.hk the "Most Unsafe" Domains?

Suresh Ramasubramanian

Hong Kong domains are the most dangerous in the world; this little factoid from a recent McAfee report [PDF] generated quite a bit of media coverage, and even made TIME magazine's top stories list (here is McAfee's press release on the subject). But all is not as it seems, and aspects of the report may have been out of date before the report was even published.

McAfee's study seems to be based on a year's worth of data, and last year was a particularly bad year for the Hong Kong domain, thanks to a gang of botnet spammers registering thousands of domains under the .hk ccTLD.

These domains were most likely registered using stolen credit cards, and contained bogus information in the whois records. The contact email address for each domain was usually at a free webmail provider such as Yahoo, Hotmail, or one of the free webmail domains hosted on Outblaze, where I head the anti-spam operations.

The .hk domains started turning up in spam for porn, fake prescription medication, phishing (identity theft) and many other illegal schemes such as "money mule recruitment", where people are conned into running an "export agency" and unwittingly become conduits for money laundering and receivers of goods bought with stolen credit cards.

This certainly turned out to be a gigantic reputation problem for the .hk ccTLD — far more scam domains were being registered under .hk than legitimate domains. Even worse, these scam domains were being hosted on botnets.

A botnet is a very large, distributed and highly failure-tolerant network of compromised machines. It is also international in nature: a child pornography website hosted on an infected PC in Hong Kong can turn up the very next minute on an infected laptop in Brazil, because the scam domain's DNS records are simply repointed at another infected host. Even with distributed, peer-to-peer botnets, the domain name the operation depends on is sometimes its one single point of failure.
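To make that hosting pattern concrete, here is an added example of my own (not code from the original post) that scores a domain's DNS answer history for the signature a botnet-hosted domain leaves behind: many distinct IPs spread across many networks, short TTLs, and hosts that appear once and are never seen again. The two resolution histories and the thresholds are constructed assumptions; real input would come from passive DNS or repeated lookups over a day.

```python
"""Flag botnet-hosted ("fast-flux") domains from their DNS answer history.

Added example, not code from the original post. The two resolution
histories and the thresholds below are constructed assumptions; real
input would come from passive DNS or repeated lookups over a day.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Answer:
    """One observed DNS answer: the TTL and the A records it returned."""
    ttl: int
    ips: tuple


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16, a rough proxy for 'different network'."""
    return str(ip_network(f"{ip}/16", strict=False))


def flux_indicators(history):
    """Summarise how widely and how briefly a domain's hosts were used."""
    seen = Counter()
    for ans in history:
        seen.update(ans.ips)
    return {
        "answers": len(history),
        "distinct_ips": len(seen),
        "distinct_prefixes": len({prefix16(ip) for ip in seen}),
        "min_ttl": min(a.ttl for a in history),
        # share of hosts that appeared in exactly one answer and were never
        # seen again: infected PCs rotating in and out of the pool
        "single_use_ratio": sum(1 for n in seen.values() if n == 1) / len(seen),
    }


def is_fast_flux(history, min_ips=10, min_prefixes=5, max_ttl=300,
                 min_single_use=0.5):
    """Heuristic verdict; the thresholds are assumptions, tune them to your data."""
    ind = flux_indicators(history)
    return (ind["distinct_ips"] >= min_ips
            and ind["distinct_prefixes"] >= min_prefixes
            and ind["min_ttl"] <= max_ttl
            and ind["single_use_ratio"] >= min_single_use)


# Constructed history for an ordinary site: the same two hosts, long TTL.
STATIC_HISTORY = [Answer(3600, ("203.0.113.10", "203.0.113.11"))
                  for _ in range(8)]

# Constructed history for a botnet-hosted scam domain: every answer
# returns five fresh infected hosts in five different /16s, TTL 180.
FLUX_HISTORY = [
    Answer(180, tuple(f"{20 + 5 * k + j}.{(41 * k + j) % 256}.7.{j + 1}"
                      for j in range(5)))
    for k in range(6)
]

if __name__ == "__main__":
    for name, hist in (("static", STATIC_HISTORY), ("flux", FLUX_HISTORY)):
        print(name, is_fast_flux(hist), flux_indicators(hist))
```

The point of the single-use ratio is the one the paragraph makes: a legitimate site reuses the same few hosts, while a botnet-hosted domain burns through infected PCs, so the only stable thing to take down is the name itself.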

Registrars (which sell domain registrations) and registries (which administer the gTLDs and ccTLDs) are therefore crucial to any attempt to mitigate botnets: suspending the domain at the registry takes every rotating host behind it offline at once.

HKDNR, the registry for the .hk ccTLD, was initially slow to react to this problem, prompting antivirus and anti-phishing researchers like Gary Warner (now Director of Research in Computer Forensics & Cybercrime at the University of Alabama at Birmingham) to declare a "crisis situation" in a March 2007 email to a mailing list that discusses phishing. In the email he accused HKDNR of inaction and insufficient response to the concerns of the anti-spam community.

HKDNR and the Hong Kong CERT (HKCERT) were accused of responding to complaints with canned letters that promised to investigate but appeared to lead to no action at all. The response letters (samples of which he quoted in his email) encouraged complainants from outside Hong Kong to "report the matter to their local law enforcement agencies". That advice is appropriate as far as it goes, but it is no substitute for quickly deactivating the scam domains.

By late 2007, the number of .hk domains registered by scam artists numbered in the tens of thousands. Action by various groups (independent technologists, anti-spam block list providers, CERT teams, law enforcement and regulatory agencies) then seemed to convince HKDNR of the need to take immediate drastic action against scam domains registered in the .hk ccTLD.

As the Postmaster and Head of Anti-spam Operations for Outblaze, I contributed to the effort by providing a feed of several thousand .hk domains from spam reported on our network of 40 million hosted email users.
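How such a feed is assembled, as an added example of my own rather than Outblaze's actual tooling: pull the URLs out of reported spam, reduce each host to the domain that the registry can actually suspend (one label under .hk, or one label under the second-level zones com.hk, org.hk, net.hk, edu.hk, gov.hk and idv.hk), and count distinct reports per domain. The spam samples below are constructed, and the example.* style names are not real registrations.

```python
"""Turn reported spam into a feed of .hk domains for the registry.

Added example, not Outblaze's tooling. The spam samples are constructed;
the second-level zone list is the usual .hk hierarchy.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Zones under which registrations sit one label deeper than the TLD.
HK_SECOND_LEVEL = {"com.hk", "org.hk", "net.hk", "edu.hk", "gov.hk", "idv.hk"}

# Absolute URLs and bare www. hosts as they appear in message bodies.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"'\)\]]+""", re.IGNORECASE)


def registrable_hk_domain(host):
    """Reduce a hostname to the registrable .hk domain, or None if not .hk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "hk":
        return None
    if ".".join(labels[-2:]) in HK_SECOND_LEVEL:
        # 'com.hk' itself is a zone, not a registration
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def hosts_in(text):
    """Yield hostnames from every URL-looking token in a message body."""
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw          # let urlsplit parse bare www. hosts
        host = urlsplit(raw).hostname      # strips port, path, query and case
        if host:
            yield host


def build_feed(messages, min_reports=1):
    """Count each .hk domain once per message; most-reported domains first."""
    counts = Counter()
    for body in messages:
        counts.update({d for d in map(registrable_hk_domain, hosts_in(body)) if d})
    return sorted(((d, n) for d, n in counts.items() if n >= min_reports),
                  key=lambda item: (-item[1], item[0]))


# Constructed spam samples (example.* style names, not real registrations).
SAMPLE_MESSAGES = [
    "Cheap meds http://cheap-meds-example.hk/order and www.example-bank-login.hk/secure",
    "Visit http://WWW.Example-Casino.HK:8080/play?x=1. Also https://www.example.com/",
    "Reported again: http://cheap-meds-example.hk/promo?id=2, http://shop.example-pharm.com.hk/",
]

if __name__ == "__main__":
    for domain, reports in build_feed(SAMPLE_MESSAGES):
        print(f"{reports}\t{domain}")
```

Counting a domain once per message rather than once per URL keeps a single mail with twenty links from dominating the feed; the min_reports knob is where you set how much corroboration a registry should see before it acts on an entry.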

The results were astounding. Over 10,000 scam domains were terminated in a matter of days. Long-term measures were also put in place, such as:

  • Credit card fraud prevention, including Verified by Visa (most of these scam domains were registered using stolen credit cards)
  • Due diligence measures to detect fake domain registrations
  • Closer cooperation of HKDNR with the relevant authorities and agencies

International cooperation is vital for two reasons:

  1. as an early warning when scam artists attempt to set up shop again
  2. as a way to share best practices with groups, associations, government regulators, and law enforcement agencies working on the prevention of spam and cybercrime.

In a matter of days, the huge concentration of scammer domains in the .hk ccTLD scattered, shifting to other countries and ccTLDs. Some moved to China (as the McAfee report indicates, a large number of scammer domains still exist in .cn space) and others went onto .biz, .info, and even ccTLDs like .ma (Morocco).

The botnet problem is clearly international, and registrars and registries around the world are vulnerable to what HKDNR suffered last year. This may be stale news in that HKDNR has already dealt with the problem, but it serves as a reminder that botnet criminals are still out there and still causing trouble. Spam and cybercrime are hitting record levels, and there is a need for constant awareness and joint effort to mitigate the menace that botnets have evolved into over the last few years.

I have earlier written a long and detailed paper [PDF] on botnet mitigation for the International Telecommunication Union (ITU) as part of the ITU's Botnet Mitigation Toolkit.

It discusses the threat that botnets pose to the worldwide community of Internet users, and describes an interlinked set of policy, technology, and civil society approaches to the problem of botnets. Most of what I have written in this blog entry is already present in the ITU paper, so I will stop here and encourage people reading this to glance at the paper as well. It is 100 pages long so probably not bedtime reading, but I'd still appreciate your comments.

By Suresh Ramasubramanian, Architect, Antispam and Compliance

Related topics: Cyberattack, Cybercrime, Domain Names, Registry Services, Policy & Regulation, Security, Spam, Top-Level Domains

Comments

Re: .hk the "Most Unsafe" Domains? Fergie  –  Jun 06, 2008 9:18 AM PST

Suresh,

I'm very pleased to see that you posted this summary, since I was thinking of doing so in a similar fashion (but I'm glad you beat me to it).

As you mentioned, the McAfee report used data from a period that was long enough to include the horrible issues that HKIRC/HKDNR suffered prior to "cleaning up their act", and to tell you the truth, I give them a lot of credit for finally cleaning up their act. Now if we could get other registries/registrars to do the same…

Last week during the 2nd Annual APWG Counter eCrime Operations Summit (CeCOS II), Bonnie Chun from HKIRC/HKDNR gave a presentation which provided an overview of how they have worked with the security community, HK-CERT, and law enforcement in Hong Kong (and abroad) to clean up criminal domain abuse in the .HK ccTLD.

So, while .HK may have once been a "bad neighborhood" with regards to malicious domains, etc., I certainly would not consider it to be any more dangerous than, say, .US or .EU in the grand scheme of things — especially not any more.

Thanks for the post — and see you around. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
Trend Micro, Inc., Cupertino, California USA

Re: .hk the "Most Unsafe" Domains? Suresh Ramasubramanian  –  Jun 06, 2008 9:22 AM PST

We (Outblaze) live in HK. It's a great city and I'd hate for it to be considered a bad neighborhood, even online.  :)
