Report on the criminal 'Rock Phish' domains registered at Nic.at
Statement

Category: Report
Updated: 2007-06-21
Statement Ref: S07


After first refusing to remove criminal Rock Phish domains registered and run through Austrian domain registry/registrar Nic.at, and then issuing a silly legal threat to Spamhaus, Nic.at has now apparently reversed its position and has finally begun suspending the Rock Phish domains.

If so, Spamhaus appreciates this change, as does the world of anti-spam and anti-phishing, law enforcement and the general internet user and business communities who lose billions of dollars each year to the non-stop flow of phishing attacks used to steal their monies and identities. We will be pleased to see Nic.at finally acting responsibly and taking action to stop a notorious cybercrime problem, as other major registrars do. We hope that this will be an ongoing solution and not a one-time move in order to get out of Spamhaus' bad graces.

However, it is not totally clear to Spamhaus what Nic.at are doing, as we have some conflicting reports. While many of the .at phishing domains have now been suspended and some given empty zone files, some users are reporting that many criminal phisher domain registrations are still live at Nic.at, and it's only the efforts of other registrars and hosting providers in shutting down other resources that have removed the domains' DNS from the internet.

Concern has been raised in the banking industry over the Nic.at affair. The international banks being phished by the 'Rock Phish' Russian cybercrime gang served (knowingly and for profit) by Nic.at include: USAA Bank, Washington Mutual, Nationwide, Volksbank, National City, Nordea, Commerce Bank. We wonder if the position of Nic.at would change if Austrian Banks were being phished and Austrian citizens were the target of Nic.at's Russian phishing customers.

Nic.at have claimed the Austrian law prevents them from suspending domains involved in criminal phishing of world banks. Spamhaus really cannot believe that Austrian law could require anyone to be an accessory to a criminal act as a result of a civil contract.

Nic.at should be operating with proper 'Terms and Conditions of Service' that forbid the use of .at domains for criminal or serious abuse purposes. That they lack such an obvious and basic ability says simply that they should hire proper lawyers to write their Terms of Service. Contrary to the "we can't stop crime" claims by the Nic.at legal department, here is an Austrian High Court finding that Nic.at IS responsible for and must take appropriate steps in cases where they are informed of abuse (in this case Nic.at had to be ordered to remove fpo.at).

Below is a more detailed report of how the Nic.at registry has been abused by these gangs of criminals.


(Report Compiled by anti-phishing researcher, Gary Warner of the CastleCops PIRT Team.)

I thought it might be helpful to those who are working on changing the opinions of the "nic.at" registrar to see a history of the Rock Phish fraud being perpetrated on their domain names.

There have been 69 ".at" domain names used by the Rock Phisher since April 17th, when the Rock Phisher, being frustrated that we were now gaining cooperation from ".hk" domain registrar, HKDNR, began to explore other options for domain registration.

Although the Rock Phisher gang still uses a few .hk domains, as of this weekend, the ten oldest rock phish domains were all ".at". With the exception of the single brand "Fast Flux" rock phish domains, ALL of the rock phish domains greater than 7 days old were on ".at".

Emails sent to the abuse desk at "nic.at" were replied to by the Legal Department. (Either Dr. Barbara Schlossbauer, or Mag. Bernhard Erler). The replies basically said that they had no responsibility for the content of ".at" domains and that we should take things up with the domain owner. When we pointed out that the domain owner information was fraudulent and the domains were paid for with stolen credit cards, we were advised that we must PROVE that the domains were registered by non-existent persons. They even recommended a method for us to do so, as you can see in this email:

=====================================================

Dear Sirs,

to be able to withdraw a domain we need a clear proof that the domain holder data is wrong.

As a proof we accept e.g. a registered letter that could not be delivered to the address named in the whois-database because of an unknown recipient or a recipient that moved to another place. If the letter is not accepted by the recipient, this does not confirm the incorrectness of the data.

Therefore we would kindly ask for a proof in regard to the wrong user data that you mention.

Best regards

Dr. Barbara Schlossbauer
nic.at - legal department

nic.at Internet Verwaltungs- und Betriebsgesellschaft m.b.H.
Jakob-Haringer-Str. 8/V, 5020 Salzburg, Austria

Tel: +43 (662) 4669 - xxxx
Fax: +43 (662) 4669 - xxxx

E-Mail: mailto:-----@nic.at
Homepage: http://www.nic.at

Registered office: Salzburg LG Salzburg / FN 172568b
VAT-No.: ATU 45305101 DVR: 0968935
__________________________________________________

Curiously, yesterday at this time there were only twelve rock phish domains older than 10 days old, and they were ALL ".at" domains. Today, strangely, all of those domains have disappeared. In fact, ALL 69 of the ".at" domains are failing to resolve for me as of this timestamp!!

Well done Spamhaus!!!

=====================================================

The format of the data below will be domains, ordered by first appearance, and followed by the first appearance of each brand which we can document was spammed for that domain. Most of these spam runs continued in great volume for the life of the domain.

=====================================================

APRIL 17
------------
30175.at
    - BB&T on 4/17
    - Fifth Third on 4/17
    - Nordea on 4/24
    - E*Trade on 5/13
    - National City on 5/13


APRIL 18
------------
mymast.at
     - Fifth Third on 4/18
     - BB&T on 4/18
     - Nordea on 4/18


APRIL 19
-------------
j2u.at
     - Fifth Third on 4/19
     - BB&T on 4/20
     - Nordea on 4/23
     - E*Trade on 5/8
     - National City on 5/10
     - Regions Bank on 5/11

myjs.at
     - Fifth Third on 4/19
     - BB&T on 5/1
     - Nordea on 5/3
     - National City on 5/10
     - E*Trade on 5/10
     - Regions Bank on 5/11
     - Commerce Bank on 5/28
     - USAA Bank on 6/4
     - Washington Mutual on 6/5
     - US Bank on 6/7
     - PNC Bank on 6/10
     - Nationwide on 6/10

flagstaff.at
     - Fifth Third on 4/19

column.at
     - Fifth Third on 4/19

APRIL 20
--------------
myj.at
     - BB&T on 4/20
     - Fifth Third on 4/20
     - Nordea on 4/30


jweb.at
     - BB&T on 4/20
     - Fifth Third on 4/20
     - Nordea on 4/30
     - E*Trade on 5/8
     - National City on 5/10
     - Regions Bank on 5/11


APRIL 22
---------------
easykdi.at
   - BB&T on 4/22
   - Fifth Third on 4/22

kdisite.at
   - Fifth Third on 4/22
   - BB&T on 4/22

bestkdi.at
   - BB&T on 4/22
   - Fifth Third on 4/22

kdipro.at
   - BB&T on 4/22
   - Fifth Third on 4/22


APRIL 27
---------------
skonhome.at
   - Fifth Third on 4/27

bigj.at
   - Fifth Third on 4/27
   - BB&T on 5/1
   - Nordea on 5/3
   - E*Trade on 5/8
   - National City on 5/10
   - Regions Bank on 5/11

APRIL 30
----------------
mjduweb.at
   - Fifth Third on 4/30
   - BB&T on 4/30
   - Nordea on 4/30

themjdu.at

MAY 1
----------------
mjdusite.at
   - BB&T on 5/1
   - Fifth Third on 5/1

mjdupro.at
   - BB&T on 5/1
   - Fifth Third on 5/1

mjdu.at
   - Fifth Third on 5/1
   - BB&T on 5/1
   - Nordea on 5/2

mymjdu.at
   - Fifth Third on 5/1
   - BB&T on 5/1

MAY 11
-----------------
yourplo.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/11
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5

bestplo.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/11
   - Nordea on 5/11
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5

haae.at
   - Regions Bank on 5/11
   - E*Trade on 5/11
   - National City on 5/11
   - Nordea on 5/20

plosure.at
   - Regions Bank on 5/11
   - E*Trade on 5/11
   - National City on 5/11
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5

myhaae.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/11
   - Nordea on 5/14


thehaae.at
   - Regions Bank on 5/11
   - E*Trade on 5/11
   - National City on 5/11


ploshop.at
   - Regions Bank on 5/11
   - E*Trade on 5/11
   - National City on 5/11
   - Nordea on 5/17
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5

metroplo.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/11
   - Commerce Bank on 5/28
   - Washington Mutual on 6/5
   - USAA on 6/5

myplo.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/11
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5

besthaae.at
   - Regions Bank on 5/11
   - National City on 5/11
   - E*Trade on 5/12

MAY 22
-----------------
comrhome.at
   - National City on 5/22
   - Regions Bank on 5/25
   - Commerce Bank on 5/28
   - Nordea on 6/3
   - USAA on 6/4
   - Washington Mutual on 6/5
   - US Bank on 6/7
   - Nationwide on 6/10
   - PNC on 6/10

comr.at
   - National City on 5/22
   - Nordea on 5/22
   - Regions Bank on 5/25
   - Commerce Bank on 5/28
   - USAA on 6/4
   - Washington Mutual on 6/5
   - US Bank on 6/7
   - PNC Bank on 6/10
   - Nationwide on 6/10

MAY 25
-----------------
yourbmx.at
   - Regions Bank on 5/25
   - Commerce Bank on 5/28
   - National City on 5/31
   - USAA on 6/4
   - Washington Mutual on 6/5


MAY 28
-----------------
myfe.at
   - Regions Bank on 5/28
   - Commerce Bank on 5/28

JUNE 4
-----------------
vdilive.at
   - Regions Bank on 6/4
   - USAA Bank on 6/4
   - Washington Mutual on 6/5

easyvdi.at
   - Regions Bank on 6/4
   - USAA on 6/4
   - National City on 6/4
   - Washington Mutual on 6/5

bestvdi.at
   - Regions Bank on 6/4
   - USAA on 6/4
   - Washington Mutual on 6/4

vdipro.at
   - Regions Bank on 6/4
   - USAA on 6/4
   - National City on 6/4
   - Washington Mutual on 6/5

vdistore.at
   - Regions Bank on 6/4
   - USAA on 6/4
   - Washington Mutual on 6/5

JUNE 5
------------------
dyufour.at
   - Washington Mutual on 6/5
   - National City on 6/5

dsyufor.at
   - Washington Mutual on 6/5
   - National City on 6/5

dyu4.at
   - Washington Mutual on 6/5
   - National City on 6/5


JUNE 6
--------------------
myghy.at
   - Washington Mutual on 6/6
   - PNC on 6/18

theghy.at
   - Washington Mutual on 6/6

newwow.at
   - Washington Mutual on 6/6
   - National City on 6/7
   - Nordea on 6/7

mywow.at
   - Washington Mutual on 6/6
   - National City on 6/7

JUNE 8
--------------------
ply.at
   - US Bank on 6/8
   - Nationwide on 6/10
   - PNC on 6/10
   - Washington Mutual on 6/12

ply4u.at
   - US Bank on 6/8
   - PNC on 6/10
   - Nationwide on 6/10
   - Washington Mutual on 6/12

ply2u.at
   - US Bank on 6/8
   - PNC on 6/10
   - Nationwide on 6/10
   - Washington Mutual on 6/12

bigply.at
   - US Bank on 6/8
   - PNC on 6/10
   - Nationwide on 6/10

JUNE 9
---------------------
besthkd.at
   - US Bank on 6/9
   - PNC on 6/10
   - Nationwide on 6/10
   - National City on 6/10
   - Washington Mutual on 6/12

myhkd.at
   - US Bank on 6/9
   - PNC on 6/10
   - Nationwide on 6/10
   - National City on 6/12
   - Washington Mutual on 6/12

newhkd.at
   - US Bank on 6/9
   - Nationwide on 6/10
   - PNC on 6/10
   - Washington Mutual on 6/10

hkdpro.at
   - US Bank on 6/9
   - PNC on 6/10
   - Nationwide on 6/10
   - Washington Mutual on 6/12

hkdlive.at
   - US Bank on 6/9
   - PNC on 6/10
   - Nationwide on 6/10
   - National City on 6/12
   - Washington Mutual on 6/12

JUNE 11
----------------
kirypro.at
   - Regions Bank on 6/11


JUNE 12
----------------
kisry.at
   - Regions Bank on 6/12
   - Volksbank on 6/18

mykisry.at
   - National City on 6/12
   - US Bank on 6/12
   - Nationwide on 6/12
   - PNC on 6/12
   - Washington Mutual on 6/12

kiry.at
   - US Bank on 6/12
   - Nationwide on 6/12
   - PNC on 6/12
   - Washington Mutual on 6/12



JUNE 18
--------------
goip.at
   - PNC on 6/18

thegoip.at
   - PNC on 6/18

moveip.at
   - PNC on 6/18

mygoip.at
   - PNC on 6/18

newriuf.at
   - PNC on 6/18

riuflive.at
   - PNC on 6/18

riuf.at
   - PNC on 6/18

bestgoip.at
   - PNC on 6/18

riufpro.at
   - PNC on 6/18

myriuf.at
   - PNC on 6/18
=====================================================

This report was written by anti-phishing researcher, Gary Warner, of the CastleCops PIRT Team. Published in this Spamhaus statement with the permission of Gary Warner.
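
The listing above follows a regular layout (date heading, domain, then indented "brand on month/day" lines), so it can be parsed to measure how many brands each domain was used against and over how many days. The following is an added example, not part of the Spamhaus statement or of Gary Warner's report; the function names are illustrative, the sample is an abridged excerpt of the listing, and the year 2007 is assumed from the statement's "Updated" date.

```python
import re
from datetime import date

# Abridged excerpt of the listing above, in the same layout.
SAMPLE = """\
APRIL 18
------------
mymast.at
     - Fifth Third on 4/18
     - BB&T on 4/18
     - Nordea on 4/18

APRIL 30
----------------
themjdu.at

JUNE 12
----------------
kisry.at
   - Regions Bank on 6/12
   - Volksbank on 6/18
"""

DOMAIN = re.compile(r"^([a-z0-9-]+\.at)$")
BRAND = re.compile(r"^-\s*(.+?) on (\d{1,2})/(\d{1,2})$")

def parse_report(text, year=2007):  # year is an assumption, see lead-in
    """Return {domain: [(brand, first_seen_date), ...]} in report order."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DOMAIN.match(line):
            current = domains.setdefault(m.group(1), [])
        elif (m := BRAND.match(line)) and current is not None:
            seen = date(year, int(m.group(2)), int(m.group(3)))
            current.append((m.group(1), seen))
        # date headings, separator rules and blank lines carry no data
    return domains

def summarize(domains):
    """Per domain: (distinct brands, days from first to last new brand)."""
    out = {}
    for name, hits in domains.items():
        days = [d for _, d in hits]
        # a domain listed with no brand lines has no measurable span
        span = (max(days) - min(days)).days if days else None
        out[name] = (len({b for b, _ in hits}), span)
    return out
```

The span is a lower bound on a domain's working life, since the report records only the first appearance of each brand and notes that most spam runs continued for the life of the domain.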


Copyright © 2016 The Spamhaus Project Ltd. Reproduction from "Report on the criminal 'Rock Phish' domains registered at Nic.at" is permitted provided you quote the source as "The Spamhaus Project" and provide a link to the source url: http://www.spamhaus.org/organization/statement/7/report-on-the-criminal-rock-phish-domains-registered-at-nic.at