I sent a nice email friday to them and got the exact same form 
letter. By sunday morning they were no longer responding at all.

Tom

At 7:21 PM -0500 3/18/07, Gadi Evron wrote:
>I realize .hk is a problem, but a few suggestions:
>1. Can we have a third party rather than CastleCops try to contactthem and
>see if they are willing to cooprate?
>
>2. Is the .hk situation worse than .info or .biz?
>
>If both of these have been answered, there is some pressure to be applied,
>both privately and publicly.
>
>       Gadi.
>
>On Sun, 18 Mar 2007, Gary Warner wrote:
>
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA1
>>
>>  Friends,
>>
>>  I am ready to declare that we are having a Crisis situation with HKDNR
>>  and their unwillingness or failure to de-register domain names which
>>  have been registered for purpose of fraudulent activity.
>>
>>  At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
>>  are now hosting almost exclusively on ".hk" domains because they are
>>  realizing there is a pattern of refusal to follow their own guidelines
>>  and eliminate these domains.
>>
>>  Of the 380 phishing reports that our team has published so far in June,
>>  58 of these reports were related to a ".hk" domain.  Of these, at least
>>  40 remain "live" at this time.  These are the longest-lived rock phish
>>  we have seen in more than six months, and they will remain live until we
>>  get cooperation from HKDNR to terminate these domains.
>>
>>  HKDNR sends back nice form letters that say that they are working with
>>  the HKCERT and HK Police, but they don't actually stop the fraud.
>>  HKCERT sends back nice form letters saying they have alerted the
>>  appropriate ISPs, but they also don't do anything to encourage HKDNR to
>>  deregister the fraudulent domains.
>>
>>  As an anti-phishing group, our primary concern is the Rock Phish group
>>  has begun hosting almost exclusively on .hk domains, but I want to
>>  mention that pill spammers and mule recruiters (who may actually be the
>>  same criminal enterprise) are also hosting there as the perception that
>>  .hk domains stay live a long time spreads throughout the cybercrime world.
>>
>>  Here are some sample .hk domains used by the rock phisher:
>>
>>  05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
>>  05MAR07 - TERMINATED - PIRT#160525 - techid.hk
>>  05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
>>  06MAR07 - LIVE       - PIRT#160819 - itdo.hk
>>  06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
>>  06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
>>  06MAR07 - LIVE       - PIRT#161130 - ident1.hk
>>  06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
>>  06MAR07 - LIVE       - PIRT#160856 - ident.hk
>>  06MAR07 - LIVE       - PIRT#161144 - stackdr.hk
>>  07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
>>  07MAR07 - LIVE       - PIRT#161837 - jdllid.hk
>>  07MAR07 - LIVE       - PIRT#161835 - tokretweb.hk
>>  08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
>>  08MAR07 - TERMINATED - PIRT#161390 - idname.hk
>>  08MAR07 - LIVE       - PIRT#161625 - idisop.hk
>>  08MAR07 - LIVE       - PIRT#161789 - idissp.hk
>>  08MAR07 - LIVE       - PIRT#161706 - idisor.hk
>>  08MAR07 - LIVE       - PIRT#160842 - idusers.hk
>>  09MAR07 - TERMINATED - PIRT#160517 - custid.hk
>>  09MAR07 - LIVE       - PIRT#161708 - idisap.hk
>>  09MAR07 - LIVE       - PIRT#161963 - troniekweb.hk
>>  09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
>>  09MAR07 - LIVE       - PIRT#162969 - troniek.hk
>>  09MAR07 - LIVE       - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE       - PIRT#162968 - tokret.hk
>>  10MAR07 - LIVE       - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE       - PIRT#161824 - toptenret.hk
>>  10MAR07 - LIVE       - PIRT#163165 - idissp.hk (duplicate of 161789)
>>  10MAR07 - LIVE       - PIRT#161354 - hktech.hk
>>  10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
>>  10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
>>  11MAR07 - LIVE       - PIRT#162545 - techhk.hk
>>  11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
>  > 13MAR07 - LIVE       - PIRT#165204 - dllsid.hk
>>  14MAR07 - LIVE       - PIRT#165271 - kletro.hk
>>  14MAR07 - LIVE       - PIRT#165309 - coit.hk
>>  14MAR07 - LIVE       - PIRT#165936 - erw3d.hk
>>  14MAR07 - LIVE       - PIRT#165196 - hkpermanent.hk
>>  14MAR07 - LIVE       - PIRT#165947 - glor.hk
>>  14MAR07 - LIVE       - PIRT#166027 - sjuxu.hk
>>  15MAR07 - LIVE       - PIRT#165195 - dllsdk.hk
>>  15MAR07 - LIVE       - PIRT#166036 - kddrm.hk
>>  15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
>>  15MAR07 - LIVE       - PIRT#166103 - louf3.hk
>>  15MAR07 - LIVE       - PIRT#166121 - hsa.hk
>>  15MAR07 - LIVE       - PIRT#166127 - ere4.hk
>>  15MAR07 - LIVE       - PIRT#166134 - ddibb.hk (not worked yet)
>>  16MAR07 - LIVE       - PIRT#166596 - tenret.hk
>>  16MAR07 - LIVE       - PIRT#161824 - toptenret.hk (duplicate of 161824)
>>  16MAR07 - LIVE       - PIRT#166079 - seem.hk
>>  16MAR07 - LIVE       - PIRT#165430 - file7.hk
>>  16MAR07 - LIVE       - PIRT#160819 - itdo.hk
>>  17MAR07 - LIVE       - PIRT#166131 - dsjue3.hk
>>  17MAR07 - LIVE       - PIRT#167820 - sdjsa.hk
>>  17MAR07 - LIVE       - PIRT#167581 - themkdu.tw
>>  17MAR07 - LIVE       - PIRT#167581 - xlopec.hk used as nameserver
>>  18MAR07 - LIVE       - PIRT#166078 - serkft.hk
>>
>>
>>  In Rock Phish, many brands of phish are all present on each server.  We
>>  can show they are related by replacing the "directory" portion of the
>>  URL.  The current "live" rock phish are:
>>
>>  Fifth Third Bank = /r1/cbdir/
>>  Bank of America = /update/default/
>>  BB&T = /bbtc
>>  BB&T = /cbus
>>  BB&T = /update/K1/sb_login.jsp
>>  Nordea = /widecarea.aspx
>>  Sparkasse = /update/banking.cgi/index.html
>>  US Bank = /client.cfm
>>
>>  If you are aware of others WHICH ARE LIVE please send them back to me.
>>  Some recently live (but not current) paths include:
>>
>>  Volksbank = /vr
>>  Sparkasse = /kund.id
>>  Citibank.de = /anmelden.cgi
>>
>>
>>
>>  What is MOST IMPORTANT is that HKDNR provide to CastleCops and other
>>  security professional their preferred channel to receive such alerts,
>>  and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!!
>>
>>  Contacts for CastleCops regarding this situation:
>>
>>  #1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
>>  #2. PIRT Handler     - Gary Warner     - [EMAIL PROTECTED]
>>
>>  One of our other Handlers is leading our rock phish efforts.  We will
>>  make appropriate introductions to parties who can help.
>>
>>  Some of the "Money Mule" domains at .hk include:
>>
>>  radgrup.hk
>>  radgrp.hk
>>  radiusgrp.hk
>>  luxcap.hk
>>  luxcatl.hk
>>  luxcaptl.hk
>>  luxcapi.hk
>>  luxcapit.hk
>>  finconsinter.hk
>>  interfic.hk
>>  interfinconsult.hk
>>
>>
>>  Some of the pillspam domains (International Legal RX in this case) include:
>>
>>  amhhcl.topjujuq.hk
>>  asdapw.mikia.hk
>>  svofrt.iizz.hk
>>  ukfspw.mikia.hk
>>
>>
>>
>>  =========================
>>  Sample reply from HKDNR follows:
>>
>>  (I have 28 copies of this form email received between March 5 and March
>>  12.  In most of the 28 cases, the fraudulent domain is still online.
>>  Apparently after March 12 they decided to stop answering our emails at
>>  all, since we are no longer even getting the form letter replies.  They
>>  just block the email and let the fraud continue.)
>>
>>  =========================
>>
>>  Dear customer,
>>
>>  Thank you for your email. As we would work together with HKCERT and Hong
>>  Kong Police to make Hong Kong and the Internet a safe place for
>>  business, do you mind if we can also forward your email to Hong Kong
>>  Police and HKCERT for investigation? In the meantime, you can consider
>>  to report the case to your local law enforcement authority.
>>
>>  Should you have any queries, please feel free to contact us.
>>
>>  Best regards,
>>
>>  Customer Service Department
>>  Hong Kong Domain Name Registration Company Limited
>>  Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
>>  Sheung Wan, Hong Kong
>>  Phone No.: +852 2319 1313
>>  Fax No.: +852 2319 2626
>>  Email: [EMAIL PROTECTED]
>>
>>  ======================================
>>  Here is a sample email from HKCERT:
>>  ======================================
>>
>>  Dear Sir/Madam,
>>
>>  Thank for your report on [ [10368290-553350] Fraudulent Domain Name used
>  > in Phishing Scheme (ident1.hk)] dated [14Mar
>>  07].
>>
>>  Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
>>  have passed your case to the corresponding ISP/Parties to follow up.
>>
>>  Please refer to our case no for ongoing follow up.
>>  HKCERT Case No: 20070274
>>  First Report Date: 14 Mar 07
>>
>>  Regards,
>>  HKCERT
>>  Tel: +852-81056060
>>  E-mail: [EMAIL PROTECTED]
>>
>>  =========================
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v1.4.4 (MingW32)
>>  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>>  iD8DBQFF/aXWg79eYCOO6PsRAruXAJ9LZU0eN4nuSOsIukWsbsyBdJMdxQCcC01o
>>  CimTVB259YyucCE6g3r0PP0=
>>  =JZDh
>>  -----END PGP SIGNATURE-----
>>  _______________________________________________
>>  phishing mailing list
>>  phishing@whitestar.linuxbox.org
>>  http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
>>
>
>_______________________________________________
>phishing mailing list
>phishing@whitestar.linuxbox.org
>http://www.whitestar.linuxbox.org/mailman/listinfo/phishing


-- 

Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
skype: trshaw
_______________________________________________
phishing mailing list
phishing@whitestar.linuxbox.org
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

Reply via email to