Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-19 Thread Florian Weimer
* Steve Pirk:

> What about contacting someone at ICANN? I know it sounds dumb,
> but someone had to grant HKDNR permission to be a .hk registrar.

I think .hk is too old a ccTLD for ICANN to have any control over it.
___
phishing mailing list
phishing@whitestar.linuxbox.org
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing


Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-19 Thread Tom
At 7:21 PM -0500 3/18/07, Gadi Evron wrote:
>I realize .hk is a problem, but a few suggestions:
>1. Can we have a third party rather than CastleCops try to contact them and
>see if they are willing to cooperate?

Just got another form letter this AM.

>2. Is the .hk situation worse than .info or .biz?

According to my current DB, absolutely

Tom

>If both of these have been answered, there is some pressure to be applied,
>both privately and publicly.
>
>   Gadi.
>
>On Sun, 18 Mar 2007, Gary Warner wrote:
>
>>  -BEGIN PGP SIGNED MESSAGE-
>>  Hash: SHA1
>>
>>  Friends,
>>
>>  I am ready to declare that we are having a Crisis situation with HKDNR
>>  and their unwillingness or failure to de-register domain names which
>>  have been registered for the purpose of fraudulent activity.
>>
>>  At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
>>  are now hosting almost exclusively on ".hk" domains because they are
>>  realizing there is a pattern of refusal to follow their own guidelines
>>  and eliminate these domains.
>>
>>  Of the 380 phishing reports that our team has published so far in June,
>>  58 of these reports were related to a ".hk" domain.  Of these, at least
>>  40 remain "live" at this time.  These are the longest-lived rock phish
>>  we have seen in more than six months, and they will remain live until we
>>  get cooperation from HKDNR to terminate these domains.
>>
>>  HKDNR sends back nice form letters that say that they are working with
>>  the HKCERT and HK Police, but they don't actually stop the fraud.
>>  HKCERT sends back nice form letters saying they have alerted the
>>  appropriate ISPs, but they also don't do anything to encourage HKDNR to
>>  deregister the fraudulent domains.
>>
>>  As an anti-phishing group, our primary concern is that the Rock Phish group
>>  has begun hosting almost exclusively on .hk domains, but I want to
>>  mention that pill spammers and mule recruiters (who may actually be the
>>  same criminal enterprise) are also hosting there as the perception that
>>  .hk domains stay live a long time spreads throughout the cybercrime world.
>>
>>  Here are some sample .hk domains used by the rock phisher:
>>
>>  05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
>>  05MAR07 - TERMINATED - PIRT#160525 - techid.hk
>>  05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
>>  06MAR07 - LIVE   - PIRT#160819 - itdo.hk
>>  06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
>>  06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
>>  06MAR07 - LIVE   - PIRT#161130 - ident1.hk
>>  06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
>>  06MAR07 - LIVE   - PIRT#160856 - ident.hk
>>  06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
>>  07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
>>  07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
>>  07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
>>  08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
>>  08MAR07 - TERMINATED - PIRT#161390 - idname.hk
>>  08MAR07 - LIVE   - PIRT#161625 - idisop.hk
>>  08MAR07 - LIVE   - PIRT#161789 - idissp.hk
>>  08MAR07 - LIVE   - PIRT#161706 - idisor.hk
>>  08MAR07 - LIVE   - PIRT#160842 - idusers.hk
>>  09MAR07 - TERMINATED - PIRT#160517 - custid.hk
>>  09MAR07 - LIVE   - PIRT#161708 - idisap.hk
>>  09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
>>  09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
>>  09MAR07 - LIVE   - PIRT#162969 - troniek.hk
>>  09MAR07 - LIVE   - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE   - PIRT#162968 - tokret.hk
>>  10MAR07 - LIVE   - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
>>  10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
>>  10MAR07 - LIVE   - PIRT#161354 - hktech.hk
>>  10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
>>  10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
>>  11MAR07 - LIVE   - PIRT#162545 - techhk.hk
>>  11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
>>  13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
>>  14MAR07 - LIVE   - PIRT#165271 - kletro.hk
>>  14MAR07 - LIVE   - PIRT#165309 - coit.hk
>>  14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
>>  14MAR07 - LIVE   - PIRT#165196 - hkpermanent.hk
>>  14MAR07 - LIVE   - PIRT#165947 - glor.hk
>>  14MAR07 - LIVE   - PIRT#166027 - sjuxu.hk
>>  15MAR07 - LIVE   - PIRT#165195 - dllsdk.hk
>>  15MAR07 - LIVE   - PIRT#166036 - kddrm.hk
>>  15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
>>  15MAR07 - LIVE   - PIRT#166103 - louf3.hk
>>  15MAR07 - LIVE   - PIRT#166121 - hsa.hk
>>  15MAR07 - LIVE   - PIRT#166127 - ere4.hk
>>  15MAR07 - LIVE   - PIRT#166134 - ddibb.hk (not worked yet)
>>  16MAR07 - LIVE   - PIRT#166596 - tenret.hk
>>  16MAR07 - LIVE   - PIRT#161824 - toptenret.hk (duplicate of 161824)
>>  16MAR07 - LIVE   - PIRT#166079 - seem.hk
>>  16MAR07 - LIVE   - PIRT#165430 - file7.hk
>>  16MAR07 - LIVE   - PIRT#160819 - itdo

Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-19 Thread Tom
I sent them a nice email on Friday and got the exact same form
letter. By Sunday morning they were no longer responding at all.

Tom

At 7:21 PM -0500 3/18/07, Gadi Evron wrote:
>I realize .hk is a problem, but a few suggestions:
>1. Can we have a third party rather than CastleCops try to contact them and
>see if they are willing to cooperate?
>
>2. Is the .hk situation worse than .info or .biz?
>
>If both of these have been answered, there is some pressure to be applied,
>both privately and publicly.
>
>   Gadi.
>
>On Sun, 18 Mar 2007, Gary Warner wrote:
>
>>  -BEGIN PGP SIGNED MESSAGE-
>>  Hash: SHA1
>>
>>  Friends,
>>
>>  I am ready to declare that we are having a Crisis situation with HKDNR
>>  and their unwillingness or failure to de-register domain names which
>>  have been registered for the purpose of fraudulent activity.
>>
>>  At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
>>  are now hosting almost exclusively on ".hk" domains because they are
>>  realizing there is a pattern of refusal to follow their own guidelines
>>  and eliminate these domains.
>>
>>  Of the 380 phishing reports that our team has published so far in June,
>>  58 of these reports were related to a ".hk" domain.  Of these, at least
>>  40 remain "live" at this time.  These are the longest-lived rock phish
>>  we have seen in more than six months, and they will remain live until we
>>  get cooperation from HKDNR to terminate these domains.
>>
>>  HKDNR sends back nice form letters that say that they are working with
>>  the HKCERT and HK Police, but they don't actually stop the fraud.
>>  HKCERT sends back nice form letters saying they have alerted the
>>  appropriate ISPs, but they also don't do anything to encourage HKDNR to
>>  deregister the fraudulent domains.
>>
>>  As an anti-phishing group, our primary concern is that the Rock Phish group
>>  has begun hosting almost exclusively on .hk domains, but I want to
>>  mention that pill spammers and mule recruiters (who may actually be the
>>  same criminal enterprise) are also hosting there as the perception that
>>  .hk domains stay live a long time spreads throughout the cybercrime world.
>>
>>  Here are some sample .hk domains used by the rock phisher:
>>
>>  05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
>>  05MAR07 - TERMINATED - PIRT#160525 - techid.hk
>>  05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
>>  06MAR07 - LIVE   - PIRT#160819 - itdo.hk
>>  06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
>>  06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
>>  06MAR07 - LIVE   - PIRT#161130 - ident1.hk
>>  06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
>>  06MAR07 - LIVE   - PIRT#160856 - ident.hk
>>  06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
>>  07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
>>  07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
>>  07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
>>  08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
>>  08MAR07 - TERMINATED - PIRT#161390 - idname.hk
>>  08MAR07 - LIVE   - PIRT#161625 - idisop.hk
>>  08MAR07 - LIVE   - PIRT#161789 - idissp.hk
>>  08MAR07 - LIVE   - PIRT#161706 - idisor.hk
>>  08MAR07 - LIVE   - PIRT#160842 - idusers.hk
>>  09MAR07 - TERMINATED - PIRT#160517 - custid.hk
>>  09MAR07 - LIVE   - PIRT#161708 - idisap.hk
>>  09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
>>  09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
>>  09MAR07 - LIVE   - PIRT#162969 - troniek.hk
>>  09MAR07 - LIVE   - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE   - PIRT#162968 - tokret.hk
>>  10MAR07 - LIVE   - PIRT#161855 - idisup.hk
>>  10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
>>  10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
>>  10MAR07 - LIVE   - PIRT#161354 - hktech.hk
>>  10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
>>  10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
>>  11MAR07 - LIVE   - PIRT#162545 - techhk.hk
>>  11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
>>  13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
>>  14MAR07 - LIVE   - PIRT#165271 - kletro.hk
>>  14MAR07 - LIVE   - PIRT#165309 - coit.hk
>>  14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
>>  14MAR07 - LIVE   - PIRT#165196 - hkpermanent.hk
>>  14MAR07 - LIVE   - PIRT#165947 - glor.hk
>>  14MAR07 - LIVE   - PIRT#166027 - sjuxu.hk
>>  15MAR07 - LIVE   - PIRT#165195 - dllsdk.hk
>>  15MAR07 - LIVE   - PIRT#166036 - kddrm.hk
>>  15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
>>  15MAR07 - LIVE   - PIRT#166103 - louf3.hk
>>  15MAR07 - LIVE   - PIRT#166121 - hsa.hk
>>  15MAR07 - LIVE   - PIRT#166127 - ere4.hk
>>  15MAR07 - LIVE   - PIRT#166134 - ddibb.hk (not worked yet)
>>  16MAR07 - LIVE   - PIRT#166596 - tenret.hk
>>  16MAR07 - LIVE   - PIRT#161824 - toptenret.hk (duplicate of 161824)
>>  16MAR07 - LIVE   - PIRT#166079 - seem.hk
>>  16MAR07 - LIVE   - PIRT#165430 - f

Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Gadi Evron
On Sun, 18 Mar 2007, Steve Pirk wrote:
> What about contacting someone at ICANN? I know it sounds dumb,
> but someone had to grant HKDNR permission to be a .hk registrar.

Contacting ICANN is not likely to help with the US cases; it is not
currently what ICANN is after, as far as I understand it. .hk... not really.

> 
> --
> Steve
> panic: can't find /
> 
> On Sun, 18 Mar 2007, Tom wrote:
> 
> > The only way we had any luck was shutting down the phishing DNSs, as
> > HKDNR will not even send us that "form letter" anymore.
> >
> > But now they are using multiple DNS deployed on multiple zombies and
> > half of those phish are multihomed as well, and we have gotten nada
> > support from Comcast, Level 3, etc. to deal with zombied residentials.
> > You can imagine the support to shut down zombied residentials
> > overseas.  However, I will say that a number of Russian ISPs have done
> > a pretty good job shutting them down.
> >
> > The gang doing this even took over some USG machines for DNS that I
> > reported late last week.
> >
> > I am not sure that HKDNR is ethical. But if anyone finds a contact
> > point that works let us know.
> >
> > Tom
> >
> > At 3:49 PM -0500 3/18/07, Gary Warner wrote:
> > >-BEGIN PGP SIGNED MESSAGE-
> > >Hash: SHA1
> > >
> > >Friends,
> > >
> > >I am ready to declare that we are having a Crisis situation with HKDNR
> > >and their unwillingness or failure to de-register domain names which
> > >have been registered for the purpose of fraudulent activity.
> > >
> > >At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
> > >are now hosting almost exclusively on ".hk" domains because they are
> > >realizing there is a pattern of refusal to follow their own guidelines
> > >and eliminate these domains.
> > >
> > >Of the 380 phishing reports that our team has published so far in June,
> > >58 of these reports were related to a ".hk" domain.  Of these, at least
> > >40 remain "live" at this time.  These are the longest-lived rock phish
> > >we have seen in more than six months, and they will remain live until we
> > >get cooperation from HKDNR to terminate these domains.
> > >
> > >HKDNR sends back nice form letters that say that they are working with
> > >the HKCERT and HK Police, but they don't actually stop the fraud.
> > >HKCERT sends back nice form letters saying they have alerted the
> > >appropriate ISPs, but they also don't do anything to encourage HKDNR to
> > >deregister the fraudulent domains.
> > >
> > >As an anti-phishing group, our primary concern is that the Rock Phish group
> > >has begun hosting almost exclusively on .hk domains, but I want to
> > >mention that pill spammers and mule recruiters (who may actually be the
> > >same criminal enterprise) are also hosting there as the perception that
> > >.hk domains stay live a long time spreads throughout the cybercrime world.
> > >
> > >Here are some sample .hk domains used by the rock phisher:
> > >
> > >05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
> > >05MAR07 - TERMINATED - PIRT#160525 - techid.hk
> > >05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
> > >06MAR07 - LIVE   - PIRT#160819 - itdo.hk
> > >06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
> > >06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
> > >06MAR07 - LIVE   - PIRT#161130 - ident1.hk
> > >06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
> > >06MAR07 - LIVE   - PIRT#160856 - ident.hk
> > >06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
> > >07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
> > >07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
> > >07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
> > >08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
> > >08MAR07 - TERMINATED - PIRT#161390 - idname.hk
> > >08MAR07 - LIVE   - PIRT#161625 - idisop.hk
> > >08MAR07 - LIVE   - PIRT#161789 - idissp.hk
> > >08MAR07 - LIVE   - PIRT#161706 - idisor.hk
> > >08MAR07 - LIVE   - PIRT#160842 - idusers.hk
> > >09MAR07 - TERMINATED - PIRT#160517 - custid.hk
> > >09MAR07 - LIVE   - PIRT#161708 - idisap.hk
> > >09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
> > >09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
> > >09MAR07 - LIVE   - PIRT#162969 - troniek.hk
> > >09MAR07 - LIVE   - PIRT#161855 - idisup.hk
> > >10MAR07 - LIVE   - PIRT#162968 - tokret.hk
> > >10MAR07 - LIVE   - PIRT#161855 - idisup.hk
> > >10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
> > >10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
> > >10MAR07 - LIVE   - PIRT#161354 - hktech.hk
> > >10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
> > >10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
> > >11MAR07 - LIVE   - PIRT#162545 - techhk.hk
> > >11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
> > >13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
> > >14MAR07 - LIVE   - PIRT#165271 - kletro.hk
> > >14MAR07 - LIVE   - PIRT#165309 - coit.hk
> > >14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
> > >14MAR07 -

Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Gadi Evron
I realize .hk is a problem, but a few suggestions:
1. Can we have a third party rather than CastleCops try to contact them and
see if they are willing to cooperate?

2. Is the .hk situation worse than .info or .biz?

If both of these have been answered, there is some pressure to be applied,
both privately and publicly.

Gadi.

On Sun, 18 Mar 2007, Gary Warner wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Friends,
> 
> I am ready to declare that we are having a Crisis situation with HKDNR
> and their unwillingness or failure to de-register domain names which
> have been registered for the purpose of fraudulent activity.
> 
> At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
> are now hosting almost exclusively on ".hk" domains because they are
> realizing there is a pattern of refusal to follow their own guidelines
> and eliminate these domains.
> 
> Of the 380 phishing reports that our team has published so far in June,
> 58 of these reports were related to a ".hk" domain.  Of these, at least
> 40 remain "live" at this time.  These are the longest-lived rock phish
> we have seen in more than six months, and they will remain live until we
> get cooperation from HKDNR to terminate these domains.
> 
> HKDNR sends back nice form letters that say that they are working with
> the HKCERT and HK Police, but they don't actually stop the fraud.
> HKCERT sends back nice form letters saying they have alerted the
> appropriate ISPs, but they also don't do anything to encourage HKDNR to
> deregister the fraudulent domains.
> 
> As an anti-phishing group, our primary concern is that the Rock Phish group
> has begun hosting almost exclusively on .hk domains, but I want to
> mention that pill spammers and mule recruiters (who may actually be the
> same criminal enterprise) are also hosting there as the perception that
> .hk domains stay live a long time spreads throughout the cybercrime world.
> 
> Here are some sample .hk domains used by the rock phisher:
> 
> 05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
> 05MAR07 - TERMINATED - PIRT#160525 - techid.hk
> 05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
> 06MAR07 - LIVE   - PIRT#160819 - itdo.hk
> 06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
> 06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
> 06MAR07 - LIVE   - PIRT#161130 - ident1.hk
> 06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
> 06MAR07 - LIVE   - PIRT#160856 - ident.hk
> 06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
> 07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
> 07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
> 07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
> 08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
> 08MAR07 - TERMINATED - PIRT#161390 - idname.hk
> 08MAR07 - LIVE   - PIRT#161625 - idisop.hk
> 08MAR07 - LIVE   - PIRT#161789 - idissp.hk
> 08MAR07 - LIVE   - PIRT#161706 - idisor.hk
> 08MAR07 - LIVE   - PIRT#160842 - idusers.hk
> 09MAR07 - TERMINATED - PIRT#160517 - custid.hk
> 09MAR07 - LIVE   - PIRT#161708 - idisap.hk
> 09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
> 09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
> 09MAR07 - LIVE   - PIRT#162969 - troniek.hk
> 09MAR07 - LIVE   - PIRT#161855 - idisup.hk
> 10MAR07 - LIVE   - PIRT#162968 - tokret.hk
> 10MAR07 - LIVE   - PIRT#161855 - idisup.hk
> 10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
> 10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
> 10MAR07 - LIVE   - PIRT#161354 - hktech.hk
> 10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
> 10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
> 11MAR07 - LIVE   - PIRT#162545 - techhk.hk
> 11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
> 13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
> 14MAR07 - LIVE   - PIRT#165271 - kletro.hk
> 14MAR07 - LIVE   - PIRT#165309 - coit.hk
> 14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
> 14MAR07 - LIVE   - PIRT#165196 - hkpermanent.hk
> 14MAR07 - LIVE   - PIRT#165947 - glor.hk
> 14MAR07 - LIVE   - PIRT#166027 - sjuxu.hk
> 15MAR07 - LIVE   - PIRT#165195 - dllsdk.hk
> 15MAR07 - LIVE   - PIRT#166036 - kddrm.hk
> 15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
> 15MAR07 - LIVE   - PIRT#166103 - louf3.hk
> 15MAR07 - LIVE   - PIRT#166121 - hsa.hk
> 15MAR07 - LIVE   - PIRT#166127 - ere4.hk
> 15MAR07 - LIVE   - PIRT#166134 - ddibb.hk (not worked yet)
> 16MAR07 - LIVE   - PIRT#166596 - tenret.hk
> 16MAR07 - LIVE   - PIRT#161824 - toptenret.hk (duplicate of 161824)
> 16MAR07 - LIVE   - PIRT#166079 - seem.hk
> 16MAR07 - LIVE   - PIRT#165430 - file7.hk
> 16MAR07 - LIVE   - PIRT#160819 - itdo.hk
> 17MAR07 - LIVE   - PIRT#166131 - dsjue3.hk
> 17MAR07 - LIVE   - PIRT#167820 - sdjsa.hk
> 17MAR07 - LIVE   - PIRT#167581 - themkdu.tw
> 17MAR07 - LIVE   - PIRT#167581 - xlopec.hk used as nameserver
> 18MAR07 - LIVE   - PIRT#166078 - serkft.hk
> 
> 
> In Rock Phish, many b

Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Tom
At 10:42 AM +1200 3/19/07, Nick FitzGerald wrote:
>Gary Warner wrote:
>
>[...]
>>  Sample reply from HKDNR follows:
>>
>>  (I have 28 copies of this form email received between March 5 and March
>>  12.  In most of the 28 cases, the fraudulent domain is still online.
>>  Apparently after March 12 they decided to stop answering our emails at
>>  all, since we are no longer even getting the form letter replies.  They
>>  just block the email and let the fraud continue.)
>
>Excellent!
>
>Solid evidence that HKDNR is actively complicit in assisting the
>fraudsters and actively complicit in resisting the anti-fraud efforts
>of recognized, well-established anti-fraud efforts.
>
>Report this to ICANN and the HK Police.
>
>Sounds like HKDNR is heading the way of YESnic from a while back, whose
>almost exact same tactics led them dangerously close to being de-listed
>as a registrar...

Nick,

I reported them to HK police on Friday with no response.

Tom
-- 

Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
skype: trshaw
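
The PIRT list quoted repeatedly in this thread is, in effect, a takedown tracker: each line carries a report date, a LIVE/TERMINATED status, a PIRT ticket number and a domain, and the same domain recurs under the same or a new ticket (idisup.hk, toptenret.hk, itdo.hk, idissp.hk). The script below is an added example, not CastleCops/PIRT tooling from the thread. It parses that line format, collapses re-reports per domain, and computes the live/terminated counts, the live count per TLD and how long each still-live domain has been reported as of a reference date. The sample lines are a subset copied from the list as posted; the reference date of 18 March 2007 (the date of the original message) is an assumption of this example.

```python
"""Triage a PIRT-style takedown list: de-duplicate re-reports and measure
how long reported phishing domains stay live.

Added example for the thread above; this is not CastleCops/PIRT tooling.
Line format handled (as posted in the thread):
    DDMMMYY - LIVE|TERMINATED - PIRT#NNNNNN - domain [free-text note]
"""
import re
from datetime import date

# Subset of the list quoted in the thread, copied as posted (constructed
# sample input for this example). It keeps the re-reports of idisup.hk,
# toptenret.hk, itdo.hk and idissp.hk, and lines with trailing notes.
SAMPLE_REPORT = """\
05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
06MAR07 - LIVE   - PIRT#160819 - itdo.hk
06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
08MAR07 - LIVE   - PIRT#161789 - idissp.hk
09MAR07 - LIVE   - PIRT#161855 - idisup.hk
10MAR07 - LIVE   - PIRT#161855 - idisup.hk
10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
15MAR07 - LIVE   - PIRT#166134 - ddibb.hk (not worked yet)
16MAR07 - LIVE   - PIRT#161824 - toptenret.hk (duplicate of 161824)
16MAR07 - LIVE   - PIRT#160819 - itdo.hk
17MAR07 - LIVE   - PIRT#167581 - themkdu.tw
17MAR07 - LIVE   - PIRT#167581 - xlopec.hk used as nameserver
"""

# Assumption for this example: the date of the original message.
REFERENCE_DATE = date(2007, 3, 18)

MONTHS = {m: i for i, m in enumerate(
    ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
     "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"], start=1)}

LINE_RE = re.compile(
    r"^(?P<day>\d{2})(?P<mon>[A-Z]{3})(?P<yy>\d{2})\s*-\s*"
    r"(?P<status>LIVE|TERMINATED)\s*-\s*PIRT#(?P<pirt>\d+)\s*-\s*"
    r"(?P<domain>[A-Za-z0-9.-]+)(?:\s+(?P<note>\S.*?))?\s*$")


def parse_report(text):
    """Return one dict per well-formed line; malformed lines are skipped,
    not guessed at. Notes keep their text with surrounding parentheses removed."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append({
            "date": date(2000 + int(g["yy"]), MONTHS[g["mon"]], int(g["day"])),
            "status": g["status"],
            "pirt": g["pirt"],
            "domain": g["domain"].lower().rstrip("."),
            "note": (g["note"] or "").strip("() "),
        })
    return entries


def summarize(entries, as_of):
    """Collapse re-reports of one domain into a single record. The most
    recent report's status wins; a live domain's age is counted from its
    first report up to `as_of`."""
    by_domain = {}
    for e in sorted(entries, key=lambda e: e["date"]):  # stable: keeps posted order per day
        rec = by_domain.setdefault(e["domain"], {
            "first_seen": e["date"], "reports": 0, "pirt_ids": set(),
            "tld": e["domain"].rsplit(".", 1)[-1]})
        rec["reports"] += 1
        rec["pirt_ids"].add(e["pirt"])
        rec["last_seen"] = e["date"]
        rec["status"] = e["status"]
        rec["age_days"] = (as_of - rec["first_seen"]).days if e["status"] == "LIVE" else None
    return by_domain


def count_by_status(summary):
    counts = {}
    for rec in summary.values():
        counts[rec["status"]] = counts.get(rec["status"], 0) + 1
    return counts


def live_by_tld(summary):
    out = {}
    for rec in summary.values():
        if rec["status"] == "LIVE":
            out[rec["tld"]] = out.get(rec["tld"], 0) + 1
    return out


def rereported(summary):
    """Domains submitted more than once (under the same or a new PIRT ticket)."""
    return sorted(d for d, r in summary.items() if r["reports"] > 1)


def longest_lived(summary):
    """(age_days, domain) of the live domain reported earliest, or None."""
    live = [(r["age_days"], d) for d, r in summary.items() if r["status"] == "LIVE"]
    return max(live) if live else None


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT), REFERENCE_DATE)
    print("unique domains:", len(summary), count_by_status(summary))
    print("live by TLD:", live_by_tld(summary))
    print("re-reported:", rereported(summary))
    print("longest-lived live domain:", longest_lived(summary))
    for d, r in sorted(summary.items(), key=lambda kv: kv[1]["first_seen"]):
        if r["status"] == "LIVE":
            print(f"  {d:14} first {r['first_seen']} live {r['age_days']:>2}d "
                  f"tickets {sorted(r['pirt_ids'])}")
```

Feeding the full quoted list through the same functions gives the numbers Gary quotes by hand (live versus terminated, and which domains have been live longest); the per-domain record also exposes re-submissions under a new ticket, which is what the "(duplicate of ...)" annotations in the list are tracking manually.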


Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Nick FitzGerald
Gary Warner wrote:

[...]
> Sample reply from HKDNR follows:
> 
> (I have 28 copies of this form email received between March 5 and March
> 12.  In most of the 28 cases, the fraudulent domain is still online.
> Apparently after March 12 they decided to stop answering our emails at
> all, since we are no longer even getting the form letter replies.  They
> just block the email and let the fraud continue.)

Excellent!

Solid evidence that HKDNR is actively complicit in assisting the 
fraudsters and actively complicit in resisting the anti-fraud efforts 
of recognized, well-established anti-fraud efforts.

Report this to ICANN and the HK Police.

Sounds like HKDNR is heading the way of YESnic from a while back, whose 
almost exact same tactics led them dangerously close to being de-listed 
as a registrar...


Regards,

Nick FitzGerald



Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Steve Pirk
What about contacting someone at ICANN? I know it sounds dumb,
but someone had to grant HKDNR permission to be a .hk registrar.

--
Steve
panic: can't find /

On Sun, 18 Mar 2007, Tom wrote:

> The only way we had any luck was shutting down the phishing DNSs, as
> HKDNR will not even send us that "form letter" anymore.
>
> But now they are using multiple DNS deployed on multiple zombies and
> half of those phish are multihomed as well, and we have gotten nada
> support from Comcast, Level 3, etc. to deal with zombied residentials.
> You can imagine the support to shut down zombied residentials
> overseas.  However, I will say that a number of Russian ISPs have done
> a pretty good job shutting them down.
>
> The gang doing this even took over some USG machines for DNS that I
> reported late last week.
>
> I am not sure that HKDNR is ethical. But if anyone finds a contact
> point that works let us know.
>
> Tom
>
> At 3:49 PM -0500 3/18/07, Gary Warner wrote:
> >-BEGIN PGP SIGNED MESSAGE-
> >Hash: SHA1
> >
> >Friends,
> >
> >I am ready to declare that we are having a Crisis situation with HKDNR
> >and their unwillingness or failure to de-register domain names which
> >have been registered for the purpose of fraudulent activity.
> >
> >At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
> >are now hosting almost exclusively on ".hk" domains because they are
> >realizing there is a pattern of refusal to follow their own guidelines
> >and eliminate these domains.
> >
> >Of the 380 phishing reports that our team has published so far in June,
> >58 of these reports were related to a ".hk" domain.  Of these, at least
> >40 remain "live" at this time.  These are the longest-lived rock phish
> >we have seen in more than six months, and they will remain live until we
> >get cooperation from HKDNR to terminate these domains.
> >
> >HKDNR sends back nice form letters that say that they are working with
> >the HKCERT and HK Police, but they don't actually stop the fraud.
> >HKCERT sends back nice form letters saying they have alerted the
> >appropriate ISPs, but they also don't do anything to encourage HKDNR to
> >deregister the fraudulent domains.
> >
> >As an anti-phishing group, our primary concern is that the Rock Phish group
> >has begun hosting almost exclusively on .hk domains, but I want to
> >mention that pill spammers and mule recruiters (who may actually be the
> >same criminal enterprise) are also hosting there as the perception that
> >.hk domains stay live a long time spreads throughout the cybercrime world.
> >
> >Here are some sample .hk domains used by the rock phisher:
> >
> >05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
> >05MAR07 - TERMINATED - PIRT#160525 - techid.hk
> >05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
> >06MAR07 - LIVE   - PIRT#160819 - itdo.hk
> >06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
> >06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
> >06MAR07 - LIVE   - PIRT#161130 - ident1.hk
> >06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
> >06MAR07 - LIVE   - PIRT#160856 - ident.hk
> >06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
> >07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
> >07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
> >07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
> >08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
> >08MAR07 - TERMINATED - PIRT#161390 - idname.hk
> >08MAR07 - LIVE   - PIRT#161625 - idisop.hk
> >08MAR07 - LIVE   - PIRT#161789 - idissp.hk
> >08MAR07 - LIVE   - PIRT#161706 - idisor.hk
> >08MAR07 - LIVE   - PIRT#160842 - idusers.hk
> >09MAR07 - TERMINATED - PIRT#160517 - custid.hk
> >09MAR07 - LIVE   - PIRT#161708 - idisap.hk
> >09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
> >09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
> >09MAR07 - LIVE   - PIRT#162969 - troniek.hk
> >09MAR07 - LIVE   - PIRT#161855 - idisup.hk
> >10MAR07 - LIVE   - PIRT#162968 - tokret.hk
> >10MAR07 - LIVE   - PIRT#161855 - idisup.hk
> >10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
> >10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
> >10MAR07 - LIVE   - PIRT#161354 - hktech.hk
> >10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
> >10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
> >11MAR07 - LIVE   - PIRT#162545 - techhk.hk
> >11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
> >13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
> >14MAR07 - LIVE   - PIRT#165271 - kletro.hk
> >14MAR07 - LIVE   - PIRT#165309 - coit.hk
> >14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
> >14MAR07 - LIVE   - PIRT#165196 - hkpermanent.hk
> >14MAR07 - LIVE   - PIRT#165947 - glor.hk
> >14MAR07 - LIVE   - PIRT#166027 - sjuxu.hk
> >15MAR07 - LIVE   - PIRT#165195 - dllsdk.hk
> >15MAR07 - LIVE   - PIRT#166036 - kddrm.hk
> >15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
> >15MAR07 - LIVE   - PIRT#166103 - louf3.hk
> >15MAR07 - LIVE   - PIRT#166121 - hsa.hk
> >

Re: [phishing] Crisis in Hong Kong (rock phish on .hk)

2007-03-18 Thread Tom
The only way we had any luck was shutting down the phishing DNSs, as
HKDNR will not even send us that "form letter" anymore.

But now they are using multiple DNS deployed on multiple zombies and
half of those phish are multihomed as well, and we have gotten nada
support from Comcast, Level 3, etc. to deal with zombied residentials.
You can imagine the support to shut down zombied residentials
overseas.  However, I will say that a number of Russian ISPs have done
a pretty good job shutting them down.

The gang doing this even took over some USG machines for DNS that I
reported late last week.

I am not sure that HKDNR is ethical. But if anyone finds a contact 
point that works let us know.

Tom

At 3:49 PM -0500 3/18/07, Gary Warner wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>Friends,
>
>I am ready to declare that we are having a Crisis situation with HKDNR
>and their unwillingness or failure to de-register domain names which
>have been registered for the purpose of fraudulent activity.
>
>At CastleCops PIRT Squad we are observing that SEVERAL fraud categories
>are now hosting almost exclusively on ".hk" domains because they are
>realizing there is a pattern of refusal to follow their own guidelines
>and eliminate these domains.
>
>Of the 380 phishing reports that our team has published so far in June,
>58 of these reports were related to a ".hk" domain.  Of these, at least
>40 remain "live" at this time.  These are the longest-lived rock phish
>we have seen in more than six months, and they will remain live until we
>get cooperation from HKDNR to terminate these domains.
>
>HKDNR sends back nice form letters that say that they are working with
>the HKCERT and HK Police, but they don't actually stop the fraud.
>HKCERT sends back nice form letters saying they have alerted the
>appropriate ISPs, but they also don't do anything to encourage HKDNR to
>deregister the fraudulent domains.
>
>As an anti-phishing group, our primary concern is that the Rock Phish group
>has begun hosting almost exclusively on .hk domains, but I want to
>mention that pill spammers and mule recruiters (who may actually be the
>same criminal enterprise) are also hosting there as the perception that
>.hk domains stay live a long time spreads throughout the cybercrime world.
>
>Here are some sample .hk domains used by the rock phisher:
>
>05MAR07 - TERMINATED - PIRT#160518 - ti2l.hk
>05MAR07 - TERMINATED - PIRT#160525 - techid.hk
>05MAR07 - TERMINATED - PIRT#160420 - dllisap.hk
>06MAR07 - LIVE   - PIRT#160819 - itdo.hk
>06MAR07 - TERMINATED - PIRT#161109 - trenit.hk
>06MAR07 - TERMINATED - PIRT#161116 - ident2.hk
>06MAR07 - LIVE   - PIRT#161130 - ident1.hk
>06MAR07 - TERMINATED - PIRT#161138 - it-cl.hk
>06MAR07 - LIVE   - PIRT#160856 - ident.hk
>06MAR07 - LIVE   - PIRT#161144 - stackdr.hk
>07MAR07 - TERMINATED - PIRT#161380 - idllc.hk
>07MAR07 - LIVE   - PIRT#161837 - jdllid.hk
>07MAR07 - LIVE   - PIRT#161835 - tokretweb.hk
>08MAR07 - TERMINATED - PIRT#161371 - itprodll.hk
>08MAR07 - TERMINATED - PIRT#161390 - idname.hk
>08MAR07 - LIVE   - PIRT#161625 - idisop.hk
>08MAR07 - LIVE   - PIRT#161789 - idissp.hk
>08MAR07 - LIVE   - PIRT#161706 - idisor.hk
>08MAR07 - LIVE   - PIRT#160842 - idusers.hk
>09MAR07 - TERMINATED - PIRT#160517 - custid.hk
>09MAR07 - LIVE   - PIRT#161708 - idisap.hk
>09MAR07 - LIVE   - PIRT#161963 - troniekweb.hk
>09MAR07 - TERMINATED - PIRT#161310 - userdtt.hk
>09MAR07 - LIVE   - PIRT#162969 - troniek.hk
>09MAR07 - LIVE   - PIRT#161855 - idisup.hk
>10MAR07 - LIVE   - PIRT#162968 - tokret.hk
>10MAR07 - LIVE   - PIRT#161855 - idisup.hk
>10MAR07 - LIVE   - PIRT#161824 - toptenret.hk
>10MAR07 - LIVE   - PIRT#163165 - idissp.hk (duplicate of 161789)
>10MAR07 - LIVE   - PIRT#161354 - hktech.hk
>10MAR07 - TERMINATED - PIRT#162663 - lloydslsb.hk (not rock. Fast Flux)
>10MAR07 - TERMINATED - PIRT#161384 - lltco.hk
>11MAR07 - LIVE   - PIRT#162545 - techhk.hk
>11MAR07 - TERMINATED - PIRT#163995 - lloydstsd.hk (not Rock)
>13MAR07 - LIVE   - PIRT#165204 - dllsid.hk
>14MAR07 - LIVE   - PIRT#165271 - kletro.hk
>14MAR07 - LIVE   - PIRT#165309 - coit.hk
>14MAR07 - LIVE   - PIRT#165936 - erw3d.hk
>14MAR07 - LIVE   - PIRT#165196 - hkpermanent.hk
>14MAR07 - LIVE   - PIRT#165947 - glor.hk
>14MAR07 - LIVE   - PIRT#166027 - sjuxu.hk
>15MAR07 - LIVE   - PIRT#165195 - dllsdk.hk
>15MAR07 - LIVE   - PIRT#166036 - kddrm.hk
>15MAR07 - TERMINATED - PIRT#166064 - vlot.hk
>15MAR07 - LIVE   - PIRT#166103 - louf3.hk
>15MAR07 - LIVE   - PIRT#166121 - hsa.hk
>15MAR07 - LIVE   - PIRT#166127 - ere4.hk
>15MAR07 - LIVE   - PIRT#166134 - ddibb.hk (not worked yet)
>16MAR07 - LIVE   - PIRT#166596 - tenret.hk
>16MAR07 - LIVE   - PIRT#161824 - toptenret.hk (duplicate of 161824)
>16MAR07 - LIVE   - PIRT#166079 - seem.hk
>16MAR07 - LIVE   - PIRT#165430 - file7.hk
>16MAR07 - LIVE   - PIRT#160819 - itdo.hk
>17MAR07