On Sun, 18 Mar 2007, Steve Pirk wrote: > What about contacting someone a ICANN? I know it sounds dumb, > but someone had to grant HKDNR permission to be a .hk registrar.
Contacting ICANN is not likely to help with the US cases, it is not currently what ICANN is after as far as I understand it. .hk.. not really. > > -- > Steve > panic: can't find / > > On Sun, 18 Mar 2007, Tom wrote: > > > The only way we had any luck was shutting down the phishing DNSs as > > HKDNR will net even send us that "form letter" anymore. > > > > But now the are using multiple DNS deployed on multiple zombies and > > half of those phish are multihomed as well and we have gotten nada > > support from comcast, lvel3, etc to deal with zombied residentials. > > You can imagine the support to shut down zombied residentials > > overseas. However I will say that a number of russian ISP have done > > a pretty good job shutting them down. > > > > The gang doing this even tookover some USG machines for DNS that I > > reported late last week. > > > > I am not sure that HKDNR is ethical. But if anyone finds a contact > > point that works let us know. > > > > Tom > > > > At 3:49 PM -0500 3/18/07, Gary Warner wrote: > > >-----BEGIN PGP SIGNED MESSAGE----- > > >Hash: SHA1 > > > > > >Friends, > > > > > >I am ready to declare that we are having a Crisis situation with HKDNR > > >and their unwillingness or failure to de-register domain names which > > >have been registered for purpose of fraudulent activity. > > > > > >At CastleCops PIRT Squad we are observing that SEVERAL fraud categories > > >are now hosting almost exclusively on ".hk" domains because they are > > >realizing there is a pattern of refusal to follow their own guidelines > > >and eliminate these domains. > > > > > >Of the 380 phishing reports that our team has published so far in June, > > >58 of these reports were related to a ".hk" domain. Of these, at least > > >40 remain "live" at this time. These are the longest-lived rock phish > > >we have seen in more than six months, and they will remain live until we > > >get cooperation from HKDNR to terminate these domains. > > > > > >HKDNR sends back nice form letters that say that they are working with > > >the HKCERT and HK Police, but they don't actually stop the fraud. > > >HKCERT sends back nice form letters saying they have alerted the > > >appropriate ISPs, but they also don't do anything to encourage HKDNR to > > >deregister the fraudulent domains. > > > > > >As an anti-phishing group, our primary concern is the Rock Phish group > > >has begun hosting almost exclusively on .hk domains, but I want to > > >mention that pill spammers and mule recruiters (who may actually be the > > >same criminal enterprise) are also hosting there as the perception that > > >.hk domains stay live a long time spreads throughout the cybercrime world. > > > > > >Here are some sample .hk domains used by the rock phisher: > > > > > >05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk > > >05MAR07 - TERMINATED - PIRT#160525 - techid.hk > > >05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk > > >06MAR07 - LIVE - PIRT#160819 - itdo.hk > > >06MAR07 - TERMINATED - PIRT#161109 - trenit.hk > > >06MAR07 - TERMINATED - PIRT#161116 - ident2.hk > > >06MAR07 - LIVE - PIRT#161130 - ident1.hk > > >06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk > > >06MAR07 - LIVE - PIRT#160856 - ident.hk > > >06MAR07 - LIVE - PIRT#161144 - stackdr.hk > > >07MAR07 - TERMINATED - PIRT#161380 - idllc.hk > > >07MAR07 - LIVE - PIRT#161837 - jdllid.hk > > >07MAR07 - LIVE - PIRT#161835 - tokretweb.hk > > >08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk > > >08MAR07 - TERMINATED - PIRT#161390 - idname.hk > > >08MAR07 - LIVE - PIRT#161625 - idisop.hk > > >08MAR07 - LIVE - PIRT#161789 - idissp.hk > > >08MAR07 - LIVE - PIRT#161706 - idisor.hk > > >08MAR07 - LIVE - PIRT#160842 - idusers.hk > > >09MAR07 - TERMINATED - PIRT#160517 - custid.hk > > >09MAR07 - LIVE - PIRT#161708 - idisap.hk > > >09MAR07 - LIVE - PIRT#161963 - troniekweb.hk > > >09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk > > >09MAR07 - LIVE - PIRT#162969 - troniek.hk > > >09MAR07 - LIVE - PIRT#161855 - idisup.hk > > >10MAR07 - LIVE - PIRT#162968 - tokret.hk > > >10MAR07 - LIVE - PIRT#161855 - idisup.hk > > >10MAR07 - LIVE - PIRT#161824 - toptenret.hk > > >10MAR07 - LIVE - PIRT#163165 - idissp.hk (duplicate of 161789) > > >10MAR07 - LIVE - PIRT#161354 - hktech.hk > > >10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux) > > >10MAR07 - TERMINATED - PIRT#161384 - lltco.hk > > >11MAR07 - LIVE - PIRT#162545 - techhk.hk > > >11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock) > > >13MAR07 - LIVE - PIRT#165204 - dllsid.hk > > >14MAR07 - LIVE - PIRT#165271 - kletro.hk > > >14MAR07 - LIVE - PIRT#165309 - coit.hk > > >14MAR07 - LIVE - PIRT#165936 - erw3d.hk > > >14MAR07 - LIVE - PIRT#165196 - hkpermanent.hk > > >14MAR07 - LIVE - PIRT#165947 - glor.hk > > >14MAR07 - LIVE - PIRT#166027 - sjuxu.hk > > >15MAR07 - LIVE - PIRT#165195 - dllsdk.hk > > >15MAR07 - LIVE - PIRT#166036 - kddrm.hk > > >15MAR07 - TERMINATED - PIRT#166064 - vlot.hk > > >15MAR07 - LIVE - PIRT#166103 - louf3.hk > > >15MAR07 - LIVE - PIRT#166121 - hsa.hk > > >15MAR07 - LIVE - PIRT#166127 - ere4.hk > > >15MAR07 - LIVE - PIRT#166134 - ddibb.hk (not worked yet) > > >16MAR07 - LIVE - PIRT#166596 - tenret.hk > > >16MAR07 - LIVE - PIRT#161824 - toptenret.hk (duplicate of 161824) > > >16MAR07 - LIVE - PIRT#166079 - seem.hk > > >16MAR07 - LIVE - PIRT#165430 - file7.hk > > >16MAR07 - LIVE - PIRT#160819 - itdo.hk > > >17MAR07 - LIVE - PIRT#166131 - dsjue3.hk > > >17MAR07 - LIVE - PIRT#167820 - sdjsa.hk > > >17MAR07 - LIVE - PIRT#167581 - themkdu.tw > > >17MAR07 - LIVE - PIRT#167581 - xlopec.hk used as nameserver > > >18MAR07 - LIVE - PIRT#166078 - serkft.hk > > > > > > > > >In Rock Phish, many brands of phish are all present on each server. We > > >can show they are related by replacing the "directory" portion of the > > >URL. The current "live" rock phish are: > > > > > >Fifth Third Bank = /r1/cbdir/ > > >Bank of America = /update/default/ > > >BB&T = /bbtc > > >BB&T = /cbus > > >BB&T = /update/K1/sb_login.jsp > > >Nordea = /widecarea.aspx > > >Sparkasse = /update/banking.cgi/index.html > > >US Bank = /client.cfm > > > > > >If you are aware of others WHICH ARE LIVE please send them back to me. > > >Some recently live (but not current) paths include: > > > > > >Volksbank = /vr > > >Sparkasse = /kund.id > > >Citibank.de = /anmelden.cgi > > > > > > > > > > > >What is MOST IMPORTANT is that HKDNR provide to CastleCops and other > > >security professional their preferred channel to receive such alerts, > > >and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!! > > > > > >Contacts for CastleCops regarding this situation: > > > > > >#1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED] > > >#2. PIRT Handler - Gary Warner - [EMAIL PROTECTED] > > > > > >One of our other Handlers is leading our rock phish efforts. We will > > >make appropriate introductions to parties who can help. > > > > > >Some of the "Money Mule" domains at .hk include: > > > > > >radgrup.hk > > >radgrp.hk > > >radiusgrp.hk > > >luxcap.hk > > >luxcatl.hk > > >luxcaptl.hk > > >luxcapi.hk > > >luxcapit.hk > > >finconsinter.hk > > >interfic.hk > > >interfinconsult.hk > > > > > > > > >Some of the pillspam domains (International Legal RX in this case) include: > > > > > >amhhcl.topjujuq.hk > > >asdapw.mikia.hk > > >svofrt.iizz.hk > > >ukfspw.mikia.hk > > > > > > > > > > > >========================= > > >Sample reply from HKDNR follows: > > > > > >(I have 28 copies of this form email received between March 5 and March > > >12. In most of the 28 cases, the fraudulent domain is still online. > > >Apparently after March 12 they decided to stop answering our emails at > > >all, since we are no longer even getting the form letter replies. They > > >just block the email and let the fraud continue.) > > > > > >========================= > > > > > >Dear customer, > > > > > >Thank you for your email. As we would work together with HKCERT and Hong > > >Kong Police to make Hong Kong and the Internet a safe place for > > >business, do you mind if we can also forward your email to Hong Kong > > >Police and HKCERT for investigation? In the meantime, you can consider > > >to report the case to your local law enforcement authority. > > > > > >Should you have any queries, please feel free to contact us. > > > > > >Best regards, > > > > > >Customer Service Department > > >Hong Kong Domain Name Registration Company Limited > > >Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, > > >Sheung Wan, Hong Kong > > >Phone No.: +852 2319 1313 > > >Fax No.: +852 2319 2626 > > >Email: [EMAIL PROTECTED] > > > > > >====================================== > > >Here is a sample email from HKCERT: > > >====================================== > > > > > >Dear Sir/Madam, > > > > > >Thank for your report on [ [10368290-553350] Fraudulent Domain Name used > > >in Phishing Scheme (ident1.hk)] dated [14Mar > > >07]. > > > > > >Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) > > >have passed your case to the corresponding ISP/Parties to follow up. > > > > > >Please refer to our case no for ongoing follow up. > > >HKCERT Case No: 20070274 > > >First Report Date: 14 Mar 07 > > > > > >Regards, > > >HKCERT > > >Tel: +852-81056060 > > >E-mail: [EMAIL PROTECTED] > > > > > >========================= > > >-----BEGIN PGP SIGNATURE----- > > >Version: GnuPG v1.4.4 (MingW32) > > >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > > > > >iD8DBQFF/aXWg79eYCOO6PsRAruXAJ9LZU0eN4nuSOsIukWsbsyBdJMdxQCcC01o > > >CimTVB259YyucCE6g3r0PP0= > > >=JZDh > > >-----END PGP SIGNATURE----- > > >_______________________________________________ > > >phishing mailing list > > >phishing@whitestar.linuxbox.org > > >http://www.whitestar.linuxbox.org/mailman/listinfo/phishing > > > > > > -- > > > > Tom Shaw - Chief Engineer, OITC > > <[EMAIL PROTECTED]>, http://www.oitc.com/ > > US Phone Numbers: 321-984-3714, 321-729-6258(fax), > > 321-258-2475(cell/voice mail,pager) > > Text Paging: http://www.oitc.com/Pager/sendmessage.html > > AIM/iChat: [EMAIL PROTECTED] > > Google Talk: [EMAIL PROTECTED] > > skype: trshaw > > _______________________________________________ > > phishing mailing list > > phishing@whitestar.linuxbox.org > > http://www.whitestar.linuxbox.org/mailman/listinfo/phishing > > > _______________________________________________ > phishing mailing list > phishing@whitestar.linuxbox.org > http://www.whitestar.linuxbox.org/mailman/listinfo/phishing > _______________________________________________ phishing mailing list phishing@whitestar.linuxbox.org http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
