On Sun, 18 Mar 2007, Steve Pirk wrote:
> What about contacting someone at ICANN? I know it sounds dumb,
> but someone had to grant HKDNR permission to be a .hk registrar.

Contacting ICANN is not likely to help with the US cases; it is not
currently what ICANN is after, as far as I understand it. .hk... not really.

> 
> --
> Steve
> panic: can't find /
> 
> On Sun, 18 Mar 2007, Tom wrote:
> 
> > The only way we had any luck was shutting down the phishing DNSs as
> > HKDNR will not even send us that "form letter" anymore.
> >
> > But now they are using multiple DNS servers deployed on multiple zombies, and
> > half of those phish are multihomed as well, and we have gotten nada
> > support from Comcast, Level3, etc. to deal with zombied residentials.
> > You can imagine the support to shut down zombied residentials
> > overseas.  However, I will say that a number of Russian ISPs have done
> > a pretty good job shutting them down.
> >
> > The gang doing this even took over some USG machines for DNS that I
> > reported late last week.
> >
> > I am not sure that HKDNR is ethical. But if anyone finds a contact
> > point that works let us know.
> >
> > Tom
> >
> > At 3:49 PM -0500 3/18/07, Gary Warner wrote:
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > >Friends,
> > >
> > >I am ready to declare that we are having a Crisis situation with HKDNR
> > >and their unwillingness or failure to de-register domain names which
> > >have been registered for purpose of fraudulent activity.
> > >
> > >At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
> > >are now hosting almost exclusively on ".hk" domains because they are
> > >realizing there is a pattern of refusal to follow their own guidelines
> > >and eliminate these domains.
> > >
> > >Of the 380 phishing reports that our team has published so far in June,
> > >58 of these reports were related to a ".hk" domain.  Of these, at least
> > >40 remain "live" at this time.  These are the longest-lived rock phish
> > >we have seen in more than six months, and they will remain live until we
> > >get cooperation from HKDNR to terminate these domains.
> > >
> > >HKDNR sends back nice form letters that say that they are working with
> > >the HKCERT and HK Police, but they don't actually stop the fraud.
> > >HKCERT sends back nice form letters saying they have alerted the
> > >appropriate ISPs, but they also don't do anything to encourage HKDNR to
> > >deregister the fraudulent domains.
> > >
> > >As an anti-phishing group, our primary concern is the Rock Phish group
> > >has begun hosting almost exclusively on .hk domains, but I want to
> > >mention that pill spammers and mule recruiters (who may actually be the
> > >same criminal enterprise) are also hosting there as the perception that
> > >.hk domains stay live a long time spreads throughout the cybercrime world.
> > >
> > >Here are some sample .hk domains used by the rock phisher:
> > >
> > >05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
> > >05MAR07 - TERMINATED - PIRT#160525 - techid.hk
> > >05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
> > >06MAR07 - LIVE       - PIRT#160819 - itdo.hk
> > >06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
> > >06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
> > >06MAR07 - LIVE       - PIRT#161130 - ident1.hk
> > >06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
> > >06MAR07 - LIVE       - PIRT#160856 - ident.hk
> > >06MAR07 - LIVE       - PIRT#161144 - stackdr.hk
> > >07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
> > >07MAR07 - LIVE       - PIRT#161837 - jdllid.hk
> > >07MAR07 - LIVE       - PIRT#161835 - tokretweb.hk
> > >08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
> > >08MAR07 - TERMINATED - PIRT#161390 - idname.hk
> > >08MAR07 - LIVE       - PIRT#161625 - idisop.hk
> > >08MAR07 - LIVE       - PIRT#161789 - idissp.hk
> > >08MAR07 - LIVE       - PIRT#161706 - idisor.hk
> > >08MAR07 - LIVE       - PIRT#160842 - idusers.hk
> > >09MAR07 - TERMINATED - PIRT#160517 - custid.hk
> > >09MAR07 - LIVE       - PIRT#161708 - idisap.hk
> > >09MAR07 - LIVE       - PIRT#161963 - troniekweb.hk
> > >09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
> > >09MAR07 - LIVE       - PIRT#162969 - troniek.hk
> > >09MAR07 - LIVE       - PIRT#161855 - idisup.hk
> > >10MAR07 - LIVE       - PIRT#162968 - tokret.hk
> > >10MAR07 - LIVE       - PIRT#161855 - idisup.hk
> > >10MAR07 - LIVE       - PIRT#161824 - toptenret.hk
> > >10MAR07 - LIVE       - PIRT#163165 - idissp.hk (duplicate of 161789)
> > >10MAR07 - LIVE       - PIRT#161354 - hktech.hk
> > >10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
> > >10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
> > >11MAR07 - LIVE       - PIRT#162545 - techhk.hk
> > >11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
> > >13MAR07 - LIVE       - PIRT#165204 - dllsid.hk
> > >14MAR07 - LIVE       - PIRT#165271 - kletro.hk
> > >14MAR07 - LIVE       - PIRT#165309 - coit.hk
> > >14MAR07 - LIVE       - PIRT#165936 - erw3d.hk
> > >14MAR07 - LIVE       - PIRT#165196 - hkpermanent.hk
> > >14MAR07 - LIVE       - PIRT#165947 - glor.hk
> > >14MAR07 - LIVE       - PIRT#166027 - sjuxu.hk
> > >15MAR07 - LIVE       - PIRT#165195 - dllsdk.hk
> > >15MAR07 - LIVE       - PIRT#166036 - kddrm.hk
> > >15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
> > >15MAR07 - LIVE       - PIRT#166103 - louf3.hk
> > >15MAR07 - LIVE       - PIRT#166121 - hsa.hk
> > >15MAR07 - LIVE       - PIRT#166127 - ere4.hk
> > >15MAR07 - LIVE       - PIRT#166134 - ddibb.hk (not worked yet)
> > >16MAR07 - LIVE       - PIRT#166596 - tenret.hk
> > >16MAR07 - LIVE       - PIRT#161824 - toptenret.hk (duplicate of 161824)
> > >16MAR07 - LIVE       - PIRT#166079 - seem.hk
> > >16MAR07 - LIVE       - PIRT#165430 - file7.hk
> > >16MAR07 - LIVE       - PIRT#160819 - itdo.hk
> > >17MAR07 - LIVE       - PIRT#166131 - dsjue3.hk
> > >17MAR07 - LIVE       - PIRT#167820 - sdjsa.hk
> > >17MAR07 - LIVE       - PIRT#167581 - themkdu.tw
> > >17MAR07 - LIVE       - PIRT#167581 - xlopec.hk used as nameserver
> > >18MAR07 - LIVE       - PIRT#166078 - serkft.hk
> > >
> > >
> > >In Rock Phish, many brands of phish are all present on each server.  We
> > >can show they are related by replacing the "directory" portion of the
> > >URL.  The current "live" rock phish are:
> > >
> > >Fifth Third Bank = /r1/cbdir/
> > >Bank of America = /update/default/
> > >BB&T = /bbtc
> > >BB&T = /cbus
> > >BB&T = /update/K1/sb_login.jsp
> > >Nordea = /widecarea.aspx
> > >Sparkasse = /update/banking.cgi/index.html
> > >US Bank = /client.cfm
> > >
> > >If you are aware of others WHICH ARE LIVE please send them back to me.
> > >Some recently live (but not current) paths include:
> > >
> > >Volksbank = /vr
> > >Sparkasse = /kund.id
> > >Citibank.de = /anmelden.cgi
> > >
> > >
> > >
> > >What is MOST IMPORTANT is that HKDNR provide to CastleCops and other
> > >security professionals their preferred channel to receive such alerts,
> > >and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!!
> > >
> > >Contacts for CastleCops regarding this situation:
> > >
> > >#1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
> > >#2. PIRT Handler     - Gary Warner     - [EMAIL PROTECTED]
> > >
> > >One of our other Handlers is leading our rock phish efforts.  We will
> > >make appropriate introductions to parties who can help.
> > >
> > >Some of the "Money Mule" domains at .hk include:
> > >
> > >radgrup.hk
> > >radgrp.hk
> > >radiusgrp.hk
> > >luxcap.hk
> > >luxcatl.hk
> > >luxcaptl.hk
> > >luxcapi.hk
> > >luxcapit.hk
> > >finconsinter.hk
> > >interfic.hk
> > >interfinconsult.hk
> > >
> > >
> > >Some of the pillspam domains (International Legal RX in this case) include:
> > >
> > >amhhcl.topjujuq.hk
> > >asdapw.mikia.hk
> > >svofrt.iizz.hk
> > >ukfspw.mikia.hk
> > >
> > >
> > >
> > >=========================
> > >Sample reply from HKDNR follows:
> > >
> > >(I have 28 copies of this form email received between March 5 and March
> > >12.  In most of the 28 cases, the fraudulent domain is still online.
> > >Apparently after March 12 they decided to stop answering our emails at
> > >all, since we are no longer even getting the form letter replies.  They
> > >just block the email and let the fraud continue.)
> > >
> > >=========================
> > >
> > >Dear customer,
> > >
> > >Thank you for your email. As we work together with HKCERT and Hong
> > >Kong Police to make Hong Kong and the Internet a safe place for
> > >business, do you mind if we also forward your email to Hong Kong
> > >Police and HKCERT for investigation? In the meantime, you can consider
> > >reporting the case to your local law enforcement authority.
> > >
> > >Should you have any queries, please feel free to contact us.
> > >
> > >Best regards,
> > >
> > >Customer Service Department
> > >Hong Kong Domain Name Registration Company Limited
> > >Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
> > >Sheung Wan, Hong Kong
> > >Phone No.: +852 2319 1313
> > >Fax No.: +852 2319 2626
> > >Email: [EMAIL PROTECTED]
> > >
> > >======================================
> > >Here is a sample email from HKCERT:
> > >======================================
> > >
> > >Dear Sir/Madam,
> > >
> > >Thank you for your report on [ [10368290-553350] Fraudulent Domain Name used
> > >in Phishing Scheme (ident1.hk)] dated [14 Mar 07].
> > >
> > >Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
> > >has passed your case to the corresponding ISP/parties to follow up.
> > >
> > >Please refer to our case no. for ongoing follow-up.
> > >HKCERT Case No: 20070274
> > >First Report Date: 14 Mar 07
> > >
> > >Regards,
> > >HKCERT
> > >Tel: +852-81056060
> > >E-mail: [EMAIL PROTECTED]
> > >
> > >=========================
> > >-----BEGIN PGP SIGNATURE-----
> > >Version: GnuPG v1.4.4 (MingW32)
> > >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > >iD8DBQFF/aXWg79eYCOO6PsRAruXAJ9LZU0eN4nuSOsIukWsbsyBdJMdxQCcC01o
> > >CimTVB259YyucCE6g3r0PP0=
> > >=JZDh
> > >-----END PGP SIGNATURE-----
> > >_______________________________________________
> > >phishing mailing list
> > >phishing@whitestar.linuxbox.org
> > >http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
> >
> >
> > --
> >
> > Tom Shaw - Chief Engineer, OITC
> > <[EMAIL PROTECTED]>, http://www.oitc.com/
> > US Phone Numbers: 321-984-3714, 321-729-6258(fax),
> > 321-258-2475(cell/voice mail,pager)
> > Text Paging: http://www.oitc.com/Pager/sendmessage.html
> > AIM/iChat: [EMAIL PROTECTED]
> > Google Talk: [EMAIL PROTECTED]
> > skype: trshaw
> >
> 

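The "replace the directory portion of the URL" check that Gary Warner describes above, written out as an added example; this is not code from the thread, from CastleCops or from PIRT. The brand-to-path table copies the rock-phish paths he listed. The sample URLs, the example.hk name and the registrable-domain helper (which simply keeps the last two labels and so ignores multi-label suffixes such as .com.hk) are constructed assumptions for illustration, not observed data.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Brand -> "directory" portion of the URL, copied from the list in the thread.
# BB&T appears with three different paths, so this is a list of pairs.
ROCK_PATHS = [
    ("Fifth Third Bank", "/r1/cbdir/"),
    ("Bank of America", "/update/default/"),
    ("BB&T", "/bbtc"),
    ("BB&T", "/cbus"),
    ("BB&T", "/update/K1/sb_login.jsp"),
    ("Nordea", "/widecarea.aspx"),
    ("Sparkasse", "/update/banking.cgi/index.html"),
    ("US Bank", "/client.cfm"),
]


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registered name (last two labels).

    Assumption/simplification: this ignores multi-label suffixes such as
    .com.hk, for which a public-suffix list would be needed.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def match_brand(path: str):
    """Return the brand whose known rock-phish path this URL path belongs to.

    A path matches if it equals the known path or lives underneath a known
    directory (so /update/default/index.html still matches Bank of America),
    but /bbtcx does not match /bbtc.
    """
    for brand, known in ROCK_PATHS:
        if path == known or path.startswith(known.rstrip("/") + "/"):
            return brand
    return None


def sibling_urls(url: str):
    """The substitution test from the thread: keep scheme and host, swap in
    every known rock path, drop any query string. These are the URLs one
    would probe to show that a single host carries many brands."""
    parts = urlsplit(url)
    return [
        urlunsplit((parts.scheme, parts.netloc, known, "", ""))
        for _, known in ROCK_PATHS
    ]


def cluster_rock_hosts(urls, min_brands: int = 2):
    """Group observed URLs by registered domain and return the domains that
    serve at least `min_brands` distinct known rock-phish paths."""
    brands_by_domain = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        brand = match_brand(parts.path)
        if brand is not None and parts.hostname:
            brands_by_domain[registrable_domain(parts.hostname)].add(brand)
    return {d: b for d, b in brands_by_domain.items() if len(b) >= min_brands}


# Constructed sample reports (not real observed URLs). The domain names are
# taken from the list in the thread; the paths, query strings and example.hk
# are made up for the example.
SAMPLE_URLS = [
    "http://ident1.hk/r1/cbdir/",
    "http://ident1.hk/update/default/index.html",
    "http://www.ident1.hk/client.cfm?id=1",
    "http://idisup.hk/bbtc",
    "http://idisup.hk/widecarea.aspx",
    "http://lloydslsb.hk/lloyds/login.php",   # not a rock path: no match
    "http://example.hk/update/default/",      # one brand only: not clustered
]

if __name__ == "__main__":
    for domain, brands in sorted(cluster_rock_hosts(SAMPLE_URLS).items()):
        print(domain, sorted(brands))
    for candidate in sibling_urls("http://idisup.hk/bbtc"):
        print("probe:", candidate)
```

Run against the constructed sample, ident1.hk and idisup.hk come out as multi-brand hosts, while the fast-flux lloydslsb.hk report and the single-brand example.hk do not. Matching on path prefixes rather than exact strings matters because the kits add index pages and query strings under the same directory; the prefix match is anchored at a path boundary so that unrelated paths sharing a few leading characters are not swept in.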
