Every now and then, when I am bored, I reverse engineer some of my phishing emails (Linkedin message, Fedex parcel etc). Very often I find that the phisherperson has embedded a rogue document (often .php) in a legitimate server. Sometimes I send a polite email to the admins of these sites warning them about the injected file. I NEVER received a thank you from any of these people. I don't care - I am not doing it for thanks, but I do sometimes wonder what the internet has done to once-common human decency and politeness.
As someone with the authority and means to shut down domains for exactly this, the truth is, most people have either used email addresses they never check, or just ignore all warnings.
I'd argue >75% of people contacted never reply. Their entire domain gets shut down, and then, probably 75% of those do finally contact asking why their domain is down.
It's probably most likely that since WHOIS data is public, people just don't put addresses they check often there.
>with the authority and means to shut down domains for exactly this
How do you get that authority to do that? What does "shut down" entail? Does that mean you can unregister or hijack domains? I'd like to know more about this, as well as the accountability process and where I can report abusive behavior that will actually get addressed.
Work for a registry with many TLDs. Shut down is removing NS records from the TLD zone.
And yes, you can generally report this type of thing to a registry of a TLD. We often act quicker than many registrars, in my experience (though it depends on a TLD's owner/policies... some are much better wrt malicious activity than others).
I used to work downstream from groups like yours. In the data center, we would receive abuse reports and investigate. Look for 100% CPU use, or wide-open ports, or just visit the server on port 80 and see the phishing page. Then pull the NIC and email the technical and administrative contacts.
Hey, just because it may be a fair time until I next get a chance to ask someone who may have the answer: I've wondered a fair bit, do you guys get a lot of spam at the abuse@ for domains, or do spam bots know not to bother with them?
No reason to ask, in all honesty; it's just been one of those curios that pops up in mind occasionally.
I work(ed) for a TLD registry, not a registrar, so our information isn't in WHOIS. As such, it gets little to no abuse. We do get email from the big names in security research/abuse tracking guys.
I'm currently dealing with this from jetigroup.?rg. The registry information is invalid, the contact emails I found for the guy who ran the company at one time bounce back, but a weak password on a mailman install let someone create a distribution list that allows every recipient to post. They broke the unsubscribe part of the script, so nobody can get off the list. Until I made a rule to kill all mail from the domain, the flood of "remove me, I'm contacting the secretary of state" messages was simultaneously hilarious, annoying, and sad.
I once got a really good phishing email pretending to be eBay. It included my full legal name and my eBay id. It was some BS threatening to sue me for nonpayment if I didn't PayPal them money or some stupid shit like that.
So I forwarded it to spoof@ebay.com with the message "reporting phishing email" or something. Somehow that report got "handled" by a clueless, non-technical, front line rep who thought I thought the email was real and was inquiring about the contents of the email. Pissed me off that the email wasn't handled by the correct department. I won't be bothering to forward any more phishing emails.
How do they know that you can be trusted, and aren't just another spammer/phisher?
You and I can tell the difference, but to the sort of people who run vulnerable servers, perhaps a legitimate email about server security looks indistinguishable from the others ("Hi I'm from Microsoft technical support. Please let me in to your computer to help you fix it").
What I do in my emails is tell them the exact URL of the bad page. All they need to do is look at the file with a text editor (they are admins, after all). Once they have done this, they will see strange JavaScript. They will know it has nothing to do with their own (or their clients') web pages. There are no links per se in my email (except the URL, but I leave off the http:).
I've worked as a security analyst at a company and sometimes I would report phishing pages to the webhost. After a while, I realized that half of my emails were being silently quarantined by the company's outbound spam filters due to the included URLs. I was able to manually release them, but I wonder how many emails will then be flagged on the receiving end.
Typically when sending an email with content like that for a notification you'll "defang" the URL by rendering it like "hXXp:// foo (dot) bar (dot) com" or something along those lines to ensure that it isn't automatically flagged and filtered, though it's also common on the receiving end to apply no spam filters to their abuse@ email as well. You'll usually have better luck sending this information to the abuse email listed in the IP WHOIS than to any contact information at the domain itself.
Perhaps using a dedicated email for these sorts of reports could limit the damage if that were to happen. It would probably increase the chance of being flagged, though.
I don't think you need to trust the sender of the email. If someone emails me and there is a link to mywebsite.com and I click and it looks like the Google login page, I am going to be super alarmed and take the necessary action. Maybe they are out to get me (they hacked my website and put malware there), but if it's my own website that gets me, that's on me.
> How do they know that you can be trusted, and aren't just another spammer/phisher?
That's not it, not all of the time anyway.
Over the summer I discovered a third party mail server with a missing DNS entry. It was like that for months and all their mail was getting flagged as spam.
I sent them an email (from an account that wasn't flagging their mail as spam) pointing it out. They fixed it within 24 hours but I never got a single reply.
At least four things were admitted: that you received the information, somebody processed it, the approximate time you received/processed, and the intention to take action.
I would hope any well-intentioned and reputable company would not mind, but some might not want to admit any of that! Plenty of ammo for anyone who subsequently blames you if you then fail to remedy the situation in a timely fashion.
A reputable company that deserves its reputation is probably not hosting phishers' pages on their site. Sure, shit happens, but anything above a micro company that's hosting pages should catch that. The shared hosting company I used caught a breach on my personal page once, another time Google notified me: it's not rocket surgery to catch these things, is it.
If the company is too small to monitor their own pages then I'd expect them not to be worried about this sort of liability (i.e. knowing of a breach, they're too small to be sued for much, presumably: if they were bigger they'd know about it already).
You just can't tell, when your job is hosting user content, e.g. managed website hosting (cPanel) or static pages (Azure static website hosting). I mention these two companies because I received 2 phishing attempts this week, both pretending to be from Microsoft, with the payload hosted on cPanel and Azure respectively.
Both have an abuse / phishing declaration form online. I signaled both pages, and they are still up for the moment.
I doubt a court would make a distinction. The claimant (plaintiff) would have to prove the defendant knew about the emails being sent to the public blockchain and decided not to do anything about it.
That's not necessarily easy to prove, in the same way the defendant could claim emails were trapped in spam filters, etc. or more realistically, the burden of proof is on the claimant so the defendant wouldn't say anything if they're smart.
Yeah, it's pretty bad. Some games try to gamify polite behavior (bonuses for getting tagged as helpful in a dungeon, etc), and that sort of works. Kind of sad that it's necessary, though.
I also think the rude behavior is a combination of both anonymity and "I'm never going to see or hear from this person again".
You wonder if it's the Internet or the desire to deflect liability. The insurance card in your car instructs you never to admit guilt, it's not a long stretch to assume the same factor is at work here.
In the cases where the problem is fixed, I think you'll find that the explanation is as simple as this:
They view the message as showing up a failure on their part and they do not want anything showing that they have made a mistake in some way. So, they do not acknowledge your message as it provides a means of tracking that failure.
For those cases where it is not fixed, there is no-one who cares to do so.
In the past, I have made communications with website admins about various aspects of their sites (non-security related) when they poorly relate to those of us who are getting older and have increasing eyesight difficulties. The usual response has been "No one else has complained, so take a long jump off a short pier - our site is perfect." I sometimes try to explain that people won't continue to visit if the experience is bad, nor will they bother highlighting that there are problems. They will generally still respond with "shut-up and go away."
You just leave them to their ineffective site and move on. Very occasionally, you get back a thanks and see improvements made, but that is rare.
Generally speaking the standard is to not respond to email reporting malicious activity on a server, just to resolve the issue and carry on, particularly if the report is being read by an admin at a webhosting company. Doesn't mean the notification isn't appreciated!
I was once repeatedly getting phishing emails from a small fire company a few states away. It seemed that one individual's email there had been compromised. I called the fire company and asked to speak with him. He was super embarrassed and thanked me. Their IT person* there apparently didn't know how to fix the issue, so I suggested a few possible solutions and we parted ways. I didn't get any more emails from his address so maybe it worked?
* their IT person I think was really just the person who was best with computers.
I'm on my company's many distribution email lists for info@, support@ and other common addresses. I do the exact same thing, but I've received a number of email responses saying thanks or asking for the original email headers.
I usually only notify .edu or nonprofit organizations and completely ignore large corporations. Sending an email to a larger organization usually gets lost and nothing comes of it.
> I send a polite email to the admins of these sites warning them about the injected file. I NEVER received a thank you from any of these people.
Out of curiosity, do you receive answers at all?
If not, there could be a technical reason rather than the decline of human decency: your including the link to the phishing page gets the message filtered away by automated security software.
Do you ever follow-up in an isolated, safe, environment to determine if the file still exists? Curious to see if there is any correlation to the "admins" and the hackers themselves.
I get an email claiming that I have unread LinkedIn messages. The email uses their logos. But if I were to click any of the links in the email, it would send me to a php or html file that contains a JavaScript redirect script. That script, if executed, then goes to the phisher's actual page. Sometimes, there is an additional DNS redirect at the JS redirected page. For some reason, the JS redirect tries to hide the redirect by encoding the target URL in an array of integers. The script converts the numbers to characters, concatenates them, and then sets the location property of the DOM. If there was enough interest, I could write all this stuff up as a blog.
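An added example, not code from anyone in this thread: a small triage helper for the redirect pattern described in the comment above (target URL hidden as an array of integer character codes, decoded and written to `location`), which also applies the "hXXp:// (dot)" defanging convention from the earlier comment so the recovered URL can be pasted into an abuse report without tripping outbound mail filters. The sample script and its host are constructed placeholders.

```javascript
// Added example (not from the thread): recover a redirect target hidden as an
// array of character codes in a landing-page script, then defang it for a report.

// Constructed sample in the style described above; the host is a placeholder.
const SAMPLE_SCRIPT = `
var a=[104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,108,111,103,105,110];
var s="";for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]);}
window.location=s;
`;

// Pull every literal integer array out of a script body.
function extractCodeArrays(script) {
  const re = /\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/g;
  const arrays = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    arrays.push(m[1].split(",").map((n) => parseInt(n.trim(), 10)));
  }
  return arrays;
}

// Decode an array of code points; null unless every value is printable ASCII.
function decodeCodeArray(codes) {
  if (codes.length === 0 || !codes.every((c) => c >= 32 && c <= 126)) return null;
  return String.fromCharCode(...codes);
}

// Rewrite a URL so mail filters and readers do not treat it as a live link.
function defang(url) {
  return url.replace(/^http/i, "hXXp").replace(/\./g, "(dot)");
}

// Every decoded string that looks like a URL, with its defanged form and a
// flag for whether the script also touches `location` (the redirect itself).
function findRedirectTargets(script) {
  const setsLocation = /\blocation\b/.test(script);
  return extractCodeArrays(script)
    .map(decodeCodeArray)
    .filter((s) => s !== null && /^https?:\/\//i.test(s))
    .map((url) => ({ url, defanged: defang(url), setsLocation }));
}

console.log(findRedirectTargets(SAMPLE_SCRIPT));
```

Paste the suspect page's script into `SAMPLE_SCRIPT` (in an isolated environment, never by loading the page in a browser) and report the `defanged` value.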
The solution should be to just stop using human generated passwords and instead have each site generate their own, and for browsers and apps to use password managers built into the OS and offer to fill them in based on the domain. This is increasingly happening. We need the large sites to move to this to eliminate phishing entirely. So https://f00l.com isn't the same as https://fool.com
For sites that I don't care that much about, I use and like Chrome's (relatively) new password manager [0].
I haven't looked into it in enough depth to be 100% convinced to trust it with my financially-linked passwords. (In reality, it's almost surely good enough, but I haven't reached that informed conclusion yet.)
1Password X for Firefox and Chrome, 1Password on Safari have pretty much solved this problem. The vast majority of passwords I fill are CMD + [shortcut].
Generating and saving new ones works like that maybe 50% of the time. The failure rate however is driven less by the extension technology and more by the password form itself.
Yeah. “Dear Alice, I saw your right-pad repository on Github and think you’d be a great fit for a job at Google. Can you fill out an application at g00gle.com/jobs? PS is $300K OK with you?”