I realize .hk is a problem, but a few suggestions: 1. Can we have a third party rather than CastleCops try to contactthem and see if they are willing to cooprate?
2. Is the .hk situation worse than .info or .biz? If both of these have been answered, there is some pressure to be applied, both privately and publicly. Gadi. On Sun, 18 Mar 2007, Gary Warner wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Friends, > > I am ready to declare that we are having a Crisis situation with HKDNR > and their unwillingness or failure to de-register domain names which > have been registered for purpose of fraudulent activity. > > At CastleCops PIRT Squad we are observing that SEVERAL fraud categories > are now hosting almost exclusively on ".hk" domains because they are > realizing there is a pattern of refusal to follow their own guidelines > and eliminate these domains. > > Of the 380 phishing reports that our team has published so far in June, > 58 of these reports were related to a ".hk" domain. Of these, at least > 40 remain "live" at this time. These are the longest-lived rock phish > we have seen in more than six months, and they will remain live until we > get cooperation from HKDNR to terminate these domains. > > HKDNR sends back nice form letters that say that they are working with > the HKCERT and HK Police, but they don't actually stop the fraud. > HKCERT sends back nice form letters saying they have alerted the > appropriate ISPs, but they also don't do anything to encourage HKDNR to > deregister the fraudulent domains. > > As an anti-phishing group, our primary concern is the Rock Phish group > has begun hosting almost exclusively on .hk domains, but I want to > mention that pill spammers and mule recruiters (who may actually be the > same criminal enterprise) are also hosting there as the perception that > .hk domains stay live a long time spreads throughout the cybercrime world. > > Here are some sample .hk domains used by the rock phisher: > > 05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk > 05MAR07 - TERMINATED - PIRT#160525 - techid.hk > 05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk > 06MAR07 - LIVE - PIRT#160819 - itdo.hk > 06MAR07 - TERMINATED - PIRT#161109 - trenit.hk > 06MAR07 - TERMINATED - PIRT#161116 - ident2.hk > 06MAR07 - LIVE - PIRT#161130 - ident1.hk > 06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk > 06MAR07 - LIVE - PIRT#160856 - ident.hk > 06MAR07 - LIVE - PIRT#161144 - stackdr.hk > 07MAR07 - TERMINATED - PIRT#161380 - idllc.hk > 07MAR07 - LIVE - PIRT#161837 - jdllid.hk > 07MAR07 - LIVE - PIRT#161835 - tokretweb.hk > 08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk > 08MAR07 - TERMINATED - PIRT#161390 - idname.hk > 08MAR07 - LIVE - PIRT#161625 - idisop.hk > 08MAR07 - LIVE - PIRT#161789 - idissp.hk > 08MAR07 - LIVE - PIRT#161706 - idisor.hk > 08MAR07 - LIVE - PIRT#160842 - idusers.hk > 09MAR07 - TERMINATED - PIRT#160517 - custid.hk > 09MAR07 - LIVE - PIRT#161708 - idisap.hk > 09MAR07 - LIVE - PIRT#161963 - troniekweb.hk > 09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk > 09MAR07 - LIVE - PIRT#162969 - troniek.hk > 09MAR07 - LIVE - PIRT#161855 - idisup.hk > 10MAR07 - LIVE - PIRT#162968 - tokret.hk > 10MAR07 - LIVE - PIRT#161855 - idisup.hk > 10MAR07 - LIVE - PIRT#161824 - toptenret.hk > 10MAR07 - LIVE - PIRT#163165 - idissp.hk (duplicate of 161789) > 10MAR07 - LIVE - PIRT#161354 - hktech.hk > 10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux) > 10MAR07 - TERMINATED - PIRT#161384 - lltco.hk > 11MAR07 - LIVE - PIRT#162545 - techhk.hk > 11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock) > 13MAR07 - LIVE - PIRT#165204 - dllsid.hk > 14MAR07 - LIVE - PIRT#165271 - kletro.hk > 14MAR07 - LIVE - PIRT#165309 - coit.hk > 14MAR07 - LIVE - PIRT#165936 - erw3d.hk > 14MAR07 - LIVE - PIRT#165196 - hkpermanent.hk > 14MAR07 - LIVE - PIRT#165947 - glor.hk > 14MAR07 - LIVE - PIRT#166027 - sjuxu.hk > 15MAR07 - LIVE - PIRT#165195 - dllsdk.hk > 15MAR07 - LIVE - PIRT#166036 - kddrm.hk > 15MAR07 - TERMINATED - PIRT#166064 - vlot.hk > 15MAR07 - LIVE - PIRT#166103 - louf3.hk > 15MAR07 - LIVE - PIRT#166121 - hsa.hk > 15MAR07 - LIVE - PIRT#166127 - ere4.hk > 15MAR07 - LIVE - PIRT#166134 - ddibb.hk (not worked yet) > 16MAR07 - LIVE - PIRT#166596 - tenret.hk > 16MAR07 - LIVE - PIRT#161824 - toptenret.hk (duplicate of 161824) > 16MAR07 - LIVE - PIRT#166079 - seem.hk > 16MAR07 - LIVE - PIRT#165430 - file7.hk > 16MAR07 - LIVE - PIRT#160819 - itdo.hk > 17MAR07 - LIVE - PIRT#166131 - dsjue3.hk > 17MAR07 - LIVE - PIRT#167820 - sdjsa.hk > 17MAR07 - LIVE - PIRT#167581 - themkdu.tw > 17MAR07 - LIVE - PIRT#167581 - xlopec.hk used as nameserver > 18MAR07 - LIVE - PIRT#166078 - serkft.hk > > > In Rock Phish, many brands of phish are all present on each server. We > can show they are related by replacing the "directory" portion of the > URL. The current "live" rock phish are: > > Fifth Third Bank = /r1/cbdir/ > Bank of America = /update/default/ > BB&T = /bbtc > BB&T = /cbus > BB&T = /update/K1/sb_login.jsp > Nordea = /widecarea.aspx > Sparkasse = /update/banking.cgi/index.html > US Bank = /client.cfm > > If you are aware of others WHICH ARE LIVE please send them back to me. > Some recently live (but not current) paths include: > > Volksbank = /vr > Sparkasse = /kund.id > Citibank.de = /anmelden.cgi > > > > What is MOST IMPORTANT is that HKDNR provide to CastleCops and other > security professional their preferred channel to receive such alerts, > and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!! > > Contacts for CastleCops regarding this situation: > > #1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED] > #2. PIRT Handler - Gary Warner - [EMAIL PROTECTED] > > One of our other Handlers is leading our rock phish efforts. We will > make appropriate introductions to parties who can help. > > Some of the "Money Mule" domains at .hk include: > > radgrup.hk > radgrp.hk > radiusgrp.hk > luxcap.hk > luxcatl.hk > luxcaptl.hk > luxcapi.hk > luxcapit.hk > finconsinter.hk > interfic.hk > interfinconsult.hk > > > Some of the pillspam domains (International Legal RX in this case) include: > > amhhcl.topjujuq.hk > asdapw.mikia.hk > svofrt.iizz.hk > ukfspw.mikia.hk > > > > ========================= > Sample reply from HKDNR follows: > > (I have 28 copies of this form email received between March 5 and March > 12. In most of the 28 cases, the fraudulent domain is still online. > Apparently after March 12 they decided to stop answering our emails at > all, since we are no longer even getting the form letter replies. They > just block the email and let the fraud continue.) > > ========================= > > Dear customer, > > Thank you for your email. As we would work together with HKCERT and Hong > Kong Police to make Hong Kong and the Internet a safe place for > business, do you mind if we can also forward your email to Hong Kong > Police and HKCERT for investigation? In the meantime, you can consider > to report the case to your local law enforcement authority. > > Should you have any queries, please feel free to contact us. > > Best regards, > > Customer Service Department > Hong Kong Domain Name Registration Company Limited > Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, > Sheung Wan, Hong Kong > Phone No.: +852 2319 1313 > Fax No.: +852 2319 2626 > Email: [EMAIL PROTECTED] > > ====================================== > Here is a sample email from HKCERT: > ====================================== > > Dear Sir/Madam, > > Thank for your report on [ [10368290-553350] Fraudulent Domain Name used > in Phishing Scheme (ident1.hk)] dated [14Mar > 07]. > > Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) > have passed your case to the corresponding ISP/Parties to follow up. > > Please refer to our case no for ongoing follow up. > HKCERT Case No: 20070274 > First Report Date: 14 Mar 07 > > Regards, > HKCERT > Tel: +852-81056060 > E-mail: [EMAIL PROTECTED] > > ========================= > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.4 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFF/aXWg79eYCOO6PsRAruXAJ9LZU0eN4nuSOsIukWsbsyBdJMdxQCcC01o > CimTVB259YyucCE6g3r0PP0= > =JZDh > -----END PGP SIGNATURE----- > _______________________________________________ > phishing mailing list > firstname.lastname@example.org > http://www.whitestar.linuxbox.org/mailman/listinfo/phishing > _______________________________________________ phishing mailing list email@example.com http://www.whitestar.linuxbox.org/mailman/listinfo/phishing