What about contacting someone at ICANN? I know it sounds dumb, but someone had to grant HKDNR permission to be a .hk registrar.
-- 
Steve
panic: can't find /

On Sun, 18 Mar 2007, Tom wrote:

> The only way we had any luck was shutting down the phishing DNSs as
> HKDNR will not even send us that "form letter" anymore.
>
> But now they are using multiple DNS deployed on multiple zombies and
> half of those phish are multihomed as well and we have gotten nada
> support from Comcast, Level 3, etc. to deal with zombied residentials.
> You can imagine the support to shut down zombied residentials
> overseas. However I will say that a number of Russian ISPs have done
> a pretty good job shutting them down.
>
> The gang doing this even took over some USG machines for DNS that I
> reported late last week.
>
> I am not sure that HKDNR is ethical. But if anyone finds a contact
> point that works let us know.
>
> Tom
>
> At 3:49 PM -0500 3/18/07, Gary Warner wrote:
> >Friends,
> >
> >I am ready to declare that we are having a Crisis situation with HKDNR
> >and their unwillingness or failure to de-register domain names which
> >have been registered for purpose of fraudulent activity.
> >
> >At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
> >are now hosting almost exclusively on ".hk" domains because they are
> >realizing there is a pattern of refusal to follow their own guidelines
> >and eliminate these domains.
> >
> >Of the 380 phishing reports that our team has published so far in June,
> >58 of these reports were related to a ".hk" domain. Of these, at least
> >40 remain "live" at this time. These are the longest-lived rock phish
> >we have seen in more than six months, and they will remain live until we
> >get cooperation from HKDNR to terminate these domains.
> >
> >HKDNR sends back nice form letters that say that they are working with
> >the HKCERT and HK Police, but they don't actually stop the fraud.
> >HKCERT sends back nice form letters saying they have alerted the
> >appropriate ISPs, but they also don't do anything to encourage HKDNR to
> >deregister the fraudulent domains.
> >
> >As an anti-phishing group, our primary concern is the Rock Phish group
> >has begun hosting almost exclusively on .hk domains, but I want to
> >mention that pill spammers and mule recruiters (who may actually be the
> >same criminal enterprise) are also hosting there as the perception that
> >.hk domains stay live a long time spreads throughout the cybercrime world.
> >
> >Here are some sample .hk domains used by the rock phisher:
> >
> >05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
> >05MAR07 - TERMINATED - PIRT#160525 - techid.hk
> >05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
> >06MAR07 - LIVE - PIRT#160819 - itdo.hk
> >06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
> >06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
> >06MAR07 - LIVE - PIRT#161130 - ident1.hk
> >06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
> >06MAR07 - LIVE - PIRT#160856 - ident.hk
> >06MAR07 - LIVE - PIRT#161144 - stackdr.hk
> >07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
> >07MAR07 - LIVE - PIRT#161837 - jdllid.hk
> >07MAR07 - LIVE - PIRT#161835 - tokretweb.hk
> >08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
> >08MAR07 - TERMINATED - PIRT#161390 - idname.hk
> >08MAR07 - LIVE - PIRT#161625 - idisop.hk
> >08MAR07 - LIVE - PIRT#161789 - idissp.hk
> >08MAR07 - LIVE - PIRT#161706 - idisor.hk
> >08MAR07 - LIVE - PIRT#160842 - idusers.hk
> >09MAR07 - TERMINATED - PIRT#160517 - custid.hk
> >09MAR07 - LIVE - PIRT#161708 - idisap.hk
> >09MAR07 - LIVE - PIRT#161963 - troniekweb.hk
> >09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
> >09MAR07 - LIVE - PIRT#162969 - troniek.hk
> >09MAR07 - LIVE - PIRT#161855 - idisup.hk
> >10MAR07 - LIVE - PIRT#162968 - tokret.hk
> >10MAR07 - LIVE - PIRT#161855 - idisup.hk
> >10MAR07 - LIVE - PIRT#161824 - toptenret.hk
> >10MAR07 - LIVE - PIRT#163165 - idissp.hk (duplicate of 161789)
> >10MAR07 - LIVE - PIRT#161354 - hktech.hk
> >10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
> >10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
> >11MAR07 - LIVE - PIRT#162545 - techhk.hk
> >11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
> >13MAR07 - LIVE - PIRT#165204 - dllsid.hk
> >14MAR07 - LIVE - PIRT#165271 - kletro.hk
> >14MAR07 - LIVE - PIRT#165309 - coit.hk
> >14MAR07 - LIVE - PIRT#165936 - erw3d.hk
> >14MAR07 - LIVE - PIRT#165196 - hkpermanent.hk
> >14MAR07 - LIVE - PIRT#165947 - glor.hk
> >14MAR07 - LIVE - PIRT#166027 - sjuxu.hk
> >15MAR07 - LIVE - PIRT#165195 - dllsdk.hk
> >15MAR07 - LIVE - PIRT#166036 - kddrm.hk
> >15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
> >15MAR07 - LIVE - PIRT#166103 - louf3.hk
> >15MAR07 - LIVE - PIRT#166121 - hsa.hk
> >15MAR07 - LIVE - PIRT#166127 - ere4.hk
> >15MAR07 - LIVE - PIRT#166134 - ddibb.hk (not worked yet)
> >16MAR07 - LIVE - PIRT#166596 - tenret.hk
> >16MAR07 - LIVE - PIRT#161824 - toptenret.hk (duplicate of 161824)
> >16MAR07 - LIVE - PIRT#166079 - seem.hk
> >16MAR07 - LIVE - PIRT#165430 - file7.hk
> >16MAR07 - LIVE - PIRT#160819 - itdo.hk
> >17MAR07 - LIVE - PIRT#166131 - dsjue3.hk
> >17MAR07 - LIVE - PIRT#167820 - sdjsa.hk
> >17MAR07 - LIVE - PIRT#167581 - themkdu.tw
> >17MAR07 - LIVE - PIRT#167581 - xlopec.hk used as nameserver
> >18MAR07 - LIVE - PIRT#166078 - serkft.hk
> >
> >In Rock Phish, many brands of phish are all present on each server. We
> >can show they are related by replacing the "directory" portion of the
> >URL. The current "live" rock phish are:
> >
> >Fifth Third Bank = /r1/cbdir/
> >Bank of America = /update/default/
> >BB&T = /bbtc
> >BB&T = /cbus
> >BB&T = /update/K1/sb_login.jsp
> >Nordea = /widecarea.aspx
> >Sparkasse = /update/banking.cgi/index.html
> >US Bank = /client.cfm
> >
> >If you are aware of others WHICH ARE LIVE please send them back to me.
> >Some recently live (but not current) paths include:
> >
> >Volksbank = /vr
> >Sparkasse = /kund.id
> >Citibank.de = /anmelden.cgi
> >
> >What is MOST IMPORTANT is that HKDNR provide to CastleCops and other
> >security professionals their preferred channel to receive such alerts,
> >and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!!
> >
> >Contacts for CastleCops regarding this situation:
> >
> >#1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
> >#2. PIRT Handler - Gary Warner - [EMAIL PROTECTED]
> >
> >One of our other Handlers is leading our rock phish efforts. We will
> >make appropriate introductions to parties who can help.
> >
> >Some of the "Money Mule" domains at .hk include:
> >
> >radgrup.hk
> >radgrp.hk
> >radiusgrp.hk
> >luxcap.hk
> >luxcatl.hk
> >luxcaptl.hk
> >luxcapi.hk
> >luxcapit.hk
> >finconsinter.hk
> >interfic.hk
> >interfinconsult.hk
> >
> >Some of the pillspam domains (International Legal RX in this case) include:
> >
> >amhhcl.topjujuq.hk
> >asdapw.mikia.hk
> >svofrt.iizz.hk
> >ukfspw.mikia.hk
> >
> >=========================
> >Sample reply from HKDNR follows:
> >
> >(I have 28 copies of this form email received between March 5 and March
> >12. In most of the 28 cases, the fraudulent domain is still online.
> >Apparently after March 12 they decided to stop answering our emails at
> >all, since we are no longer even getting the form letter replies. They
> >just block the email and let the fraud continue.)
> >
> >=========================
> >
> >Dear customer,
> >
> >Thank you for your email. As we would work together with HKCERT and Hong
> >Kong Police to make Hong Kong and the Internet a safe place for
> >business, do you mind if we also forward your email to Hong Kong
> >Police and HKCERT for investigation? In the meantime, you can consider
> >reporting the case to your local law enforcement authority.
> >
> >Should you have any queries, please feel free to contact us.
> >
> >Best regards,
> >
> >Customer Service Department
> >Hong Kong Domain Name Registration Company Limited
> >Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
> >Sheung Wan, Hong Kong
> >Phone No.: +852 2319 1313
> >Fax No.: +852 2319 2626
> >Email: [EMAIL PROTECTED]
> >
> >======================================
> >Here is a sample email from HKCERT:
> >======================================
> >
> >Dear Sir/Madam,
> >
> >Thank you for your report on [ [10368290-553350] Fraudulent Domain Name used
> >in Phishing Scheme (ident1.hk)] dated [14Mar07].
> >
> >Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
> >has passed your case to the corresponding ISP/Parties to follow up.
> >
> >Please refer to our case no. for ongoing follow-up.
> >HKCERT Case No: 20070274
> >First Report Date: 14 Mar 07
> >
> >Regards,
> >HKCERT
> >Tel: +852-81056060
> >E-mail: [EMAIL PROTECTED]
> >
> >=========================
> >_______________________________________________
> >phishing mailing list
> >[email protected]
> >http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
>
> --
> Tom Shaw - Chief Engineer, OITC
> <[EMAIL PROTECTED]>, http://www.oitc.com/
> US Phone Numbers: 321-984-3714, 321-729-6258(fax),
> 321-258-2475(cell/voice mail,pager)
> Text Paging: http://www.oitc.com/Pager/sendmessage.html
> AIM/iChat: [EMAIL PROTECTED]
> Google Talk: [EMAIL PROTECTED]
> skype: trshaw
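The PIRT report quoted in this thread lists one record per line in the form `DDMMMYY - STATUS - PIRT#id - domain (optional note)` and draws conclusions from it (how many remain live, which entries are duplicates, one stray `.tw` entry). The parser below is an added example, not code from the thread or from CastleCops; it reads that record format and produces the per-TLD live/terminated counts, duplicate report ids and live-domain ages that a takedown team would want to check before escalating. The record regex and `REPORT_DATE` are our assumptions; the sample records are a subset copied from the quoted report.

```python
"""Parse 'DDMMMYY - STATUS - PIRT#id - domain [note]' takedown records and summarise them."""
import re
from collections import Counter
from datetime import date, datetime

# Assumed shape of one report line (note in parentheses is optional).
RECORD = re.compile(
    r"^(?P<date>\d{2}[A-Z]{3}\d{2})\s+-\s+(?P<status>LIVE|TERMINATED)\s+-\s+"
    r"PIRT#(?P<pirt>\d+)\s+-\s+(?P<domain>[\w.-]+)(?:\s+\((?P<note>[^)]*)\))?\s*$"
)
REPORT_DATE = date(2007, 3, 18)  # date of the quoted message; used to age live domains

# Subset of records copied from the quoted report (includes a repeated PIRT id and a .tw entry).
SAMPLE = """\
05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
06MAR07 - LIVE - PIRT#160819 - itdo.hk
09MAR07 - LIVE - PIRT#161855 - idisup.hk
10MAR07 - LIVE - PIRT#161855 - idisup.hk
10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
17MAR07 - LIVE - PIRT#167581 - themkdu.tw
18MAR07 - LIVE - PIRT#166078 - serkft.hk
"""


def parse_records(text):
    """Return one dict per well-formed record; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["date"] = datetime.strptime(rec["date"], "%d%b%y").date()
        rec["tld"] = rec["domain"].rsplit(".", 1)[-1]
        out.append(rec)
    return out


def summarise(records, as_of):
    """Counts per (tld, status), repeated PIRT ids, and still-live domains by age in days."""
    by_tld = Counter((r["tld"], r["status"]) for r in records)
    ids = Counter(r["pirt"] for r in records)
    duplicates = sorted(p for p, n in ids.items() if n > 1)
    first_seen, latest = {}, {}
    for r in sorted(records, key=lambda r: r["date"]):  # chronological: last status wins
        first_seen.setdefault(r["domain"], r["date"])
        latest[r["domain"]] = r["status"]
    live_age = sorted(((as_of - first_seen[d]).days, d) for d, s in latest.items() if s == "LIVE")
    return {"by_tld": by_tld, "duplicates": duplicates, "live_age_days": live_age[::-1]}


if __name__ == "__main__":
    print(summarise(parse_records(SAMPLE), REPORT_DATE))
```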
