At 7:21 PM -0500 3/18/07, Gadi Evron wrote:
>I realize .hk is a problem, but a few suggestions:
>1. Can we have a third party rather than CastleCops try to contact them and
>see if they are willing to cooperate?

Just got another form letter this AM.

>2. Is the .hk situation worse than .info or .biz?

According to my current DB, absolutely.

Tom

>If both of these have been answered, there is some pressure to be applied,
>both privately and publicly.
>
>       Gadi.
>
>On Sun, 18 Mar 2007, Gary Warner wrote:
>
>>
>>  Friends,
>>
>>  I am ready to declare that we are having a crisis situation with HKDNR
>>  and their unwillingness or failure to de-register domain names which
>>  have been registered for the purpose of fraudulent activity.
>>
>>  At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
>>  are now hosting almost exclusively on ".hk" domains because they are
>>  realizing there is a pattern of refusal to follow their own guidelines
>>  and eliminate these domains.
>>
>>  Of the 380 phishing reports that our team has published so far in June,
>>  58 of these reports were related to a ".hk" domain.  Of these, at least
>>  40 remain "live" at this time.  These are the longest-lived rock phish
>>  we have seen in more than six months, and they will remain live until we
>>  get cooperation from HKDNR to terminate these domains.
>>
>>  HKDNR sends back nice form letters that say that they are working with
>>  the HKCERT and HK Police, but they don't actually stop the fraud.
>>  HKCERT sends back nice form letters saying they have alerted the
>>  appropriate ISPs, but they also don't do anything to encourage HKDNR to
>>  deregister the fraudulent domains.
>>
>>  As an anti-phishing group, our primary concern is that the Rock Phish group
>>  has begun hosting almost exclusively on .hk domains, but I want to
>>  mention that pill spammers and mule recruiters (who may actually be the
>>  same criminal enterprise) are also hosting there, as the perception that
>>  .hk domains stay live a long time spreads throughout the cybercrime world.
>>
>>  Here are some sample .hk domains used by the rock phisher:
>>
>>  In Rock Phish, many brands of phish are all present on each server.  We
>>  can show they are related by replacing the "directory" portion of the
>>  URL.  The current "live" rock phish are:
>>
>>  Fifth Third Bank = /r1/cbdir/
>>  Bank of America = /update/default/
>>  BB&T = /bbtc
>>  BB&T = /cbus
>>  BB&T = /update/K1/sb_login.jsp
>>  Nordea = /widecarea.aspx
>>  Sparkasse = /update/banking.cgi/index.html
>>  US Bank = /client.cfm
>>
>>  If you are aware of others WHICH ARE LIVE please send them back to me.
>>  Some recently live (but not current) paths include:
>>
>>  Volksbank = /vr
>>  Sparkasse = /kund.id
>>  Citibank.de = /anmelden.cgi
>>
>>
>>
>>  What is MOST IMPORTANT is that HKDNR provide to CastleCops and other
>>  security professionals their preferred channel to receive such alerts,
>>  and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!!
>>
>>  Contacts for CastleCops regarding this situation:
>>
>>  #1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
>>  #2. PIRT Handler     - Gary Warner     - [EMAIL PROTECTED]
>>
>>  One of our other Handlers is leading our rock phish efforts.  We will
>>  make appropriate introductions to parties who can help.
>>
>>  Some of the "Money Mule" domains at .hk include:
>>
>>  Some of the pillspam domains (International Legal RX in this case) include:
>>
>>  amhhcl.topjujuq.hk
>>  asdapw.mikia.hk
>>  svofrt.iizz.hk
>>  ukfspw.mikia.hk
>>
>>
>>
>>  =========================
>>  Sample reply from HKDNR follows:
>>
>>  (I have 28 copies of this form email received between March 5 and March
>>  12.  In most of the 28 cases, the fraudulent domain is still online.
>>  Apparently after March 12 they decided to stop answering our emails at
>>  all, since we are no longer even getting the form letter replies.  They
>>  just block the email and let the fraud continue.)
>>
>>  =========================
>>
>>  Dear customer,
>>
>>  Thank you for your email. As we would work together with HKCERT and Hong
>>  Kong Police to make Hong Kong and the Internet a safe place for
>>  business, do you mind if we can also forward your email to Hong Kong
>>  Police and HKCERT for investigation? In the meantime, you can consider
>>  to report the case to your local law enforcement authority.
>>
>>  Should you have any queries, please feel free to contact us.
>>
>>  Best regards,
>>
>>  Customer Service Department
>>  Hong Kong Domain Name Registration Company Limited
>>  Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
>>  Sheung Wan, Hong Kong
>>  Phone No.: +852 2319 1313
>>  Fax No.: +852 2319 2626
>>  Email: [EMAIL PROTECTED]
>>
>>  ======================================
>>  Here is a sample email from HKCERT:
>>  ======================================
>>
>>  Dear Sir/Madam,
>>
>>  Thank for your report on [ [10368290-553350] Fraudulent Domain Name used
>>  in Phishing Scheme (ident1.hk)] dated [14Mar
>>  07].
>>
>>  Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
>>  have passed your case to the corresponding ISP/Parties to follow up.
>>
>>  Please refer to our case no for ongoing follow up.
>>  HKCERT Case No: 20070274
>>  First Report Date: 14 Mar 07
>>
>>  Regards,
>>  HKCERT
>>  Tel: +852-81056060
>>  E-mail: [EMAIL PROTECTED]
>>
>>  =========================
>>  _______________________________________________
>>  phishing mailing list
>>  phishing@whitestar.linuxbox.org
>>  http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
>>


-- 

Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
skype: trshaw
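An added example (not code from this thread or from CastleCops) in Python, assuming constructed report lines in the PIRT list format and the brand-to-path table quoted above: it deduplicates reports by PIRT id, compares the live share per TLD (the ".hk versus .info/.biz" question), and flags hosts serving two or more known rock-phish brand paths, which is the relatedness test the message describes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the thread's "DATE - STATUS - PIRT#id - domain" format
SAMPLE_REPORTS = """\
05MAR07 - TERMINATED - PIRT#100001 - sample-a.hk
06MAR07 - LIVE       - PIRT#100002 - sample-b.hk
08MAR07 - LIVE       - PIRT#100003 - sample-c.hk
10MAR07 - LIVE       - PIRT#100003 - sample-c.hk (duplicate of 100003)
07MAR07 - TERMINATED - PIRT#100004 - sample-d.info
09MAR07 - LIVE       - PIRT#100005 - sample-e.biz
09MAR07 - TERMINATED - PIRT#100006 - sample-f.biz
"""
LINE_RE = re.compile(r"^(\d{2}[A-Z]{3}\d{2}) - (LIVE|TERMINATED)\s+- PIRT#(\d+) - (\S+)")

# Brand -> directory path pairs listed in the thread as the current live rock phish set
ROCK_PATHS = {
    "/r1/cbdir/": "Fifth Third Bank", "/update/default/": "Bank of America",
    "/bbtc": "BB&T", "/cbus": "BB&T", "/update/K1/sb_login.jsp": "BB&T",
    "/widecarea.aspx": "Nordea", "/update/banking.cgi/index.html": "Sparkasse",
    "/client.cfm": "US Bank",
}

def parse_reports(text):
    """Parse report lines, dropping duplicate PIRT ids (the sample above has one)."""
    seen, out = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) in seen:
            continue
        seen.add(m.group(3))
        out.append({"date": m.group(1), "status": m.group(2),
                    "pirt": m.group(3), "domain": m.group(4),
                    "tld": m.group(4).rsplit(".", 1)[-1]})
    return out

def live_share_by_tld(reports):
    """Return {tld: (live, total)} so registries can be compared on takedown responsiveness."""
    live, total = defaultdict(int), defaultdict(int)
    for r in reports:
        total[r["tld"]] += 1
        live[r["tld"]] += r["status"] == "LIVE"
    return {t: (live[t], total[t]) for t in total}

def rock_phish_hosts(urls):
    """Group reported URLs by host and name the brands each host serves from a known
    rock path; a host serving two or more brands matches the thread's fingerprint."""
    brands = defaultdict(set)
    for u in urls:
        parts = urlsplit(u)
        for path, brand in ROCK_PATHS.items():
            if parts.path.startswith(path):
                brands[parts.hostname].add(brand)
    return {h: sorted(b) for h, b in brands.items() if len(b) >= 2}
```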