Hash: SHA1


I am ready to declare that we are having a Crisis situation with HKDNR
and their unwillingness or failure to de-register domain names which
have been registered for purpose of fraudulent activity.

At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
are now hosting almost exclusively on ".hk" domains because they are
realizing there is a pattern of refusal to follow their own guidelines
and eliminate these domains.

Of the 380 phishing reports that our team has published so far in June,
58 of these reports were related to a ".hk" domain.  Of these, at least
40 remain "live" at this time.  These are the longest-lived rock phish
we have seen in more than six months, and they will remain live until we
get cooperation from HKDNR to terminate these domains.

HKDNR sends back nice form letters that say that they are working with
the HKCERT and HK Police, but they don't actually stop the fraud.
HKCERT sends back nice form letters saying they have alerted the
appropriate ISPs, but they also don't do anything to encourage HKDNR to
deregister the fraudulent domains.

As an anti-phishing group, our primary concern is the Rock Phish group
has begun hosting almost exclusively on .hk domains, but I want to
mention that pill spammers and mule recruiters (who may actually be the
same criminal enterprise) are also hosting there as the perception that
.hk domains stay live a long time spreads throughout the cybercrime world.

Here are some sample .hk domains used by the rock phisher:

05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
05MAR07 - TERMINATED - PIRT#160525 - techid.hk
05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
06MAR07 - LIVE       - PIRT#160819 - itdo.hk
06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
06MAR07 - LIVE       - PIRT#161130 - ident1.hk
06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
06MAR07 - LIVE       - PIRT#160856 - ident.hk
06MAR07 - LIVE       - PIRT#161144 - stackdr.hk
07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
07MAR07 - LIVE       - PIRT#161837 - jdllid.hk
07MAR07 - LIVE       - PIRT#161835 - tokretweb.hk
08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
08MAR07 - TERMINATED - PIRT#161390 - idname.hk
08MAR07 - LIVE       - PIRT#161625 - idisop.hk
08MAR07 - LIVE       - PIRT#161789 - idissp.hk
08MAR07 - LIVE       - PIRT#161706 - idisor.hk
08MAR07 - LIVE       - PIRT#160842 - idusers.hk
09MAR07 - TERMINATED - PIRT#160517 - custid.hk
09MAR07 - LIVE       - PIRT#161708 - idisap.hk
09MAR07 - LIVE       - PIRT#161963 - troniekweb.hk
09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
09MAR07 - LIVE       - PIRT#162969 - troniek.hk
09MAR07 - LIVE       - PIRT#161855 - idisup.hk
10MAR07 - LIVE       - PIRT#162968 - tokret.hk
10MAR07 - LIVE       - PIRT#161855 - idisup.hk
10MAR07 - LIVE       - PIRT#161824 - toptenret.hk
10MAR07 - LIVE       - PIRT#163165 - idissp.hk (duplicate of 161789)
10MAR07 - LIVE       - PIRT#161354 - hktech.hk
10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
11MAR07 - LIVE       - PIRT#162545 - techhk.hk
11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
13MAR07 - LIVE       - PIRT#165204 - dllsid.hk
14MAR07 - LIVE       - PIRT#165271 - kletro.hk
14MAR07 - LIVE       - PIRT#165309 - coit.hk
14MAR07 - LIVE       - PIRT#165936 - erw3d.hk
14MAR07 - LIVE       - PIRT#165196 - hkpermanent.hk
14MAR07 - LIVE       - PIRT#165947 - glor.hk
14MAR07 - LIVE       - PIRT#166027 - sjuxu.hk
15MAR07 - LIVE       - PIRT#165195 - dllsdk.hk
15MAR07 - LIVE       - PIRT#166036 - kddrm.hk
15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
15MAR07 - LIVE       - PIRT#166103 - louf3.hk
15MAR07 - LIVE       - PIRT#166121 - hsa.hk
15MAR07 - LIVE       - PIRT#166127 - ere4.hk
15MAR07 - LIVE       - PIRT#166134 - ddibb.hk (not worked yet)
16MAR07 - LIVE       - PIRT#166596 - tenret.hk
16MAR07 - LIVE       - PIRT#161824 - toptenret.hk (duplicate of 161824)
16MAR07 - LIVE       - PIRT#166079 - seem.hk
16MAR07 - LIVE       - PIRT#165430 - file7.hk
16MAR07 - LIVE       - PIRT#160819 - itdo.hk
17MAR07 - LIVE       - PIRT#166131 - dsjue3.hk
17MAR07 - LIVE       - PIRT#167820 - sdjsa.hk
17MAR07 - LIVE       - PIRT#167581 - themkdu.tw
17MAR07 - LIVE       - PIRT#167581 - xlopec.hk used as nameserver
18MAR07 - LIVE       - PIRT#166078 - serkft.hk

In Rock Phish, many brands of phish are all present on each server.  We
can show they are related by replacing the "directory" portion of the
URL.  The current "live" rock phish are:

Fifth Third Bank = /r1/cbdir/
Bank of America = /update/default/
BB&T = /bbtc
BB&T = /cbus
BB&T = /update/K1/sb_login.jsp
Nordea = /widecarea.aspx
Sparkasse = /update/banking.cgi/index.html
US Bank = /client.cfm

If you are aware of others WHICH ARE LIVE please send them back to me.
Some recently live (but not current) paths include:

Volksbank = /vr
Sparkasse = /kund.id
Citibank.de = /anmelden.cgi

What is MOST IMPORTANT is that HKDNR provide to CastleCops and other
security professional their preferred channel to receive such alerts,

Contacts for CastleCops regarding this situation:

#1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
#2. PIRT Handler     - Gary Warner     - [EMAIL PROTECTED]

One of our other Handlers is leading our rock phish efforts.  We will
make appropriate introductions to parties who can help.

Some of the "Money Mule" domains at .hk include:


Some of the pillspam domains (International Legal RX in this case) include:


Sample reply from HKDNR follows:

(I have 28 copies of this form email received between March 5 and March
12.  In most of the 28 cases, the fraudulent domain is still online.
Apparently after March 12 they decided to stop answering our emails at
all, since we are no longer even getting the form letter replies.  They
just block the email and let the fraud continue.)


Dear customer,

Thank you for your email. As we would work together with HKCERT and Hong
Kong Police to make Hong Kong and the Internet a safe place for
business, do you mind if we can also forward your email to Hong Kong
Police and HKCERT for investigation? In the meantime, you can consider
to report the case to your local law enforcement authority.

Should you have any queries, please feel free to contact us.

Best regards,

Customer Service Department
Hong Kong Domain Name Registration Company Limited
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
Sheung Wan, Hong Kong
Phone No.: +852 2319 1313
Fax No.: +852 2319 2626

Here is a sample email from HKCERT:

Dear Sir/Madam,

Thank for your report on [ [10368290-553350] Fraudulent Domain Name used
in Phishing Scheme (ident1.hk)] dated [14Mar

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
have passed your case to the corresponding ISP/Parties to follow up.

Please refer to our case no for ongoing follow up.
HKCERT Case No: 20070274
First Report Date: 14 Mar 07

Tel: +852-81056060

Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

phishing mailing list

Reply via email to