Friends,
I am ready to declare that we are having a Crisis situation with HKDNR and their unwillingness or failure to de-register domain names which have been registered for the purpose of fraudulent activity. At CastleCops PIRT Squad we are observing that SEVERAL fraud categories are now hosting almost exclusively on ".hk" domains because they are realizing there is a pattern of refusal to follow their own guidelines and eliminate these domains.

Of the 380 phishing reports that our team has published so far in June, 58 of these reports were related to a ".hk" domain. Of these, at least 40 remain "live" at this time. These are the longest-lived rock phish we have seen in more than six months, and they will remain live until we get cooperation from HKDNR to terminate these domains.

HKDNR sends back nice form letters that say that they are working with the HKCERT and HK Police, but they don't actually stop the fraud. HKCERT sends back nice form letters saying they have alerted the appropriate ISPs, but they also don't do anything to encourage HKDNR to deregister the fraudulent domains.

As an anti-phishing group, our primary concern is that the Rock Phish group has begun hosting almost exclusively on .hk domains, but I want to mention that pill spammers and mule recruiters (who may actually be the same criminal enterprise) are also hosting there as the perception that .hk domains stay live a long time spreads throughout the cybercrime world.
Here are some sample .hk domains used by the rock phisher:

In Rock Phish, many brands of phish are all present on each server. We can show they are related by replacing the "directory" portion of the URL. The current "live" rock phish are:

Fifth Third Bank = /r1/cbdir/
Bank of America = /update/default/
BB&T = /bbtc
BB&T = /cbus
BB&T = /update/K1/sb_login.jsp
Nordea = /widecarea.aspx
Sparkasse = /update/banking.cgi/index.html
US Bank = /client.cfm

If you are aware of others WHICH ARE LIVE please send them back to me. Some recently live (but not current) paths include:

Volksbank = /vr
Sparkasse = /kund.id
Citibank.de = /anmelden.cgi

What is MOST IMPORTANT is that HKDNR provide to CastleCops and other security professionals their preferred channel to receive such alerts, and that they ACTUALLY BEGIN TERMINATING FRAUD DOMAINS!!!
Contacts for CastleCops regarding this situation:

#1. PIRT Team Leader - Robin Laudanski - [EMAIL PROTECTED]
#2. PIRT Handler - Gary Warner - [EMAIL PROTECTED]

One of our other Handlers is leading our rock phish efforts. We will make appropriate introductions to parties who can help.

Some of the "Money Mule" domains at .hk include: radgrup.hk radgrp.hk radiusgrp.hk luxcap.hk luxcatl.hk luxcaptl.hk luxcapi.hk luxcapit.hk finconsinter.hk interfic.hk interfinconsult.hk

Some of the pillspam domains (International Legal RX in this case) include: amhhcl.topjujuq.hk asdapw.mikia.hk svofrt.iizz.hk ukfspw.mikia.hk

=========================
Sample reply from HKDNR follows:
(I have 28 copies of this form email received between March 5 and March 12. In most of the 28 cases, the fraudulent domain is still online. Apparently after March 12 they decided to stop answering our emails at all, since we are no longer even getting the form letter replies. They just block the email and let the fraud continue.)
=========================

Dear customer,

Thank you for your email. As we would work together with HKCERT and Hong Kong Police to make Hong Kong and the Internet a safe place for business, do you mind if we can also forward your email to Hong Kong Police and HKCERT for investigation? In the meantime, you can consider reporting the case to your local law enforcement authority. Should you have any queries, please feel free to contact us.

Best regards,
Customer Service Department
Hong Kong Domain Name Registration Company Limited
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong
Phone No.: +852 2319 1313
Fax No.: +852 2319 2626
Email: [EMAIL PROTECTED]

======================================
Here is a sample email from HKCERT:
======================================

Dear Sir/Madam,

Thank you for your report on [ [10368290-553350] Fraudulent Domain Name used in Phishing Scheme (ident1.hk)] dated [14Mar 07].
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has passed your case to the corresponding ISP/Parties to follow up. Please refer to our case no. for ongoing follow-up.

HKCERT Case No: 20070274
First Report Date: 14 Mar 07

Regards,
HKCERT
Tel: +852-81056060
E-mail: [EMAIL PROTECTED]

=========================

_______________________________________________
phishing mailing list
phishing@whitestar.linuxbox.org
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
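As an added example (not code from the post or from CastleCops), the following Python implements the "replace the directory portion of the URL" correlation the post describes, from an analyst's side: it groups reported phish URLs by host, counts how many of the brand paths listed in the post each host serves, and builds the sibling URLs an analyst would go on to verify. The sample report URLs and their `.invalid` hostnames are constructed placeholders, not real domains.

```python
from urllib.parse import urlsplit

# Brand -> directory paths quoted in the post: on rock phish servers every
# brand sits at the same path on every host, so the paths identify the kit.
ROCK_PHISH_PATHS = {
    "Fifth Third Bank": ["/r1/cbdir/"],
    "Bank of America": ["/update/default/"],
    "BB&T": ["/bbtc", "/cbus", "/update/K1/sb_login.jsp"],
    "Nordea": ["/widecarea.aspx"],
    "Sparkasse": ["/update/banking.cgi/index.html"],
    "US Bank": ["/client.cfm"],
}
# Reverse index: normalised path (trailing slash ignored) -> brand.
PATH_TO_BRAND = {p.rstrip("/"): b for b, ps in ROCK_PHISH_PATHS.items() for p in ps}

def brands_by_host(urls):
    """Group reported phish URLs by hostname and record which of the known
    rock-phish brand paths each host has been seen serving."""
    seen = {}
    for url in urls:
        parts = urlsplit(url)
        brand = PATH_TO_BRAND.get(parts.path.rstrip("/"))
        if brand and parts.hostname:
            seen.setdefault(parts.hostname, set()).add(brand)
    return seen

def likely_rock_phish_hosts(urls, min_brands=2):
    """A host serving two or more distinct brand paths is treated as rock phish
    infrastructure; a single hit could be an unrelated kit reusing a path."""
    return sorted(h for h, b in brands_by_host(urls).items() if len(b) >= min_brands)

def sibling_urls(host):
    """The post's directory-swap check: for a host reported with one brand, list
    the other brand URLs an analyst would verify (URLs are built, not fetched)."""
    return [f"http://{host}{p}" for ps in ROCK_PHISH_PATHS.values() for p in ps]

# Constructed sample reports; the hostnames are .invalid placeholders, not real domains.
SAMPLE_REPORTS = [
    "http://host-a.invalid/r1/cbdir/",
    "http://host-a.invalid/update/default/",
    "http://host-a.invalid/client.cfm",
    "http://host-b.invalid/widecarea.aspx",
    "http://host-c.invalid/login.php",
]

if __name__ == "__main__":
    print(likely_rock_phish_hosts(SAMPLE_REPORTS))  # ['host-a.invalid']
```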