nwrickert | reply to MGD | Re: Rock phish report | Mar 03, 2007
I just sent a dslr mail report to AIT for phish #8951. I particularly mentioned the domain JUSTNYU.INFO, used for DNS for that phish and recently registered at NAME IT CORP. I'm not sure where to send reports for HKDNR, so going after the DNS server looks like an alternative.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9

nwrickert | reply to MGD
I know there are several groups, including CastleCops, who are focusing on that attack vector. The domains are coming down faster than can be accounted for by our reports. I suspect this is CastleCops and perhaps the BB&T bank.
I'll give some credit to the registrars for acting more promptly on these. And it looks as if, when they take down a domain, they take down all from the same customer.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9

MGD | reply to nwrickert
said by nwrickert:
    ..... I'm not sure where to send reports for HKDNR, so going after the DNS server looks like an alternative.
Not sure if USERDTT.HK is still active; I would begin sending notice to enquiry[at]hkdnr.hk
said by nwrickert:
    ......it looks as if, when they take down a domain, they take down all from the same customer.
Yes, it seems that some of the registrars that have been hit repeatedly are now running the registrant's name and/or email contact through their database and pulling up the list.
MGD

pleekmo
said by MGD:
    said by nwrickert:
        ......it looks as if, when they take down a domain, they take down all from the same customer.
    Yes, it seems that some of the registrars that have been hit repeatedly are now running the registrant's name and/or email contact through their database and pulling up the list.
    MGD
Of course the way around this is to register using different (stolen) identities. I wonder if the phishers have a large enough stockpile of stolen identities to go through a list and use one for each domain registration.
An interesting cost analysis situation here: ease of use and insecurity of repeated use of a single or few registration identities versus the expense and security of one-time use of a large number of identities.
-- HCN: Because you deserve a rest! Free Omelas!

nwrickert | reply to nwrickert | Rock phish report | Mar 06, 2007
Info on submissions today:
Phish #   IP                Hostname
8962      NXDOMAIN          online.bbt.com.onlineservlet_id7932616592.easyniz.info
8964      85.105.190.151    online.bbt.com.onlineservlet_id6502466333.gohns.biz
8965      220.93.85.43      online.bbt.com.onlineservlet_id164181265.trenit.hk
8981      148.245.112.237   online.bbt.com.onlineservlet_id94456504.idusers.hk
8983      220.118.86.56     online.bbt.com.onlineservlet_id746150.trenit.hk
8984      219.251.166.157   online.bbt.com.onlineservlet_id90057462.loksr.biz
Domain registration info
Phish domain    Registrar                         Registered
easyniz.info    unknown
gohns.biz       REGISTER.COM                      3/05/2007
trenit.hk       HKDNR                             3/05/2007
loksr.biz       ADVANCED INTERNET TECHNOLOGIES    3/06/2007
trenit.hk       HKDNR                             3/05/2007
DNS server domain    Registrar                         Registered
LOKWELT.BIZ          ADVANCED INTERNET TECHNOLOGIES    3/06/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9

nwrickert | reply to nwrickert | Rock phish report | Mar 07, 2007
Rock phish info for today:
Phish #   IP                Hostname (further hosting IPs after "also")
8988      NXDOMAIN          online.bbt.com.onlineservlet_id243003540.knion.info
8990      200.120.67.245    online.bbt.com.onlineservlet_id7673537.adulted.ws
8992      200.120.67.245    online.bbt.com.onlineservlet_id39603970.idname.hk
8993      219.251.166.157   online.bbt.com.onlineservlet_id68582.ident.hk
8994      219.251.166.157   online.bbt.com.onlineservlet_id990036191.lltco.hk
8999      NXDOMAIN          online.bbt.com.onlineservlet_id0483246696.efjepar.biz
9000      67.10.14.10       online.bbt.com.onlineservlet_id55336128.idisor.hk  also 67.176.10.207, 70.71.21.15, 72.51.249.79, 84.10.109.180
9006      200.120.67.245    online.bbt.com.onlineservlet_id14151.itprodll.hk
9007      24.181.96.222     online.bbt.com.onlineservlet_id9847523894.idisor.hk  also 68.51.47.161, 68.189.151.79, 69.47.45.64, 71.237.66.30
9008      200.120.67.245    online.bbt.com.onlineservlet_id949458.adulted.ws
9011      200.120.67.245    online.bbt.com.onlineservlet_id240529.adulted.ws
9016      68.43.25.82       online.bbt.com.onlineservlet_id2488930.idisop.hk  also 70.142.225.115, 74.132.173.180, 75.18.132.44, 76.17.117.156
Domain registration info
Phish domain    Registrar            Registered
adulted.ws      WILD WEST DOMAINS    3/06/2007
efjepar.biz     unknown
ident.hk        HKDNR                3/06/2007
idisop.hk       HKDNR                3/07/2007
idisor.hk       HKDNR                3/07/2007
idname.hk       HKDNR                3/07/2007
itprodll.hk     HKDNR                3/07/2007
knion.info      unknown
lltco.hk        HKDNR                3/07/2007
DNS server domain    Registrar                         Registered
DECPRO.NET           WILD WEST DOMAINS                 3/06/2007
HKPERMANENT.HK       HKDNR                             3/06/2007
KOLLENS.NET          ESTDOMAINS                        3/06/2007 (suspended)
LOKWELT.BIZ          ADVANCED INTERNET TECHNOLOGIES    3/06/2007
LOKZENTRALE.ORG      ADVANCED INTERNET TECHNOLOGIES    3/06/2007
TRANSFER-BK.COM      ENOM                              1/30/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.9

pcdebb | reply to nwrickert | Re: Rock phish information
Looks like they left 5/3 alone and moved to bbt. You guys get another gold star from me.

s0tet
efjepar.biz was registered with Neulevel.biz but was swiftly nuked by the time I was going to report it.

nwrickert
Thanks. I have been assuming that the domains I mark as "unknown" were registered, and then taken down. I can sometimes dig up information on them with a google search. But often I cannot find anything.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

MGD
I DSLR reported 3 domains to the HK registrar, and, as I mentioned in this phish comment post »/forum/phish,9···days=999, the mails were all caught in their mail server's phish trap because of the links for their own hk domains.
The three reported so far were idisor.hk, lltco.hk, and idname.hk.
I forwarded them back but disabled the links to pass the filter. Got an interesting, if not canned, response. However, it remains to be seen if they promptly revoke them and take additional steps to prevent continued registration.
quote:
Date: Thu, 8 Mar 2007 11:16:16 +0800
From: "Enquiry" enquiry[]hkdnr.net.hk
To: "MGD"
Subject: Re: Phish Report #8992 idname.hk = Bank Phishing

Dear customer,
Thank you for your email. As we would work together with HKCERT and Hong Kong Police to make Hong Kong and the Internet a safe place for business, do you mind if we can also forward your email to Hong Kong Police and HKCERT for investigation? In the meantime, you can consider reporting the case to your local law enforcement authority.
Should you have any queries, please feel free to contact us.
Best regards,
Customer Service Department
Hong Kong Domain Name Registration Company Limited
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central, Sheung Wan, Hong Kong
Phone No.: +852 2319 1313  Fax No.: +852 2319 2626  Email: enquiry[]hkdnr.hk
The information in this email is confidential and may be legally privileged. If you are not the intended recipient, please notify the sender immediately and then delete this e-mail entirely. You must not retain, copy, distribute or use this e-mail for any other purpose not intended by this email or disclose any of its content to others. The recipient should check the email and attachment for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

----- Original Message -----
From: MGD
To: enquiry[]hkdnr.hk
Sent: Thursday, March 08, 2007 5:48 AM
Subject: Fw: Phish Report #8992 idname.hk = Bank Phishing

----- Original Message -----
From:
To:
Sent: Wednesday, March 07, 2007 3:03 PM
Subject: Phish Report #8992 idname.hk = Bank Phishing

> Please immediately revoke the fraudulent domain registration for idname.hk. You have been targeted by a known criminal syndicate called the Rockphisher. They have registered numerous .HK domains using stolen credit/financial data. The registered domains and the DNS are used to direct victims to Bank phishing sites located on a network of hijacked computers.
>
> Please remove this domain promptly and take steps to prevent being targeted by this criminal organization.
> Phish Report #8992
> The phish below was seen by us on 2007-03-07 06:43:01
>
> Some of the buried phish components are as follows:
> ht*tp://online.bbt.com.onlineservlet_id39603970.idname.hk/cbus (currently showing status 301)
> h*ttp://online.bbt.com.onlineservlet_id39603970.idname.hk/cbus/ (currently showing status 200)
>
> If you are responsible for the security of the IPs currently hosting or email drop boxes assisting one or more of the URLs above, please take action to close it down as soon as possible, as this will break the phish.
>
> YOUR PROMPT ATTENTION IS VITAL IN ORDER TO LIMIT NUMBER OF POSSIBLE VICTIMS.
>
> For more details, see:
> »/phishtrack?pi···62315c69
>
> Thank you,
> The BBR PhishTracker project
> at »/phishtrack
> visit this link for more information
MGD

MGD | reply to nwrickert | Re: Rock phish report | Mar 07, 2007
said by nwrickert:
    Rock phish info for today:......
Well, they have certainly picked the pace back up from the beating they took last week.
I am shocked and pleasantly surprised at the prompt ESTDOMAINS cancellation. They have been on my list of Cesspool operations for some time.
MGD

MGD | reply to pleekmo | Re: Rock phish report | Mar 03, 2007
said by pleekmo:
    .....Of course the way around this is to register using different (stolen) identities. I wonder if the phishers have a large enough stockpile of stolen identities to go through a list and use one for each domain registration. An interesting cost analysis situation here: ease of use and insecurity of repeated use of a single or few registration identities versus the expense and security of one-time use of a large number of identities.
I am sure they do, but once the card purchase gets an online approval they tend to rack several up on it, as the clock starts ticking after the first charge. They have no way of knowing if the victim monitors charges online and will report the fraud at once. So the more cards that they can save for pure income processing, the better for them.
They do not usually hammer the card used for registration with other charges, the goal being not to trigger any alerts and get the longest use of the registrations as possible.
An interesting note on the recent rash of BB&T targeted phishes: I have dry-run them, and they do not ask for card data. They only request the log in credentials for the online access to the victim's accounts. I assume from that they then fleece whatever accounts are attached to it via transfers and online e-payments.
MGD

nwrickert | reply to nwrickert | Rock phish report | Mar 08, 2007
Today's submission info (so far):
Phish #   IP                Hostname (further hosting IPs after "also")
9018      68.73.102.146     online.bbt.com.onlineservlet_id646437.idisop.hk  also 69.234.243.75, 71.202.106.141, 75.130.201.157, 85.220.119.37
9020      68.73.102.14      online.bbt.com.onlineservlet_id72491282.idisor.hk  also 69.234.243.75, 71.202.106.141, 85.220.119.37, 88.161.209.16
9021      200.120.67.245    online.bbt.com.onlineservlet_id42664.idname.hk
9033      75.58.177.39      online.bbt.com.onlineservlet_id79387045.ident1.hk
9036      24.59.102.234     online.bbt.com.onlineservlet_id04144439.jdllid.hk  also 72.178.79.2, 76.9.33.247, 76.166.45.18, 80.47.78.46
9037      59.145.226.51     online.bbt.com.onlineservlet_id91442.tokretweb.hk
9038      59.145.226.51     online.bbt.com.onlineservlet_id130027.idusers.hk
9039      59.145.226.51     online.bbt.com.onlineservlet_id07176.itprodll.hk
9042      59.145.226.51     online.bbt.com.onlineservlet_id107889939.lltco.hk
Registrars hall of shame
Phish domain    Registrar    Registered
ident1.hk       HKDNR        3/06/2007
idisop.hk       HKDNR        3/07/2007
idisor.hk       HKDNR        3/07/2007
idname.hk       HKDNR        3/07/2007
idusers.hk      HKDNR        3/06/2007
itprodll.hk     HKDNR        3/07/2007
jdllid.hk       HKDNR        3/07/2007
lltco.hk        HKDNR        3/07/2007
tokretweb.hk    HKDNR        3/08/2007
DNS server domain    Registrar       Registered
HKPERMANENT.HK       HKDNR           3/06/2007
KOLLENS.NET          ESTDOMAINS      3/06/2007 (suspended)
OP-FREE.COM          REGISTER.COM    3/06/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

nwrickert | reply to nwrickert | Rock phish report | Mar 09, 2007
The rock phish group have been busy today. Here is the info on phish submitted so far:
Phish #   IP                Hostname (further hosting IPs after "also")
9046      67.160.255.175    online.bbt.com.onlineservlet_id0498092.idisop.hk  also 68.47.25.133, 69.234.243.75, 74.132.173.180, 86.153.11.44
9047      219.251.166.157   online.bbt.com.onlineservlet_id754724.ident.hk
9048      219.251.166.157   online.bbt.com.onlineservlet_id45684486.idname.hk
9049      219.251.166.157   online.bbt.com.onlineservlet_id765217.idname.hk
9050      68.47.25.133      online.bbt.com.onlineservlet_id16340.idisor.hk  also 72.188.208.43, 74.132.173.180, 86.153.11.44, 207.255.217.187
9051      219.251.166.157   online.bbt.com.onlineservlet_id93624935.idusers.hk
9052      219.251.166.157   online.bbt.com.onlineservlet_id5450672254.lltco.hk
9053      219.251.166.157   online.bbt.com.onlineservlet_id5867037.lltco.hk
9054      81.214.110.144    online.bbt.com.onlineservlet_id92637591.itprodll.hk
9055      68.47.25.133      online.bbt.com.onlineservlet_id706916.idisup.hk  also 72.188.208.43, 74.132.173.180, 86.153.11.44, 207.255.217.187
9056      68.47.25.133      online.bbt.com.onlineservlet_id68092107.idisop.hk  also 72.188.208.43, 74.132.173.180, 86.153.11.44, 207.255.217.187
9057      81.214.110.144    online.bbt.com.onlineservlet_id08952763.ident.hk
9059      68.47.25.133      online.bbt.com.onlineservlet_id6393376.idisop.hk  also 72.188.208.43, 74.132.173.180, 86.153.11.44, 207.255.217.187
9063      66.67.128.25      online.bbt.com.onlineservlet_id6847698369.idisop.hk  also 68.189.150.243, 71.108.87.111, 74.138.43.131, 88.161.209.16
9066      89.139.194.198    online.bbt.com.onlineservlet_id94573.idusers.hk
9069      24.222.62.237     online.bbt.com.onlineservlet_id54520.idisup.hk  also 71.202.106.141, 74.138.43.131, 75.11.182.235, 85.69.78.21
9075      66.69.50.245      online.bbt.com.onlineservlet_id1473021921.idissp.hk  also 67.183.119.148, 68.255.73.98, 70.113.82.88, 84.71.196.7
9076      67.183.119.148    online.bbt.com.onlineservlet_id9961662918.idisor.hk  also 68.251.75.27, 68.255.73.98, 70.240.186.192, 71.139.6.199
Registrars hall of shame
Phish domain    Registrar    Registered
ident.hk        HKDNR        3/06/2007
idisop.hk       HKDNR        3/07/2007
idisor.hk       HKDNR        3/07/2007
idissp.hk       HKDNR        3/07/2007
idisup.hk       HKDNR        3/07/2007
idname.hk       HKDNR        3/07/2007
idusers.hk      HKDNR        3/06/2007
itprodll.hk     HKDNR        3/07/2007
lltco.hk        HKDNR        3/07/2007
DNS server domain    Registrar       Registered
HKPERMANENT.HK       HKDNR           3/06/2007
OP-FREE.COM          REGISTER.COM    3/06/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

nwrickert
I sent an email to HKDNR, listing all of the ".hk" domains shown in today's report.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

nwrickert | reply to nwrickert | Rock phish report | Mar 10, 2007
Information on today's rock phish submissions:
Phish #   IP                Hostname
9080      75.68.111.68      online.bbt.com.onlineservlet_id42465664.toptenret.hk
9083      temp failure      online.bbt.com.onlineservlet_id782608797.jdllid.hk
9084      75.68.111.68      online.bbt.com.onlineservlet_id18022.ident.hk
9095      200.254.216.134   online.bbt.com.onlineservlet_id473998587.itdo.hk
9096      temp failure      online.bbt.com.onlineservlet_id946281.idisup.hk
9097      200.254.216.134   online.bbt.com.onlineservlet_id08978.toptenret.hk
Registrars hall of shame
Phish domain    Registrar    Registered
ident.hk        HKDNR        3/06/2007
idisup.hk       HKDNR        3/07/2007
itdo.hk         HKDNR        3/05/2007
jdllid.hk       HKDNR        3/07/2007
toptenret.hk    HKDNR        3/08/2007
DNS server domain    Registrar       Registered
OP-FREE.COM          REGISTER.COM    3/06/2007
WEB-MU.COM           REGISTER.COM    3/09/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

nwrickert | reply to nwrickert | Rock phish report | Mar 11, 2007
Here is today's info:
Phish #   IP                Hostname
9101      66.158.234.21     business-eb.ibanking-services43617d.bbt.com.posnds.net
9102      219.251.166.157   online.bbt.com.onlineservlet_id12753.stackdr.hk
9107      219.251.166.157   online.bbt.com.onlineservlet_id3005318.custid.hk
9108      219.251.166.157   online.bbt.com.onlineservlet_id110775803.itprodll.hk
9109      219.251.166.157   online.bbt.com.onlineservlet_id73288613.itprodll.hk
9110      219.251.166.157   online.bbt.com.onlineservlet_id73043501.hktech.hk
9111      219.251.166.157   online.bbt.com.onlineservlet_id24129777.ident.hk
9112      219.251.166.157   online.bbt.com.onlineservlet_id1477586662.stackdr.hk
9113      temp failure      online.bbt.com.onlineservlet_id16983279.idisor.hk
9114      219.251.166.157   online.bbt.com.onlineservlet_id05467.idllc.hk
9115      219.251.166.157   online.bbt.com.onlineservlet_id27870.idname.hk
9117      temp failure      online.bbt.com.onlineservlet_id387111174.idissp.hk
9119      temp failure      online.bbt.com.onlineservlet_id2818789451.idisap.hk
9122      219.251.166.157   online.bbt.com.onlineservlet_id491079.userdate.in
9127      219.251.166.157   online.bbt.com.onlineservlet_id73027.troniekweb.hk
9128      219.251.166.157   online.bbt.com.onlineservlet_id92706.userdate.in
9130      69.138.247.111    online.bbt.com.onlineservlet_id936913341.dllisap.hk
Registrars hall of shame
Phish domain    Registrar       Registered
custid.hk       HKDNR           3/05/2007
dllisap.hk      HKDNR           3/02/2007
hktech.hk       HKDNR           3/05/2007
ident.hk        HKDNR           3/06/2007
idisap.hk       HKDNR           3/07/2007
idisor.hk       HKDNR           3/07/2007
idissp.hk       HKDNR           3/07/2007
idllc.hk        HKDNR           3/07/2007
idname.hk       HKDNR           3/07/2007
itprodll.hk     HKDNR           3/07/2007
posnds.net      REGISTER.COM    3/08/2007
stackdr.hk      HKDNR           3/06/2007
troniekweb.hk   HKDNR           3/08/2007
userdate.in     PlanA Corp      3/11/2007
DNS server domain    Registrar       Registered
HKPERMANENT.HK       HKDNR           3/06/2007
KOLLENS.NET          ESTDOMAINS      3/06/2007 (suspended)
OP-FREE.COM          REGISTER.COM    3/06/2007
WEB-MU.COM           REGISTER.COM    3/09/2007
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10
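As an added illustration, not code from this thread or from the BBR PhishTracker, here is a small Python parser for report lines in the layout nwrickert posts above. It pulls out the registered domain to report, the full pool of hosting IPs behind each throwaway domain, and flags the Rock Phish pattern of spelling the target bank's name out as subdomain labels. The sample lines are constructed, the registered-domain split assumes the last two labels (true for the names in this thread, no public suffix list), and the function names are chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's daily reports (not real tracker output):
# "<tracker id> <resolved IP | NXDOMAIN | temp failure> <hostname> [also <ip>, <ip>, ...]"
SAMPLE_REPORT = """\
9046 67.160.255.175 online.bbt.com.onlineservlet_id0498092.idisop.hk also 68.47.25.133, 69.234.243.75
9047 219.251.166.157 online.bbt.com.onlineservlet_id754724.ident.hk
9056 68.47.25.133 online.bbt.com.onlineservlet_id68092107.idisop.hk also 72.188.208.43, 69.234.243.75
9083 temp failure online.bbt.com.onlineservlet_id782608797.jdllid.hk
8988 NXDOMAIN online.bbt.com.onlineservlet_id243003540.knion.info
9101 66.158.234.21 business-eb.ibanking-services43617d.bbt.com.posnds.net
"""

ENTRY_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<status>\d{1,3}(?:\.\d{1,3}){3}|NXDOMAIN|temp failure)\s+"
    r"(?P<host>\S+)(?:\s+also\s+(?P<more>.+))?$"
)


def registered_domain(hostname):
    """Name to report to the registrar. Assumed to be the last two labels, which holds for
    the names in this thread (all registered directly under .hk/.biz/...); no public suffix list."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def parse_report(text):
    """Turn flattened tracker lines into records carrying the full set of hosting IPs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank line or table header, not a tracker entry
        ips = set() if m["status"] in ("NXDOMAIN", "temp failure") else {m["status"]}
        if m["more"]:
            ips.update(ip.strip() for ip in m["more"].split(",") if ip.strip())
        entries.append({"id": int(m["id"]), "status": m["status"], "host": m["host"],
                        "domain": registered_domain(m["host"]), "ips": ips})
    return entries


def brand_in_subdomain(hostname, brand="bbt.com"):
    """Flag the Rock Phish trick of spelling the target's name out as subdomain labels:
    the brand's labels occur left of a registered domain that is not the brand."""
    labels, brand_labels = hostname.lower().split("."), brand.lower().split(".")
    prefix, n = labels[:-2], len(brand_labels)
    return registered_domain(hostname) != brand and any(
        prefix[i:i + n] == brand_labels for i in range(len(prefix) - n + 1))


def summarize_by_domain(entries):
    """Per registered domain: hostnames seen and the union of hosting IPs, which is what
    exposes the rotating pool of compromised hosts behind each throwaway domain."""
    summary = defaultdict(lambda: {"hosts": 0, "ips": set()})
    for e in entries:
        summary[e["domain"]]["hosts"] += 1
        summary[e["domain"]]["ips"] |= e["ips"]
    return dict(summary)
```

Running summarize_by_domain(parse_report(SAMPLE_REPORT)) groups the two idisop.hk hostnames into one entry with four distinct hosting IPs, and brand_in_subdomain returns True for every sample host but False for the bank's own online.bbt.com.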
MGD
HKDNR HKDNR etc ..... could see this one coming ... they are all over that TLD.
Did you ever get a human response to that list submit ??
This is a typical pattern for the Rockphisher: find a comatose registrar that does not revoke promptly, ride them as long as he can, then rinse and repeat.
MGD

nwrickert
said by MGD:
    Did you ever get a human response to that list submit ??
No, nothing. All indications are that HKDNR is asleep at the wheel.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10

nwrickert | reply to MGD
said by MGD:
    Did you ever get a human response to that list submit ??
I finally received a response. They requested permission to forward my email to HKCERT and to the Hong Kong police.
I'm guessing that they have started to receive charge-back notices.
I gave them permission, and included a list of additional HKDNR domains used by the rock phishers. I also pointed them to this thread.
-- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10