
Registry Admin ID: 
Admin Name: Domain Admin
Admin Organization: Whois Privacy Corp.
Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
Admin City: Nassau
Admin State/Province: New Providence
Admin Postal Code: 
Admin Country: BS
Admin Phone: +1.5163872248
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: blackmattersus.com-admin@customers.whoisprivacycorp.com
Registry Tech ID: 
Tech Name: Domain Admin
Tech Organization: Whois Privacy Corp.
Tech Street: Ocean Centre, Montagu Foreshore, East Bay Street
Tech City: Nassau
Tech State/Province: New Providence
Tech Postal Code: 
Tech Country: BS
Tech Phone: +1.5163872248
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: blackmattersus.com-tech@customers.whoisprivacycorp.com
Name Server: dom.ns.cloudflare.com
Name Server: tricia.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

===========================

Domain Name: BLACKMATTERSUSA.COM
Registry Domain ID: 1983429558_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2016-01-09T07:40:20Z
Creation Date: 2015-11-23T08:12:21Z
Registrar Registration Expiration Date: 2017-11-23T08:12:21Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone: +1.5167401179
Reseller: 
Domain Status: ok - http://www.icann.org/epp#ok
Registry Registrant ID: 
Registrant Name: Domain Admin
Registrant Organization: Whois Privacy Corp.
Registrant Street: Ocean Centre, Montagu Foreshore, East Bay Street
Registrant City: Nassau
Registrant State/Province: New Providence
Registrant Postal Code: 
Registrant Country: BS
Registrant Phone: +1.5163872248
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: blackmattersusa.com-owner@customers.whoisprivacycorp.com
Registry Admin ID: 
Admin Name: Domain Admin
Admin Organization: Whois Privacy Corp.
Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
Admin City: Nassau
Admin State/Province: New Providence
Admin Postal Code: 
Admin Country: BS
Admin Phone: +1.5163872248
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: blackmattersusa.com-admin@customers.whoisprivacycorp.com
Registry Tech ID: 
Tech Name: Domain Admin
Tech Organization: Whois Privacy Corp.
Tech Street: Ocean Centre, Montagu Foreshore, East Bay Street
Tech City: Nassau
Tech State/Province: New Providence
Tech Postal Code: 
Tech Country: BS
Tech Phone: +1.5163872248
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: blackmattersusa.com-tech@customers.whoisprivacycorp.com
Name Server: ns-canada.topdns.com
Name Server: ns-uk.topdns.com
Name Server: ns-usa.topdns.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

==========================

Domain: uaservers.net
Record Date: 2013-04-15
Registrar: GODADDY.COM, LLC
Server: whois.godaddy.com
Created: 2012-06-15
Updated: 2012-09-03
Expires: 2015-06-15

Record:
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: UASERVERS.NET
      Created on: 15-Jun-12
      Expires on: 15-Jun-15
      Last Updated on: 02-Sep-12

   Registrant:
   Innokenty Sidor4uk
   UA Cloud Lab 61000, Kharkiv, 12 April, 7b Kharkiv, 61000 UKRAINE
   ,  
   
   Administrative Contact:
      ,   mnt-by@uaservers.net
      Innokenty Sidor4uk
      UA Cloud Lab 61000, Kharkiv, 12 April, 7b Kharkiv, 61000 UKRAINE
      ,  
      
      +380.577298800

   Technical Contact:
      ,   mnt-by@uaservers.net
      Innokenty Sidor4uk
      UA Cloud Lab 61000, Kharkiv, 12 April, 7b Kharkiv, 61000 UKRAINE
      ,  
      
      +380.577298800

   Domain servers in listed order:
      NS1.UASERVERS.NET
      NS2.UASERVERS.NET

=========================

Domain: uaservers.net
Record Date: 2013-06-27
Registrar: GODADDY.COM, LLC
Server: whois.godaddy.com
Created: 2012-06-15
Updated: 2013-05-21
Expires: 2015-06-15

Record:
   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: UASERVERS.NET
      Created on: 15-Jun-12
      Expires on: 15-Jun-15
      Last Updated on: 21-May-13

   Registrant:
   UAServers.Net
   4616 W Sahara Ave Unit 223
   Las Vegas, Nevada 89102
   United States

   Administrative Contact:
      Deineka, Dmitry  mnt-by@layer6.net
      UAServers.Net
      4616 W Sahara Ave Unit 223
      Las Vegas, Nevada 89102
      United States
      +1.5056524764

   Technical Contact:
      Deineka, Dmitry  mnt-by@layer6.net
      UAServers.Net
      4616 W Sahara Ave Unit 223
      Las Vegas, Nevada 89102
      United States
      +1.5056524764

   Domain servers in listed order:
      NS1.UASERVERS.NET
      NS2.UASERVERS.NET
			

© 2015-2017 Andrew Aaron Weisburd