DNA EXCLUSIVE: US web companies securing JeM websites, boosting online presence

At least two US-based companies, with headquarters in San Francisco and Texas, are hosting and securing the website of proscribed Pakistan-based terror group Jaish-e-Mohammad (JeM), disseminating anti-India propaganda, jihad in Kashmir and violent extremist ideology.

JeM is responsible for daring attacks on India including the one on Parliament in 2001, the Pathankot air force base and the Army's Nagrota camp last year and active in the Kashmir militancy. It has been found to be using the services of a US company CloudFlare Inc to protect its website alqalamonline.com and rangonoor.com from cyber-attacks and accelerate its presence on the web making it easily accessible to its users.

The JeM has enrolled LimeStone Networks for hosting other domains like musalmanbachay.com, fathuljawwad.com and sadaemujahid.com --all part of its online propaganda machinery in the form of articles, videos of fighters hailed as martyrs who died in Kashmir, write-ups from leadership, quranic verses, and poetries on holy war, DNA investigation shows.

These companies have previously been flagged off as favorites of the Islamic State, al Qaeda, Hezbollah and other Islamic extremist groups, but have not been subjected to US law enforcement yet. US companies are prohibited from financial transactions with designated terrorist organisations. Incidentally, JeM is proscribed by the United Nations and the United States since 2001 for its terrorist activities

Following the Pathankot attack, an audio clip was uploaded on rangonoor.com with the voice of Mufti Abdul Rauf Asghar claiming responsibility for the attack and praising its fighters. Four Pakistani terrorists were killed in the air force station. A transcript of the audio was featured on the online magazine alqalamonline.com …the mouthpiece of JeM, the National Investigation Agency (NIA) filed charge sheet on the attack in the Mohali court states.

After these claims appeared on the websites, Pakistani authorities briefly shut down JeM's online publications and put its leader Maulana Masood Azhar under house arrest as pressure from India began to mount. The alqalam website has contents of jihadi thoughts, a weekly newspaper by the group and columns featuring Azhar along with other senior JeM leaders.

In its investigation, the NIA found that these sites are hosted by Bulgaria-based web hosting company SiteGround by a Karachi administrator Muhammad Tariq Siddique.

A quick WHOIS search on myip.ms which provides hosting information, websites and IP database shows the IP address of alQalamonline as 104.18.56.73 and Rangonoor's 104.27.132.179, linked with IP Reverse DNS (Host) company Cloudflare located in California, San Francisco.

In an email query sent by dna, Vanessa Royale from Cloudflare said that the company isn't a host for the two websites. "Our IP addresses may appear in a DNS (Domain Name System) query since we are a reverse proxy, but we are not hosting the sites.''

It means that CloudFlare acts as an intermediary between the user and the parent hosting company of alqalamonline.com and rangonoor.com SiteGround company, thereby ensuring malicious data or DDOS attacks are not directed to the websites. Dna investigation has reconfirmed that both the sites are currently running on IP address 77.104.156.63 hosted by the main company SiteGround on the which was reconfirmed by dna investigation.

"It basically acts as a watchman between the user and the main hosting company by putting the IP address of CloudFlare data centres behind the website. The traffic is routed through CloudFlare while the website is still hosted in its original location, thus making it difficult to carry a DDOS or inject attack,'' said Information Security Analyst Tarun Wig of Innefu labs Pvt Ltd in Delhi, which works on national security surveillance with the government. He added that a lot of malicious domains and websites are usually found hosted in data centers in countries like Bulgaria and Ukraine.

Although CloudFlare refused to comment on customers or customer plans without their approval, Royale skirted the issue on technical grounds that her company was responsible for facilitating terrorist websites. "Terminating a customer would not cause any content to go away. It would simply make it slower and more vulnerable to attacks,'' she said.

JeM has protected its principal websites alqalamonline.com and rangonoor.com, with a daily traffic of at least 200 visitors, against the distributed denial of service (DDoS) or malicious script attacks by placing them in CloudFlare services since March 2014.

When dna tried to access alqalamonline.com, a white screen with a five-second pause appeared and a text, 'checking your browser' before accessing alqalamonline appeared. In the fine blue print, it states DDoS protection by CloudFlare.

CloudFlare's services (some are free) are used by organisations to optimise their website delivery. "Once the service is enabled by a website owner, it will provide security against DDOS and safeguard content, acting as a web application firewall (WAF). The CloudFlare service will cache the website and helps faster delivery (or optimise the website-loading speed),'' said cyber security researcher of Mumbai based Open Security Alliance, Dinesh Bareja.

"It is a paradox to see terror organisations using CloudFlare, which is unwittingly providing them security against web-based attacks and ensuring these sites get loaded fast," he said.

Limestone Networks, based out of Texas, is the parent hosting company of JeM's other websites featuring its monthly magazine for children, Musalman bachay, and Sada-e-mujahid, with information and material regarding Islam, Quran, Jihad, sermons by Azhar and some content with English translation. These domains indulge in soft propaganda and introduces JeM's thoughts to potential recruits: young children and teenagers.

Limestone did not respond to an email from dna. Limestone is also a popular forum favoured by Salafi-Jihadi ideologues.

SECURING TERROR

1. A quick WHOIS search on myip.ms shows the IP address of alQalamonline as 104.18.56.73 and Rangonoor’s IP address as 04.27.132.179
    
2. CloudFlare acts as an intermediary between the user and the parent hosting company of alqalamonline.com and rangonoor.com SiteGround company, thereby ensuring malicious data or DDOS attacks are not directed to the websites.
    
3. US companies are prohibited from financial transactions with designated terrorist organisations. Incidentally, JeM is proscribed by the United Nations and the United States since 2001 for its terrorist activities.